Buffer Overflows (Free-float FTP)

Finally, after some hard work, I managed to understand and create my first buffer overflow. It has been amazing and really worth the learning. Of course some people might say that this is too old school, as there are different and more modern techniques to create and detect buffer overflows, but sometimes the basics are the best and all you need, as they still apply to modern software. And if you ever need to learn anything new, it's always best to have a solid understanding of the basics so you know where to go after that.

Let's Start

I followed tutorials from different blogs (I will put the links at the end) that explain buffer overflows amazingly well and give you an insight into what they are and how they work.

A simple Wikipedia search says this:

In information security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer’s boundary and overwrites adjacent memory locations.

We will download the Free-float FTP server onto our debugging machine and attach it to Immunity Debugger.

Screenshot from 2018-08-09 06-45-29 (RDP Session)

We will create a simple fuzzer on our attacking machine (I used Python) and send a huge number of characters so we can understand where EIP gets overwritten. Once we send our fuzzer we can see the results in Immunity Debugger.

Screenshot from 2018-08-09 06-50-20

I used the pattern script from msfconsole to find where EIP gets written, then the offset script from msfconsole to locate the exact offset.

Screenshot from 2018-08-06 01-47-34

Once located, we can make sure by editing our fuzzer to add 42s (0x42 is the hex code for “B”) at that position and seeing whether we got the correct location.

Screenshot from 2018-08-09 06-47-42

We run it and check our debugger

Screenshot from 2018-08-09 06-52-56

Perfect, EIP gets overwritten with 42's.
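To make the pattern/offset step concrete, here is an added Python example that is not the post's fuzzer and never touches the FTP server: it models a stack frame as a byte array (the 260-byte buffer, 4-byte saved EBP and 4-byte saved EIP sizes are assumptions for illustration, not Free-float's real layout), fills it with the same kind of cyclic pattern the msfconsole pattern script produces, reads back what landed in the EIP slot, and then repeats the confirmation run above with 0x42 bytes at the computed offset.

```python
"""Added example (not the blog's own fuzzer): a toy model of the stack frame
a vulnerable function would have, used to show why the pattern/offset trick
works. The buffer size and slot layout below are assumptions for illustration."""

import itertools
import string

BUF_SIZE = 260      # assumed local buffer size (illustration only)
SAVED_EBP = 4       # saved frame pointer sits right after the buffer
SAVED_EIP = 4       # saved return address (what EIP shows after RET)


def cyclic_pattern(length: int) -> bytes:
    """Same scheme as the Metasploit pattern script: Aa0Aa1...Aa9Ab0..., so
    any 4-byte window occurs only once within the first ~20 KB."""
    out = bytearray()
    for a, b, c in itertools.product(string.ascii_uppercase,
                                     string.ascii_lowercase,
                                     string.digits):
        out += f"{a}{b}{c}".encode()
        if len(out) >= length:
            break
    return bytes(out[:length])


class ToyFrame:
    """A fixed-size stack frame laid out as [buffer][saved EBP][saved EIP]."""

    def __init__(self):
        self.mem = bytearray(BUF_SIZE + SAVED_EBP + SAVED_EIP)
        # placeholder return address, constructed value
        self.mem[BUF_SIZE + SAVED_EBP:] = b"\xef\xbe\xad\xde"

    def unsafe_copy(self, data: bytes) -> None:
        """The bug: copies caller data with no bounds check, i.e. it writes past
        the buffer's boundary exactly as the Wikipedia definition describes.
        The model stops at the end of the frame; a real program would keep going."""
        n = min(len(data), len(self.mem))
        self.mem[:n] = data[:n]

    @property
    def eip(self) -> bytes:
        return bytes(self.mem[BUF_SIZE + SAVED_EBP:])


def find_offset(pattern: bytes, eip_bytes: bytes) -> int:
    """What the offset script does: locate the 4 bytes that landed in EIP.
    Immunity displays EIP as a little-endian hex number, so when working from
    the debugger display the 4 bytes must be reversed before searching."""
    return pattern.find(eip_bytes)


def locate_and_confirm(send_len: int = 1000) -> tuple:
    """Run the two stages from the write-up against the toy frame:
    1) send a cyclic pattern and compute the offset from the EIP slot,
    2) resend A's up to that offset followed by four 0x42 bytes and check
       that exactly those bytes end up in EIP."""
    pattern = cyclic_pattern(send_len)
    frame = ToyFrame()
    frame.unsafe_copy(pattern)
    offset = find_offset(pattern, frame.eip)

    confirm = ToyFrame()
    confirm.unsafe_copy(b"A" * offset + b"B" * 4 + b"C" * (send_len - offset - 4))
    return offset, confirm.eip == b"BBBB"


if __name__ == "__main__":
    off, ok = locate_and_confirm()
    print(f"EIP offset: {off}, confirmed with 42s: {ok}")
```

With the assumed layout the offset is 264 (260 bytes of buffer plus the 4-byte saved EBP); on a real target the number comes from the debugger, but the reasoning is the same.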

Once that has been handled we need to replace the “B”s with a pointer that redirects execution into ESP, since the part of the buffer ESP points to has enough room for our shellcode (and our shellcode cannot contain bad characters).

We will go to the Log option in the View menu of the debugger and use the mona.py script to help us locate a suitable pointer with this command:

!mona jmp -r esp

Screenshot from 2018-08-09 06-58-20

We are almost done. We need to modify our POC a bit to add a variable for our shellcode and insert a payload of our liking. Let's start with the POC: we will be inserting our payload in the part of the buffer that is now made up of C's. Ideally we would like the buffer length to be calculated dynamically so we don't need to recalculate it if we insert a payload of a different size (our total buffer length should remain 1000 bytes). We should also insert some NOPs (No Operation Performed = \x90) before our payload as padding. You can see the result below. Any shellcode that we insert in the shellcode variable will get executed by our buffer overflow.

We will use msfvenom to create our shell and exclude the bad characters that would stop our shell from executing.

Screenshot from 2018-08-09 07-07-22

Our final result

Screenshot from 2018-08-09 07-08-17

We restart our program and run a handler to catch the connection back to us (I will use msfconsole for simplicity), and we can see that we got a shell back on our attacking machine.

Screenshot from 2018-08-09 07-13-01
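From the defender's side, the stages above leave a recognisable fingerprint on the wire: an FTP command whose argument is far longer than any real username or path, filled with one repeated byte (the fuzzer's A's, the C's of the skeleton, the \x90 NOP padding), and containing bytes outside printable ASCII. The following Python checker is an added example, not something from the post or from mona/msfconsole; it runs over constructed FTP command lines (not captured traffic), and the thresholds MAX_ARG_LEN, MIN_REPEAT_RUN and MIN_NOP_RUN are assumptions to tune against your own baseline.

```python
"""Added example, not from the post: a small checker a defender could run over
FTP command lines (from a packet capture or a verbose server log) to flag the
traffic pattern this write-up produces. Thresholds are assumptions."""

import re

MAX_ARG_LEN = 256      # assumed: legitimate usernames and paths are far shorter
MIN_REPEAT_RUN = 64    # assumed: fuzzer fill ("AAAA...") or skeleton padding
MIN_NOP_RUN = 16       # assumed: shortest \x90 run worth calling a NOP sled

FTP_CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)
NOP_SLED_RE = re.compile(rb"\x90{%d,}" % MIN_NOP_RUN)


def longest_run(data: bytes) -> tuple:
    """Return (byte_value, run_length) for the longest run of a single byte."""
    best_val, best_len = -1, 0
    cur_val, cur_len = -1, 0
    for b in data:
        cur_val, cur_len = (b, cur_len + 1) if b == cur_val else (b, 1)
        if cur_len > best_len:
            best_val, best_len = cur_val, cur_len
    return best_val, best_len


def inspect_ftp_command(line: bytes) -> list:
    """Classify one FTP command line; an empty list means nothing suspicious."""
    line = line.rstrip(b"\r\n")
    m = FTP_CMD_RE.match(line)
    if not m:
        return ["malformed-command"]
    arg = m.group(2) or b""
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append("overlong-argument")
    if longest_run(arg)[1] >= MIN_REPEAT_RUN:
        findings.append("repeated-byte-fill")
    if NOP_SLED_RE.search(arg):
        findings.append("nop-sled")
    if any(b < 0x20 or b > 0x7E for b in arg):
        findings.append("non-printable-bytes")
    return findings


# Constructed sample lines, not captured traffic. The last one mimics the
# layout described in the post: filler up to the offset, a 4-byte placeholder
# where the pointer would go, NOP padding, then dummy bytes standing in for a payload.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS guest@example.invalid\r\n",
    b"USER " + b"A" * 1000 + b"\r\n",
    b"USER " + b"A" * 264 + b"\xef\xbe\xad\xde" + b"\x90" * 16 + b"\xcc" * 50 + b"\r\n",
]


def scan(lines) -> dict:
    """Map each line index to its findings, keeping only lines that were flagged."""
    return {i: f for i, line in enumerate(lines) if (f := inspect_ftp_command(line))}


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_COMMANDS).items():
        print(idx, SAMPLE_COMMANDS[idx][:24], findings)
```

Running this over a real capture means splitting the control channel into lines first; the length check alone would already have caught the fuzzing stage, while the NOP and non-printable checks distinguish an actual exploitation attempt from a misbehaving client.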


References:

https://www.fuzzysecurity.com/tutorials/expDev/2.html

https://en.wikipedia.org/wiki/Buffer_overflow

https://www.phillips321.co.uk/2012/08/02/writing-my-first-exploit-freefloat-ftp/


dmcxblue

Infosec Hobbyist, Wanna Be Red-Teamer, Pentester Dreamer
OSCP | OSWP
GED- In Progress
