Description: Once you get into exploit development, you’d soon realize the simplicity of the exploit development process.
To start with, a buffer overflow condition generally causes the target application to crash.
I first load up a simple Python-based fuzzer script and attempt to fuzz a free FTP server called ‘FreeFloat FTP Server’ which is hosted on a machine in my lab with the IP of 192.168.72.129.
The program stops responding to our FTP requests after 300 A’s after the USER command.
We then load the program into Immunity Debugger and attempt to replicate the crash once again; once it has crashed we notice that EIP has been completely overwritten with ‘41414141’, which is the hex equivalent of the letter A.
For simplicity’s sake we decide to export the target IP address and port number to our local environment variables so that the potential of entering the wrong IP is minimized.
We then load up Metasploit’s ‘Pattern Create’ tool to create a unique string that helps us identify the exact position in the buffer at which the EIP overwrite occurs, which turned out to be 230.
We then modify our buffer to include 230 A’s followed by ‘DEADBEEF’ as the address that overwrites EIP. The rest of our buffer also overflows into the memory that ESP points at, which means that if we overwrite EIP with the address of an instruction ‘JMP ESP’, the next instruction executed will hopefully be the one residing at ESP.
We then send all hex bytes (minus \x00, as it would kill our TCP connection to the FTP server) and attempt to identify any bad characters that may be included in our shellcode later on.
Metasploit is then opened with the console interface and we begin to create test shellcode, while excluding the bad characters from the payload that will run the Windows calculator application. As the payload will be encoded we had to add 8 NOPs to our buffer so that there was sufficient room for the payload to decode itself.
Once the test shellcode was added we tested our exploit which successfully crashed the program but at the same time executed our code and opened the Windows calculator.
Back in Metasploit we create a Windows reverse shell payload, again excluding the bad characters that we had previously found, and write all the hex bytes to a file called ‘shellcode’ which we then open with gedit.
We then replace the test Windows calculator payload with the first stage of our newly created staged Windows reverse shell payload to complete our exploit.
Then we set up a Metasploit listener on port 4444 for a staged Windows reverse shell and execute our exploit, which results in the target machine connecting back to our machine. As we chose a staged payload, our machine delivers stage 2 of the payload, creating a full reverse Windows command prompt on our machine, and from then on we have full control over that session.
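From the defender’s side, the traffic described above has an obvious signature: a USER command carrying a few hundred bytes of one repeated character, followed by a return address and NOP padding that are not printable ASCII. The following is an added detection example, not code from the video or from FreeFloat FTP Server; it scans client-to-server FTP command lines for oversized arguments, long runs of one byte, and non-printable bytes. The sample session, the 256-byte and 64-byte thresholds and the byte values in it are constructed for illustration.

```python
"""Flag FTP command lines whose arguments look like buffer-overflow attempts.

Added detection example (not from the original page). Assumes a captured list
of raw client->server FTP command lines as bytes; thresholds are assumptions.
"""
from dataclasses import dataclass, field

MAX_ARG_LEN = 256   # assumed: no legitimate username or password is this long
MAX_RUN_LEN = 64    # assumed: 64+ identical bytes in a row is fuzzer/padding behaviour


@dataclass
class Finding:
    line_no: int
    command: str
    arg_len: int
    reasons: list = field(default_factory=list)


def _longest_run(data: bytes) -> int:
    """Return the length of the longest run of a single repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def analyse_command(line_no: int, raw: bytes):
    """Return a Finding for one FTP command line, or None if it looks benign."""
    line = raw.rstrip(b"\r\n")
    cmd, _, arg = line.partition(b" ")
    if not cmd.isalpha():
        return None  # not a well-formed FTP verb; out of scope for this check
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized_argument")
    if _longest_run(arg) >= MAX_RUN_LEN:
        reasons.append("repeated_byte_run")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non_printable_bytes")  # e.g. a raw address or NOP sled
    if not reasons:
        return None
    return Finding(line_no, cmd.decode("ascii", "replace").upper(), len(arg), reasons)


def scan_session(lines):
    """Scan a list of raw command lines and return all findings in order."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        f = analyse_command(n, raw)
        if f:
            findings.append(f)
    return findings


# Constructed sample session: two normal commands, two that mirror the
# fuzzing and crash-replication traffic described above, then a clean QUIT.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"USER " + b"A" * 300 + b"\r\n",                                  # fuzzer run
    b"USER " + b"A" * 230 + b"\xef\xbe\xad\xde" + b"\x90" * 8 + b"\r\n",  # padded address + NOPs
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command} arg_len={f.arg_len} "
              f"reasons={','.join(f.reasons)}")
```

Run against the constructed session it reports lines 3 and 4 only. In practice the same three checks can be applied at a network sensor before the server parses the command, since the vulnerable parse is exactly what you want to happen after the alert rather than before it.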
Files used can be found at http://www.thexero.co.uk/downloads/exploit-files.zip
For educational purposes only!
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.