Sunday, February 5, 2012

Buffer Overflow - Direct Return - WarFTP Application

With a buffer overflow an attacker can take over a system by building an exploit for an application the target runs. In this article I will walk through a direct-return buffer overflow against the WarFTP application on Windows XP SP3. The first step is to write a fuzzer for the target application; this time the fuzzer is a Python script.


After building the fuzzer we fuzz the target. The following shows the state of the application before fuzzing.


Now I run the fuzzer prepared earlier. Since it is a Python script, run it with python <fuzzer name>. After running the fuzzer:


Compare the state of the WarFTP application, and the OllyDbg monitoring view, before and after fuzzing.


After fuzzing we see an error in the target application, which means the fuzzing reached the target. This first fuzzing run is what determines whether the target is affected or not. Of all the steps, writing the fuzzer took me the longest, because I had to make sure it ran correctly.


After the first phase of fuzzing we need to delete the .DAT and .BAK files in the WarFTP directory so the application can be restarted after the crash caused by fuzzing. After deleting the files, run WarFTP again and add a user to it. Once the new user is added, modify the fuzzer script to fill the buffer with a unique character pattern generated by Metasploit's pattern_create.rb.


After generating the pattern with Metasploit, we insert the resulting string into the previous fuzzer script by modifying its buffer.


After adding the string to the fuzzer, fuzz again as before and see what happens.



Now we can see that EIP and ESP have been overwritten by the pattern characters the fuzzer inserted into the buffer. The position of EIP is the jump target of our overflow: we change EIP to the address of ESP by modifying the fuzzer script to enter the ESP address.


After modifying the fuzzer and fuzzing again, the value of EIP should change to DEADBEEF. In fact any hex value (characters A through F) can be used; the fuzzer writes it in little-endian order, meaning the value is split into two-character blocks (bytes) that are written in reverse order. The modification to the fuzzer script can be seen below. After this fuzzing run the result is as follows:
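The offset-finding step above in working form, as an added example that is not the post's own fuzzer: a pattern_create.rb-style cyclic pattern generator, an offset finder that reads the EIP value the way the debugger displays it (little-endian), and the little-endian packing of a value such as DEADBEEF. This is the crash-triage step that tells you which four bytes of the input reached EIP; the EIP reading in the comments and the pattern length are constructed, not taken from the post.

```python
import struct

UPPER = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = b"abcdefghijklmnopqrstuvwxyz"
DIGIT = b"0123456789"


def cyclic_pattern(length: int) -> bytes:
    """pattern_create.rb style: unique Upper/lower/digit triples, cut to length."""
    if length > len(UPPER) * len(LOWER) * len(DIGIT) * 3:
        raise ValueError("pattern would repeat beyond 20280 bytes")
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                out += bytes((u, l, d))
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def eip_to_memory_bytes(eip_hex: str) -> bytes:
    """The debugger shows EIP as a 32-bit number; on x86 its bytes sit in memory reversed."""
    return struct.pack("<I", int(eip_hex, 16))


def pattern_offset(pattern: bytes, eip_hex: str) -> int:
    """Offset in the pattern of the four bytes that landed in EIP, or -1 if not found.

    Like pattern_offset.rb: try the little-endian reading first, then the
    literal reading in case the value was copied in ASCII order.
    """
    needle = eip_to_memory_bytes(eip_hex)
    idx = pattern.find(needle)
    if idx < 0:
        idx = pattern.find(needle[::-1])
    return idx


def little_endian(value: int) -> bytes:
    """Pack a 32-bit value as the post describes: two hex characters per byte, bytes reversed."""
    return struct.pack("<I", value)


if __name__ == "__main__":
    pat = cyclic_pattern(1000)
    # Constructed debugger reading (not from the post): EIP = 32714131
    print("offset:", pattern_offset(pat, "32714131"))                  # 485
    print("DEADBEEF little-endian:", little_endian(0xDEADBEEF).hex())  # efbeadde
```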


At this point we can conclude that the address placed by the fuzzer successfully overwrites EIP, which means we control the EIP address. Now what happens if we change the EIP address and redirect the execution sequence? Of course it changes the sequence of instructions the processor executes, and this can be used to run a backdoor or other exploit. Next we fill the buffer with a payload, for which we need a tool to generate a Metasploit payload; in this case I used the web-based MSFWEB of Metasploit Framework 2 to generate it.


Open MSFWEB and search the Windows payloads; in this instance I generate a SHELL BIND payload. This payload opens a shell on the target. Other payloads can also be used, for example a COMMAND payload that executes an application such as Calculator, but this time I chose the bind shell payload because it takes over the computer more completely.

Generating the payload produces the output string to be used in the buffer, like this:


After getting the bind shell payload I do not reuse the fuzzer that went through the earlier modifications; instead I make a copy of the fuzzer script, named exploitwarftp, that inserts the same number of characters as before and places the payload in the buffer.


After creating the final exploit with the target EIP, I run it with the command python exploitwarftp.py


Switch to Windows XP to see what happens to the application after sending the final exploit.



The application crashes, and in this state Windows has been exploited. To prove it, telnet to the Windows XP IP address on port 4444, the port chosen when generating the payload; in this case the terminal command is telnet 192.168.56.101 4444 and the result is


Running telnet automatically drops us into a shell, and the attacker is now in a Windows XP shell. The payload can be substituted: if the aim is only to prove that the application is vulnerable and exploitable, a different payload from the one in the example can be used, for instance a Command payload set to execute the calculator application, so that after WarFTP is exploited the calculator program appears instead.
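From the defender's side, an added example that is not part of the post: the input a fuzzer like the one above sends (hundreds of filler bytes, a cyclic pattern, raw address and payload bytes) stands out clearly in an FTP server's command log. The detector below scans constructed log lines in an assumed format of `date time client-ip COMMAND argument` (not WarFTP's real log format) and flags arguments that are oversized, contain non-printable bytes, or consist of long runs of one byte; the thresholds and the choice of USER as the fuzzed command in the sample are assumptions.

```python
import re

# Assumed log format (constructed, not WarFTP's real format):
#   <date> <time> <client-ip> <COMMAND> [<argument>]
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) ([A-Za-z]{3,4})(?: (.*))?$", re.DOTALL)
MAX_ARG_LEN = 128   # assumption: legitimate usernames and paths are far shorter
MAX_BYTE_RUN = 32   # cyclic patterns have no runs; "A" * N filler does


def argument_anomalies(arg: str) -> list:
    """Reasons why an FTP command argument looks like overflow fuzzing; empty if none."""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"argument length {len(arg)} > {MAX_ARG_LEN}")
    if any(not (0x20 <= ord(c) <= 0x7E) for c in arg):
        reasons.append("non-printable bytes in argument (raw addresses or payload)")
    if re.search(r"(.)\1{%d,}" % (MAX_BYTE_RUN - 1), arg):
        reasons.append(f"run of {MAX_BYTE_RUN}+ identical bytes (filler)")
    return reasons


def scan_ftp_log(lines) -> list:
    """Return (client, command, reasons) for every suspicious log line."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparsed lines are skipped, not alerted
        _ts, client, cmd, arg = m.groups()
        reasons = argument_anomalies(arg or "")
        if reasons:
            alerts.append((client, cmd.upper(), reasons))
    return alerts


# Constructed sample lines: one legitimate session followed by three fuzzing-style requests.
SAMPLE_LOG = [
    "2012-02-05 10:01:02 192.168.56.1 USER ftpuser",
    "2012-02-05 10:01:03 192.168.56.1 PASS ********",
    "2012-02-05 10:01:04 192.168.56.1 LIST /pub",
    "2012-02-05 10:07:41 192.168.56.1 USER " + "A" * 600,                 # plain filler
    "2012-02-05 10:09:12 192.168.56.1 USER " + "Aa0Aa1Aa2Aa3" * 40,       # cyclic pattern
    "2012-02-05 10:11:30 192.168.56.1 USER " + "A" * 100 + "\xef\xbe\xad\xde" + "\x90" * 20,
]

if __name__ == "__main__":
    for client, cmd, reasons in scan_ftp_log(SAMPLE_LOG):
        print(f"{client} {cmd}: " + "; ".join(reasons))
```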

IS2C © 2012 Blog's Student | is2c