Well this post will be some kind of “buffer overflow exploiting for dummies”. In buffer overflow based exploits what we do is overwrite important parts of the program’s memory by sending an extra large buffer of data to the program via the network, a program control box, input, etc. When our buffer overwrites the program’s memory we are able to redirect the execution flow of the program and run injected code into it.
First of all we have to detect wich part of the program can be exploited and used to overwrite the memory. The process of doing that is called “fuzzing”. We can find several fuzzers for various protocols inside the metasploit framework.
In this example we’ll be fuzzing an ftp server with metasploit:
After running the fuzzer for few minutes, the program gets crashed as we can see:
And if we look at the metasploit window we can see the length of the crashing buffer.
After analizing all lines of the output we can see that the program gets crashed after sending a buffer larger than 250 via the USER command on the ftp server.
We can recreate that crash manually using python
Now, we’ll re-launch the attack, but first we’ll attach the FTP SERVER process into a debugger, we’ll use OLLYDBG
After launching the attack, we can inmediately see that ESP, EDI and EIP registers have been overwriten.
After doing a quick research anyone can realize that EIP controls the execution flow of the program, if we can overwrite EIP we can manually redirect the execution flow of the program. So EIP points to the next address to be executed.
At this point we need to know at wich length of the buffer EIP gets overwritten. We can create a pattern with pattern_create in metasploit and use it as a buffer to know the position of the 4 bytes that will overwritte EIP.
We add that to our exploit and run it again
Now we can see the pattern all along the memory of the program.
Now we just have to use pattern_offset to know the exact position of our 4 bytes(just paste the 4 bytes inside the EIP as an argument of the script).
As ESP is overwritten just after EIP we can craft a skeleton exploit like this:
And if we re-launch it and look inside OLLY we can see that it works perfectly
And ESP is overwritten just after EIP
So what we need inside EIP? We’ll place our evil shellcode just after we overwrite EIP so all we need to do here is a simple JMP ESP.
Remember, EIP will contain the address of the next instruction to be executed, so what we have to do here is to search an address that will contain a JMP ESP. We can search for that in OLLY (inside the E tab)
A simple command search will give us an address
And now let’s copy it’s address
The last thing we’ll need to add inside our exploit will be the shellcode to be executed after launching the attack. We can generate shellcode with metasploit
Now our exploit will look like this. Be aware of the ENDIAN of your CPU in this case we’ll use litle endian for the EIP register
And now if we laucn the attack one more time, we get our shellcode running
Nice, now we can generate another piece of shellcode to perform a different task.
We can generate a reverse shell shellcode to get access to our victims box
Add it into our exploit
And run the exploit one last time.
HINT: Be aware of the bad characters, if your exploit code gets cut in the midle of the buffer, it can happen due to the badchars. Badchars are characters like “\xa0” “\|x00” etc that cut your shellcode, you must find it by testing and avoid it’s presence on your shellcode. You are warned!