Friday, 28 September 2012

Non-SEH Vulnerability Development

Today we try to learn about non-SEH, or as most people call it, buffer overflow vulnerability development. The application used as the target is WarFTP running on Windows XP SP3.

Tools we used to prepare:
1. WarFTP 1.65
2. Lab (Windows XP SP3 running on VirtualBox)
3. OllyDbg
4. Python

Steps:
1. Fuzzing
Fuzzing is the first step we take to find any vulnerabilities that can be exploited in the application. So now we write a simple fuzzer in Python that sends data to the FTP service (remotely).

2. Connect with the target
Don't forget to run WarFTP on your VirtualBox, because it is our target application LOL...
After that, we can run the fuzzer against the target with the command:
root@bt:~# python fuzzer.py
Then WarFTP on the lab machine should disappear or crash with an error. That means our fuzzer works.

3. Debugger
The next step is to look at the application's memory using OllyDbg. Run WarFTP through OllyDbg,

then run the fuzzer again and look at the difference in the CPU registers.
We can see that the CPU registers are affected by the AAAA... (0x41414141) we sent from the fuzzer. With our values landing in the EIP register, an attacker has the opportunity to control the EIP value and change it as needed.

4. Finding the byte position using Metasploit Framework
Usually we use the pattern_create tool to generate a unique string that replaces the "A" characters sent to the application.

root@bt:/opt/metasploit-4.3.0/msf3/tools# ./pattern_create.rb 1000 > string_pattern.txt

Copy the string from string_pattern.txt into the fuzzer,
run the fuzzer against the application again and look at what OllyDbg shows.
Note the ESP and EIP values, then find the byte positions using the pattern_offset tool.
It returns 485 for the EIP offset and 493 for the ESP offset, which proves that we need 4 bytes to overwrite the EIP register. Next we will overwrite the EIP register with the value DEADBEEF.
Run the fuzzer again;
now the EIP register is overwritten with the DEADBEEF address.

5. JMP ESP
The next strategy is to use JMP ESP. JMP ESP is an instruction that transfers execution to the address held in ESP, which after the overflow points into the data in our buffer, so the EIP value should point to a memory address that contains a JMP ESP instruction. What we have to do now is find a JMP ESP instruction in Shell32.dll using OllyDbg.
Change the DEADBEEF address in the fuzzer to the JMP ESP address 7C9D30F3 and run the fuzzer again; it will look like this:

6. Generate payload
Run these commands from the console,
then open the browser,

generate the payload from the browser and copy the code into the fuzzer. The latest fuzzer then looks like this:

Then run WarFTP again without OllyDbg and run the fuzzer.

After we connect with netcat to the target IP on port 4444, we have penetrated the system. ^^
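The traffic the fuzzer sends in steps 1 to 4 (a long run of 0x41 bytes, then a Metasploit cyclic pattern) is easy to recognise on the wire. Below is an added example, not code from the post, of a small Python check a defender could run over captured FTP command lines to flag such input. The USER command, the thresholds and the sample session are assumptions constructed for the illustration, since the post does not show which command its fuzzer sends.

```python
import re
from typing import Dict, List

# Thresholds are assumptions for this illustration, not values taken from the post.
MAX_ARG_LEN = 256        # WarFTP fell over at roughly 500 bytes, so 256 already deserves a look
MIN_DISTINCT_BYTES = 4   # a long argument made of a single byte value is fuzzer fill, not a login
# Shape of a Metasploit pattern_create string: Aa0Aa1Aa2... (upper, lower, digit, repeated)
CYCLIC_RE = re.compile(r"(?:[A-Z][a-z][0-9]){4,}")


def classify_ftp_command(line: bytes) -> Dict[str, object]:
    """Split one client line into verb and argument and list why it looks like overflow input."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    reasons: List[str] = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized-argument")
    if len(arg) >= 32 and len(set(arg)) < MIN_DISTINCT_BYTES:
        reasons.append("repeated-byte-fill")      # e.g. "A" * 1000 -> 0x41414141 in every register
    if CYCLIC_RE.search(arg.decode("ascii", "replace")):
        reasons.append("cyclic-pattern")          # pattern_create output used to locate the EIP offset
    return {"verb": verb.decode("ascii", "replace").upper(), "arg_len": len(arg), "reasons": reasons}


def scan_session(lines: List[bytes]) -> List[Dict[str, object]]:
    """Return only the commands that triggered at least one reason."""
    return [r for r in (classify_ftp_command(l) for l in lines) if r["reasons"]]


# Constructed sample session (assumption: the fuzzer targets USER). Two normal lines, then the
# 0x41 fill from steps 1-3 and the start of a pattern_create string from step 4.
CONSTRUCTED_SESSION = [
    b"USER alice\r\n",
    b"PASS s3cret\r\n",
    b"USER " + b"A" * 1000 + b"\r\n",
    b"USER Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1\r\n",
]

if __name__ == "__main__":
    for hit in scan_session(CONSTRUCTED_SESSION):
        print(f"{hit['verb']}: {hit['arg_len']} byte argument, reasons={hit['reasons']}")
```

The same check applied to a server-side log of received commands would show the crash-inducing request even when the service itself left no useful trace before dying.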
 
