EH-Net

First time I have done something like this.
Few days a go I decided to write exploit for this(tftpd32 v2.21), of course I didn't know how to but whatever. I figured out that I could overwrite EIP, I didn't know what to do after that, so this morning I looked at some blogs and learned/understood some things and started writing, and finally executed calc.exe ;). I decided to blog(brag :D) about it. Its not explained very well, but there are links to other places that have better tutorials on it.

http://t3hgr0up.wordpress.com/2010/07/08/buffer-overflow-and-exploit-writing/

This was fun, I also got the art of exploitation second edition, I will start messing with linux too.

funny, i just started with the buffer overflow chapter of the OSCP course! great (brag) blog and keep up the good work!

I wrote my first exploit about 2 months ago (during OSCP course) and this was a great feeling!

I want to do it again!! :)

I agree. Great (brag) blog about buffer overflows.  I found another good post about buffer overflows at (http://www.madirish.net/?article=215).  That makes two great examples of services that can be attacked.  NICE work.  I can't wait to use the knowledge in the OSCP course.  ;D

Nice work 8) I find buffer overflows and coding the most interesting parts about hacking.

Thank you, Can someone help me by trying exploit on XP SP1 and seeing if calc executes? or else this is fail.

Good article pizza1337. I can't help with your problem since I still don't know much about exploit writing. Started learning it some time back but had to stop it for some time since I started my eLearnsecurity course. Maybe after 2-3 days after I cover the buffer overflow module.

I would like yo to check the following link Sil pointed me to pentest.cryptocity.net They provide videos and slides of their classes for free. The content is very interesting and even beginners will be able to understand it. They also (kind of)refer Art of exploitation along with the classes, so that's a plus for you.

Nicely done Pizza! I'm looking forward to my first similar experience :-)
And thx for the link Equix3n, added to my favo's.

pizza1337, do you have a link to where I can download and install tftpd32 v2.21?

I may have time tonight or tomorrow to test it on Win XP, SP1 English.

@H1t M0nk3y
This might help http://tftpd32.jounin.net/tftpd32_download.html

Nice job pizza1337!  Ever since I read the article by n1p I've wanted to try this out but haven't had a chance.

The part I'm a bit confused on since I've never done this before is how to get the shellcode you wrote to be used?  I'm guessing it is the perl script that you get at the end, do you just plug it into metasploit?  How do you use the script you wrote in a pentest?

@pizza1337 If I understand you well, you have developed this exploit on Win XP, SP1 and you just want somebody else to validate your work by trying it on a similar machine?

I couldn't test it yesterday but for sure tonight I will have time. I will let you know how it went right after.

@yatz A Buffer Overflow vulnerability is exploited when a user (attacker) enters especially crafted code instead of expected data. For example, pizza1337 used netcat to send a lot of "A" to the application using the GET request. This is called fuzzing:


This made the application crashed. He then replaced the "A" with his exploit and a payload. He finally created a perl script to send the exploit to the vulnerable service. He used the metasploit framework to generate his payload with this line:

But if you want to run this exploit, you won't have to use metasploit because no bind or reverse shell will be created. If it works, a calculator will appear on the victim's machine.

Hope it helped

Ah, yes that makes perfect sense.  Maybe I was just not thinking clearly.

I will definitely understand this better in the future.

Thanks!!

Ok, I just gave it a try  and it didn't work. But that being said, I know what the problem is:

1) I have installed tftpd version 2.21 on Win XP, SP1 English

2) I tried the following (with the proper IP address) just to see if it crashed the application:
And it did crash the application. So far, so good!

3) I tried your perl script and although it crashed the application, I didn't get the calc.

4) While I was looking around around, I decided to check my version of Windows, just in case. And "dummy me", I was trying it on Windows XP SP2 English!!!  :P

So bottom line, I don't have a WinXP SP1 available, but as soon as I have a minute (in a few weeks probably!!), I will adapt your script to make it work on WinXP SP2...  ;D

But good job pizza1337, it obvious you wrote a nice piece of code!!!

Here is a presentation that was given at HackMiami. Many were n00b when it came to BOf so it is basic but explains it and walks through completely.

http://www.n00bz.net/storage/presentations/Buffer%20Overflows-HackMiami.pdf

Other advanced videos:

http://www.archive.org/details/RECON2008 (http://www.archive.org/details/RECON2008)

http://www.archive.org/search.php?query=recon%202006%20AND%20mediatype%3Amovies (http://www.archive.org/search.php?query=recon%202006%20AND%20mediatype%3Amovies)

http://www.archive.org/search.php?query=recon%202005%20AND%20mediatype%3Amovies (http://www.archive.org/search.php?query=recon%202005%20AND%20mediatype%3Amovies)

I which they could have another conference...