Topic: Buffer Overflow and Exploit writing (Read 15547 times)
pizza1337 (Full Member, Posts: 156)
Buffer Overflow and Exploit writing
« on: July 08, 2010, 07:29:13 PM »
First time I have done something like this.
A few days ago I decided to write an exploit for this (tftpd32 v2.21); of course I didn't know how to, but whatever. I figured out that I could overwrite EIP, but I didn't know what to do after that, so this morning I looked at some blogs, learned/understood some things and started writing, and finally executed calc.exe. I decided to blog (brag) about it. It's not explained very well, but there are links to other places that have better tutorials on it.
http://t3hgr0up.wordpress.com/2010/07/08/buffer-overflow-and-exploit-writing/
This was fun. I also got The Art of Exploitation, second edition, so I will start messing with Linux too.
Knowledge
Resource is Power.
j0rDy (Hero Member, Posts: 590)
Re: Buffer Overflow and Exploit writing
« Reply #1 on: July 09, 2010, 04:54:01 AM »
Funny, I just started with the buffer overflow chapter of the OSCP course! Great (brag) blog and keep up the good work!
ISC2 Associate, CEH, ECSA, OSCP, OSWP
earning my stripes appears to be a road i must travel alone...with a little help of EH.net
H1t M0nk3y (Hero Member, Posts: 864)
Re: Buffer Overflow and Exploit writing
« Reply #2 on: July 09, 2010, 07:12:25 AM »
I wrote my first exploit about 2 months ago (during OSCP course) and this was a great feeling!
I want to do it again!!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
Agoonie (Full Member, Posts: 176)
Re: Buffer Overflow and Exploit writing
« Reply #3 on: July 09, 2010, 07:22:11 AM »
I agree. Great (brag) blog about buffer overflows. I found another good post about buffer overflows at http://www.madirish.net/?article=215. That makes two great examples of services that can be attacked. NICE work. I can't wait to use the knowledge in the OSCP course.
OSCE, OSCP, OSWP, CISSP, GPEN
www.agoonie.com
zeroflaw (Full Member, Posts: 208)
Re: Buffer Overflow and Exploit writing
« Reply #4 on: July 09, 2010, 10:22:08 AM »
Nice work. I find buffer overflows and coding the most interesting parts about hacking.
ZF
pizza1337 (Full Member, Posts: 156)
Re: Buffer Overflow and Exploit writing
« Reply #5 on: July 09, 2010, 07:48:05 PM »
Thank you. Can someone help me by trying the exploit on XP SP1 and seeing if calc executes? Or else this is fail.
Knowledge
Resource is Power.
Equix3n- (Sr. Member, Posts: 386)
Re: Buffer Overflow and Exploit writing
« Reply #6 on: July 10, 2010, 04:10:31 PM »
Good article pizza1337. I can't help with your problem since I still don't know much about exploit writing. I started learning it some time back but had to stop for a while since I started my eLearnSecurity course. Maybe in 2-3 days, after I cover the buffer overflow module.
I would like you to check the following link Sil pointed me to: pentest.cryptocity.net. They provide videos and slides of their classes for free. The content is very interesting and even beginners will be able to understand it. They also (kind of) refer to Art of Exploitation along with the classes, so that's a plus for you.
Synquell (Full Member, Posts: 169)
Re: Buffer Overflow and Exploit writing
« Reply #7 on: July 12, 2010, 09:52:52 AM »
Nicely done Pizza! I'm looking forward to my first similar experience :-)
And thanks for the link, Equix3n; added to my favourites.
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)
The beginning of knowledge is the discovery of something we do not understand.
H1t M0nk3y (Hero Member, Posts: 864)
Re: Buffer Overflow and Exploit writing
« Reply #8 on: July 12, 2010, 02:03:40 PM »
pizza1337, do you have a link to where I can download and install tftpd32 v2.21?
I may have time tonight or tomorrow to test it on Win XP, SP1 English.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
Equix3n- (Sr. Member, Posts: 386)
Re: Buffer Overflow and Exploit writing
« Reply #9 on: July 12, 2010, 02:56:21 PM »
@H1t M0nk3y This might help: http://tftpd32.jounin.net/tftpd32_download.html
yatz (Full Member, Posts: 222)
Re: Buffer Overflow and Exploit writing
« Reply #10 on: July 12, 2010, 04:23:51 PM »
Nice job pizza1337! Ever since I read the article by n1p I've wanted to try this out but haven't had a chance.
The part I'm a bit confused on, since I've never done this before, is how to get the shellcode you wrote to be used. I'm guessing it is the Perl script that you get at the end; do you just plug it into Metasploit? How do you use the script you wrote in a pentest?
"Live as though you would die tomorrow, learn as though you would live forever."
CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
H1t M0nk3y (Hero Member, Posts: 864)
Re: Buffer Overflow and Exploit writing
« Reply #11 on: July 13, 2010, 06:37:56 AM »
@pizza1337 If I understand you well, you have developed this exploit on Win XP, SP1 and you just want somebody else to validate your work by trying it on a similar machine?
I couldn't test it yesterday but for sure tonight I will have time. I will let you know how it went right after.
@yatz A Buffer Overflow vulnerability is exploited when a user (attacker) enters specially crafted code instead of the expected data. For example, pizza1337 used netcat to send a lot of "A"s to the application using the GET request. This is called fuzzing:
Code:
root@bt:~# ncat -u 192.168.1.6 69
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
This made the application crash. He then replaced the "A"s with his exploit and a payload. He finally created a Perl script to send the exploit to the vulnerable service. He used the Metasploit Framework to generate his payload with this line:
Code:
msfpayload windows/exec cmd=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d' -t c
But if you want to run this exploit, you won't have to use metasploit because no bind or reverse shell will be created. If it works, a calculator will appear on the victim's machine.
Hope it helped
« Last Edit: July 13, 2010, 06:54:35 AM by H1t M0nk3y »
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
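The crash input discussed in this reply is an oversized request to udp/69. As an added example (not pizza1337's script, nor code from the thread or from tftpd32), here is the check a TFTP server should run before copying the filename anywhere, or that an IDS could apply to traffic on udp/69: it parses RFC 1350 RRQ/WRQ datagrams and flags oversized or malformed ones. The MAX_REQUEST and MAX_FILENAME thresholds and the sample packets are assumptions/constructed; note that the raw "GET AAAA..." line typed into ncat above is not a well-formed TFTP request, so this code reports it as malformed rather than as a long filename.

```python
import struct

# RFC 1350 opcodes; only RRQ (1) and WRQ (2) carry a filename field.
REQUEST_OPCODES = {1: "RRQ", 2: "WRQ"}
VALID_MODES = (b"netascii", b"octet", b"mail")
# Assumed thresholds (tune to your environment): real requests are tens of bytes,
# while the crash input in the thread is several hundred "A"s.
MAX_REQUEST = 512
MAX_FILENAME = 255

def parse_request(pkt: bytes):
    """Return (opcode name, filename, mode), or raise ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode not in REQUEST_OPCODES:
        raise ValueError(f"not a request packet (opcode 0x{opcode:04x})")
    fields = pkt[2:].split(b"\x00")
    # A valid request yields filename, mode and the empty piece after mode's NUL.
    if len(fields) < 3:
        raise ValueError("filename or mode not NUL-terminated")
    return REQUEST_OPCODES[opcode], fields[0], fields[1]

def inspect(pkt: bytes) -> dict:
    """Classify one datagram sent to udp/69: the length and content checks a server
    should apply before using the filename, and that a detection rule can mirror."""
    reasons = []
    if len(pkt) > MAX_REQUEST:
        reasons.append(f"datagram {len(pkt)} bytes exceeds {MAX_REQUEST}")
    try:
        op, name, mode = parse_request(pkt)
    except ValueError as err:
        op, name = None, b""
        reasons.append(f"malformed: {err}")
    else:
        if len(name) > MAX_FILENAME:
            reasons.append(f"filename {len(name)} bytes exceeds {MAX_FILENAME}")
        if any(b < 0x20 or b > 0x7E for b in name):
            reasons.append("non-printable bytes in filename")
        if mode.lower() not in VALID_MODES:
            reasons.append(f"unknown transfer mode {mode!r}")
    return {"verdict": "suspicious" if reasons else "ok", "opcode": op,
            "filename_len": len(name), "reasons": reasons}

def build_rrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    """Build a well-formed RRQ (constructed sample input, not captured traffic)."""
    return b"\x00\x01" + filename + b"\x00" + mode + b"\x00"

# Constructed samples: a normal PXE boot request and an oversized one like the thread's.
NORMAL_RRQ = build_rrq(b"pxelinux.0")
OVERSIZED_RRQ = build_rrq(b"A" * 600)
```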
yatz (Full Member, Posts: 222)
Re: Buffer Overflow and Exploit writing
« Reply #12 on: July 13, 2010, 08:24:20 AM »
Quote from: H1t M0nk3y on July 13, 2010, 06:37:56 AM
@yatz A Buffer Overflow vulnerability is exploited when a user (attacker) enters especially crafted code instead of expected data. For example, pizza1337 used netcat to send a lot of "A" to the application using the GET request.
...
But if you want to run this exploit, you won't have to use metasploit because no bind or reverse shell will be created. If it works, a calculator will appear on the victim's machine.
Hope it helped
Ah, yes that makes perfect sense. Maybe I was just not thinking clearly.
I will definitely understand this better in the future.
Thanks!!
"Live as though you would die tomorrow, learn as though you would live forever."
CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
H1t M0nk3y (Hero Member, Posts: 864)
Re: Buffer Overflow and Exploit writing
« Reply #13 on: July 13, 2010, 08:09:07 PM »
OK, I just gave it a try and it didn't work. But that being said, I know what the problem is:
1) I have installed tftpd version 2.21 on Win XP, SP1 English
2) I tried the following (with the proper IP address) just to see if it crashed the application:
Code:
root@bt:~# ncat -u 192.168.1.6 69
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
And it did crash the application. So far, so good!
3) I tried your perl script and although it crashed the application, I didn't get the calc.
4) While I was looking around, I decided to check my version of Windows, just in case. And "dummy me", I was trying it on Windows XP SP2 English!!!
So bottom line, I don't have a WinXP SP1 available, but as soon as I have a minute (in a few weeks probably!!), I will adapt your script to make it work on WinXP SP2...
But good job pizza1337, it's obvious you wrote a nice piece of code!!!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
Jtmalley (Newbie, Posts: 1)
Re: Buffer Overflow and Exploit writing
« Reply #14 on: September 28, 2010, 09:53:04 PM »
Here is a presentation that was given at HackMiami. Many were n00bs when it came to BOF, so it is basic, but it explains it and walks through it completely.
http://www.n00bz.net/storage/presentations/Buffer%20Overflows-HackMiami.pdf
© 2013 The Ethical Hacker Network