Buffer Overflow and Exploit writing

Viewing 15 reply threads
  • Author
    Posts
    • #5305
      pizza1337
      Participant

      First time I have done something like this.
      Few days a go I decided to write exploit for this(tftpd32 v2.21), of course I didn’t know how to but whatever. I figured out that I could overwrite EIP, I didn’t know what to do after that, so this morning I looked at some blogs and learned/understood some things and started writing, and finally executed calc.exe ;). I decided to blog(brag :D) about it. Its not explained very well, but there are links to other places that have better tutorials on it.

      http://t3hgr0up.wordpress.com/2010/07/08/buffer-overflow-and-exploit-writing/

      This was fun, I also got the art of exploitation second edition, I will start messing with linux too.

    • #33589
      j0rDy
      Participant

      funny, i just started with the buffer overflow chapter of the OSCP course! great (brag) blog and keep up the good work!

    • #33590
      caissyd
      Participant

      I wrote my first exploit about 2 months ago (during OSCP course) and this was a great feeling!

      I want to do it again!! 🙂

    • #33591
      Darktaurus
      Participant

      I agree. Great (brag) blog about buffer overflows.  I found another good post about buffer overflows at (http://www.madirish.net/?article=215).  That makes two great examples of services that can be attacked.  NICE work.  I can’t wait to use the knowledge in the OSCP course.  ;D

    • #33592
      zeroflaw
      Participant

      Nice work 8) I find buffer overflows and coding the most interesting parts about hacking.

    • #33593
      pizza1337
      Participant

      Thank you, Can someone help me by trying exploit on XP SP1 and seeing if calc executes? or else this is fail.

    • #33594
      Xen
      Participant

      Good article pizza1337. I can’t help with your problem since I still don’t know much about exploit writing. Started learning it some time back but had to stop it for some time since I started my eLearnsecurity course. Maybe after 2-3 days after I cover the buffer overflow module.

      I would like yo to check the following link Sil pointed me to pentest.cryptocity.net They provide videos and slides of their classes for free. The content is very interesting and even beginners will be able to understand it. They also (kind of)refer Art of exploitation along with the classes, so that’s a plus for you.

    • #33595
      Anquilas
      Participant

      Nicely done Pizza! I’m looking forward to my first similar experience 🙂
      And thx for the link Equix3n, added to my favo’s.

    • #33596
      caissyd
      Participant

      pizza1337, do you have a link to where I can download and install tftpd32 v2.21?

      I may have time tonight or tomorrow to test it on Win XP, SP1 English.

    • #33597
      Xen
      Participant
    • #33598
      yatz
      Participant

      Nice job pizza1337!  Ever since I read the article by n1p I’ve wanted to try this out but haven’t had a chance.

      The part I’m a bit confused on since I’ve never done this before is how to get the shellcode you wrote to be used?  I’m guessing it is the perl script that you get at the end, do you just plug it into metasploit?  How do you use the script you wrote in a pentest?

    • #33599
      caissyd
      Participant

      @pizza1337 If I understand you well, you have developed this exploit on Win XP, SP1 and you just want somebody else to validate your work by trying it on a similar machine?

      I couldn’t test it yesterday but for sure tonight I will have time. I will let you know how it went right after.

      @yatz A Buffer Overflow vulnerability is exploited when a user (attacker) enters especially crafted code instead of expected data. For example, pizza1337 used netcat to send a lot of “A” to the application using the GET request. This is called fuzzing:

      root@bt:~# ncat -u 192.168.1.6 69
      GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

      This made the application crashed. He then replaced the “A” with his exploit and a payload. He finally created a perl script to send the exploit to the vulnerable service. He used the metasploit framework to generate his payload with this line:

       msfpayload windows/exec cmd=calc.exe R | msfencode -a x86 -b ‘x00x0 ax0d’ -t c

      But if you want to run this exploit, you won’t have to use metasploit because no bind or reverse shell will be created. If it works, a calculator will appear on the victim’s machine.

      Hope it helped

    • #33600
      yatz
      Participant

      @H1t M0nk3y wrote:

      @yatz A Buffer Overflow vulnerability is exploited when a user (attacker) enters especially crafted code instead of expected data. For example, pizza1337 used netcat to send a lot of “A” to the application using the GET request.

      But if you want to run this exploit, you won’t have to use metasploit because no bind or reverse shell will be created. If it works, a calculator will appear on the victim’s machine.

      Hope it helped

      Ah, yes that makes perfect sense.  Maybe I was just not thinking clearly.

      I will definitely understand this better in the future.

      Thanks!!

    • #33601
      caissyd
      Participant

      Ok, I just gave it a try  and it didn’t work. But that being said, I know what the problem is:

      1) I have installed tftpd version 2.21 on Win XP, SP1 English

      2) I tried the following (with the proper IP address) just to see if it crashed the application:

      root@bt:~# ncat -u 192.168.1.6 69
      GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

      And it did crash the application. So far, so good!

      3) I tried your perl script and although it crashed the application, I didn’t get the calc.

      4) While I was looking around around, I decided to check my version of Windows, just in case. And “dummy me”, I was trying it on Windows XP SP2 English!!!  😛

      So bottom line, I don’t have a WinXP SP1 available, but as soon as I have a minute (in a few weeks probably!!), I will adapt your script to make it work on WinXP SP2…  ;D

      But good job pizza1337, it obvious you wrote a nice piece of code!!!

    • #33602
      Jtmalley
      Participant

      Here is a presentation that was given at HackMiami. Many were n00b when it came to BOf so it is basic but explains it and walks through completely.

      http://www.n00bz.net/storage/presentations/Buffer%20Overflows-HackMiami.pdf

    • #33603
      caissyd
      Participant
Viewing 15 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2022 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?