
Buffer Overflow and Exploit writing

pizza1337

Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Thu Jul 08, 2010 7:29 pm

Buffer Overflow and Exploit writing

First time I have done something like this.
A few days ago I decided to write an exploit for this (tftpd32 v2.21); of course I didn't know how to, but whatever. I figured out that I could overwrite EIP, but I didn't know what to do after that, so this morning I looked at some blogs, learned/understood some things and started writing, and finally executed calc.exe ;). I decided to blog (brag :D) about it. It's not explained very well, but there are links to other places that have better tutorials on it.

http://t3hgr0up.wordpress.com/2010/07/0 ... t-writing/

This was fun. I also got The Art of Exploitation, second edition, so I will start messing with Linux too.
Knowledge Resource is Power.
j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Fri Jul 09, 2010 4:54 am

Re: Buffer Overflow and Exploit writing

Funny, I just started with the buffer overflow chapter of the OSCP course! Great (brag) blog, and keep up the good work!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Fri Jul 09, 2010 7:12 am

Re: Buffer Overflow and Exploit writing

I wrote my first exploit about 2 months ago (during OSCP course) and this was a great feeling!

I want to do it again!! :)
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
Darktaurus

Full Member

Posts: 181

Joined: Thu Sep 03, 2009 8:48 am

Post Fri Jul 09, 2010 7:22 am

Re: Buffer Overflow and Exploit writing

I agree. Great (brag) blog about buffer overflows. I found another good post about buffer overflows at (http://www.madirish.net/?article=215). That makes two great examples of services that can be attacked. NICE work. I can't wait to use the knowledge in the OSCP course. ;D
OSCE, OSCP, OSWP, CISSP, GPEN

www.agoonie.com
zeroflaw

Full Member

Posts: 208

Joined: Fri Feb 12, 2010 10:41 am

Location: Holland, Den Helder

Post Fri Jul 09, 2010 10:22 am

Re: Buffer Overflow and Exploit writing

Nice work 8) I find buffer overflows and coding the most interesting parts of hacking.
ZF
pizza1337

Full Member

Posts: 156

Joined: Mon Mar 08, 2010 5:29 pm

Post Fri Jul 09, 2010 7:48 pm

Re: Buffer Overflow and Exploit writing

Thank you. Can someone help me by trying the exploit on XP SP1 and seeing if calc executes? Or else this is a fail.
Knowledge Resource is Power.
Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Sat Jul 10, 2010 4:10 pm

Re: Buffer Overflow and Exploit writing

Good article, pizza1337. I can't help with your problem since I still don't know much about exploit writing. I started learning it some time back but had to stop for a while since I started my eLearnSecurity course. Maybe in 2-3 days, after I cover the buffer overflow module.

I would like you to check the following link Sil pointed me to: pentest.cryptocity.net. They provide videos and slides of their classes for free. The content is very interesting and even beginners will be able to understand it. They also (kind of) refer to Art of Exploitation along with the classes, so that's a plus for you.
Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Mon Jul 12, 2010 9:52 am

Re: Buffer Overflow and Exploit writing

Nicely done Pizza! I'm looking forward to my first similar experience :-)
And thx for the link Equix3n, added to my favo's.
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Mon Jul 12, 2010 2:03 pm

Re: Buffer Overflow and Exploit writing

pizza1337, do you have a link to where I can download and install tftpd32 v2.21?

I may have time tonight or tomorrow to test it on Win XP, SP1 English.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Mon Jul 12, 2010 2:56 pm

Re: Buffer Overflow and Exploit writing

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Mon Jul 12, 2010 4:23 pm

Re: Buffer Overflow and Exploit writing

Nice job pizza1337! Ever since I read the article by n1p I've wanted to try this out but haven't had a chance.

The part I'm a bit confused on, since I've never done this before, is how to get the shellcode you wrote to be used. I'm guessing it is the perl script that you get at the end; do you just plug it into metasploit? How do you use the script you wrote in a pentest?
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jul 13, 2010 6:37 am

Re: Buffer Overflow and Exploit writing

@pizza1337 If I understand you well, you have developed this exploit on Win XP, SP1 and you just want somebody else to validate your work by trying it on a similar machine?

I couldn't test it yesterday but for sure tonight I will have time. I will let you know how it went right after.

@yatz A Buffer Overflow vulnerability is exploited when a user (attacker) enters specially crafted code instead of the expected data. For example, pizza1337 used netcat to send a lot of "A"s to the application using the GET request. This is called fuzzing:

  Code:
root@bt:~# ncat -u 192.168.1.6 69
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


This made the application crash. He then replaced the "A"s with his exploit and a payload. He finally created a perl script to send the exploit to the vulnerable service. He used the metasploit framework to generate his payload with this line:
  Code:
msfpayload windows/exec cmd=calc.exe R | msfencode -a x86 -b '\x00\x0a\x0d' -t c


But if you want to run this exploit, you won't have to use metasploit because no bind or reverse shell will be created. If it works, a calculator will appear on the victim's machine.

Hope it helped
Last edited by caissyd on Tue Jul 13, 2010 6:54 am, edited 1 time in total.
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
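A defender-side counterpart to the fuzzing step described in the post above, added here as an example that is not part of the thread or of tftpd32: a small Python inspector that parses a UDP payload sent to port 69 as a TFTP request (RFC 1350 layout) and flags the kinds of input the test sent, namely a non-TFTP opcode in front of "GET" and an overlong or single-byte-repeated filename. The 128-byte filename limit and the sample packets are constructed assumptions, not values from the thread.

```python
import struct

# TFTP opcodes from RFC 1350; only RRQ and WRQ carry a client-supplied filename.
RRQ, WRQ = 1, 2
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
# Assumed policy limit (not from the thread): RFC 1350 puts no bound on the
# filename, so a defender picks a length that legitimate clients never reach.
MAX_FILENAME = 128
ALLOWED_MODES = {b"netascii", b"octet", b"mail"}


def inspect_tftp_request(payload: bytes) -> list:
    """Return findings for one UDP payload sent to port 69; [] means it looks sane."""
    findings = []
    if len(payload) < 4:
        return ["too short to be a TFTP packet"]
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in OPCODES:
        # Typing "GET AAAA..." into ncat puts the ASCII bytes "GE" where the opcode
        # belongs, so the datagram is not TFTP at all, merely aimed at the port.
        findings.append("unknown opcode 0x%04x (first bytes %r)" % (opcode, payload[:2]))
    if opcode in (RRQ, WRQ) or opcode not in OPCODES:
        fields = payload[2:].split(b"\x00")        # layout: filename | 0 | mode | 0
        filename = fields[0]
        mode = fields[1].lower() if len(fields) > 1 else b""
        if len(filename) > MAX_FILENAME:
            findings.append("filename length %d exceeds %d" % (len(filename), MAX_FILENAME))
        if len(filename) >= 16 and len(set(filename)) == 1:
            findings.append("filename is %d repeats of %r" % (len(filename), bytes([filename[0]])))
        if mode not in ALLOWED_MODES:
            findings.append("unexpected transfer mode %r" % mode)
    return findings


def suspicious_requests(packets):
    """Map source -> findings for every (source, payload) pair that was flagged."""
    result = {}
    for src, data in packets:
        findings = inspect_tftp_request(data)
        if findings:
            result[src] = findings
    return result


# Constructed sample traffic; not captured from anyone's test machine.
SAMPLE_PACKETS = [
    ("10.0.0.5:50001", b"\x00\x01boot.cfg\x00octet\x00"),             # legitimate RRQ
    ("10.0.0.9:50002", b"GET " + b"A" * 280 + b"\n"),                  # what ncat sends
    ("10.0.0.9:50003", b"\x00\x01" + b"A" * 300 + b"\x00octet\x00"),   # overlong filename
]
```

Any non-empty result is worth an alert; on a real sensor the payload would come from a capture filter on UDP destination port 69.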
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Tue Jul 13, 2010 8:24 am

Re: Buffer Overflow and Exploit writing

H1t M0nk3y wrote:@yatz A Buffer Overflow vulnerability is exploited when a user (attacker) enters specially crafted code instead of the expected data. For example, pizza1337 used netcat to send a lot of "A"s to the application using the GET request.

...

But if you want to run this exploit, you won't have to use metasploit because no bind or reverse shell will be created. If it works, a calculator will appear on the victim's machine.

Hope it helped


Ah, yes, that makes perfect sense. Maybe I was just not thinking clearly.

I will definitely understand this better in the future.

Thanks!!
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jul 13, 2010 8:09 pm

Re: Buffer Overflow and Exploit writing

Ok, I just gave it a try and it didn't work. But that being said, I know what the problem is:

1) I have installed tftpd version 2.21 on Win XP, SP1 English

2) I tried the following (with the proper IP address) just to see if it crashed the application:
  Code:
root@bt:~# ncat -u 192.168.1.6 69
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

And it did crash the application. So far, so good!

3) I tried your perl script and although it crashed the application, I didn't get the calc.

4) While I was looking around, I decided to check my version of Windows, just in case. And "dummy me", I was trying it on Windows XP SP2 English!!! :P

So bottom line, I don't have a WinXP SP1 available, but as soon as I have a minute (in a few weeks probably!!), I will adapt your script to make it work on WinXP SP2...  ;D

But good job pizza1337, it's obvious you wrote a nice piece of code!!!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
Jtmalley

Newbie

Posts: 1

Joined: Tue Sep 28, 2010 9:46 pm

Post Tue Sep 28, 2010 9:53 pm

Re: Buffer Overflow and Exploit writing

Here is a presentation that was given at HackMiami. Many were n00bs when it came to BOF, so it is basic, but it explains it and walks through it completely.

http://www.n00bz.net/storage/presentati ... kMiami.pdf