Finally, after preparing OllyDbg and WarFTP on our machine, its time to put reverse engineering in action.
What I do in this post is based on my teacher book titled "Harmless Hacking". Lets get started.
- Start your Windows XP machine.
- WarFTPD and install on your Windows OllyDbg, for OllyDbg can be found at / reverse-enginering/ollydbg/.
- Open WarFTP and start its service by clicking Properties> Start Service
Lets check the connection using nc
# Nc 172.16.227.128 21
- Lets do some fuzzing first. Make a python file with this code inside.
type in the terminal:
nano fuzzer.py
Spoiler:
- and open OllyDbg and choose File - attach - find warftpd - attach
- after running a new type F9 on the keyboard or the play button in OllyDbg
Lets execute the fuzzer (Make sure that you can see the machine window to see what happened at the software when we execute the fuzzer), type in terminal :
# python fuzzer.py
Ok, next is the debugging process. Prepare your OllyDbg.
if you see this then you have successfully made the crash in warftpd
At this point WarFTP can't start because its user configuration file as the results from our fuzzing process before is broken. To repair it, simply delete a file called "FtpDaemon.dat" at the folder where you install WarFTP. If you install it in the default directory, it should be located at C:\Program Files\War-ftpd.
Start again your WarFTP. It should be running correctly.
- Create a new user by clicking this button below the menu bar.
- Ok, attack the software using the fuzzer again. But before that, don't forget to start WarFTP service again.
- Lets see what happened at WarFTP by running it in OllyDbg.
- Start your OllyDbg and attach to the WarFTP service
- Attack again with the fuzzer and see what happen to the WarFTP and OllyDbg.
- Before using OllyDbg we can't see what happened with the WarFTP, but after using it, we can see what happened.
- As you can see EIP register is fully overwritten. This is dangerous because as you know, EIP stored what command that will be executed.
Next step is to find where byte is EIP register overwritten. To help us find it, we can use metasploit.
- One of metasploit tools 'pattern_create' can create a structured dummy data. This will help us locate the real string in the packet data sent by our fuzzer.
- Enter metasploit tools directory
# cd /pentest/exploits/framework/tools/
- To create a 1000 bytes data, execute this command.
# ./pattern_create.rb 1000 > string_pattern.txt
Next, change the fuzzer code with the generated string.
Spoiler:
-Run fuzzer newly created and see what happens to OllyDbg.
- Next, we use another metasploit tool called 'pattern_offset'. This tool is used to calculate byte created by pattern_create. The location is the same as pattern_create
- To execute the command, just add the value in the ESP and EIP after the command
type:
#. / Pattern_offset.rb 32714131
485
#. / Pattern_offset.rb q4Aq5Aq
493.
- As you can see, to reach EIP register 485 bytes data is needed and to reach ESP register 493 bytes data is needed.
- Modify the fuzzer script that we've created before.
Spoiler:
if you like the above, then you will succeed.
-Next, we try to overwrite the ESP register.
- Once again, modify the fuzzer code.
Spoiler:
At this point, we've gain the control over ESP and EIP registers.
- Next thing that we must do is find out the location of the process that read the stack in the memory. To do this, we can use 'JMP ESP' to help us. JMP ESP is a command used by the application to read the data inside the buffer memory.
- So, how to find JMP ESP in WarFTP. Using the help of OllyDbg' module we can do that easily.
- Start your OllyDbg and attach to the WarFTP service.
- Click View > Executable modules, a window showing all library used by WarFTP while running.
- We will choose shell32.dll as the target. Double click it.
- After that, at the main window right click > search for > command, Enter 'JMP ESP' in the search box.
- Transform the offset memory address to a little endian.
In my case, 7C9D30D7 will be \xD7\x30\x9D\x7C
- Modify the fuzzer again.
Spoiler:
-As you notice here, EIP register's value changed into 00AFFD59. Why? because EIP store the command that will be executed next. To make sure address 7C9D30D7 is really read by EIP.
- Give a breakpoint at 7C9D30D7, run the fuzzer and watch the result in OllyDbg.
- how, right click - then select the breakpoint - memory - a check mark on the menu - ok
Now you can see, OllyDbg preventing access to address 7C9D30D7. EIP value 7C9D30D7.
- Next thing we must do is creating a payload to be inserted in the fuzzer. We will use msfweb to generate the payload code.
- Enter the msfweb directory located in the framework2, type on terminal :
# cd /pentest/exploits/framework2
- then
# ./msfweb
- Open the address on web browser and type on address bar : 127.0.0.1:55555
- Click "PAYLOADS" on the menu because we only want to create payload.
- Filter the list by choosing "os::win32" at the filter options.
- I'll use windows bind shell.
- Fill out the required fields and when you're ready click "Generate"
- Then, we will insert the code given in the fuzzer.
- Or copy my fuzzer :
Spoiler:
- Open WarFTP normally without OllyDbg
- Run the fuzzer above
- Connect to the machine using telnet through the created port.
# telnet 172.16.227.128 4444
"The Quieter You Become, The More You Are Able To Hear"
Try Harder
0 komentar:
Posting Komentar