KUMEL'S NOTE

knftpd v1.0.0

In a concept if we are finding the application which have SEH protection in our process of an exploit development we must bypass the SEH protection first using POP,POP,RETN instruction and then we have control the EIP register at Next SEH position, but sometimes we must follow the applications flow.
Now we will try to do how to build an exploit with following the applications flow. We will use knftpd-v1.0.0 application. Hem, it's a sounds good to be practice materials in this case. I know if it already exploited in last year and the exploit can be found here, but here i'm trying to explain how to build an exploit at that application.
The application have overflow if we sending an overly long request to Multiple FTP command, so we can create fuzzer like below to have crash in that application :

After we're fuzzing the application, it have crash and the SEHandler overwrited (we can see about SEHandler overwrited with debugger)
Ok, the SEHandler have overwrite, to know on how many byte of our buffer which needed in order to overwrite the SEHandler of that application, we need to generate a pattern and insert it into our fuzzer's buffer. To generate the pattern, we can use metasploit tools, or mona plugin in Immunity Debugger. And then we insert the pattern to our fuzzer's buffer, after we insert the pattern, the fuzzer become :
Send again the fuzzer and now the SEHandler have a value of our generated pattern.
From the pattern_offset we are knowing if the SEHandler was overwrite after 324 byte.
So we will send 322 byte junk, after that we insert jmpshort instruction to the nseh, then insert an offset of the POP,POP,RETN instruction to bypass the SEH protection and then insert junk again as a residual in order to our buffer have values 2000 byte.
Now we search an offset of the POP,POP,RETN instruction, here i'm using mona
Hem, there are four offset which have a good POP, POP, RETN instruction, here i have choose the first offset (0x00403723) and insert it into our fuzzer's buffer, and the fuzzer become :
If we send the fuzzer like above should the SEHandler will have a value of the offset POP POP RETN, but in the fact the SEHandler become :
However if we follow the flow of that application, we will find if EIP register was overwrite like below
EIP register was overwrite with value 41414141, it look like some value of  322 byte first of our buffer. Hem, may be we can generate the pattern again to find how many byte which needed in order to overwrite the EIP register.
and then our fuzzer look like blow :
Now send the fuzzer above and following the flow of that application again, and now our pattern arrive to the EIP register

Now we knew if EIP register was overwrite after 284 byte, and ESP will overwrite after 292 byte, to ensure the fact may be we can generate the fuzzer like below :
And then the result is
DEADBEEF in EIP register, what if we insert an offset of jmp ESP instruction to EIP register? I don't know, but just try it. Here i'm using an offset of jmp ESP instruction from dll which loaded of that application (i'm chose kernel32.dll).
and the fuzzer like as below :
send the fuzzer, and we have landing in the stack of that application

the stack just have 34 byte space, may be it's not so enough if we want to landing the most wanted shellcode, but its so enough to the staged shellcode egghunter (let's say YEAH...!!!)
Ok, we will insert an egghunter at the stack, because the space of this application so low, then we will insert our shellcode in first 324 byte of our buffer.
so the fuzzer become :
Let's fuzzing the application and see whats will happens?