Sunday, 05 February 2012



First open OllyDbg, then open the file and select WarFTP.
After that, run it, and once WarFTP is open click its run button to start the service.
Then, in BT, type the command:


After that, run xfuzz.py
with the command python xfuzz.py
and look at the results.



When WarFTP is opened without OllyDbg, a message like the following appears.
Open OllyDbg again, open the file and select WarFTP, then add a new user and click OK.

Then run WarFTP and, in your BT, type nc 192.168.56.101 21.
Then, in another shell, run xfuzz.py.

And WarFTP crashes; here we can see how EIP looks.






Then type the following command
and open string_pattern.txt with kwrite.


Before that, you have to copy the contents of string_pattern.txt
and paste them into xfuzz.py,
following a pattern like this:

Then save it.


After that, run it again, as in the previous process.
The memory registers of the WarFTP application are now filled with the string that was put into the fuzzer,
and here we can see that EIP has changed from before.


Here we can calculate how many bytes of data there are from the start of the pattern to the string contained in it
by typing the following command:



After that, go back to xfuzz.py and add the EIP value;
remember that the s.send there is also changed to the EIP value.



Re-run xfuzz with the same process.
Below we can see that the value of EIP has changed again.


Then open xfuzz.py again
and add more buffer:
buffer += "\x90" * (493 - len(buffer))   # pad with NOPs up to 493 bytes
buffer += "\xCC" * (1000 - len(buffer))  # fill the rest up to 1000 bytes with INT3 (0xCC) breakpoints

Then run the fuzzer again, as in the previous process,
and note the values that appear in the registers and stack windows in OllyDbg; they will look like this:

In OllyDbg, click View and select Executable modules;
it will appear as below.

Double-click shell32.dll,
then search for JMP ESP with right click --> Search --> type in the command JMP ESP, and then Find.


After that, an address appears for the JMP ESP: 7C9D30D7.
Go back to xfuzz.py again
and edit the buffer += line to buffer += "\xD7\x30\x9D\x7C"

After that, run the fuzzer again in the same way as before.
Here we see: why does the value of EIP not change to 7C9D30D7...?
The EIP register value has changed to the address that will be executed; to determine whether the address 7C9D30D7 has actually reached the EIP register, you can set a breakpoint in the debugging process.


After that, make the payload using msfweb.

Above, you can select the category os :: win32,
after that select windows shell bind.


Here you fill in the following columns:


Then generate the payload, and it will appear below.
You can copy the script below into xfuzz.py, starting from \x



and paste it into xfuzz.py like below, adding it with buffer +=


After that, run xfuzz.py, but this time run WarFTP outside of OllyDbg.


Then run the following command:


