Smashing the Stack in 2011

Recently, as part of Professor Brumley‘s Vulnerability, Defense Systems, and Malware Analysis class at Carnegie Mellon, I took another look at Aleph One (Elias Levy)’s Smashing the Stack for Fun and Profit article which had originally appeared in Phrack and on Bugtraq in November of 1996.  Newcomers to exploit development are often still referred (and rightly so) to Aleph’s paper.  Smashing the Stack was the first lucid tutorial on the topic of exploiting stack based buffer overflow vulnerabilities.  Perhaps even more important was Smashing the Stack‘s ability to force the reader to think like an attacker.  While the specifics mentioned in the paper apply only to stack based buffer overflows, the thought process that Aleph suggested to the reader is one that will yield success in any type of exploit development.

(Un)fortunately for today’s would be exploit developer, much has changed since 1996, and unless Aleph’s tutorial is carried out with additional instructions or on a particularly old machine, some of the exercises presented in Smashing the Stack will no longer work.  There are a number of reasons for this, some incidental, some intentional.  I attempt to enumerate the intentional hurdles here and provide instruction for overcoming some of the challenges that fifteen years of exploit defense research has presented to the attacker.  An effort is made to maintain the tutorial feel of Aleph’s article.

Read more…

Metasploit Plugin for EasyFTP Server Exploit

Update: The module has been added to the Metasploit tree.  Thanks to jduck for cleaning it up and generalizing it!  View here; now just use svn update to get the module.

—

In my previous post, I detailed my efforts and solution to injecting a Meterpreter payload into a buffer of size 260B.  I mentioned that if I had the time, I would try to port the exploit to Metasploit itself, considering I had targeted my technique for the Metasploit-specific payload anyways.

I found some time and have made my plugin available below.  There’s several things that can be improved in this exploit:

• rewrite the fixRet to occupy less space and to use metasm to compile it on the fly
• use JMP ESP/EBP type addresses to help with porting to other versions of Windows

EasyFTP Server is an obscure FTP server, which makes it great for playing around with memory corruption vulnerabilities, but probably isn’t something anyone is going to see in a pentest any time soon.  I decided against spending the time required to generalize the exploit to versions of Windows beyond XP SP3 English and EasyFTP versions beyond 1.7.0.2.  I ported the exploit as an exercise and also in the hopes that someone may find my experience helpful should they try something similar.

I tested the exploit module against Metasploit 3.4.0-dev, r9112.  If its failing on an older version, try upgrading first.

Get easyftp_cwd_fixret.rb (put it in [your_metasploit_dir]/modules/exploits/windows/ftp)

Cheat sheet:

$ ./msfconsole
use windows/ftp/easyftp_cwd_fixret
set RHOST [target's IP address]
set PAYLOAD [your_payload]
[set options applicable to your payload]
exploit