276 ◾ Ethical Hacking and Penetration Testing Guide
This was the simplest code I could come up with to demonstrate the exploit. We import the socket and sys libraries; next we create a socket with the socket() method and assign it to the variable s, which is used to call the other methods. This is essential if we want to connect to an IP address on a particular port. We next define a variable named buffer, which holds the 700 As that will be sent to the FTP server.

Next we use the connect method to connect to the target host running an FTP server on port 21. The connect method takes two values, the IP address and the port (passed together as one tuple). In the very next line we use the send method to send the buffer as the argument of the USER command; the buffer contains 700 As. In the next line we see s.recv(1024); this is used to receive the server's reply, up to 1024 bytes at a time. We do the same with the PASS command, then send BYE to exit the FTP server, and finally call the close() method to close the connection.
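The same traffic seen from the server side: a control-channel monitor that flags a USER or PASS command whose argument is far longer than any real credential, the exact pattern the skeleton above produces. This is an added example, not code from the book; the session lines, the 128-character limit (MAX_ARG_LEN) and the Finding record are constructed for illustration.

```python
# Added example, not from the book: flag oversized USER/PASS arguments on an
# FTP control channel. Thresholds and sample traffic below are constructed.
from dataclasses import dataclass

MAX_ARG_LEN = 128                 # assumption: no legitimate credential is longer
CHECKED_COMMANDS = {"USER", "PASS"}


@dataclass
class Finding:
    line_no: int
    command: str
    arg_len: int
    dominant_byte: str            # most common character in the argument
    dominant_ratio: float         # share of the argument made up of that character


def parse_command(line: str):
    """Split one client-to-server FTP line into (COMMAND, argument)."""
    line = line.rstrip("\r\n")
    if not line:
        return None
    parts = line.split(" ", 1)
    return parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def inspect_session(lines):
    """Return a Finding for every checked command whose argument exceeds MAX_ARG_LEN."""
    findings = []
    for n, line in enumerate(lines, 1):
        parsed = parse_command(line)
        if parsed is None:
            continue
        cmd, arg = parsed
        if cmd in CHECKED_COMMANDS and len(arg) > MAX_ARG_LEN:
            # A single repeated byte (e.g. 700 x 'A') is the signature of a crash
            # probe rather than a typo in a long password.
            most = max(set(arg), key=arg.count)
            findings.append(Finding(n, cmd, len(arg), most, arg.count(most) / len(arg)))
    return findings


# Constructed sample session: a normal login followed by the 700-A probe.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "PASS guest@example.org\r\n",
    "BYE\r\n",
    "USER " + "A" * 700 + "\r\n",
    "PASS " + "A" * 700 + "\r\n",
    "BYE\r\n",
]

if __name__ == "__main__":
    for f in inspect_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.command} argument of {f.arg_len} bytes, "
              f"{f.dominant_ratio:.0%} '{f.dominant_byte}'")
```

The dominant-byte ratio is what separates a probe like this one from a merely long but legitimate argument; a value of 1.0 means the whole argument is one repeated character.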
This time we attach a debugger to see exactly what happens when our application crashes; we use Immunity Debugger. To attach our process to the debugger we go to File → Attach and select the desired process, which in this case is our FTP server running on port 21. Alternatively, you can go to File → Open and select the application to launch it from the debugger.
This is how the FTP server looks when you open it inside the debugger. Don't get overwhelmed by the assembly code; the registers in the pane on the right are our area of focus.
Windows Exploit Development Basics ◾ 277
We click the "Play" button to start the application from within the debugger. When the application is running, we execute our exploit skeleton from our BackTrack machine, which causes the application to crash.
But that's from the outside; let's see what our debugger reports to us. We can see that the EIP register has been overwritten with our buffer (0x41 is the hex value of the ASCII character A, so 41414141 is four As). EIP stands for extended instruction pointer register and is the holy grail for hackers because it holds the offset of the next instruction to be executed. In this case we are able to control the EIP; this means that we will also be able to control the next instruction executed by the computer. We can also see that the registers ESP and EDI point into our buffer; this is also a very good sign, since now there are three registers we can control.
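To make the two observations above mechanical (a register whose value is the buffer byte repeated, versus a register that points at memory holding the buffer), here is a small crash-triage helper. It is an added example, not from the book or Immunity Debugger: the register dump mimics the layout of the debugger's register pane, and the addresses and stack snapshot are constructed.

```python
# Added example, not from the book: triage a register dump after the crash.
# Register values, addresses and the memory snapshot are constructed.
MARKER = b"A"                      # the byte the skeleton sends; 0x41 in hex


def parse_registers(dump: str) -> dict:
    """Parse 'NAME HEXVALUE' lines, as shown in the debugger's register pane."""
    regs = {}
    for line in dump.strip().splitlines():
        name, value = line.split()
        regs[name.upper()] = int(value, 16)
    return regs


def overwritten_with(value: int, marker: bytes) -> bool:
    """True when all four bytes of a 32-bit register equal the marker byte."""
    return value.to_bytes(4, "little") == marker * 4


def points_into_marker(value: int, memory: dict, marker: bytes, min_run: int = 4) -> bool:
    """True when the register holds an address whose bytes in the snapshot are the marker."""
    for base, blob in memory.items():
        if base <= value < base + len(blob):
            off = value - base
            run = blob[off:off + min_run]
            return len(run) == min_run and run == marker * min_run
    return False


def triage(dump: str, memory: dict, marker: bytes = MARKER) -> dict:
    """Classify registers: overwritten by the buffer, or pointing into it."""
    regs = parse_registers(dump)
    return {
        "overwritten": sorted(r for r, v in regs.items() if overwritten_with(v, marker)),
        "pointing_into_buffer": sorted(
            r for r, v in regs.items() if points_into_marker(v, memory, marker)),
    }


# Constructed register pane: EIP holds four As; ESP and EDI hold stack addresses.
SAMPLE_DUMP = """
EAX 00000000
ECX 0012F700
EDX 00000000
EBX 00000000
ESP 0012F7A4
EBP 0012FF80
ESI 00000000
EDI 0012F7C0
EIP 41414141
"""

# Constructed stack snapshot: 64 bytes of our buffer starting at 0x0012F7A4.
SAMPLE_MEMORY = {0x0012F7A4: MARKER * 64}

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, SAMPLE_MEMORY)
    print("overwritten with buffer:", result["overwritten"])
    print("pointing into buffer:  ", result["pointing_into_buffer"])
```

The distinction matters: a register that equals 41414141 has been overwritten by the buffer itself (this is what the EIP shows), while ESP and EDI still hold valid addresses that happen to land inside the buffer, which is why the book counts three controlled registers rather than one.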