Thursday, July 7, 2011

More Buffer Overflows

It has been over a month since my last post. It has been a really busy time. When they say the most important resource is time, they are not kidding. Anyway, in that time I have continued to go to exploitdb to practice. I was able to get some basic stack overflows going on two FTP server programs, easyftp and war-ftpd. I have been using a test OS of Windows XP SP3. Most of the exploits seem to center around Win XP SP2. It would be better to try different service packs, I guess. Next, I want to find more SEH exploits. It was fun trying to figure out how to jump around in the stack. Again, go to http://www.corelan.be/ for information about buffer overflows and infosec in general. Great stuff. With easyftp, I was only able to fit the "net user add" payload. Mannnn, it was a small buffer space. However, in war-ftpd, the buffer was much larger and I was able to fit a Windows reverse shell. I have to say, the reverse shell is the best. Just a side note: I have noticed that I have had a lot of success when the payload is encoded with "ShikataGaNai". It might help someone else, so I figured I would mention it.

Just in case you thought I let it go, nope. The paper is still on. Of course, the new hacker groups that have come out have made this an excellent paper to write. ;-) I mean, I thought of this before two groups even came out in the media. Not that they were not there the whole time. I just needed more time to get the thoughts together and more anecdotal evidence to make it more credible. With everything that is going on, I should probably just post it by the end of the year so I can get all the hacks that will probably come recorded.