Sunday, January 23, 2011

Exploiting NIPrint using ncat

This post covers the exploitation of the NIPrint service using the ncat command.
Download the NIPrint executable from the link: http://www.computerdefense.org/class/nidemo.exe
Download the Immunity Debugger executable from the link:
http://debugger.immunityinc.com/register.html after providing some basic details.
After installing both programs in the VMware workstation, start the debugger and NIPrint, then start both services (the local and the remote print service) under the ‘configuration’ tab and the ‘general setting’ menu item. Also install nmap on the host machine so that the ncat command is available.
From the host machine, open a command prompt and run ncat <IP address of remote machine> 515. This opens a command line for user input. Keep entering A’s, repeating the above command, until NIPrint on the remote machine crashes.
Here Immunity Debugger is used to catch the exploit: when we attach the NIPrint application to the debugger, any exploit attempt pauses the application, so we can track the exploit as it happens.
Moreover, the number of A’s required to trigger the stack buffer overflow in NIPrint is calculated using pattern_create.rb and pattern_offset.rb. The first file generates a string of distinct characters, and the second calculates the position of a given sequence within that string. We find the exact number of characters required by checking, in Immunity Debugger, which input characters overwrote the EIP pointer. That value is the offset, i.e. the total number of input characters before EIP that are needed to overflow the buffer in the NIPrint program.
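As an added illustration (not the author's code, and not the Metasploit scripts themselves), the following Python reimplements the idea behind pattern_create.rb and pattern_offset.rb for crash triage: generate a cyclic pattern in which every 3-byte window is unique, then map the EIP value read back from the debugger to the offset in the input. The EIP value in the example is constructed, not taken from a real NIPrint crash.

```python
from itertools import product
import string

# Maximum length of a pattern with unique 3-byte windows:
# 26 uppercase * 26 lowercase * 10 digits, each triple 3 bytes long.
MAX_PATTERN_LEN = 26 * 26 * 10 * 3


def pattern_create(length):
    """Cyclic pattern in the style of pattern_create.rb:
    Aa0Aa1Aa2...Aa9Ab0Ab1... The digit varies fastest, then the
    lowercase letter, then the uppercase letter, so no 3-byte window
    (and therefore no 4-byte register value) repeats."""
    if length > MAX_PATTERN_LEN:
        raise ValueError("pattern exhausted: max length is %d" % MAX_PATTERN_LEN)
    triples = []
    for upper, lower, digit in product(string.ascii_uppercase,
                                       string.ascii_lowercase,
                                       string.digits):
        triples.append(upper + lower + digit)
        if len(triples) * 3 >= length:
            break
    return "".join(triples)[:length]


def pattern_offset(eip_hex, length):
    """Given EIP as displayed by the debugger (e.g. '61413161' or
    '0x61413161') after sending pattern_create(length), return the
    offset of the bytes that landed in EIP, or -1 if EIP does not
    contain pattern bytes (e.g. 0x41414141 from a run of plain A's).
    x86 is little-endian, so the register bytes are reversed before
    searching the pattern."""
    clean = eip_hex.lower().replace("0x", "")
    try:
        raw = bytes.fromhex(clean)[::-1].decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return -1
    return pattern_create(length).find(raw)


if __name__ == "__main__":
    # Constructed example: pattern[4:8] == "a1Aa", which a little-endian
    # x86 register displays as 0x61413161.
    print(pattern_create(12))              # Aa0Aa1Aa2Aa3
    print(pattern_offset("61413161", 12))  # 4
```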
