
Advanced Exploitation Techniques - Part 4



Case Studies on Advanced Exploitation Techniques

Tutorial 1 – Hello world, some history

Welcome again. So far we have been studying systems and hacking into them by exploiting the vulnerabilities we discovered. In this module we will go through several case studies, put together as advanced techniques, so that we can gain more knowledge of exploit development and the surrounding areas of this field.

Some History

Buffer overflow exploits are extremely dangerous once they have been exploited successfully and the attacker makes good use of the vulnerability. A long time back, around 1988, there was a worm. It is still considered the first worm, since it gained so much media coverage and notoriety because of its effects; it was written by a student and caused damage of approximately hundreds of millions of dollars.

We have explored egg hunters in enough depth, and we have also gone through exploitation techniques such as buffer overflows. However, there is much more to explore in exploitation: there are many other ways of exploiting an application, although the method of detecting the vulnerability does not differ 100%.

So what are the other ways of exploitation, or the other types of vulnerabilities, that can lead to a system compromise: deploying rootkits, anything that causes serious damage to the victim's machine, or simply owning the box?

There are many other ways an attacker can gain access to the victim machine if the following vulnerabilities can be exploited:

● Heap Overflows
● Format String
● SQL Injections
● Client Side Attacks
● IE Exploitation

These names might be familiar to you; however, they are the most common and still cause serious damage to systems. Techniques like Trojan horses, social engineering and password attacks may still work, but nowadays these types of attacks do not help you out in real-world hacking attempts.

The days have passed when you could simply run a password attack and gain access to routers and Windows machines, or send a file that compromises the system. That is legacy.

However, personally, I have seen in live pen testing where the password for a Cisco router was still “cisco” and the password for a web application admin panel was still “admin”, so idiots are still working in the field of web development and network or system administration.

Sometimes it happens that you can exploit a vulnerability, but the payload you are using does not help you do more damage to the system or fully compromise it.

Let's pay attention to the great payload and most loved part of Metasploit, called Meterpreter. We will exploit a known vulnerability and then explore what advanced options Meterpreter gives us.

Case Study – Meterpreter & PCManFTPD Vulnerability

We downloaded and installed the PCManFTPD server on a Windows XP machine and ran the Metasploit framework to look for an available exploit. The screen below shows the configured options for exploiting this vulnerability.



Okay, here you can see we have one Meterpreter session opened on the victim machine. So what can we do now, after exploiting the vulnerability? This is where it is worthwhile showing the power of Meterpreter. Below are the command groups available for us to play with on this system.

● Core Commands
● File System Commands
● Networking Commands
● System Commands
● User Interface Commands
● Webcam Commands
● Elevate Commands
● Password Database Commands
● Timestomp Commands

Core Commands


File System Commands


Networking Commands


System Commands


User Interface Commands


Web Cam Commands



Elevate, Password & Timestomp Commands


That's the power of Meterpreter, Metasploit's most capable payload. Okay, so what can we do with this? We can dump the contents of the SAM database and crack the passwords later, using Metasploit itself.

We can download or upload any files to and from the victim's system, and we can even take webcam snapshots and videos. You can try and practise all of these commands on your own by simply exploiting any known vulnerability, as we have shown in this case.

Exploring Meterpreter is a detailed exercise. If you want to master Meterpreter and learn more about it, please post a workshop request on the forum and we will develop a dedicated Meterpreter workshop, including other key post-exploitation topics, so that you can enhance your skills after the hack.

Case Study, Exploit Development & Metasploit

Some people still believe that Metasploit is only a penetration testing and hacking tool. It is indeed the most used and best maintained tool in ethical hacking and penetration testing, but it is not just for hacking into systems.

Security researchers use this wonderful tool for exploit development as well. Now, you might wonder how we can use this tool for exploit development. So, as a bonus, here we will run through quick exploit development with Metasploit for the EasyFTP Server.


We will follow quick and short steps to show how this tool can be used for exploit development. As you have already seen at the beginning of the workshop, we used Metasploit for fuzzing, so I will not explain that again here. You have to do it on your own, and don't copy the required information from the available exploits. Okay, we will run an exercise here for you to complete the exploit development for the known vulnerability of EasyFTP Server.

Exercise 1 – Find the rabbit’s foot

Step 1


Use Metasploit for fuzzing, find the point where the application crashes, and post the details of how you did it on the forum. Your main task in step one is finding the offset, so post the offset value you find. It may differ between machines.

You can download the vulnerable application from the link below. If you need any help practising on the vulnerable application, please post on the forum so we can help you; however, don't give up on trying on your own first.

Download Link: http://www.exploit-db.com/exploits/14402/

Step 2

Now, arrange the stack and overwrite the EIP register. If you have read module one and understood the exploit development explained there, then I believe you should be able to do this with little effort. Then find the ESP location.

Post your story on the forum of how you found and overwrote EIP.

Step 3

Now, you should have the following in hand:

1 – The evil buffer to send for crashing the application
2 – The offset value
3 – The ESP location

Step 4

Get your shellcode ready; you can generate one from Metasploit or use the one I used in module 1.

Submit your success story on the forum.

Step 5

We have shown the high-level steps for developing the EasyFTP Server exploit. You can use any technique you want; for your convenience you can use Mona.py for everything you need, but do submit the techniques you used for developing the exploit.

And don't forget to submit your PoC code for others to learn from. I developed one for you and will post it once anyone requests it. You can ask questions via the forum if you are facing any difficulty coding the PoC.
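Both the PCManFTPD case study and the EasyFTP exercise above target FTP servers with overflow-style input, so it is worth seeing what that traffic looks like from the defender's side. The following Python is an added example (not part of the original workshop) that flags commands in an FTP session log whose arguments look like fuzzing or overflow input: overlong, containing non-printable bytes, or made of a long run of one byte. The log format, the thresholds and the sample lines are all assumptions constructed for this example.

```python
import re
import string
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them to the server being protected.
MAX_ARG_LEN = 256   # legitimate FTP arguments (paths, user names) are short
MIN_RUN_LEN = 64    # a long run of one byte (AAAA..., NOP sleds) is a fuzzing/overflow signature
PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}

# Constructed log format (assumption): "<timestamp> <client-ip> <COMMAND> <argument>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<cmd>[A-Za-z]{3,4})(?: (?P<arg>.*))?$")

@dataclass
class Finding:
    ts: str
    client: str
    cmd: str
    arg_len: int
    reason: str

def analyse_line(line):
    """Return a Finding if one logged FTP command looks like an overflow attempt, else None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None          # not in the expected format; a real deployment would count these
    arg = m.group("arg") or ""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append(f"argument length {len(arg)} > {MAX_ARG_LEN}")
    if any(ch not in PRINTABLE for ch in arg):
        reasons.append("non-printable bytes in argument")
    run = re.search(r"(.)\1{%d,}" % (MIN_RUN_LEN - 1), arg)
    if run:
        reasons.append(f"run of {len(run.group(0))} x {run.group(1)!r}")
    if not reasons:
        return None
    return Finding(m.group("ts"), m.group("client"), m.group("cmd").upper(), len(arg), "; ".join(reasons))

def analyse_log(lines):
    # Run analyse_line over a whole session log and keep only the hits.
    return [f for f in map(analyse_line, lines) if f is not None]

# Constructed sample session: a normal login, then two oversized arguments of the kind a fuzzer or overflow exploit sends.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 10.0.0.5 USER anonymous",
    "2024-05-01T09:00:02 10.0.0.5 PASS guest@example.com",
    "2024-05-01T09:00:03 10.0.0.5 CWD /pub",
    "2024-05-01T09:00:04 10.0.0.9 USER " + "A" * 1200,
    "2024-05-01T09:00:05 10.0.0.9 CWD " + "\x90" * 80 + "B" * 40,
]
```

Running `analyse_log(SAMPLE_LOG)` reports only the two lines from 10.0.0.9; the normal login from 10.0.0.5 produces no finding.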
