Skip to main content

Exploit Development Windows Part - 1


Exploit Development Windows 

Introduction

           In the field of ethical hacking, or penetration testing, exploit development forms the core of these fields, however, not every hacker or security professional is sound in exploit development.
What usually happens is security professionals and so-called hackers use the exploits, which are developed by the security researchers and available on the Internet and are just a Google search away.

Prerequisites

      Exploit development requires the thorough understanding of assembly language and how it works on different platforms and different operating systems.

     You also need to be a good programmer or, at a minimum, you understand the programming logic and can write your own code in any of the object-oriented programming languages.

        Exploiting software requires hands-on practice with different tools and techniques. For our workshop, we will be focused on how to write exploits with Metasploit Framework, Immunity Debugger and its wonderful plugin called “Mona.py” so, in summary, you need to have a better understanding of the following:

• Assembly Language Concepts
• One Object-Oriented Programming Language Concepts
• Buffer overflows
• Immunity Debugger and “Mona.py”
• Fuzzers and Fuzzing
• Metasploit Framework

Understanding the Basics

   To let you concentrate on the exploit development, we will try to cover the prerequisites within our workshop but only to the level we feel that you should be comfortable with the concepts so that you don’t need to waste your time in hitting searches on these topics.

Assembly Language Concepts

     Assembly language itself is a huge topic to explain and understand and it cannot be covered in one workshop. However, we will cover the useful set of available instructions. The full instruction set is large and complex. Basically, assembly language is dependent upon the instruction set and the architecture of the processor.

The basic syntax of assembly program can be divided into three sections.

• The Data section
• The bss section
• The text section

The Data Section

     The Data section is used for declaring initializing data or constants. This data does not change at run time. It is useful to declare file names or buffer size in the section of the assembly program.

The bss section

This section is mainly used for declaring the variables.

section .bss

The text section

     The text section is used for keeping the actual code. It sounds strange but that’s the reality of assembly language. This section must begin with the declaration of global start, which tells the kernel where the program execution begins.

section .text

             global _start

_start:

Assembly Statements

Statements in assembly language are categorized in three types, as follows:

• Executable instructions or simply instructions
• Assembler directives or pseudo-ops
• Macros

Instructions tell the processor what to do, each instruction consists of an operation code [opcode] and each instruction generates one machine language instruction.

Assembler directives tell the assembler about the different aspects of the assembly process. These are non-executable and do not generate machine language instructions.

Macros are nothing but simply the text substitution mechanism.

Syntax of assembly statements

    In any programming language, there is a mechanism of writing the code, which is termed as the syntax of the programming language. Assembly also has a set way of communicating with the machine.

[label]       mnemonic               [operands]                 [; comments]

  Following are some examples of assembly instructions for your better understanding.



    This is just the beginning of assembly key terminologies and doesn’t cover the details. There are some more key topics that you should understand in order to be comfortable with exploit development. In reality, exploit development is the field of experts only and this workshop will drop you inside the circle of exploit development where you can further enhance your skills to be an expert.

Assembly Registers

   Registers are used in order to speed up the processing; they store data elements for processing without having to access the memory. Processor registers are of different types with different functionalities to perform. In exploit development, key registers are basically Pointer registers called EIP, ESP and EBP registers where “E” stands for extended.

Instruction Pointer stores the offset address of the next instruction to be executed. This pointer plays a key role in exploit development, which you will realize once you complete this workshop.
[Keep a note somewhere]

Stack Pointer provides the offset value within the program stack. Stack pointer in association with SS register refers to the current position of data r address within the program stack.

Base Pointer helps in referencing the parameter variables passed to a subroutine.


Object oriented Programming Language

       Languages like “C”, “Perl” & “Python” are commonly used in exploit development. It is up to you to select and practice in any one of these languages. This is very important as it’s not only becoming master in any one programming language but it’s equally important to be familiar with the syntax of other programming languages.

     What matters more is that you should be an expert in the programing concepts, and comfortable with how software code works and how to code and control the exploitation by simply writing a small piece of software code in any programming language.

Buffer Overflows

     It takes no time to learn about buffer overflows if you just search with Google. However, you would not be able to clearly grasp the key concepts behind these two words “buffer overflows.” Let’s just quickly and very simply help you understand buffer overflow.

Have you ever tried filling a cup with a coffee? Or a glass with water?

Or putting any liquid into any container?

    What happens when you put more and more? The water will start overflowing after some time over the boundaries of the glass and it happens when it can not hold more water, and it’s because they run out of capacity.

“Buffer is nothing but a memory location and it overflows when you put more data into the buffer.”


Food for thought:

Now, the question is why the buffer overflows? Why doesn’t it understand that I
am running out of storage capacity? Why hasn’t it stopped accepting more and
more data?






Answer: insecure programming.



   Using buffer overflows against the variables on the stack is sometimes called stack overflows, and more often is called the smashing the stack. Stack overflows are widely popular and exploited in majority.

Immunity Debugger & Mona.py

    This is a very powerful debugger with functionalities to support exploit development, malware analysis, reverse engineering and much more. Professionals widely use this in the field of security assessments and malware analysis. Experts in the security industry use this debugger to develop exploits as it reduces the exploit development time nearly by 40%. (Claimed by the industry)

It’s a GUI based tool and also supports command line all the time.

  “Mona.py” is the plugin for Immunity Debugger written by Corelan Team. So far, it is the best of the best tool in the exploit development history, which makes the exploit development much easier and saves a lot of time.

    By using Mona.py with Immunity debugger, you can easily develop exploits in the format of Metasploit Exploits. This functionality of Mona.py makes your life easy, as it is just a use of predefined commands in Mona.py.

    You can also easily find the memory locations to point to for your shellcode. This will be further explored in the upcoming modules where we will first be discovering a known vulnerability and then writing an exploit code with the help of Immunity Debugger and the wonderful plugin Mona.py and the Metasploit functionalities.

Fuzzers and Fuzzing

    In the science of exploit development, the interesting things start when you start looking for something unusual or you force the application to behave unusual and give errors. To achieve this, security professionals have developed tools called fuzzer. By using a fuzzer, security professionals provide invalid and unexpected data to the inputs of an application accepting data input by any means.

  What fuzzers typically do is simply test an application for buffer overflows, format string, directory traversal attacks, command execution vulnerabilities, SQL Injection, XSS and more. The whole process is simply named as fuzzing, so nothing like rocket science.

Metasploit Framework

    Metasploit framework has provided enough power for exploit module development. Normally, newcomers in the field of penetration testing & ethical hacking don’t have any idea how powerful this Metasploit framework is, what they do is simply look for remote-exploits available in Metasploit framework.

“In any exploit development cycle, the key steps involve fuzzing, EIP control, shellcode development, finding EIP offset and then packing everything together in a piece of code called exploit.”

    Metasploit provides all these features and makes it much easier for us to develop a new exploit. Metasploit comes up with pre-developed Fuzzers for fuzzing different protocols.

     Among the many powerful features of Metasploit, one of the greatest features is its power and ease of use for its code re-use functionality of existing code.

    When you start fuzzing any application, there are certain challenges to face. You don’t know if the application is really vulnerable to buffer overflows and what length of data you can send which will cause a buffer overflow and, most importantly, how you will know that the application has really stopped working and you can control the flow of application as you want.

Exploit Development Life Cycle

           So far, you are a bit familiar with the concepts and techniques explained. Let’s focus more on the key concepts and on the actual process of discovering the vulnerability in an application and then exploiting the discovered vulnerability.

       Exploit development life cycle, and step-by-step approach to write exploits.

Popular posts from this blog

Haking On Demand_WireShark - Part 5

Detect/Analyze Scanning Traffic Using Wireshark “Wireshark”, the world’s most popular Network Protocol Analyzer is a multipurpose tool. It can be used as a Packet Sniffer, Network Analyser, Protocol Analyser & Forensic tool. Through this article my focus is on how to use Wireshark to detect/analyze any scanning & suspect traffic. Let’s start with Scanning first. As a thief studies surroundings before stealing something from a target, similarly attackers or hackers also perform foot printing and scanning before the actual attack. In this phase, they want to collect all possible information about the target so that they can plan their attack accordingly. If we talk about scanning here they want to collect details like: • Which IP addresses are in use? • Which port/services are active on those IPs? • Which platform (Operating System) is in use? • What are the vulnerabilities & other similar kinds of information. • Now moving to some popular scan methods and ho
Read more

Bypassing Web Application Firewall Part - 2

WAF Bypassing with SQL Injection HTTP Parameter Pollution & Encoding Techniques HTTP Parameter Pollution is an attack where we have the ability to override or add HTTP GET/POST parameters by injecting string delimiters. HPP can be distinguished in two categories, client-side and server-side, and the exploitation of HPP can result in the following outcomes:  •Override existing hardcoded HTTP parameters  •Modify the application behaviors   •Access and potentially exploit uncontrollable variables  • Bypass input validation checkpoints and WAF rules HTTP Parameter Pollution – HPP   WAFs, which is the topic of interest, many times perform query string parsing before applying the filters to this string. This may result in the execution of a payload that an HTTP request can carry. Some WAFs analyze only one parameter from the string of the request, most of the times the first or the last, which may result in a bypass of the WAF filters, and execution of the payload in the server.  Let’s e
Read more

Bypassing Web Application Firewall Part - 4

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was
Read more