Exploit Development 2018

Exploit Development 2018


#######################
# VMs for this course #
#######################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
    username: workshop
    password: password

https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts

You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).


#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

- Extract this zip file to your Desktop

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------
nc localhost 9999
-----------------------------------------------------------------------

- In the new command prompt window where you ran nc type:
HELP

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.


- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.


---------------------------Type This-----------------------------------

cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc

vi vulnserv.rb    (paste the code into this file)


cd ~/toolz/metasploit

./msfconsole


use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST CHANGEME-TO-YOUR-WIN7-IP
set RPORT 9999
exploit


---------------------------------------------------------------------------------

Day 1 Homework:
Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Exploit Dev Day 1 Homework" (ex: Joseph - McCray - Exploit Dev Day 1 Homework).

Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_1_Homework.docx" (Joseph_McCray_Exploit_Dev_Day_1_Homework.docx).

NOTE: This is what is required in order to receive your certificate of completion and CPEs.
---------------------------------------------------------------------------------

Day 1 Challenge:
Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of creating a working exploit with WinDBG as the debugger, and using any 2 of the following exploits covered in the links below:
http://www.whitelist1.com/2016/11/xstack-overflow-1-exploiting-slmail.html
http://www.whitelist1.com/2016/11/xstack-overflow-2-exploiting-freesshd.html
http://www.whitelist1.com/2016/11/xstack-overflow-3-exploiting-minishare.html
http://www.whitelist1.com/2016/11/xstack-overflow-4-exploiting-blaze-dvd.html
http://www.whitelist1.com/2016/11/xstack-overflow-5-exploiting-free-float.html
http://www.whitelist1.com/2016/11/stack-overflow-6-exploiting-aviosoft.html
http://www.whitelist1.com/2016/11/stack-overflow-7-exploiting-microp_52.html
http://www.whitelist1.com/2016/11/stack-overflow-8-exploiting-crossfire.html
https://windowsexploit.com/blog/2016/12/29/windows-exploit-slmail

Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_1_Challenge.docx" (Joseph_McCray_Exploit_Dev_Day_1_Challenge.docx).


NOTE:
You can download WinDBG from this link:
First download and install Microsoft .NET Framework 4 Client Profile from:
https://www.microsoft.com/en-us/download/details.aspx?id=24872

Download winsdk_web.exe from the below link.
https://www.microsoft.com/en-us/download/details.aspx?id=8279

Follow next steps for installation from this link:

https://github.com/corelan/windbglib

---------------------------------------------------------------------------------


---------------------------------------------------------------------------------

Day 2 Homework:
Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Exploit Dev Day 1 Homework" (ex: Joseph - McCray - Exploit Dev Day 2 Homework).

Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_2_Homework.docx" (Joseph_McCray_Exploit_Dev_Day_2_Homework.docx).

NOTE: This is what is required in order to receive your certificate of completion and CPEs.
---------------------------------------------------------------------------------

Day 2 Challenge:
Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of creating a working exploit with WinDBG as the debugger, and using any 2 of the following exploits covered in the links below:
http://www.whitelist1.com/2016/11/xstack-overflow-1-exploiting-slmail.html
http://www.whitelist1.com/2016/11/xstack-overflow-2-exploiting-freesshd.html
http://www.whitelist1.com/2016/11/xstack-overflow-3-exploiting-minishare.html
http://www.whitelist1.com/2016/11/xstack-overflow-4-exploiting-blaze-dvd.html
http://www.whitelist1.com/2016/11/xstack-overflow-5-exploiting-free-float.html
http://www.whitelist1.com/2016/11/stack-overflow-6-exploiting-aviosoft.html
http://www.whitelist1.com/2016/11/stack-overflow-7-exploiting-microp_52.html
http://www.whitelist1.com/2016/11/stack-overflow-8-exploiting-crossfire.html
https://windowsexploit.com/blog/2016/12/29/windows-exploit-slmail

Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_2_Challenge.docx" (Joseph_McCray_Exploit_Dev_Day_2_Challenge.docx).

---------------------------------------------------------------------------------


---------------------------------------------------------------------------------

Day 3 Homework:
Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Exploit Dev Day 3 Homework" (ex: Joseph - McCray - Exploit Dev Day 3 Homework).

Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_3_Homework.docx" (Joseph_McCray_Exploit_Dev_Day_3_Homework.docx).

NOTE: This is what is required in order to receive your certificate of completion and CPEs.
---------------------------------------------------------------------------------

Day 3 Challenge:
Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of creating a working exploit with WinDBG as the debugger, and using any 2 of the following exploits covered in the links below:
http://buffered.io/posts/myftpd-exploit-on-windows-7/
https://windowsexploit.com/blog/2017/1/8/exploit-easy-file-sharing-web-server-v-72-remote-seh-based-get-request-overflow
https://ketansingh.net/pwning-with-seh-based-buffer-overflows/

Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_3_Challenge.docx" (Joseph_McCray_Exploit_Dev_Day_3_Challenge.docx).


---------------------------------------------------------------------------------

Day 4 Homework:
Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Exploit Dev Day 4 Homework" (ex: Joseph - McCray - Exploit Dev Day 3 Homework).

Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_4_Homework.docx" (Joseph_McCray_Exploit_Dev_Day_4_Homework.docx).

NOTE: This is what is required in order to receive your certificate of completion and CPEs.
---------------------------------------------------------------------------------

Day 4 Challenge:
Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of creating a working exploit with WinDBG as the debugger, and using any 2 of the following exploits covered in the links below:

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/ (DEP Bypass section of this blog)

Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_4_Challenge.docx" (Joseph_McCray_Exploit_Dev_Day_4_Challenge.docx).