Advertisement
joemccray

Exploit Development 2018

Oct 30th, 2017
1,131
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.91 KB | None | 0 0
  1. Exploit Development 2018
  2.  
  3.  
  4.  
  5.  
  6. #######################
  7. # VMs for this course #
  8. #######################
  9. https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
  10. username: workshop
  11. password: password
  12.  
  13. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
  14. user: infosecaddicts
  15. pass: infosecaddicts
  16.  
  17. You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).
  18.  
  19.  
  20.  
  21.  
  22. #####################################
  23. # Quick Stack Based Buffer Overflow #
  24. #####################################
  25.  
  26. - You can download everything you need for this exercise (except netcat) from the link below
  27. https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
  28.  
  29. - Extract this zip file to your Desktop
  30.  
  31. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  32.  
  33. - Open a new command prompt and type:
  34.  
  35. ---------------------------Type This-----------------------------------
  36. nc localhost 9999
  37. -----------------------------------------------------------------------
  38.  
  39. - In the new command prompt window where you ran nc type:
  40. HELP
  41.  
  42. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
  43. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  44.  
  45. - Now double-click on 1-simplefuzzer.py
  46. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  47.  
  48.  
  49. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  50.  
  51. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  52.  
  53. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  54.  
  55. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  56.  
  57. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  58.  
  59. - Calculate the distance to EIP by running script 3-3000chars.py
  60. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  61.  
  62. 4-count-chars-to-EIP.py
  63. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  64. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  65.  
  66. 5-2006char-eip-check.py
  67. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  68.  
  69. 6-jmp-esp.py
  70. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  71.  
  72. 7-first-exploit
  73. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  74.  
  75. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  76.  
  77.  
  78. ---------------------------Type This-----------------------------------
  79.  
  80. cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc
  81.  
  82. vi vulnserv.rb (paste the code into this file)
  83.  
  84.  
  85. cd ~/toolz/metasploit
  86.  
  87. ./msfconsole
  88.  
  89.  
  90.  
  91. use exploit/windows/misc/vulnserv
  92. set PAYLOAD windows/meterpreter/bind_tcp
  93. set RHOST CHANGEME-TO-YOUR-WIN7-IP
  94. set RPORT 9999
  95. exploit
  96.  
  97.  
  98.  
  99. ---------------------------------------------------------------------------------
  100.  
  101. Day 1 Homework:
  102. Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Exploit Dev Day 1 Homework" (ex: Joseph - McCray - Exploit Dev Day 1 Homework).
  103.  
  104. Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_1_Homework.docx" (Joseph_McCray_Exploit_Dev_Day_1_Homework.docx).
  105.  
  106. NOTE: This is what is required in order to receive your certificate of completion and CPEs.
  107. ---------------------------------------------------------------------------------
  108.  
  109. Day 1 Challenge:
  110. Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of creating a working exploit with WinDBG as the debugger, and using any 2 of the following exploits covered in the links below:
  111. http://www.whitelist1.com/2016/11/xstack-overflow-1-exploiting-slmail.html
  112. http://www.whitelist1.com/2016/11/xstack-overflow-2-exploiting-freesshd.html
  113. http://www.whitelist1.com/2016/11/xstack-overflow-3-exploiting-minishare.html
  114. http://www.whitelist1.com/2016/11/xstack-overflow-4-exploiting-blaze-dvd.html
  115. http://www.whitelist1.com/2016/11/xstack-overflow-5-exploiting-free-float.html
  116. http://www.whitelist1.com/2016/11/stack-overflow-6-exploiting-aviosoft.html
  117. http://www.whitelist1.com/2016/11/stack-overflow-7-exploiting-microp_52.html
  118. http://www.whitelist1.com/2016/11/stack-overflow-8-exploiting-crossfire.html
  119. https://windowsexploit.com/blog/2016/12/29/windows-exploit-slmail
  120.  
  121. Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_1_Challenge.docx" (Joseph_McCray_Exploit_Dev_Day_1_Challenge.docx).
  122.  
  123.  
  124. NOTE:
  125. You can download WinDBG from this link:
  126. First download and install Microsoft .NET Framework 4 Client Profile from:
  127. https://www.microsoft.com/en-us/download/details.aspx?id=24872
  128.  
  129. Download winsdk_web.exe from the below link.
  130. https://www.microsoft.com/en-us/download/details.aspx?id=8279
  131.  
  132. Follow next steps for installation from this link:
  133.  
  134. https://github.com/corelan/windbglib
  135.  
  136. ---------------------------------------------------------------------------------
  137.  
  138.  
  139.  
  140.  
  141.  
  142.  
  143.  
  144.  
  145.  
  146. ---------------------------------------------------------------------------------
  147.  
  148. Day 2 Homework:
  149. Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Exploit Dev Day 1 Homework" (ex: Joseph - McCray - Exploit Dev Day 2 Homework).
  150.  
  151. Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_2_Homework.docx" (Joseph_McCray_Exploit_Dev_Day_2_Homework.docx).
  152.  
  153. NOTE: This is what is required in order to receive your certificate of completion and CPEs.
  154. ---------------------------------------------------------------------------------
  155.  
  156. Day 2 Challenge:
  157. Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of creating a working exploit with WinDBG as the debugger, and using any 2 of the following exploits covered in the links below:
  158. http://www.whitelist1.com/2016/11/xstack-overflow-1-exploiting-slmail.html
  159. http://www.whitelist1.com/2016/11/xstack-overflow-2-exploiting-freesshd.html
  160. http://www.whitelist1.com/2016/11/xstack-overflow-3-exploiting-minishare.html
  161. http://www.whitelist1.com/2016/11/xstack-overflow-4-exploiting-blaze-dvd.html
  162. http://www.whitelist1.com/2016/11/xstack-overflow-5-exploiting-free-float.html
  163. http://www.whitelist1.com/2016/11/stack-overflow-6-exploiting-aviosoft.html
  164. http://www.whitelist1.com/2016/11/stack-overflow-7-exploiting-microp_52.html
  165. http://www.whitelist1.com/2016/11/stack-overflow-8-exploiting-crossfire.html
  166. https://windowsexploit.com/blog/2016/12/29/windows-exploit-slmail
  167.  
  168. Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_2_Challenge.docx" (Joseph_McCray_Exploit_Dev_Day_2_Challenge.docx).
  169.  
  170. ---------------------------------------------------------------------------------
  171.  
  172.  
  173.  
  174.  
  175.  
  176.  
  177. ---------------------------------------------------------------------------------
  178.  
  179. Day 3 Homework:
  180. Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Exploit Dev Day 3 Homework" (ex: Joseph - McCray - Exploit Dev Day 3 Homework).
  181.  
  182. Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_3_Homework.docx" (Joseph_McCray_Exploit_Dev_Day_3_Homework.docx).
  183.  
  184. NOTE: This is what is required in order to receive your certificate of completion and CPEs.
  185. ---------------------------------------------------------------------------------
  186.  
  187. Day 3 Challenge:
  188. Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of creating a working exploit with WinDBG as the debugger, and using any 2 of the following exploits covered in the links below:
  189. http://buffered.io/posts/myftpd-exploit-on-windows-7/
  190. https://windowsexploit.com/blog/2017/1/8/exploit-easy-file-sharing-web-server-v-72-remote-seh-based-get-request-overflow
  191. https://ketansingh.net/pwning-with-seh-based-buffer-overflows/
  192.  
  193. Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_3_Challenge.docx" (Joseph_McCray_Exploit_Dev_Day_3_Challenge.docx).
  194.  
  195.  
  196.  
  197.  
  198.  
  199. ---------------------------------------------------------------------------------
  200.  
  201. Day 4 Homework:
  202. Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of everything that we have covered so far. Make the subject of the email "First Name - Last Name - Exploit Dev Day 4 Homework" (ex: Joseph - McCray - Exploit Dev Day 3 Homework).
  203.  
  204. Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_4_Homework.docx" (Joseph_McCray_Exploit_Dev_Day_4_Homework.docx).
  205.  
  206. NOTE: This is what is required in order to receive your certificate of completion and CPEs.
  207. ---------------------------------------------------------------------------------
  208.  
  209. Day 4 Challenge:
  210. Send Ivana an email ivana{a-t}strategicsec{d-o-t}.com with a word document that contains screenshots of creating a working exploit with WinDBG as the debugger, and using any 2 of the following exploits covered in the links below:
  211.  
  212. https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/ (DEP Bypass section of this blog)
  213.  
  214. Also be sure to name the attached file "FirstName_LastName_Exploit_Dev_Day_4_Challenge.docx" (Joseph_McCray_Exploit_Dev_Day_4_Challenge.docx).
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement