Advertisement
joemccray

Exploit Dev Process

May 1st, 2018
975
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.30 KB | None | 0 0
  1. Skill Level 1: (Can identify vulnerable hosts - KNOWN VULNERABILITIES)
  2. ----------------------------------------------------------------------
  3. - Ping Sweep
  4. - Port Scan
  5. - Bannergrab
  6. - Vulnerability Research
  7.  
  8.  
  9. ########################
  10. # Scanning Methodology #
  11. ########################
  12.  
  13. - Ping Sweep
  14. What's alive?
  15. ------------
  16.  
  17. ---------------------------Type This-----------------------------------
  18. sudo nmap -sP 157.166.226.*
  19.  
  20. -----------------------------------------------------------------------
  21.  
  22.  
  23.  
  24. -if -SP yields no results try:
  25. ---------------------------Type This-----------------------------------
  26. sudo nmap -sL 157.166.226.*
  27.  
  28. -----------------------------------------------------------------------
  29.  
  30.  
  31.  
  32. -Look for hostnames:
  33. ---------------------------Type This-----------------------------------
  34. sudo nmap -sL 157.166.226.* | grep com
  35.  
  36. -----------------------------------------------------------------------
  37.  
  38.  
  39.  
  40. - Port Scan
  41. What's where?
  42. ------------
  43. ---------------------------Type This-----------------------------------
  44. sudo nmap -sS 162.243.126.247
  45.  
  46. -----------------------------------------------------------------------
  47.  
  48.  
  49.  
  50. - Bannergrab/Version Query
  51. What versions of software are running
  52. -------------------------------------
  53.  
  54. ---------------------------Type This-----------------------------------
  55. sudo nmap -sV 162.243.126.247
  56.  
  57. -----------------------------------------------------------------------
  58.  
  59.  
  60.  
  61.  
  62. - Vulnerability Research
  63. Lookup the banner versions for public exploits
  64. ----------------------------------------------
  65. http://exploit-db.com
  66. http://securityfocus.com/bid
  67. https://packetstormsecurity.com/files/tags/exploit/
  68.  
  69.  
  70.  
  71.  
  72.  
  73.  
  74.  
  75. Skill Level 2: Can identify UNKNOWN VULNERABILITIES)
  76. ----------------------------------------------------
  77. 1. App Type
  78. - Stand Alone
  79. - Client-Server (app name: vulnserver.exe)
  80. - Web App
  81.  
  82. 2. Data Input Type
  83. - File/Keyboard/Mouse (Stand Alone)
  84. - Logical Network Port (Client-Server) (tcp port: 9999)
  85. - Browser (Web App)
  86.  
  87.  
  88. 3a. Map and fuzz all app entry points
  89. - Methods
  90. - Functions
  91. - Subroutines
  92. - Controllers
  93. - Commands
  94. HELP
  95. STATS [stat_value]
  96. RTIME [rtime_value]
  97. LTIME [ltime_value]
  98. SRUN [srun_value]
  99. TRUN [trun_value]
  100. GMON [gmon_value]
  101. GDOG [gdog_value]
  102. KSTET [kstet_value]
  103. GTER [gter_value]
  104. HTER [hter_value]
  105. LTER [lter_value]
  106. KSTAN [lstan_value]
  107. EXIT
  108.  
  109. 3b. Fuzz each app entry point
  110.  
  111.  
  112. 4. Isolate the crash
  113. - TRUN 2100 is where the app crashes once placed in OllyDBG
  114.  
  115.  
  116.  
  117. 5. Calculate distance to EIP
  118. - Distance to EIP is 2006 bytes
  119.  
  120.  
  121.  
  122. 6. Redirect program execution
  123. - JMP REG (example: JMP ESP)
  124. - PUSH REG; RET (PUSH EST; RET)
  125. - CALL REG; (CALL ESP)
  126. "\x91\xC8\x41\x7E" # CALL EDI - user32.dll
  127. - Land in dummy shellcode
  128.  
  129.  
  130. 7. Replace dummy shellcode with real shellcode
  131. - Bad characters
  132. \x00\x0a\x2f\x5c
  133. - Not enough space
  134. 243 bytes for shellcode
  135.  
  136.  
  137.  
  138.  
  139. --------------------------------------------------------------------------------------------------------------------------------
  140.  
  141.  
  142.  
  143.  
  144. #################################
  145. ----------- ############### # Intro to Exploit Development ################ -----------
  146. #################################
  147. - You can download everything you need for this exercise (except netcat) from the link below
  148. https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip
  149.  
  150. - Extract this zip file to your Desktop
  151.  
  152. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
  153.  
  154. - Open a new command prompt and type:
  155. nc localhost 9999
  156.  
  157. - In the new command prompt window where you ran nc type:
  158. HELP
  159.  
  160. - Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
  161. - Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
  162.  
  163. - Now double-click on 1-simplefuzzer.py
  164. - You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
  165.  
  166.  
  167. - Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
  168.  
  169. - Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
  170.  
  171. - Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
  172.  
  173. - Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
  174.  
  175. - Now isolate the crash by restarting your debugger and running script 2-3000chars.py
  176.  
  177. - Calculate the distance to EIP by running script 3-3000chars.py
  178. - This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
  179.  
  180. 4-count-chars-to-EIP.py
  181. - In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
  182. - so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
  183.  
  184. 5-2006char-eip-check.py
  185. - In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
  186.  
  187. 6-jmp-esp.py
  188. - In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
  189.  
  190. 7-first-exploit
  191. - In this script we actually do the stack overflow and launch a bind shell on port 4444
  192.  
  193. 8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
  194.  
  195.  
  196. ------------------------------
  197.  
  198. cd ~/toolz/metasploit/modules/exploits/windows/misc
  199.  
  200. vi vulnserv.rb (paste the code into this file)
  201.  
  202.  
  203.  
  204. cd ~/toolz/metasploit
  205.  
  206. ./msfconsole
  207.  
  208.  
  209.  
  210. use exploit/windows/misc/vulnserv
  211. set PAYLOAD windows/meterpreter/bind_tcp
  212. set RHOST 192.168.88.129
  213. set RPORT 9999
  214. exploit
  215.  
  216.  
  217.  
  218. -------------------------------------------------------------------------------------------------------------------------
  219. The first exploit
  220. https://s3.amazonaws.com/infosecaddictsfiles/SLmail5-5-Exploit.zip
  221.  
  222. SLMail Scripts Questions
  223.  
  224. SLmail1.py
  225. How do you start SLMail?
  226. What do you have to be careful of when attaching your debugger to the application?
  227. How many As are you sending to the application?
  228.  
  229. SLmail2.py
  230. What tool(s) can be used to generate a cyclic pattern?
  231. What port are we attacking?
  232. What verb are we attacking?
  233.  
  234. SLmail3.py
  235. What is the value contained in EIP?
  236. What is the portion of the cyclic pattern that we must search for?
  237. What is the distance to EIP?
  238.  
  239. SLmail4.py
  240. What do you overwrite EIP with in this script?
  241. What is the length of your shellcode in this script?
  242. What is the difference between SOCK_STREAM and SOCK_DGRAM?
  243.  
  244. SLmail5.py
  245. What is struct.pack and why are we using it?
  246. What where is our JMP ESP coming from?
  247. What is the length of our shellcode in this script?
  248.  
  249. SLmail6.py
  250. Why do you subtract the top of ESP from the bottom of ESP in this script?
  251. What is the length of our shellcode in this script?
  252. What is the distance to EIP in this script?
  253.  
  254.  
  255. SLmail7.py
  256. How do you test for bad characters?
  257. What are the bad characters in this script?
  258. What is the address of the JMP ESP in this script and what DLL does it come from?
  259.  
  260.  
  261. SLmail8.py
  262. What is DEP and how do you disable it?
  263. What is the purpose of the stack adjustment?
  264. What is the purpose of the NOP sled?
  265.  
  266.  
  267. If you got through SLMail comfortably - then try the script below.
  268. https://s3.amazonaws.com/infosecaddictsfiles/ff.zip
  269.  
  270.  
  271.  
  272.  
  273.  
  274. -------------------------------------------------------------------------------------------------------------------------
  275.  
  276.  
  277. Analysis of the exploit code:
  278. https://www.exploit-db.com/exploits/15689/
  279. What is the target platform that this exploit works against?
  280. What is the variable name for the distance to EIP?
  281. What is the actual distance to EIP in bytes?
  282. Describe what is happening in the variable ‘junk2’?
  283.  
  284. Analysis of the training walk-through based on EID: 15689:
  285. https://s3.amazonaws.com/infosecaddictsfiles/ff.zip
  286.  
  287. ff1.py
  288. What does the sys module do?
  289. What is sys.argv[1] and sys.argv[2]?
  290. What application entry point is being attacked in this script?
  291.  
  292. ff2.py
  293. Explain what is happening in lines 18 - 20
  294. What is pattern_create.rb doing and where can I find it?
  295. Why can’t I just double click the file to run this script?
  296.  
  297. ff3.py
  298. Explain what is happening in lines 17 - to 25?
  299. Explain what is happening in lines 30 - to 32?
  300. Why is everything below line 35 commented out?
  301.  
  302. ff4.py
  303. Explain what is happening in lines 13 - to 15.
  304. Explain what is happening in line 19.
  305. Why is everything below line 35 commented out?
  306.  
  307. Ff5.py
  308. Explain what is happening in line 15.
  309. What is struct.pack?.
  310. How big is the shellcode in this script?
  311.  
  312. ff6.py
  313. What is the distance to EIP?
  314. How big is the shellcode in this script?
  315. What is the total byte length of the data being sent to this app?
  316.  
  317. ff7.py
  318. What is a tuple in python? Unchangeable list
  319. How big is the shellcode in this script? 1000 Bytes
  320. Did your app crash in from this script? No
  321.  
  322. ff8.py
  323. How big is the shellcode in this script?
  324. What is try/except in python?
  325. What is socket.SOCK_STREAM in Python?
  326.  
  327. ff9.py
  328. What is going on in lines 19 and 20?
  329. What is the length of the NOPs?
  330. What is socket.SOCK_STREAM in Python?
  331.  
  332. ff010.py
  333. What is going on in lines 18 - 20?
  334. How would a stack adjustment help this script?
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement