Meta

Exploitation 101

Lecture

Homework

Exploit the vulnerability in homework-re-fall2011-v2.exe, which is a simple server very similar to the demo.exe from class.

Submit your answers to the following tasks:

1. Write a script to trigger the vulnerability and set EIP to a chosen value. Describe the format of the attack string that you used to trigger the vulnerability. For example, the attack string from the demo could be described as: [ 69 bytes of space ] [ EIP ]

2. Attach WinDbg to homework.exe and trigger the vulnerability. Use the !exploitable extension to analyze the crash. To do this, enter the commands below in the WinDbg command window after WinDbg has reported the exception (crash):

0:001> .load msec
0:001> !exploitable

Document the exception output from WinDbg (where it shows the values of the registers) and the output of the !exploitable command.

3. Write a complete exploit for homework.exe. You will need to find a suitable jump address with WinDbg, Immunity Debugger, or msfpescan. You should use the attached payload (in Ruby). You can write it in any language, but I'd recommend trying to use Ruby because the next homework will include converting your exploit to a Metasploit exploit module.

The homework deliverable is a Ruby script, just like demo_exploit.rb, that exploits homework.exe to bind a cmd.exe shell to TCP port 4444 (the payload included in payload.rb does this). Make sure that your return address is one that you chose randomly from the thousands of possible ones that you can find with WinDbg or Immunity Debugger. We don't want to see any duplicates in the submitted homework, and definitely none with the return address used in demo_exploit.rb.

Required Reading

Exploitation 102

Lecture

Homework

The homework this week is to write a basic browser exploit. The homework2.zip file contains JavaScript to trigger two vulnerabilities in the Vulnerable.ocx ActiveX control as well as a payload for you to execute. The first vulnerability is a basic stack overflow. The second vulnerability is protected with /GS and requires the abuse of a structured exception handler (SEH) record to exploit. Students are required to write an exploit for only the first flaw; the second is extra credit worth an entire extra homework.

References

Tutorials, Challenges, and Walkthroughs

Shellcode

Exploitation Techniques

Mitigations

Metasploit

If you passed this section with ease and understand most of the reading material above, you might want to try taking Immunity's Network Offense Professional certification. Good luck!

Archive

Fall 2010

The first homework was to find and exploit the security vulnerability in homework.exe, which is a simple server very similar to the demo.exe (source code) from class.

Please submit your answers to the following tasks:

1. Identify the stack buffer overflow vulnerability in homework.exe using IDA Pro Freeware. Explain the cause of the vulnerability and how it may be triggered (1-2 paragraphs).

2. Write a script to trigger the vulnerability and set EIP to a chosen value. Describe the format of the attack string that you used to trigger the vulnerability. For example, the attack string from the demo could be described as: [ 69 bytes of space ] [ EIP ]

3. Attach WinDbg to homework.exe and trigger the vulnerability. Use the !exploitable extension to analyze the crash. To do this, enter the commands below in the WinDbg command window after WinDbg has reported the exception (crash):

0:001> .load msec
0:001> !exploitable

Document the exception output from WinDbg (where it shows the values of the registers) and the output of the !exploitable command.

4. Write a complete exploit for homework.exe. You may use the attached payload (in Ruby). You may write it in any language, but I'd recommend trying to use Ruby because the next homework will include converting your exploit to a Metasploit exploit module. Metasploit has been installed into the VM and you can use the command line tools from the included Cygwin Shell:

Start -> All Programs -> Metasploit3 -> Cygwin Shell
$ /msf3/tools/pattern_create.rb 1024

You can also use '/msf3/msfpescan' to find useful jump addresses. You may find that easier than using WinDbg or Immunity Debugger's search commands.
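The pattern_create.rb step above is usually paired with pattern_offset.rb: send a non-repeating pattern, read the EIP value out of the WinDbg exception output from task 3, and map it back to the byte offset in the input that landed in the register. The following is an added example, not part of the course materials or of Metasploit, that re-implements that cyclic-pattern idea in Ruby so the mapping is explicit; the function names pattern_create and pattern_offset are my own, and the 20,280-byte default length is the point at which the upper/lower/digit triples would start repeating.

```ruby
# Added example (not course or Metasploit code): a minimal cyclic pattern
# generator and offset finder in the style of pattern_create.rb and
# pattern_offset.rb, used to triage which input bytes reached EIP.

UPPER  = ('A'..'Z').to_a
LOWER  = ('a'..'z').to_a
DIGITS = ('0'..'9').to_a

# Build a pattern of the requested length from triples "Aa0", "Aa1", ...
# No triple repeats within the first 26 * 26 * 10 * 3 = 20,280 bytes, so a
# 4-byte value read out of a register maps to a single offset.
def pattern_create(length)
  out = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGITS.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Find where a 4-byte value sits in the pattern. Accepts either the literal
# bytes ("Aa5A") or the hex form WinDbg prints for EIP (e.g. "41356141");
# x86 is little-endian, so the hex form is reversed before searching.
# Returns nil when the value did not come from the pattern at all, which
# usually means the register was not directly overwritten by the input.
def pattern_offset(value, length = 20_280)
  pat = pattern_create(length)
  needle = if value =~ /\A(0x)?\h{8}\z/
             [value.sub(/\A0x/, '')].pack('H*').reverse
           else
             value
           end
  pat.index(needle)
end

if $PROGRAM_NAME == __FILE__
  # Constructed EIP value: the bytes "Aa5A" as WinDbg would display them.
  puts pattern_create(24)             # Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7
  puts pattern_offset('41356141')     # 15
end
```

A literal argument of exactly eight hex characters is treated as a register value; pass the raw bytes if that is not what you mean. An offset of nil is itself a useful triage result, since it says the faulting value was not copied straight out of the attack string.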

The second homework was to port your exploit for homework.exe to the Metasploit 3 framework. The framework is installed in your VM and you may use it from there or from your VM host. You should convert your exploit into a Metasploit exploit module, which will be a single Ruby file. Submit this single file as your solution for the homework.

To get you started on Metasploit module development, you should read the following web pages:

You can also refer to the following simple exploits that are already included in the framework:

  • modules/exploits/windows/lpd/niprint.rb
  • modules/exploits/windows/proxy/ccproxy_telnet_ping.rb

Fall 2009