
Archive

Fall 2010

The first homework was to find and exploit the security vulnerability in homework.exe, which is a simple server very similar to the demo.exe (source code) from class.

Please submit your answers to the following tasks:

1. Identify the stack buffer overflow vulnerability in homework.exe using IDA Pro Freeware.  Explain the cause of the vulnerability and how it may be triggered (1-2 paragraphs).

2. Write a script to trigger the vulnerability and set EIP to a chosen value.  Describe the format of the attack string that you used to trigger the vulnerability.  For example, the attack string from the demo could be described as: [ 69 bytes of space ] [ EIP ]

3. Attach WinDbg to homework.exe and trigger the vulnerability.  Use the !exploitable extension to analyze the crash.  To do this, enter the commands below in the WinDbg command window after WinDbg has reported the exception (crash):

0:001> .load msec
0:001> !exploitable

Document the exception output from WinDbg (where it shows the values of the registers) and the output of the !exploitable command.

4. Write a complete exploit for homework.exe.  You may use the attached payload (in Ruby). You may write it in any language, but I'd recommend trying to use Ruby because the next homework will include converting your exploit to a Metasploit exploit module.  Metasploit has been installed into the VM and you can use the command line tools from the included Cygwin Shell:

Start -> All Programs -> Metasploit3 -> Cygwin Shell
$ /msf3/tools/pattern_create.rb 1024

You can also use '/msf3/msfpescan' to find useful jump addresses.  You may find that easier than using WinDbg or Immunity Debugger's search commands.
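The cyclic pattern that pattern_create.rb emits is what makes the crash analysis in task 3 readable: because every 3-byte triplet (upper-case letter, lower-case letter, digit) in the pattern is unique, the value WinDbg reports in a register after the fault can be mapped back to the exact offset in the input that reached it. The following Ruby is an added illustration of that mapping, written for this page; it is not the Metasploit tool itself, and the register value used in the usage call at the bottom is a constructed sample, not one taken from homework.exe.

```ruby
# Cyclic pattern helpers in the style of pattern_create.rb / pattern_offset.rb.
# Added example for this page; not the Metasploit implementation.

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a
MAX_PATTERN = UPPER.size * LOWER.size * DIGIT.size * 3  # 20280 bytes

# Build a pattern of +length+ bytes in which no 3-byte triplet repeats,
# so any 4-byte window identifies exactly one offset.
def pattern_create(length)
  raise ArgumentError, "pattern longer than #{MAX_PATTERN} bytes repeats" if length > MAX_PATTERN
  out = String.new
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Map a 4-byte value back to its offset in the pattern. +needle+ may be the
# 4 characters themselves or the 32-bit integer shown in a register dump;
# x86 is little-endian, so 0x41306141 in EIP is the bytes "Aa0A" in memory.
# Returns nil if the value did not come from the pattern at all.
def pattern_offset(needle, length = MAX_PATTERN)
  needle = [needle].pack('V') if needle.is_a?(Integer)  # 'V' = 32-bit little-endian
  pattern_create(length).index(needle)
end

if __FILE__ == $PROGRAM_NAME
  puts pattern_create(40)
  # Constructed sample register value, not from homework.exe:
  puts "offset: #{pattern_offset(0x37614136)}"
end
```

With a crash triggered by the full pattern, the offset returned for the faulting EIP value is the number of bytes that precede the saved return address, which is the figure the "[ N bytes of space ] [ EIP ]" description in task 2 asks for. A nil result means the register was not overwritten by the input directly, which is itself useful information when reading the !exploitable output.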

The second homework was to port your exploit for homework.exe to the Metasploit 3 framework. The framework is installed in your VM and you may use it from there or from your VM host.  You should convert your exploit into a Metasploit exploit module, which will be a single Ruby file. Submit this single file as your solution for the homework.

To get you started on Metasploit module development, you should read the following web pages:

You can also refer to the following simple exploits that are already included in the framework:

  • modules/exploits/windows/lpd/niprint.rb
  • modules/exploits/windows/proxy/ccproxy_telnet_ping.rb

Fall 2009
