Advanced Exploitation Techniques — Part 4

Case Studies on Advanced Exploitation Techniques

Tutorial 1 — Hello world, some history

Welcome again, so far we have been studying and hacking into systems by exploiting the discovered vulnerabilities. Here in this module we will be going through different studies, which have been put together as advanced techniques so that we can grab more knowledge in exploit development and the peripherals of this field.

Buffer overflow exploits are extremely dangerous if they have been successfully exploited and the attacker is making a good use of the exploited vulnerability. A long time back, somewhere around 1988, there was a Worm! So far, it is considered to be first worm since it gained so much media coverage and popularity just because of its effects, and it was written by a student that caused damage of approximately hundreds million dollars.

We have been exploring enough on egg hunters and we have also gone through the exploitation techniques, like buffer overflows. However, there is much more to explore in exploitation; there are many other ways of exploiting an application, however, the method of detecting the vulnerability doesn’t differ 100%.

So what are other ways of exploitations or what are the other types of vulnerabilities that can lead to system compromises? Deploying rootkits or anything that causes much damage to the victim’s machine or simply owning the box.

There are many other ways which an attacker can use for gaining access to the victim machine if the following vulnerabilities can be exploited, which can lead to exploitation of systems.

● Heap Overflows
● Format String
● SQL Injections
● Client Side Attacks
● IE Exploitation

These names might be familiar to you, however, they are the most common and still cause serious damages to the systems. However, techniques like Trojan horses, social engineering, and password attack may still work but nowadays these types of attacks don’t help you out in real world hacking attempts.

The days have passed where you simply run a password attack and gain access to the routers and Windows machines, or send a file that compromises the system. This is legacy.

However, personally, I have seen in live pen testing where the password for a cisco router was still “cisco” and the password for a web application admin panel was still “admin” so idiots are still working in the field of web development and network or system administration.

Sometimes it does happen that you can exploit a vulnerability but the payload you are using doesn’t help you make more damage to the system or fully compromise the system.

Let’s pay attention to the great payload and most loving part of Metasploit called Meterpreter We would exploit a known vulnerability and then we explore what advanced options we have to explore with Meterpreter.

Case Study — Meterpreter & PCManFTPD Vulnerability

We have downloaded and installed the PCManFTPD server on a Windows XP machine and we ran the Metasploit framework to look for an available exploit. Below screen shows the configured options for exploiting this vulnerability

Okay, here you can see we have one Meterpreter session opened on the victim machine. So what we can do now after exploiting the vulnerability? Here it’s worthwhile showing the power of Meterpreter. Below are the available options for us to play with on this system.

● Core Commands
● File System Commands
● Networking Commands
● System Commands
● User Interface Commands
● Webcam Commands
● Elevate Commands
● Password Database Commands
● Timestomp commands

Core Commands

File System Commands

Networking Commands

System Commands

User Interface Commands

Web Cam Commands

Elevate, Password & Timestomp Commands

That’s the power this awesome payload Metasploit has. Okay so what can we do with this? We can dump the content of SAM database and crack password later while using Metasploit itself.

We can download or upload any files to and from the victim’s system and we can even see the webcam snap and videos. You can try and practice all of these commands on your own by simply exploiting any known vulnerability as we have shown in this case.

Exploring Meterpreter is a detailed exercise. If you want to be a master of Meterpreter and want to learn more on this please post on the forum for the workshop demand and we will develop one dedicated workshop for Meterpreter including other key topics so that you can enhance your skill of after hacks! Please post on forum for the workshop request.

Case Study, Exploit Development & Metasploit

Some people still believe that Metasploit is a penetration testing and hacking tool, however it is and indeed most used and maintained tool in ethical hacking & penetration testing but it is not just for hacking into systems.

A security researcher uses this wonderful tool for exploit development, as well. Now, you might think how can we use this tool for exploit development? So here we will run through quick exploit development with Metasploit for the EasyFTP Server as a bonus.

We will follow quick and short steps to show how this tool can be used for exploit development. As you have already seen at the beginning of the workshop, we used Metasploit for fuzzing so I will not explain that again here. You have to do it on your own and don’t copy the required info from available exploits. Okay we will run an exercise here for you to complete this exploit development for the known vulnerability of EasyFTP Server.

Use Metasploit for fuzzing, find the point where the application is crashed and post the details on the forum how you did and your main task in step one is finding the offset. So post the offset value you find. These may be different on different machines.

You can download the vulnerable application from the below download link, if you need any help practicing on the vulnerable help, please post on the forum so we can help you, however, don’t give up trying on your own first.

Download Link: http://www.exploit-db.com/exploits/14402/

Step 2

Now, arrange the stack and overwrite the EIP register. If you have read module one and understood the exploit development explained in that module then I believe you should be able to find this with small efforts. Find the ESP location.

Post your story on the forum how you obtained and overwrite the EIP.

Step 3

Now, you should have the following known with you.

1 — Evilbuffer to send for crashing
2 — Offset value
3 — Find the ESP location

Step 4

Get your shell code ready, you can generate one from Metasploit or use the one I use in module 1.

Submit your success story on the forum.

We have shown high level steps for developing the EasyFTP Server exploit, you can use any technique you want, for your ease you can use Mona.py for everything you want, however, do submit your techniques that you used for developing the exploit.

And don’t forget to submit your PoC Code for others to learn, I developed one for you guys and will post once requested by anyone. You can ask questions via forum if you are facing any difficulty in coding the PoC.

Originally published at https://learncybersec.blogspot.com.

Cyber Security Analyst & researcher