Exploit Development Windows Part — 1

Exploit Development Windows

In the field of ethical hacking, or penetration testing, exploit development forms the core of these fields, however, not every hacker or security professional is sound in exploit development.

What usually happens is security professionals and so-called hackers use the exploits, which are developed by the security researchers and available on the Internet and are just a Google search away.

Exploit development requires the thorough understanding of assembly language and how it works on different platforms and different operating systems.

You also need to be a good programmer or, at a minimum, you understand the programming logic and can write your own code in any of the object-oriented programming languages.

Exploiting software requires hands-on practice with different tools and techniques. For our workshop, we will be focused on how to write exploits with Metasploit Framework, Immunity Debugger and its wonderful plugin called “Mona.py” so, in summary, you need to have a better understanding of the following:

* Assembly Language Concepts
* One Object-Oriented Programming Language Concepts
* Buffer overflows
* Immunity Debugger and “Mona.py”
* Fuzzers and Fuzzing
* Metasploit Framework

To let you concentrate on the exploit development, we will try to cover the prerequisites within our workshop but only to the level we feel that you should be comfortable with the concepts so that you don’t need to waste your time in hitting searches on these topics.

Assembly Language Concepts

Assembly language itself is a huge topic to explain and understand and it cannot be covered in one workshop. However, we will cover the useful set of available instructions. The full instruction set is large and complex. Basically, assembly language is dependent upon the instruction set and the architecture of the processor.

The basic syntax of assembly program can be divided into three sections.

* The Data section
* The bss section
* The text section

The Data section is used for declaring initializing data or constants. This data does not change at run time. It is useful to declare file names or buffer size in the section of the assembly program.

This section is mainly used for declaring the variables.

The text section is used for keeping the actual code. It sounds strange but that’s the reality of assembly language. This section must begin with the declaration of global start, which tells the kernel where the program execution begins.

Statements in assembly language are categorized in three types, as follows:

* Executable instructions or simply instructions
* Assembler directives or pseudo-ops
* Macros

Instructions tell the processor what to do, each instruction consists of an operation code [opcode] and each instruction generates one machine language instruction.

Assembler directives tell the assembler about the different aspects of the assembly process. These are non-executable and do not generate machine language instructions.

Macros are nothing but simply the text substitution mechanism.

Syntax of assembly statements

In any programming language, there is a mechanism of writing the code, which is termed as the syntax of the programming language. Assembly also has a set way of communicating with the machine.

[label] mnemonic [operands] [; comments]

Following are some examples of assembly instructions for your better understanding.

This is just the beginning of assembly key terminologies and doesn’t cover the details. There are some more key topics that you should understand in order to be comfortable with exploit development. In reality, exploit development is the field of experts only and this workshop will drop you inside the circle of exploit development where you can further enhance your skills to be an expert.

Assembly Registers

Registers are used in order to speed up the processing; they store data elements for processing without having to access the memory. Processor registers are of different types with different functionalities to perform. In exploit development, key registers are basically Pointer registers called EIP, ESP and EBP registers where “E” stands for extended.

Instruction Pointer stores the offset address of the next instruction to be executed. This pointer plays a key role in exploit development, which you will realize once you complete this workshop.
[Keep a note somewhere]

Stack Pointer provides the offset value within the program stack. Stack pointer in association with SS register refers to the current position of data r address within the program stack.

Base Pointer helps in referencing the parameter variables passed to a subroutine.

Object oriented Programming Language

Languages like “C”, “Perl” & “Python” are commonly used in exploit development. It is up to you to select and practice in any one of these languages. This is very important as it’s not only becoming master in any one programming language but it’s equally important to be familiar with the syntax of other programming languages.

What matters more is that you should be an expert in the programing concepts, and comfortable with how software code works and how to code and control the exploitation by simply writing a small piece of software code in any programming language.

Buffer Overflows

It takes no time to learn about buffer overflows if you just search with Google. However, you would not be able to clearly grasp the key concepts behind these two words “buffer overflows.” Let’s just quickly and very simply help you understand buffer overflow.

Have you ever tried filling a cup with a coffee? Or a glass with water?

Or putting any liquid into any container?

What happens when you put more and more? The water will start overflowing after some time over the boundaries of the glass and it happens when it can not hold more water, and it’s because they run out of capacity.

“Buffer is nothing but a memory location and it overflows when you put more data into the buffer.”

Now, the question is why the buffer overflows? Why doesn’t it understand that I
am running out of storage capacity? Why hasn’t it stopped accepting more and
more data?

Answer: insecure programming.

Using buffer overflows against the variables on the stack is sometimes called stack overflows, and more often is called the smashing the stack. Stack overflows are widely popular and exploited in majority.

Immunity Debugger & Mona.py

This is a very powerful debugger with functionalities to support exploit development, malware analysis, reverse engineering and much more. Professionals widely use this in the field of security assessments and malware analysis. Experts in the security industry use this debugger to develop exploits as it reduces the exploit development time nearly by 40%. (Claimed by the industry)

It’s a GUI based tool and also supports command line all the time.

“Mona.py” is the plugin for Immunity Debugger written by Corelan Team. So far, it is the best of the best tool in the exploit development history, which makes the exploit development much easier and saves a lot of time.

By using Mona.py with Immunity debugger, you can easily develop exploits in the format of Metasploit Exploits. This functionality of Mona.py makes your life easy, as it is just a use of predefined commands in Mona.py.

You can also easily find the memory locations to point to for your shellcode. This will be further explored in the upcoming modules where we will first be discovering a known vulnerability and then writing an exploit code with the help of Immunity Debugger and the wonderful plugin Mona.py and the Metasploit functionalities.

Fuzzers and Fuzzing

In the science of exploit development, the interesting things start when you start looking for something unusual or you force the application to behave unusual and give errors. To achieve this, security professionals have developed tools called fuzzer. By using a fuzzer, security professionals provide invalid and unexpected data to the inputs of an application accepting data input by any means.

What fuzzers typically do is simply test an application for buffer overflows, format string, directory traversal attacks, command execution vulnerabilities, SQL Injection, XSS and more. The whole process is simply named as fuzzing, so nothing like rocket science.

Metasploit Framework

Metasploit framework has provided enough power for exploit module development. Normally, newcomers in the field of penetration testing & ethical hacking don’t have any idea how powerful this Metasploit framework is, what they do is simply look for remote-exploits available in Metasploit framework.

“In any exploit development cycle, the key steps involve fuzzing, EIP control, shellcode development, finding EIP offset and then packing everything together in a piece of code called exploit.”

Metasploit provides all these features and makes it much easier for us to develop a new exploit. Metasploit comes up with pre-developed Fuzzers for fuzzing different protocols.

Among the many powerful features of Metasploit, one of the greatest features is its power and ease of use for its code re-use functionality of existing code.

When you start fuzzing any application, there are certain challenges to face. You don’t know if the application is really vulnerable to buffer overflows and what length of data you can send which will cause a buffer overflow and, most importantly, how you will know that the application has really stopped working and you can control the flow of application as you want.

Exploit Development Life Cycle

So far, you are a bit familiar with the concepts and techniques explained. Let’s focus more on the key concepts and on the actual process of discovering the vulnerability in an application and then exploiting the discovered vulnerability.

Exploit development life cycle, and step-by-step approach to write exploits.

Cyber Security Analyst & researcher