Hacking With Security Tools Part — 3
Welcome to the exploit development module. So far, we have been talking about the ethical hacking aspects of Kali Linux. You can also use this wonderful security distribution in the exploit development. Kali Linux comes with pre-installed tools and accessories, which gives support in the exploit development lifecycle. In this module, we will not be explaining “what is exploit development” but we will be discussing where Kali Linux can be used in the exploit development.
* Basic concepts of exploits
* Prior knowledge about debugging
* Programming concepts
* TCP/IP understanding
* Understanding the background of exploit development
Kali Linux Exploit Development Support
Covering the real aspects of the exploit development lifecycle, Kali Linux basically is not a full-fleshed exploit development platform, however, it has pre-installed tools that have to exploit development as a native feature. Kali Linux also comes with pre-installed debuggers, which play an important role in the development of exploits.
Kali Linux comes with a pre-installed copy of Metasploit, which is an extraordinary tool in the development of the exploit cycle. It also has some other disassemblers which help in the development of exploit but you cannot say it will cover the overall cycle of exploit development.
In the overall lifecycle of exploit development, you cannot guarantee that only one platform will suffice for the development of exploits. In fact, you need to switch between tools in order to achieve your tasks. The concept we want to deliver here is that Kali Linux does have a support platform, which can be used in exploit development. However, this support comes in the form of Metasploit and a couple of different tools. We will talk about them shortly.
Kali and Metasploit
It has advanced functionality to support exploit development, beginning from the level of fuzzing an application until the finding of offsets and giving the shellcode for the exploit.
Fuzzing and Kali Linux
We will be running an application on a Windows machine and then use Metasploit fuzzing in order to explore fuzzing from the Kali Linux platform.
THE vulnerable FTP server is running on a Windows machine on IP address 192.168.81.140 and we will be fuzzing this application in order to crash it with the fuzzing tool available in Kali Linux within Metasploit.
We configure the auxiliary module of Metasploit as shown in the below figure.
You can see that the application crashed when our fuzzing reached the size of 500 or might be more than that, but that is the maximum size we noticed. This means that this application is successfully fuzzed and can be exploited. Let’s move a step further.
Kali Linux & EIP Offset
Now we will be finding offset, i.e. at which point the application crashed and the instruction pointer register (EIP) was overwritten.
This will be easily achieved with the Metasploit pattern_create module available in Kali. You can see the path and the command in the figure below in order to see how we can create patterns, which will be used in finding the offset.
You can see that application crashed, but what is the difference between crashing this with manual fuzzer written and before with Metasploit fuzzer? Well, now we have used a set pattern as a buffer value being created as explained above. Now the instruction pointer will have any four bytes from this pattern of 500 bytes and now we will see this a debugger. So we will repeat the step, however, we will attach the application in a debugger, in our case Immunity debugger.
In the below figure, we have shown the application running in debug mode with Immunity debugger. Note down the EIP value as highlighted in the figure. Now we will crash this application with our fuzzer and see the change in EIP value.
You can see that the EIP value is now 41346841, which was overwritten by our fuzzer, and this 41346841 is any value from the buffer of 500 bytes we sent from our fuzzer script. You can also see the ESP value which has the buffer value we sent. Now we will take this 41346841 and find out at what point this EIP was overwritten, meaning how many bytes of buffer data out of 500 bytes this EIP is overwritten.
We will again go back to Kali Linux and look for the pattern_offset tool in Kali to find the location of this 41346841 in the buffer of 500 bytes. Follow the steps shown as follows.
As expected, we have overwritten EIP with our value, but to successfully build the exploit you need to have a proper value, which should be the location in memory, where you can put your shellcode. For this, again, Metasploit has support by which you can find JMP ESP, which means you can put your shellcode in ESP and find the location as well and then put this location in EIP.
Now, how to find the return address either JMP ESP or SEH POP POP RET. Follow the steps below to quickly find it with the Metasploit tool.
We run the msfpescan tool to achieve this. This can be achieved by running the scan on the executable of the application server as follows.
The result is truncated. You can see that we can play enough with this tool in order to achieve our goal. Now you can take any of the values and test if it works for you.
Kali and Shellcode
What we need next is the shellcode we want to put in our exploit and this is also doable with Kali Linux, there are number of shellcode available in Metasploit, which you can generate, in the no of languages in which you are writing your exploit. In our case, we are using Python so we will show how you can use available shellcodes in Metasploit to generate them as per your coding language.
The above figure shows the quick and easy way to generate the payload for the exploit in the python language. These are the key aspects of exploit developments at the basic level and Kali Linux supports these features, as we have explained in this module. However, full-fleshed exploit development can also be achieved, but that requires more expertise from developer aspects as well.
We have presented below the complete list of toolsets available in Kali Linux under the category of Exploit Development.
Originally published at https://learncybersec.blogspot.com.