
Exploit Development

Created: 27.09.2020


Steps Overview

  1. Fuzz and find unusual behaviour
  2. Detect any possibility to overwrite crucial parts:
    1. EIP
    2. SEH
    3. Access violations/invalid memory addresses
    4. etc.
  3. Hijack Execution
  4. Eliminate bad characters
  5. Write PoC, spawning a reverse or bind shell, RAT or move to other systems.

Bad Characters

All characters from 0 to 255 (decimal), represented as hex escapes like this: \x00\x01\x02...\xff. Send them in the payload and compare what lands in memory against what was sent; any byte that is altered, dropped, or truncates the rest of the string is a bad character.
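The probe-and-compare loop described above, as an added example that is not part of the original notes: it builds the 0x00..0xff probe, renders it as \x.. escapes, and diffs the bytes sent against a copy taken from the target. The target here is a constructed stand-in (a copy routine that stops at NUL and rewrites 0x0a), not a real program.

```python
# Added example (not from the original notes): bad-character discovery.

def badchar_probe(exclude=()):
    """All byte values 0..255 in order, minus those already known to be bad."""
    skip = set(exclude)
    return bytes(b for b in range(256) if b not in skip)

def to_hex_escapes(data):
    """Render bytes in the \\x.. form usually pasted into a PoC."""
    return "".join(f"\\x{b:02x}" for b in data)

def first_mangled(sent, observed):
    """Compare the probe with what landed in memory.

    Returns (offset, sent_byte, observed_byte_or_None), or None if the
    copy is intact. Only the first mismatch is reported: once a byte is
    altered or the string is truncated, everything after it is shifted
    and tells us nothing, so the caller excludes it and probes again.
    """
    for i, b in enumerate(sent):
        if i >= len(observed):
            return (i, b, None)            # truncated: the copy stopped here
        if observed[i] != b:
            return (i, b, observed[i])     # altered in transit
    return None

def collect_bad_chars(copy_fn, max_rounds=256):
    """Repeat the probe, excluding each bad byte found, until the copy is clean."""
    bad = []
    for _ in range(max_rounds):
        probe = badchar_probe(exclude=bad)
        hit = first_mangled(probe, copy_fn(probe))
        if hit is None:
            return bad
        bad.append(hit[1])
    return bad

def constructed_target(data):
    """Constructed stand-in for the vulnerable copy: stops at NUL and
    replaces 0x0a with 0x20, as line-oriented input handling often does."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            break
        out.append(0x20 if b == 0x0a else b)
    return bytes(out)

if __name__ == "__main__":
    found = collect_bad_chars(constructed_target)
    print("bad chars:", to_hex_escapes(bytes(found)))
```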


# generate a cyclic pattern long enough to overwrite EIP
msf-pattern_create -l 1400 > pattern.txt
# send it to the target service
echo "POST "$(cat pattern.txt) | nc -nv <ip> <port>
# look up the offset of the 4 bytes that ended up in EIP
msf-pattern_offset -q <part of the pattern found in EIP>

pwntools documentation: http://docs.pwntools.com/en/stable/index.html; an example of its use: https://www.megabeets.net/a-journey-into-radare-2-part-2/.

⛔️ I was getting the following error when trying to install the framework on my workstation: Error: Failure while executing; /bin/ln -h -f -s -- /opt/metasploit-framework/bin/msfvenom /opt/homebrew/bin/msfvenom was terminated by uncaught signal KILL. I could not understand what I was doing wrong, but it turned out that this is CS Falcon’s handiwork.

Scanning for SAMBA shares

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>

# access the share
smbclient //<ip>/<sharename>
# when prompted for a password, try hitting Enter (in case there is no password)

# download all the files recursively
smbget -R smb://<ip>/anonymous


rpcbind is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service starts, it tells rpcbind the address at which it is listening and the RPC program number it is prepared to serve.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount <ip>

🧰 Toolkit


Hacking: the Art of Exploitation