Process
Steps Overview
- Fuzz and find unusual behaviour
- Detect any possibility to overwrite crucial parts:
  - EIP
  - SEH
  - Access violations/invalid memory addresses
  - etc.
- Hijack execution
- Eliminate bad characters
- Write a PoC, spawning a reverse or bind shell or a RAT, or move to other systems.
Bad Characters
All characters from 0 to 255 (decimal) represented in hex escape format like this: \x00\x01...\xff.
📕 RTFM
# generate a unique cyclic pattern and keep it in a variable
mapstr=$(msf-pattern_create -l 1400)
# send it as the request body (nc takes host and port as separate arguments)
echo "POST $mapstr" | nc -nv 127.0.0.1 8080
# look up the offset of the 4 bytes that landed in EIP
msf-pattern_offset -q <part of mapstr found in EIP>
http://docs.pwntools.com/en/stable/index.html and an example of use - https://www.megabeets.net/a-journey-into-radare-2-part-2/.
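The same EIP-to-offset step, as an added example that is not part of the original notes or of Metasploit: it re-implements the `Aa0Aa1Aa2...` cyclic pattern and the `-q` lookup so the mechanism can be checked without the tool installed (the register value 0x41356141 below is a constructed sample).

```python
"""Re-implementation of msf-pattern_create / msf-pattern_offset logic (added example)."""
import string
import struct


def pattern_create(length: int) -> bytes:
    """Return the first `length` bytes of the Metasploit-style cyclic pattern.

    Each 3-byte group is <uppercase><lowercase><digit>, counting the digit
    fastest, so every 4-byte window is unique within the first 20280 bytes.
    """
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern repeats after 20280 bytes")
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(pattern: bytes, query) -> int:
    """Locate `query` in `pattern`, like `msf-pattern_offset -q`.

    `query` is either the 4 ASCII bytes seen in the register, or the register
    value as an int (e.g. 0x41356141, a constructed sample); an int is unpacked
    as a little-endian DWORD because that is how x86 stores it on the stack.
    Returns the offset, or -1 when the bytes are not part of the pattern.
    """
    if isinstance(query, int):
        query = struct.pack("<I", query)
    elif isinstance(query, str):
        query = query.encode()
    return pattern.find(query)


if __name__ == "__main__":
    buf = pattern_create(1400)
    # EIP reads 0x41356141 in the debugger -> bytes "Aa5A" -> offset 15
    print(pattern_offset(buf, 0x41356141))
```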
⛔️ I was getting the following error when trying to install the framework on my workstation: "Error: Failure while executing; /bin/ln -h -f -s -- /opt/metasploit-framework/bin/msfvenom /opt/homebrew/bin/msfvenom was terminated by uncaught signal KILL." I could not understand what I was doing wrong, but it turned out that this is CS Falcon's handiwork.
Scanning for Samba shares
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.3.97
# access the share
smbclient //<ip>/<sharename>
# when prompted for a password, try hitting Enter (in case there is no password)
# download all the files recursively
smbget -R smb://<ip>/anonymous
RPC
rpcbind is just a server that converts remote procedure call (RPC) program numbers into universal addresses. When an RPC service is started, it tells rpcbind the address at which it is listening and the RPC program number it is prepared to serve.
nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.3.97
🧰 Toolkit
- peda - Python module for gdb for exploit development (Linux).
- radare2, debugging in two terminals
- gdb, gdb-peda (certificate)
- Angr
References
Hacking: the Art of Exploitation