Exploit Development


Created: 27.09.2020

Process

Steps Overview

  1. Fuzz and find unusual behaviour
  2. Detect any possibility to overwrite crucial parts:
    1. EIP
    2. SEH
    3. Access violations/invalid memory addresses
    4. etc.
  3. Hijack Execution
  4. Eliminate bad characters
  5. Write the PoC: spawn a reverse or bind shell or a RAT, or move on to other systems.

Bad Characters

All characters from 0 to 255 (decimal), written as hex escapes like \x00\x01...\xff; send the whole range in the buffer and note which bytes get corrupted or truncated in memory, then drop those and repeat until the sequence arrives intact.

📕 RTFM

# generate a unique cyclic pattern and keep it in a shell variable
mapstr=$(msf-pattern_create -l 1400)
# send it as the oversized input (nc takes host and port as separate arguments)
echo "POST $mapstr" | nc -nv 127.0.0.1 8080
# look up where the 4 bytes that landed in EIP sit inside the pattern
msf-pattern_offset -q <part of mapstr in EIP>
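The same pattern/offset lookup and the bad-character comparison, as an added example in pure Python (not from the original notes or from Metasploit); the function names and the sample EIP value are my own, and the pattern follows the Metasploit Aa0Aa1... scheme.

```python
"""Added example: msf-pattern_create / msf-pattern_offset workflow and a
bad-character check, self-contained so it runs offline."""
import string
import struct
from itertools import product


def pattern_create(length: int) -> str:
    """Cyclic pattern in the Metasploit style (Aa0Aa1...Aa9Ab0...).

    Every 4-byte window is unique within the first 20280 bytes, so the
    four bytes that land in EIP identify their position in the buffer.
    """
    triples = (up + lo + dg for up, lo, dg in product(
        string.ascii_uppercase, string.ascii_lowercase, string.digits))
    return "".join(triples)[:length]


def pattern_offset(query, length: int = 1400) -> int:
    """Offset of the EIP value inside the pattern, or -1 if not found.

    `query` is either the 4 ASCII characters seen in EIP ("6Ab7") or the
    register value as an int (0x37624136, a constructed sample), which is
    unpacked as a little-endian DWORD the way msf-pattern_offset does.
    """
    if isinstance(query, int):
        query = struct.pack("<I", query).decode("ascii")
    return pattern_create(length).find(query)


def badchars(exclude=(0x00,)) -> bytes:
    """All bytes 0x00-0xff minus those already known to be bad (NUL by default)."""
    return bytes(b for b in range(256) if b not in exclude)


def first_mangled(sent: bytes, observed: bytes):
    """Compare the sent bad-char buffer with the bytes read back from the
    crashed process.  Returns (index, sent_byte, observed_byte) for the
    first mismatch, observed_byte=None if the buffer was truncated there,
    or None when every byte survived intact."""
    for i, (s, o) in enumerate(zip(sent, observed)):
        if s != o:
            return i, s, o
    if len(observed) < len(sent):
        return len(observed), sent[len(observed)], None
    return None
```

Rerun badchars() with each newly found byte added to `exclude` until first_mangled() returns None.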

pwntools documentation: http://docs.pwntools.com/en/stable/index.html; an example of its use: https://www.megabeets.net/a-journey-into-radare-2-part-2/.

⛔ïļ I was getting the following error when trying to install the framework on my workstation: Error: Failure while executing; /bin/ln -h -f -s -- /opt/metasploit-framework/bin/msfvenom /opt/homebrew/bin/msfvenom was terminated by uncaught signal KILL.. I could not understand what I was doing wrong, but it turned out that this is CS Falcon’s handiwork.

Scanning for SAMBA shares

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.3.97

# access the share
smbclient //<ip>/<sharename>
# when prompted for a password, try hitting Enter (in case there is no password)

# download all the files recursively
smbget -R smb://<ip>/anonymous

RPC

rpcbind is just a server that maps remote procedure call (RPC) program numbers to universal addresses. When an RPC service starts, it tells rpcbind the address on which it is listening and the RPC program number it is prepared to serve.

nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.3.97

🧰 Toolkit

References

Hacking: The Art of Exploitation

https://www.udemy.com/course/introduction-to-exploitzero-day-discovery-and-development/learn/lecture/17856092#overview