Concept:
- Exploit is a piece of Software Code written to take advantage of bugs is an application or software. Exploits consist of payload and a piece of code to inject the payload in to Vulnerable Application.
Purpose:
- The main purpose is to get Access of the system and control the System. However, it is not necessary that every Vulnerability will results in the Target being Compromise. It can range from anything between DOS (Denial of Service) i.e. Making the Application Crash to Code Execution.
Prerequisites for Exploit Writing:
- Understanding of any programming languages and
- Knowledge of Memory Management and addressing.
- Assembly Language mnemonics
- Assembly Language opcodes
- Stacks
- Heap
- Buffer
- Reference and pointers
- Registers
Types of Exploits:
Exploits are generally categorized using the following criteria:
- The type of Flaw which is taken advantage of, such as BOF or Dangling Pointer.
- Remote or Local – Remote Exploits refer to vulnerabilities which can be exploited from a Network, remotely while local exploits need to be executed on the same machine. RCE are more critical and important then Local Exploits, since user interaction is almost removed.
- The result of the exploit (Privilege Escalation, DoS, RCE, etc...)
Stack Based Exploits:
- Stack based Exploits exploit stack based buffer overflow, which occurs when Data more than the Stack space has been filled out.
- Attackers may manage to push some malicious code on the stack which may redirect the flow of the program and execute the malicious program which the attacker wants to execute (This is done by overwriting the return pointer so that the flow of control can be passed to malicious code).
Here you can see if the user enter some lengthy data in buffer2 then the whole stack can be overflowed in such a way that the buffer1, SFP, and finally RET overwrite and RET or Return pointer will also be overwritten with the data.
Stack Based Overflow: Example.c
Int add()
{
char buffer1[5];
char buffer2[10];
}
Int main()
{
int x;
x=1;
add(10,20,30);
x=1;
printf(“The Value of X: %d”, x);
return 0;
}
- In computer, memory can only be addressed in multiples of the word size
- A word in our case is 4 bytes
char buffer1[5];
char buffer2[10];
char buffer3[12];
- Therefore buffer1 will not be allocated with 5 byte instead it will be allocated with 8 byte, because 5 byte can not accommodated in 1 word, but it can be in 2 word.
- Therefore buffer1[5] will be taking 2 words that is 8 bytes long and buffer2[10] will be taking 3 words that is 12 bytes, while Buffer3[12] will also take 3 words.
Heap Based Exploits:
- Heaps stores the data which is dynamically created with functions, such as malloc()
- As we know by now, heap is FIFO and it grows towards the higher memory address in the memory, when an attacker enters the data in heap, it overflows the adjacent data that is in the lower part of the heap.
- If any application takes an input from the user and copies it in the memory without checking it, a heap overflows may occur.
- And most of the times, it can also result in arbitrary code execution, due to the data entered by the attacker, resulting in compromising the application and the system.
Format String Exploits:
- Format String Exploits are used to crash a software or to execute a malicious code. This attack is possible because the user input is filtered as a format string parameter in certain C functions that perform formatting, such as printf(). A malicious user may use the %s and %x format tokens, among others, to print data from the stack or possibly other locations in memory.
Integer Bug Exploits:
- Integer bugs are exploited by passing an oversized integer to a integer variable. It may cause overwriting of valid program control data resulting in execution of malicious codes.
- Integer bugs are very often found and exploited.
Attack Methodologies:
Remote Exploit
- Remote exploits are those exploits which can be executed on the remote system for example a FTP server taking a malicious input from a client machine resulting into a buffer overflow which gives access to whole server.
- Remote exploits tends to exploit the services running on the system to gain access to systems. They are generally non-root and not the SYSTEM services
- Remote exploits are carried out over a network (remotely).
Local Exploit
- Local exploits are those exploits which can only be executed on the local machine where the vulnerability has been found and can not be mutated to a remote exploit.
- Local exploits usually exist in the applications that are locally installed on the System and results in privileges escalation.
Steps for Writing an Exploit:
- First of all, Identify and analyze application for any vulnerability.
- Attach it with a debugger and try to see if you are able to overwrite the return value or not, by giving some input to the Vulnerable Application.
- If You do succeed, then try to automate this process by using any scripting language like Perl or Python to make your work easier.
- Try to find an address from the DLL’s that are loaded in the ram where you can inject the Shellcode and redirect the execution flow to this address.
Shellcodes
- Shellcodes are set of instruction which uses system calls and are used by exploits for carrying out some actions on clients machines.
- Shellcodes are executed after a vulnerability is exploited, and they are working machine instructions in a character array within an exploit source code.
- Shellcodes are very operating system dependent, as we have different system calls in different operating system, Even in windows itself, different service packs involved different system calls, it means a shellcode written for SP2 may be not be executed in SP3.
- Shellcodes are machine instruction which are used to directly processed by the desired instruction at memory location.
NULL Byte
- Shell functions are usually injected via string functions such as read(), sprintf() and strcpy() and most of string functions expect NULL byte termination.
- If in case you have created a Shellcode using system call numbers and opcodes, then next thing you need to do is to look for null bytes and remove them from your shellcode, otherwise your shellcode becomes unusable.
- Null byte in shellcodes looks like “\0x00”.
- It is important to make sure that your Shellcode does not contain any null bytes because if in case your exploits become successful and your null byte contained Shellcode executes, it will give you no results at all.
Types of Shellcodes:
- Remote Shellcodes
- Download and execute
- Staged
- Egg Hunt
- Omelet
- Local Shellcodes
- Execve Shellcode
- Setuid Shellcode
- Chroot Shellcode
- Windows shellcode
Steps for writing Shellcode:
- Write the code in assembly language or in C language and disassemble it using Gdb or Ollydbg.
- Get the argument (args) and syscall ID’s from long list of syscall ID’s for the operating system you are targetting the shellcode for.
- Convert the assembly codes in to opcodes and eliminate null bytes from it.
- Compile it and Execute
- Now, Inject the running code into the previous working exploit to check if its working or not.
Introduction to MetaSploit Framework:
The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research.