Exploitation 101
Dino Dai Zovi's Memory Corruption 101. Performed completely off-the-cuff on Windows 2000.
Your assignment is to write an exploit for homework.exe on Windows 2000 using the attached shellcode. The shellcode is provided as a Ruby string, but an exploit written in any language is acceptable (Perl, Python, C, etc.).
Reading Material
- The demo.exe binary and its source code
- Advanced Windows Buffer Overflows (AWBOs)
- Guide to the AWBOs
- MS08-067 - Sourcefire Vulnerability Research Team Report
A video I made that shows basic debugging for exploit development with a vulnerability in WarFTPD 1.65.
Exploitation 102
Exploit mitigations, shellcoding, and Metasploit with Dino Dai Zovi.
- Slides (start at slide 25)
As mentioned in the video, the homework for this week is to turn your exploit for homework.exe into a Metasploit module. The best documentation for Metasploit is online, and it is probably easiest to find a sample exploit and work from there. The Metasploit wikibook has a page on writing Windows exploits that is a good place to start. Keep in mind, though, that the exploit in the wikibook uses the send_cmd function, which is FTP-specific; you will want to use sock.put instead.
For some good examples, look at the following modules included with Metasploit:
- modules/exploits/windows/lpd/niprint.rb
- modules/exploits/windows/proxy/ccproxy_telnet_ping.rb
As a final note, the instructors strongly suggest that you launch your Metasploit exploits from Linux, OSX, or Cygwin on Windows (essentially, anything but the Windows installer).
Reading Material
- A collection of win32 shellcode
- Win32 Assembly Components by LSD
- UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes by LSD
- Return-Oriented Programming: Exploits Without Code Injection
- Attacking the Core: Kernel Exploiting Notes
- Offensive Security's Metasploit Unleashed open course
If you passed this section with ease and understand most of the reading material above, you might want to try taking Immunity's Network Offense Professional certification. Good luck!