
Exploitation 101

Lecture

Homework

Exploit the vulnerability in homework-re-fall2011-v2.exe, which is a simple server very similar to the demo.exe from class.

Submit your answers to the following tasks:

1. Write a script to trigger the vulnerability and set EIP to a chosen value. Describe the format of the attack string that you used to trigger the vulnerability. For example, the attack string from the demo could be described as: [ 69 bytes of space ] [ EIP ]

2. Attach WinDbg to homework.exe and trigger the vulnerability. Use the !exploitable extension to analyze the crash. To do this, enter the commands below in the WinDbg command window after WinDbg has reported the exception (crash):

0:001> .load msec
0:001> !exploitable

Document the exception output from WinDbg (where it shows the values of the registers) and the output of the !exploitable command.

3. Write a complete exploit for homework.exe. You will need to find a suitable jump address with WinDbg, Immunity Debugger, or msfpescan. You should use the attached payload (in Ruby). You can write it in any language, but I'd recommend trying to use Ruby because the next homework will include converting your exploit to a Metasploit exploit module.

The homework deliverable is a Ruby script, just like demo_exploit.rb, that exploits homework.exe to bind a cmd.exe shell to TCP port 4444 (the payload included in payload.rb does this). Make sure that your return address is one that you chose randomly from the thousands of possible ones that you can find with WinDbg or Immunity Debugger. We don't want to see any duplicates in the submitted homework, and definitely none with the return address used in demo_exploit.rb.

Required Reading