----------- ############### # Day 1: Python Fundamentals & File Parsing with Python # ############### -----------

                            #########################################################

#####################

# Installing Python #

https://www.python.org/downloads/

https://www.python.org/ftp/python/3.7.3/python-3.7.3-webinstall.exe

---------------------------Type This-----------------------------------

Debian/Ubuntu:		sudo apt-get install -y python

RHEL/CentOS/Fedora:	sudo yum install -y python 

After you install Python in Linux the next thing that you will need to do is install idle. 

---------------------------Type This-----------------------------------

-----------------------------------------------------------------------

Open IDLE, and let's just dive right in.

- I prefer to use Putty to SSH into my Linux host.

- You can download Putty from here:

- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into putty

Host Name:          108.61.216.188

protocol:           ssh

port:               22

username:           usn

password:           norway!cybersecurity!    

####################################

# Python Lesson 1: Simple Printing #

####################################

---------------------------Type This-----------------------------------

$ python3

>>> print ("Today we are learning Python.")

>>> exit()

-----------------------------------------------------------------------

############################################

# Python Lesson 2: Simple Numbers and Math #

############################################

---------------------------Type This-----------------------------------

$ python3

>>> 2+2

>>> 6-3

>>> 18/7

>>> 18.0/7

>>> 18/7

>>> 9%4

1

>>> 8%4

0

>>> 8.75%.5

>>> 6.*7

>>> 7*7*7

>>> 7**3

>>> 5**12

>>> -5**4

>>> exit()

-----------------------------------------------------------------------

##############################

# Python Lesson 3: Variables #

##############################

---------------------------Type This-----------------------------------

$ python3

>>> x=18

>>> x+15

>>> x**3

>>> y=54

>>> g=int(input("Enter number here: "))

Enter number here: 43

>>> g

>>> g+32

>>> g**3

>>> exit()

-----------------------------------------------------------------------

##########################################

# Python Lesson 4: Modules and Functions #

##########################################

---------------------------Type This-----------------------------------

$ python3

>>> 5**4

>>> pow(5,4)

>>> abs(-18)

>>> abs(5)

>>> floor(18.7)

>>> import math

>>> math.floor(18.7)

>>> math.ceil(18.7)

>>> math.sqrt(81)

>>> joe = math.sqrt

>>> joe(9)

>>> joe=math.floor

>>> joe(19.8)

>>> exit()

-----------------------------------------------------------------------

############################

# Python Lesson 5: Strings #

############################

---------------------------Type This-----------------------------------

$ python3

>>> "XSS"

>>> 'SQLi'

>>> "Joe's a python lover"

>>> "Joe said \"InfoSec is fun\" to me"

>>> a = "Joe"

>>> b = "McCray"

>>> a, b

>>> a+b

>>> exit()

-----------------------------------------------------------------------

#################################

# Python Lesson 6: More Strings #

#################################

---------------------------Type This-----------------------------------

$ python3

>>> num = 10

>>> num + 2

>>> "The number of open ports found on this system is ",  num

>>> num = str(18)

>>> "There are ", num, " vulnerabilities found in this environment."

>>> num2 = 46

>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is ", + num2

>>> exit()

-----------------------------------------------------------------------

########################################

# Python Lesson 7: Sequences and Lists #

########################################

---------------------------Type This-----------------------------------

$ python3

>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks

['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks[3]

'SQL Injection'

>>> attacks[-2]

'Cross-Site Scripting'

>>> exit()

------------------------------- Summary of fundamentals -------------------------------

Joe rule #1 single quote, single quote, left arrow

--------------------------------------------------

'' <-- as soon as you type '', then hit your left arrow key to put you inside of the '' 

"" <-- as soon as you type "", then hit your left arrow key to put you inside of the ""

something()	<-- as soon as you type (), then hit your left arrow key to put you inside of the ()

something[] <-- as soon as you type [], then hit your left arrow key to put you inside of the []

something{} <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}

-- Now kick it up a notch

[]	<-- as soon as you type [], then hit your left arrow key to put you inside of the []

[()] <-- as soon as you type (), then hit your left arrow key to put you inside of the ()

[({})] <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}

[({"''"})] <-- as soon as you type "", then hit your left arrow key to put you inside of the "" 

[({"''"})] <-- as soon as you type '', then hit your left arrow key to put you inside of the '' 		

Joe rule #2 "Code can only do 3 things"

--------------------------------------

Process		- 	read, write, math

Decision	- 	if/then

Loop		- 	for

Joe rule #3 "Never more than 5-10"

---------------------------------

-----5 lines of code----

line 1 blah blah blah

line 2 blah blah blah

line 3 blah blah blah

line 4 blah blah blah

line 5 blah blah blah

	sales_tax	= 	price		* 	tax_rate

	0.80		=	10		*	0.08

-----5-10 lines of code---- = function

	price = 10

	def st():

		sales_tax = price * 0.08

		print(sales_tax)

st(10) <---- how to run a function

-----5-10 functions ---- = class   "tax class"

st()

lt()

pt()

it()

dt()

tax.st()

tax.lt()

-----5-10 functions ---- = class   "expense class"

gas()

elec()

water()

food()

beer()

expense.gas()

-----5-10 classes ---- = module   "finance module"

import finance

------------------------------- Summary of fundamentals ------------------------------- 

##################################

# Lesson 8: Intro to Log Analysis #

##################################

Log into your Linux host then execute the following commands:

-----------------------------------------------------------------------

NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt.

---------------------------Type This-----------------------------------

mkdir yourname          <---- Use your actual first name (all lowercase and no spaces) instead of the word yourname

cd yourname

wget http://pastebin.com/raw/85zZ5TZX

mv 85zZ5TZX access_log

cat access_log | grep 141.101.80.188

cat access_log | grep 141.101.80.188 | wc -l

cat access_log | grep 141.101.80.187

cat access_log | grep 141.101.80.187 | wc -l

cat access_log | grep 108.162.216.204

cat access_log | grep 108.162.216.204 | wc -l

cat access_log | grep 173.245.53.160

cat access_log | grep 173.245.53.160 | wc -l

----------------------------------------------------------------------

###############################################################

# Python Lesson 9: Use Python to read in a file line by line  #

###############################################################

---------------------------Type This-----------------------------------

nano logread1.py

---------------------------Paste This-----------------------------------

## Open the file with read only permit

f = open('access_log', "r")

## use readlines to read all lines in the file

## The variable "lines" is a list containing all lines

lines = f.readlines()

print (lines)

## close the file after reading the lines.

f.close()

----------------------------------------------------------------------

---------------------------Type This-----------------------------------

$ python3 logread1.py

----------------------------------------------------------------------

Google the following:

    - python difference between readlines and readline

    - python readlines and readline

Here is one student's solution - can you please explain each line of this code to me?

---------------------------Type This-----------------------------------

nano ip_search.py

---------------------------Paste This-----------------------------------

#!/usr/bin/env python3

f = open('access_log')

strUsrinput = input("Enter IP Address: ")

for line in iter(f):

   ip = line.split(" - ")[0]

   if ip == strUsrinput:

       print (line)

f.close()

----------------------------------------------------------------------

---------------------------Type This-----------------------------------

$ python3 ip_search.py

----------------------------------------------------------------------

Working with another student after class we came up with another solution:

---------------------------Type This-----------------------------------

nano ip_search2.py

---------------------------Paste This-----------------------------------

#!/usr/bin/env python3

# This line opens the log file

f=open('access_log',"r")

# This line takes each line in the log file and stores it as an element in the list

lines = f.readlines()

# This lines stores the IP that the user types as a var called userinput

userinput = input("Enter the IP you want to search for: ")

# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.

for ip in lines:

   if ip.find(userinput) != -1:

       print (ip)

----------------------------------------------------------------------

---------------------------Type This-----------------------------------

$ python3 ip_search2.py

----------------------------------------------------------------------

################################

# Lesson 10: Parsing CSV Files #

################################

Type the following commands:

---------------------------------------------------------------------------------------------------------

---------------------------Type This-----------------------------------

wget http://45.63.104.73/class_nessus.csv

----------------------------------------------------------------------

Example 1 - Reading CSV files

-----------------------------

#To be able to read csv formated files, we will first have to import the

#csv module.

---------------------------Type This-----------------------------------

$ python3

f = open('class_nessus.csv', 'r')

for row in f:

   print (row)

----------------------------------------------------------------------

Example 2 - Reading CSV files

-----------------------------

---------------------------Type This-----------------------------------

nano readcsv.py

---------------------------Paste This-----------------------------------

#!/usr/bin/env python3

f = open('class_nessus.csv', 'r')      # opens the csv file

try:

    for row in f:           			# iterates the rows of the file in orders

        print (row)             		# prints each row

finally:

    f.close()               			# closing

----------------------------------------------------------------------

Ok, now let's run this thing.

--------------------------Type This-----------------------------------

$ python3 readcsv.py

----------------------------------------------------------------------

Example 3 - - Reading CSV files

-------------------------------

---------------------------Type This-----------------------------------

nano readcsv2.py

---------------------------Paste This-----------------------------------

#!/usr/bin/python3

# This program will then read it and displays its contents.

import csv

ifile  = open('class_nessus.csv', "r")

reader = csv.reader(ifile)

rownum = 0

for row in reader:

    # Save header row.

    if rownum == 0:

        header = row

    else:

        colnum = 0

        for col in row:

            print ('%-8s: %s' % (header[colnum], col))

            colnum += 1

    rownum += 1

ifile.close()

----------------------------------------------------------------------

---------------------------Type This-----------------------------------

$ python3 readcsv2.py | less

----------------------------------------------------------------------

---------------------------Type This-----------------------------------

nano readcsv3.py

---------------------------Paste This-----------------------------------

#!/usr/bin/python3

import csv

f = open('class_nessus.csv', 'r')

try:

    rownum = 0

    reader = csv.reader(f)

    for row in reader:

         #Save header row.

        if rownum == 0:

            header = row

        else:

            colnum = 0

            if row[3].lower() == 'high':

                print ('%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]))

        rownum += 1

finally:

    f.close()

-----------------------------------------------------------------------

---------------------------Type This-----------------------------------

$ python3 readcsv3.py | less

-----------------------------------------------------------------------

---------------------------Type This-----------------------------------

nano readcsv4.py

-----------------------------------------------------------------------

---------------------------Paste This-----------------------------------

#!/usr/bin/python3

import csv

f = open('class_nessus.csv', 'r')

try:

    print ('/---------------------------------------------------/')

    rownum = 0

    hosts = {}

    reader = csv.reader(f)

    for row in reader:

        # Save header row.

        if rownum == 0:

            header = row

        else:

            colnum = 0

            if row[3].lower() == 'high' and row[4] not in hosts:

                hosts[row[4]] = row[4]

                print ('%-1s: %s     %-1s: %s     %-1s: %s     %-1s: %s' % (header[3], row[3],header[4], row[4],header[5], row[5],header[6], row[6]))

        rownum += 1

finally:

    f.close()

----------------------------------------------------------------------

$ python3 readcsv4.py | less

----------------------------------------------------------------------

                            #######################################

----------- ############### # Day 1: Malware analysis with Python # ############### -----------

                            #######################################

Here is the information to put into putty

Host Name:          108.61.216.188

protocol:           ssh

port:               22

username:           usn

password:           norway!cybersecurity!    

cd ~/yourname

wget http://45.63.104.73/wannacry.zip

unzip wannacray.zip

     **** password is infected ***

file wannacry.exe 

objdump -x wannacry.exe

strings wannacry.exe

strings --all wannacry.exe | head -n 6

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list

-------------------------------------------------------------------------------------------

Indicators of Compromise (IoC)

-----------------------------

1. Modify the filesystem

2. Modify the registry			- ADVAPI32.dll (persistance)

3. Modify processes/services

4. Connect to the network		- WS2_32.dll

if you can't detect a registry change across 5% of your network

EDR Solution

------------

1. Static Analysis	<----------------------------------------- Cloud based static analysis

Learn everything I can without actually running the file

	- Modify FS						- File integrity checker

	- Modify registry

	- Modify processes/services

	- Connect to the network

2. Dynamic Analysis

Runs the file in a VM/Sandbox

################

# The Scenario #

################

You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).

The fastest thing you can do is perform static analysis.

Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomeware analysis"

Reference

https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -

Strings:

$s1 = “Ooops, your files have been encrypted!” wide ascii nocase

$s2 = “Wanna Decryptor” wide ascii nocase

$s3 = “.wcry” wide ascii nocase

$s4 = “WANNACRY” wide ascii nocase

$s5 = “WANACRY!” wide ascii nocase

$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase

Ok, let's look for the individual strings

---------------------------Type This-----------------------------------

strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....

-----------------------------------------------------------------------

####################################

Decided to make my own script for this kind of stuff in the future. 

---------------------------Type This-----------------------------------

cp ../am.py .

----------------------------------------------------------------------- 

This is a really good script for the basics of static analysis

Reference:

https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

---------------------------Type This-----------------------------------

python3 am.py wannacry.exe

-----------------------------------------------------------------------

##############

# Class task #

##############

Go to these websites: 

https://joesecurity.org/joe-sandbox-reports

https://github.com/Yara-Rules/rules

As a class you must do the following:

1. Come up with 3 types of attacks that you want to update my am.py script to look for

2. Identify the signatures that you think would be best for finding these types of attacks and why

3. Update the am.py script to accomplish this task

                            #################################

----------- ############### # Day 2: Software Exploitation  # ############### -----------

                            #################################

########################

# Scanning Methodology #

########################

- Ping Sweep

What's alive?

------------

---------------------------Type this command-----------------------------------

sudo nmap -sP 157.166.226.*

-------------------------------------------------------------------------------

    -if -SP yields no results try:

---------------------------Type this command-----------------------------------

sudo nmap -sL 157.166.226.*

-------------------------------------------------------------------------------

---------------------------Type this command-----------------------------------

- Port Scan

What's where?

------------

---------------------------Type this command-----------------------------------

-------------------------------------------------------------------------------

- Bannergrab/Version Query

What versions of software are running

-------------------------------------

---------------------------Type this command-----------------------------------

- Vulnerability Research

Lookup the banner versions for public exploits

https://www.exploit-db.com/search

http://securityfocus.com/bid

https://packetstormsecurity.com/files/tags/exploit/

Network Penetration Testing Process (known vulnerabilities)

-----------------------------------------------------------

1. Ping Sweep:

The purpose of this step is to identify live hosts

    nmap -sP <ip-address/ip-range>

2. Port Scan

    nmap -sS <ip-address/ip-range>

3. Bannergrab

Identify the version of version of software running on each port

4. Vulnerability Research

Use the software version number to research and determine if it is out of date (vulnerable).

    exploit-db.com/search

#################### 

# Day 2 Class Task #

####################

As a class you must do the following:

1. Understand the logic of the shell script below

2. Verify that this shell script runs against the target network

3. Port this shell script to Python3

Some resources that you may find helpful are:

https://www.studytonight.com/network-programming-in-python/integrating-port-scanner-with-nmap

https://github.com/rikosintie/nmap-python

https://xael.org/pages/python-nmap-en.html

https://xael.org/pages/python-nmap-en.html

-----------------------------------------------------------------------

#!/bin/bash

#############################################

# Check to see if script is running as root #

#############################################

if [ "$EUID" -ne 0 ]

  then echo "Please run as root"

  exit

fi

####################################

# Check to see if gcc is installed #

####################################

file1="/usr/bin/gcc"

if [ -f "$file1" ]

then

    echo "$file is installed."

else

    echo "$file not found."

    echo Installing gcc

    apt-get install -y gcc

    clear

fi

########################

# Make the directories #

cd /tmp

rm -rf customerAudit/

mkdir -p /tmp/NetworkAudit/scan/telnet/

file2="/bin/propecia"

if [ -f "$file2" ]

then

    echo "$file is installed."

    clear

else

    echo "$file not found."

    echo Installing propecia

    cd /tmp

    gcc propecia.c -o propecia

    cp propecia /bin

fi

######################

# Find Windows Hosts #

######################

clear

echo "Scanning for windows hosts."

clear

echo "Done scanning for windows hosts. FTP is next."

propecia 172.31.2 21 >> /tmp/NetworkAudit/discovered_services/ftp_hosts

#####################

propecia 172.31.2 23 >> /tmp/NetworkAudit/discovered_services/telnet_hosts

clear

echo "Done scanning for Telnet hosts. HTTP is next."

###################

# Find HTTP Hosts #

###################

echo "Scanning for hosts running HTTP"

propecia 172.31.2 80 >> /tmp/NetworkAudit/discovered_services/http_hosts

clear

###################

# Find HTTPS Hosts #

###################

echo "Scanning for hosts running HTTP"

clear

##################

# Find Databases #

##################

propecia 172.31.2 1433 >> /tmp/NetworkAudit/discovered_services/mssql_hosts

propecia 172.31.2 1521 >> /tmp/NetworkAudit/discovered_services/oracle_hosts

propecia 172.31.2 5432 >> /tmp/NetworkAudit/discovered_services/postgres_hosts

propecia 172.31.2 27017 >> /tmp/NetworkAudit/discovered_services/mongodb_hosts

clear

propecia 172.31.2 3306 >> /tmp/NetworkAudit/discovered_services/mysql_hosts

echo "Done doing the host discovery. Moving on to nmap'ing each host discovered. Windows hosts are first."

###############################

# Ok, let's do the NMAP files #

clear

for x in `cat /tmp/NetworkAudit/discovered_services/windows_hosts` ; do nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect $x > /tmp/NetworkAudit/scan/windows/$x ; done

# FTP

for x in `cat /tmp/NetworkAudit/discovered_services/ftp_hosts` ; do nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor $x > /tmp/NetworkAudit/scan/ftp/$x ; done

echo "Done with FTP."

clear

# SSH

clear

# SUNRPC

for x in `cat /tmp/NetworkAudit/discovered_services/sunrpc_hosts` ; do nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo $x > /tmp/NetworkAudit/scan/sunrpc/$x ; done

echo "Done with SunRPC."

# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py

# as a good reference for what nmap nse scripts to run against port 80 and 443

# echo "Done with HTTP."

# HTTP Fix this...maybe use https://github.com/jmortega/europython_ethical_hacking/blob/master/NmapScannerAsync.py

# for x in `cat /tmp/NetworkAudit/discovered_services/https_hosts` ; do nmap -sV -O --script-args=unsafe=1 --script-args=unsafe  --script "auth,brute,discovery,exploit,external,fuzzer,intrusive,malware,safe,version,vuln and not(http-slowloris or http-brute or http-enum or http-form-fuzzer)" $x > /tmp/NetworkAudit/scan/http/$x ; done

clear

for x in `cat /tmp/NetworkAudit/discovered_services/mssql_hosts` ; do -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info $x > /tmp/NetworkAudit/scan/mssql_databases/$x ; done

# Oracle Servers

# for x in `cat /tmp/NetworkAudit/discovered_services/oracle_hosts` ; do nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt $x >> /tmp/NetworkAudit/scan/oracle_databases/$x ; done

# echo "Done with Oracle."

clear

# MongoDB

for x in `cat /tmp/NetworkAudit/discovered_services/mongodb_hosts` ; do nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info  $x > /tmp/NetworkAudit/scan/mongodb_databases/$x ; done

# MySQL Servers

for x in `cat /tmp/NetworkAudit/discovered_services/mysql_hosts` ; do nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables $x >> /tmp/NetworkAudit/scan/mysql_databases/$x ; done

echo "Done with MySQL."

# References:

# https://nmap.org/nsedoc/scripts/pgsql-brute.html

echo " "

clear

sleep 2

cd /tmp/NetworkAudit/scan/

ls

Skill Level 1. Run the scanners

-------------------------------

    Nexpose

    Qualys

    Retina

    Nessus              known vulnerabilities

    OpenVas

    Foundscan

    GFI LanGuard

-----------------------------------------------------------------------

    Linux->     dpkg -l

# Quick Stack Based Buffer Overflow #

http://45.63.104.73/ExploitLab.zip

- Extract the ExploitLab.zip file to your Desktop

- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:

---------------------------Type This-----------------------------------

--------------------------------------------------------------------------

- In the new command prompt window where you ran nc type:

- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts

- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py

- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.

- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py

- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py

- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)

- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py

- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242

6-jmp-esp.py

- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit

- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.

------------------------------

Skill Level 3. Identify unknown vulnerabilities

-----------------------------------------------

- App Type

------------

    Stand Alone             Client Server               Web App

                        ***(vulnerserver.exe)***

- Input TYpe

    FIle                    logical network port            Browser

    Keyboard

    Mouse

                        ***(9999)***

- Map & Fuzz app entry points:

------------------------------

    - Commands              ***(commands)***

    - Methods

    - Verbs

    - functions

    - subroutines

    - controllers

- Isolate the crash

-------------------

App seems to reliably crash at TRUN 2100

- Calculate the distance to EIP

-------------------------------

Distance to EIP is 2006

We found that EIP was populated with the value: 396F4338

396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern

An online tool that we can use for this is:

https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html

- Redirect Program Execution

----------------------------

A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.

We learned that we control EAX and ESP in script 2.

- Implement Shellcode

---------------------

There are only 2 things that can go wrong with shellcode:

- Not enough space

- Bad characters

#######################################################

# Open the following web links below as tabs          # 

# For each web link answer all of the questions below #

#######################################################

https://www.exploit-db.com/exploits/46762

https://www.exploit-db.com/exploits/46070

https://www.exploit-db.com/exploits/40713

https://www.exploit-db.com/exploits/46458

https://www.exploit-db.com/exploits/40712

https://www.exploit-db.com/exploits/40714

https://www.exploit-db.com/exploits/40680

https://www.exploit-db.com/exploits/40673

https://www.exploit-db.com/exploits/40681

https://www.exploit-db.com/exploits/37731

https://www.exploit-db.com/exploits/31254

https://www.exploit-db.com/exploits/31255

https://www.exploit-db.com/exploits/27703

https://www.exploit-db.com/exploits/27277

https://www.exploit-db.com/exploits/26495