exploitation
Jartim, Nov 27th, 2017
############################
# Exploit Development 2018 #
############################


#######################
# VMs for this course #
#######################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
username: workshop
password: password

https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts

You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).
Both images ship with the default credentials above and will be running a deliberately vulnerable service, so keep them on a host-only or otherwise isolated network.


#######################################################
# Files you may find helpful for learning Exploit Dev #
#######################################################
https://s3.amazonaws.com/secureninja/files/ExploitDevProcessDocs.zip


#####################################
# Quick Stack Based Buffer Overflow #
#####################################

- You can download everything you need for this exercise (except netcat) from the link below
https://s3.amazonaws.com/infosecaddictsfiles/ExploitLab.zip

- Extract this zip file to your Desktop

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:
nc localhost 9999

- In the new command prompt window where you ran nc, type:
HELP

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option "Edit with Notepad++" to read what it sends before running it

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note which command it was sending and the number of As it crashed on.

- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note the command and the number of As it crashed on; they should match the first run, otherwise the crash is not reliable enough to build on.

- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (0x41). EIP = 41414141 means the saved return address on the stack was overwritten by our data; ESP pointing into the As is what makes the JMP ESP in step 6 work.

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we saw EIP overwritten with 396F4338. x86 is little-endian, so the bytes sit in memory in the reverse order: 38 ('8'), 43 ('C'), 6F ('o'), 39 ('9')
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check that our calculation of the distance to EIP is correct by overwriting EIP with 42424242 (BBBB). If EIP reads exactly 42424242 and the As stop right before it, the offset is right; if it reads a mix of 41s and 42s, the count is off by that many bytes.

6-jmp-esp.py
- In this script we overwrite EIP with the address of a JMP ESP (6250AF11) inside of essfunc.dll. Before trusting the address, confirm in OllyDBG that the bytes at that address disassemble to JMP ESP (FF E4); a return address that does not land on that instruction will just crash differently.

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP, or copy it and paste the code into the host.


------------------------------

cd /home/infosecaddicts/toolz/metasploit/modules/exploits/windows/misc

vi vulnserv.rb (paste the code into this file)

cd ~/toolz/metasploit

./msfconsole

use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST CHANGEME-TO-YOUR-WIN7-IP
set RPORT 9999
exploit
-----------------------------------------------------------------------------------
Day 1 Homework:
Watch the following videos and take notes for questions tomorrow.

http://www.securitytube.net/video/1389
http://www.securitytube.net/video/1398
http://www.securitytube.net/video/1399

-----------------------------------------------------------------------------------------------------------------------

#########
# Day 2 #
#########
You can download the Secure Ninja courseware here:

Morning challenge:
Your task is to convert the SLMail 5.5 exploit (https://www.exploit-db.com/exploits/646) to the multiple script format used yesterday with vulnserver.

Day 2 Homework:
Watch the following videos and take notes for questions tomorrow.
http://www.securitytube.net/video/1406
http://www.securitytube.net/video/1407
http://www.securitytube.net/video/1408

-----------------------------------------------------------------------------------------------------------------------

#########
# Day 3 #
#########
You can download the Secure Ninja courseware here:

Morning challenge:
Your task is to convert the Easy File Sharing Web Server 7.2 exploit (https://www.exploit-db.com/exploits/39008/) to the multiple script format used with vulnserver and SLMail on your Windows 7 host machine.

NOTE: If you did the SLMail exploit on Windows XP yesterday, then please do it on Windows 7 today prior to doing the Easy File Sharing Web Server 7.2 exploit.

#########
# Day 4 #
#########
You can download the Secure Ninja courseware here:

Morning challenge:
Your task is to convert the Konica Minolta exploit (https://www.exploit-db.com/exploits/39215/, https://www.exploit-db.com/exploits/38252/, https://www.exploit-db.com/exploits/38254/) to the multiple script format used with vulnserver, SLMail, and Easy File Sharing Web Server 7.2 on your Windows 7 host machine.