Time
14 hours 26 minutes
Difficulty
Advanced
CEU/CPE
15

Video Description

This lesson covers network based exploits and de-buggers in Windows and focuses on a tool called the Immunity debugger. Participants receive step by step instructions on how to de-bug in a Windows environment. The lessons also discusses how to set up a socket using the python command.

Video Transcription

00:04
All right, let's work on our next example. This time it is going to be a network based exploiting our previous example. It was all local. There will be certainly local exploits if you continue and exploit development.
00:18
We saw some client side attacks.
00:22
We did that section something like Adobe Reader, Music Player Anything but is local local privilege escalation, for instance. But these next few are going to be network based. So, like many of the exploits we used in this class, we will
00:38
have something listening on the port that's vulnerable, and we will attack it over the network
00:43
for this example. We're going to use one of those x p and we'll have Callie
00:48
as our attacker.
00:49
So on X p, we actually need to make a possible change. So if we open up the example control panel we currently have filed Villa FTP running good and stop that.
01:00
Open up that port 21 key peopie for another FTP server.
01:07
You can close that up
01:11
and I want to go to the war. Ftp Fuller.
01:15
We have our were FTP programs here, so we actually want this
01:19
yellow thing that looks like part of a state. Really?
01:23
This is FT. Peters is the war F T P d demon. Open that up
01:30
and then click okay through the opening banner that says he wrote it
01:34
on dhe need to put this online by the fault. It is off line because it says down here.
01:42
So we would want hit this lightning bolt up here. There you go. Online. And sure enough, it's online. It's listening on the i p address of X p on 4 21
01:56
So what we want to do now, before we start exploiting it, is we want Thio like we did with G B. And the previous example we want took it up to a D bugger. There are
02:07
many different options, really. For de buggers and windows, probably the most powerful would be windy bugger when DVD, which is
02:15
a little bit, I think, more complicated than the one we're going to use. We're gonna use one that I like to use called immunity de bugger.
02:24
It is pretty powerful. It has its limitations. You can't do any colonel debugging with it. So in that case, we'd have to use when he bug. But I like you immunity de bugger when I have the option,
02:36
and I think it's especially nice for beginners. Fillets,
02:38
I have immunity. Bugger. It is this red, black and green three leaf clover
02:46
and it opens up a graphical window for us.
02:51
And so we want to attach to war. FT Piece will get to file
02:57
and attach.
03:00
I have a list of our processes,
03:02
so we want war ftp, easiness, *** listening on TCP Port 20 ones. We look at the listening column we could see for 21. Here
03:15
we can click attach,
03:17
and we see that attaches to the process. And it's Paul is a DVD breakpoint. Basically, it pauses when they d. Bugger attach is
03:28
so what we want to do
03:30
is the play button up here to tell it to continue. The program will run so we can attack it.
03:38
Now it's running that down here at the bottom, right,
03:44
going to make the CPU when no bigger maximized it, I can
03:49
make the thought bigger.
03:51
I typically don't make it bigger than it starts to, like run off the screen,
03:55
but you can make it bigger. If you go to options and appearance
04:00
Fonz, you could make it bigger?
04:05
No, much bigger, really. But you can make it bigger. Like if I'm teaching in front of the class. I typically do,
04:13
but you could make yours
04:15
bigger. So even stayed on your screen senses this recorded.
04:18
But you do have that option. You want to teach this yourself? It's kind of worth knowing that it looks microscopic going projector.
04:28
All right, so this is running and we are hooked up to the D bugger. And I made the CPU window maximized. I have four pains here.
04:35
Go to different windows. You could go to view, thanks to file.
04:41
And we will see some of these other views. We work through these examples. Some of them we won't say with the CPU when their their fault here.
04:51
So we have our CPU here at the top. Left top, right. We'll have our registers. You have a sec at GTX,
05:01
and we have our dunk
05:03
here at the bottom. Left and bottom. Right. We have our stack.
05:09
All right. So, actually, we need some sort of exploit here for war. STP We pop over to Callie.
05:15
You look at the materials that are included with the course. I do have some exploit skeletons. We don't have to know much python for this class. We did, of course, cover a bit of python previously on our
05:29
third model,
05:30
but I gave me the exploits skeleton. So this is just war ftp scale that pie. And as you can see, I copied it onto Kelly's death top so you can download that file is included with the course.
05:43
This has the basic python code
05:45
so we can focus on trying to build our exploits, trying
05:49
my change directories to death. Stop
05:53
on DDE.
05:55
The cat war FTP scaled up high,
05:59
but first we have usually been Python tells it to execute Python interpreter
06:04
were imported
06:06
socket. That's going to be a pipe on library
06:11
that the name implies that's up a network socket
06:15
with the buffers are variable named buffer equals a times 1100
06:21
s Socket that socket blah, bitty blah. So that's just how you set up a socket and pipe on You're not familiar with it. You could basically just google it
06:32
how to set up
06:33
structures like this in different programming languages.
06:38
Not really something you need to memorize in your head. You can always look it up. Of course. That's probably what I did when I first read this.
06:46
I kill it to connect the dots. Connect. We are going to have to change this I p address to the i p address of your ex machine. So I will look up mine, of course. And yours may be different.
06:57
And port 21 that is the
07:00
TCP ports for FTP.
07:04
We
07:05
put out a response if we receive one. When we send
07:10
the correct syntax for
07:13
giving the user name to an FTP server, Does this user space whatever our user name is and then hit, Enter So
07:21
flush our slush in back, Sarge are
07:26
and her username is buffer. Remember, buffers eight times 1100.
07:31
They're basically giving it a really long user and probably much longer than the developers expected. He would want to type in the user name that long, But that's generally how exploit development goes. We give it unexpected input that the developer
07:47
no was coming and possibly make the program do something strange
07:54
again. We print a response. If we were C one and then just to finish the log in, would you pass
08:01
based on then the password.
08:05
And
08:07
obviously there is no use your call eight times 1100. So we just need some passwords. I just gave it a password.
08:13
All upper case is the password
08:16
and the way close the socket. So we just need to make it Take our user name and password and try and process it in order to get the vulnerability
08:24
trigger.
08:28
So if you copy this onto the desktop, you may have to do a C H plus X. Of course,
08:33
you make it extra cute. Herbal
08:37
on. We didn't need to change that. I p address
08:39
use nano.
08:41
And what is my idea? Dress worth tp actually told me 192.18 That one. About 76 chain jurors to meet your environment accordingly.
08:56
That is the only change we need to make right off the bat. We leave at a time 1100 as our attacks during as our long user name. We'll make changes so that as we work through this example
09:09
again, we've got our simple source code here so we don't have to worry about
09:13
the nitty gritty of the python code. I encourage you to learn at least one programming language. Well, Python is used a lot
09:22
and information security. Ruby is also used a lot.
09:26
Not so much pearl. I used to write and pray all the time, but,
09:31
uh, not many people use it anymore. She's always a good one too. No, I encourage you to know a bit of lots of languages and at least a lot of one language. But
09:41
I don't really have to for exploit development. Honestly, just
09:45
basics is probably enough.
09:48
All right, let's go ahead and run this
09:52
not flash war FTP scaled up. I would want to give it any arguments we've heard coded our I p address in. We could instead take that as an argument if we wanted Thio.
10:03
We get printed out for the screen
10:07
are welcome banner that says, Please enter your user name which we d'oh
10:13
and it says use your name. Okay, Need password. And if we were called, we do send over the password and then close the socket So everything worked as expected from this side. But of course, what's really interesting is what happened over here.
10:28
So here we have our war ftp an immunity de bugger where we left it.
10:33
We left. It was running. Now, if we look down here at the bottom right, it is paused and says we gotta access violation while executing 41 41 41 41. While do we remember what 41 is in? Hacks
10:48
do a man asking
10:52
That'll tell us so hectic that small 41 if we've forgotten,
11:00
is going to be over here. And the second column
11:05
41 Big A. Just like in our previous example. So we sent at 1100 Big A's. So it looks like those big days, much like our previous example. They over right
11:18
that saved return address. We don't know what our functions or called or anything. At this point, we don't have any source code for this, but
11:24
chances are we overrode Summer save, save return address on When the function popped off, we tried to load that same return address. It was overwritten by some A's
11:35
and
11:37
41 41 41. 41 is not map to the process.
11:41
And it could be this no hard and fast rule that says 41 41 41 41 will always make it crash to continue an exploit development. No doubt you will find examples where it doesn't cry.
11:54
But for now it did in this example. So I tried to execute that that memory dress and crashed. Well, you see, there seemed to be a lot of 40 one's on our stack,
12:05
and it looks like we've got some 40 ones in some of our registers. Two e, s, P, E V P and E D. I. I'll have some A's in there.
12:15
So in our previous example, we could just look at our d bugger output. We could count. We need got 98 years to get to our return address, which is for but it's long so we could do eight times nine plus B Times floor. We don't really have that luxury here. We don't know
12:35
what a czar, which we have 1100 of them
12:37
to begin with, and we don't necessarily know that what's showing up in memory necessarily starts it a number one. It might. It might not.
12:46
I don't really know how it's being processed. There's some sort of log in functionality that's trying to check our user name and password, and it crashes at some point here, so we don't really know what's going on. You do some reverse engineering to try and figure it out, but the more advanced.
13:07
So we need some way to figure out which four aces are
13:11
so traditionally what one would. D'oh,
13:15
we go! Thio,
13:18
open up Note Pad here So you show it to you
13:24
traditionally, what one would d'oh! Who'd be break it into, like eight times? 500 plus
13:31
be times while 550. This is 1100
13:37
150 be times 550 restarted. Send this exploit string. And if it's ever written with
13:45
41 41 41 41 we know is in the first half. And if it's ever written with 42 42 42 42 we know it's in the second half to say it's in the first half than we would restart. Do eight times 225 plus
13:58
be times 225 and
14:01
see Time's 5 50 eggs. We know that the second part is not
14:07
where it is. So then you know we run it again, and if It was a sze wee nose in the first half. It was bees we know is in the second half and then say it's in the first half again. We'd split that in half the slowly but surely with lots of tedious work, narrow it down to the exact four bites,
14:26
which was tedious and boring, and I can't believe people did that. First of all, they did. Naturally, we have a better way of doing this. So that's what we will do in the next video is try and solve where exactly are
14:39
safer turn pointer over. It happens in the attacks during a swell up
14:43
where, exactly, we have control of these registers because they will come in handy as well. In our previous example, with Lennox, we just jumped to another function. But I mentioned that we're going to use shell code here that we're gonna generate with him as a venom. The more traditional way of doing exploit development.
15:01
So we'll need somewhere to put it. And it looks like controlling those registers might be a good place to start

Up Next

Advanced Penetration Testing

The Advanced Penetration Testing course teaches the cyber attack lifecycle from the perspective of an adversary. Become more familiar with the most widely used penetration-testing tools, manipulate network traffic, and perform web application attacks such as cross-site scripting and SQL injection.

Instructed By

Instructor Profile Image
Georgia Weidman
Founder and CTO at Shevirah and Bulb Security
Instructor