Exploit Development (part 7) Network Based Exploits and Debuggers

00:04

All right, let's work on our next example. This time it is going to be a network based exploiting our previous example. It was all local. There will be certainly local exploits if you continue and exploit development.

00:18

We saw some client side attacks.

00:22

We did that section something like Adobe Reader, Music Player Anything but is local local privilege escalation, for instance. But these next few are going to be network based. So, like many of the exploits we used in this class, we will

00:38

have something listening on the port that's vulnerable, and we will attack it over the network

00:43

for this example. We're going to use one of those x p and we'll have Callie

00:48

as our attacker.

00:49

So on X p, we actually need to make a possible change. So if we open up the example control panel we currently have filed Villa FTP running good and stop that.

01:00

Open up that port 21 key peopie for another FTP server.

01:07

You can close that up

01:11

and I want to go to the war. Ftp Fuller.

01:15

We have our were FTP programs here, so we actually want this

01:19

yellow thing that looks like part of a state. Really?

01:23

This is FT. Peters is the war F T P d demon. Open that up

01:30

and then click okay through the opening banner that says he wrote it

01:34

on dhe need to put this online by the fault. It is off line because it says down here.

01:42

So we would want hit this lightning bolt up here. There you go. Online. And sure enough, it's online. It's listening on the i p address of X p on 4 21

01:56

So what we want to do now, before we start exploiting it, is we want Thio like we did with G B. And the previous example we want took it up to a D bugger. There are

02:07

many different options, really. For de buggers and windows, probably the most powerful would be windy bugger when DVD, which is

02:15

a little bit, I think, more complicated than the one we're going to use. We're gonna use one that I like to use called immunity de bugger.

02:24

It is pretty powerful. It has its limitations. You can't do any colonel debugging with it. So in that case, we'd have to use when he bug. But I like you immunity de bugger when I have the option,

02:36

and I think it's especially nice for beginners. Fillets,

02:38

I have immunity. Bugger. It is this red, black and green three leaf clover

02:46

and it opens up a graphical window for us.

02:51

And so we want to attach to war. FT Piece will get to file

02:57

and attach.

03:00

I have a list of our processes,

03:02

so we want war ftp, easiness, *** listening on TCP Port 20 ones. We look at the listening column we could see for 21. Here

03:15

we can click attach,

03:17

and we see that attaches to the process. And it's Paul is a DVD breakpoint. Basically, it pauses when they d. Bugger attach is

03:28

so what we want to do

03:30

is the play button up here to tell it to continue. The program will run so we can attack it.

03:38

Now it's running that down here at the bottom, right,

03:44

going to make the CPU when no bigger maximized it, I can

03:49

make the thought bigger.

03:51

I typically don't make it bigger than it starts to, like run off the screen,

03:55

but you can make it bigger. If you go to options and appearance

04:00

Fonz, you could make it bigger?

04:05

No, much bigger, really. But you can make it bigger. Like if I'm teaching in front of the class. I typically do,

04:13

but you could make yours

04:15

bigger. So even stayed on your screen senses this recorded.

04:18

But you do have that option. You want to teach this yourself? It's kind of worth knowing that it looks microscopic going projector.

04:28

All right, so this is running and we are hooked up to the D bugger. And I made the CPU window maximized. I have four pains here.

04:35

Go to different windows. You could go to view, thanks to file.

04:41

And we will see some of these other views. We work through these examples. Some of them we won't say with the CPU when their their fault here.

04:51

So we have our CPU here at the top. Left top, right. We'll have our registers. You have a sec at GTX,

05:01

and we have our dunk

05:03

here at the bottom. Left and bottom. Right. We have our stack.

05:09

All right. So, actually, we need some sort of exploit here for war. STP We pop over to Callie.

05:15

You look at the materials that are included with the course. I do have some exploit skeletons. We don't have to know much python for this class. We did, of course, cover a bit of python previously on our

05:29

third model,

05:30

but I gave me the exploits skeleton. So this is just war ftp scale that pie. And as you can see, I copied it onto Kelly's death top so you can download that file is included with the course.

05:43

This has the basic python code

05:45

so we can focus on trying to build our exploits, trying

05:49

my change directories to death. Stop

05:53

on DDE.

05:55

The cat war FTP scaled up high,

05:59

but first we have usually been Python tells it to execute Python interpreter

06:04

were imported

06:06

socket. That's going to be a pipe on library

06:11

that the name implies that's up a network socket

06:15

with the buffers are variable named buffer equals a times 1100

06:21

s Socket that socket blah, bitty blah. So that's just how you set up a socket and pipe on You're not familiar with it. You could basically just google it

06:32

how to set up

06:33

structures like this in different programming languages.

06:38

Not really something you need to memorize in your head. You can always look it up. Of course. That's probably what I did when I first read this.

06:46

I kill it to connect the dots. Connect. We are going to have to change this I p address to the i p address of your ex machine. So I will look up mine, of course. And yours may be different.

06:57

And port 21 that is the

07:00

TCP ports for FTP.

07:04

We

07:05

put out a response if we receive one. When we send

07:10

the correct syntax for

07:13

giving the user name to an FTP server, Does this user space whatever our user name is and then hit, Enter So

07:21

flush our slush in back, Sarge are

07:26

and her username is buffer. Remember, buffers eight times 1100.

07:31

They're basically giving it a really long user and probably much longer than the developers expected. He would want to type in the user name that long, But that's generally how exploit development goes. We give it unexpected input that the developer

07:47

no was coming and possibly make the program do something strange

07:54

again. We print a response. If we were C one and then just to finish the log in, would you pass

08:01

based on then the password.

08:05

And

08:07

obviously there is no use your call eight times 1100. So we just need some passwords. I just gave it a password.

08:13

All upper case is the password

08:16

and the way close the socket. So we just need to make it Take our user name and password and try and process it in order to get the vulnerability

08:24

trigger.

08:28

So if you copy this onto the desktop, you may have to do a C H plus X. Of course,

08:33

you make it extra cute. Herbal

08:37

on. We didn't need to change that. I p address

08:39

use nano.

08:41

And what is my idea? Dress worth tp actually told me 192.18 That one. About 76 chain jurors to meet your environment accordingly.

08:56

That is the only change we need to make right off the bat. We leave at a time 1100 as our attacks during as our long user name. We'll make changes so that as we work through this example

09:09

again, we've got our simple source code here so we don't have to worry about

09:13

the nitty gritty of the python code. I encourage you to learn at least one programming language. Well, Python is used a lot

09:22

and information security. Ruby is also used a lot.

09:26

Not so much pearl. I used to write and pray all the time, but,

09:31

uh, not many people use it anymore. She's always a good one too. No, I encourage you to know a bit of lots of languages and at least a lot of one language. But

09:41

I don't really have to for exploit development. Honestly, just

09:45

basics is probably enough.

09:48

All right, let's go ahead and run this

09:52

not flash war FTP scaled up. I would want to give it any arguments we've heard coded our I p address in. We could instead take that as an argument if we wanted Thio.

10:03

We get printed out for the screen

10:07

are welcome banner that says, Please enter your user name which we d'oh

10:13

and it says use your name. Okay, Need password. And if we were called, we do send over the password and then close the socket So everything worked as expected from this side. But of course, what's really interesting is what happened over here.

10:28

So here we have our war ftp an immunity de bugger where we left it.

10:33

We left. It was running. Now, if we look down here at the bottom right, it is paused and says we gotta access violation while executing 41 41 41 41. While do we remember what 41 is in? Hacks

10:48

do a man asking

10:52

That'll tell us so hectic that small 41 if we've forgotten,

11:00

is going to be over here. And the second column

11:05

41 Big A. Just like in our previous example. So we sent at 1100 Big A's. So it looks like those big days, much like our previous example. They over right

11:18

that saved return address. We don't know what our functions or called or anything. At this point, we don't have any source code for this, but

11:24

chances are we overrode Summer save, save return address on When the function popped off, we tried to load that same return address. It was overwritten by some A's

11:35

and

11:37

41 41 41. 41 is not map to the process.

11:41

And it could be this no hard and fast rule that says 41 41 41 41 will always make it crash to continue an exploit development. No doubt you will find examples where it doesn't cry.

11:54

But for now it did in this example. So I tried to execute that that memory dress and crashed. Well, you see, there seemed to be a lot of 40 one's on our stack,

12:05

and it looks like we've got some 40 ones in some of our registers. Two e, s, P, E V P and E D. I. I'll have some A's in there.

12:15

So in our previous example, we could just look at our d bugger output. We could count. We need got 98 years to get to our return address, which is for but it's long so we could do eight times nine plus B Times floor. We don't really have that luxury here. We don't know

12:35

what a czar, which we have 1100 of them

12:37

to begin with, and we don't necessarily know that what's showing up in memory necessarily starts it a number one. It might. It might not.

12:46

I don't really know how it's being processed. There's some sort of log in functionality that's trying to check our user name and password, and it crashes at some point here, so we don't really know what's going on. You do some reverse engineering to try and figure it out, but the more advanced.

13:07

So we need some way to figure out which four aces are

13:11

so traditionally what one would. D'oh,

13:15

we go! Thio,

13:18

open up Note Pad here So you show it to you

13:24

traditionally, what one would d'oh! Who'd be break it into, like eight times? 500 plus

13:31

be times while 550. This is 1100

13:37

150 be times 550 restarted. Send this exploit string. And if it's ever written with

13:45

41 41 41 41 we know is in the first half. And if it's ever written with 42 42 42 42 we know it's in the second half to say it's in the first half than we would restart. Do eight times 225 plus

13:58

be times 225 and

14:01

see Time's 5 50 eggs. We know that the second part is not

14:07

where it is. So then you know we run it again, and if It was a sze wee nose in the first half. It was bees we know is in the second half and then say it's in the first half again. We'd split that in half the slowly but surely with lots of tedious work, narrow it down to the exact four bites,

14:26

which was tedious and boring, and I can't believe people did that. First of all, they did. Naturally, we have a better way of doing this. So that's what we will do in the next video is try and solve where exactly are

14:39

safer turn pointer over. It happens in the attacks during a swell up

14:43

where, exactly, we have control of these registers because they will come in handy as well. In our previous example, with Lennox, we just jumped to another function. But I mentioned that we're going to use shell code here that we're gonna generate with him as a venom. The more traditional way of doing exploit development.