- This topic has 4 replies, 4 voices, and was last updated 10 years ago by
.
-
Posts
-
-
Hello my name is guiltyfan and I will be needing some serious help today. for my uni coursework i need to write exploit for one of the holes in win xp sp3 i decided to chose MS08-067(i am working with clear instalation of sp3 no patches and no updates) my problem is i am not familiar with rpc methodology and dont have a clue how malicious rpc messege shold look like. i would apreciate any help in that matter. i dont want ready work or code itself since it should be learning process not copy/paste. i still have like 6 weeks so its plenty of time to learn this and that i just need a starting point and some guide lines. thanks for your time
ps. i am aware this hole has and exploit in metasploit but as i said its coursework and learning process.
-
First, familiarize yourself with the RPC protocol by reading the RFC that details that protocol. Also, you can look at existing exploit code and compare what is there to what a normal packet looks like after you read the RFC. If you dont want to look at the metasploit code, look at this python code http://downloads.securityfocus.com/vulnerabilities/exploits/31874.py
-
Developing my first exploit took me a total of 17 days, 17 days of pain
My first exploit took advantage of a BoF in a free FTP server, so was completely remote
I downloaded a vulnerable app from exploit-db.com, after that I completely ignored the original exploit and built my own fuzzer in python
I did everything manually to hopefully get me to truely understand every step that was happening
I knew about the theory behing a BoF exploit, but I’d never seen one nor had I used one, so I was completely in the dark here, but Google was there for me
The fuzzer that I made was taken from a few sources and I edited the code to suit my needs, and finally after my fuzzer was working as intended (I had to learn some python code) I managed to crash the application
The first stage took me only a few hours, but find EIP and ESP took much much longer, I think I spent 2 days on finding EIP as the random chars stuff to find out what bytes reside at EIP didn’t work for me, at the time I just did it manually, but I’m glad I did now as I feel that I truely understand the concepts behind stack based buffer overflows
-
It does have a Metasploit module. Have you tried reading the source to figure out what’s going on?
Theres a whole set of info on bypassing NX protection in the comments, as well as information about the handle you have to bind to as well as the type of dceprc call that triggers the vulnerability. I was currious what additional info was in the Metasploit module, and i just learned quite a bit about bypassing NX protection.
If you are going to be re-creating this in python, the Metasploit dcerpc library is pretty easy to decypher, so you can probably pull what you need from there. The RFCs are pretty helpful as well, but understanding how something works in theory and then looking at a protocol interaction in reality is often more helpful.
Hope this helps.
-
well first of all thanks for response.
@cd1zz i found that rfc and had a brief look it seams like a nice source of info i will read the whole thing tomorow in my lab sesion
@TheXero i have done some BoF before although it wasnt very successful i figured it would be trouble some and because i wasnt that intrested in hacking and exploit at that point of time i kind of skiped this part. now i see i was a fool 😛
@apollo just like rfc i will have a read in my lab sesion tomorow, and also i decided i would program it in ruby sincei have some previous experience with it.
thanks for help guys i really apreciate it. i might not replay to posts for next couple of days as i would like to get some practical done but if ever get stuck i will bug you again 😛
-
- You must be logged in to reply to this topic.
