
Help writing exploit


guiltyfan

Newbie

Posts: 2

Joined: Sat Feb 26, 2011 3:02 pm

Post Sun Feb 27, 2011 1:33 pm

Help writing exploit

Hello, my name is guiltyfan and I will be needing some serious help today. For my uni coursework I need to write an exploit for one of the holes in Win XP SP3. I decided to choose MS08-067 (I am working with a clean installation of SP3, no patches and no updates). My problem is I am not familiar with RPC methodology and don't have a clue how a malicious RPC message should look. I would appreciate any help in that matter. I don't want ready work or the code itself, since it should be a learning process, not copy/paste. I still have like 6 weeks, so it's plenty of time to learn this and that; I just need a starting point and some guidelines. Thanks for your time.

PS. I am aware this hole has an exploit in Metasploit, but as I said it's coursework and a learning process.

cd1zz


Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sun Feb 27, 2011 7:34 pm

Re: Help writing exploit

First, familiarize yourself with the RPC protocol by reading the RFC that details that protocol. Also, you can look at existing exploit code and compare what is there to what a normal packet looks like after you read the RFC. If you don't want to look at the Metasploit code, look at this Python code: http://downloads.securityfocus.com/vuln ... s/31874.py
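The packet structure cd1zz is pointing at, as an added example that is not part of the original post or of the linked exploit code: a Python builder and parser for the three DCE/RPC PDUs every MSRPC conversation starts with, the client's bind, the server's bind_ack and the first request. The field layout follows the DCE 1.1 RPC specification (Open Group C706, the "RFC" in question; there is no IETF RFC for it) as Microsoft's MS-RPCE uses it. The interface UUID SAMPLE_IFACE, the pipe name \PIPE\sample and the server reply produced by build_bind_ack are constructed for the demo and stand for no real Windows interface; the NDR transfer syntax UUID is the real, well-known constant. The point to take from it is where the interface UUID, its version and the transfer syntax sit inside the 72-byte bind, and that UUIDs go on the wire with their first three fields little-endian, so a bind built with the textual byte order is silently rejected.

```python
"""Build and parse the DCE/RPC connection-oriented PDUs that start every
MSRPC conversation: the client's bind, the server's bind_ack, and the first
request.  Field layout follows the DCE 1.1 RPC spec (C706) as used by
MS-RPCE.  Added illustration; the interface UUID and pipe name are made up."""
import struct
import uuid

PTYPE_REQUEST, PTYPE_BIND, PTYPE_BIND_ACK = 0, 11, 12
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
HDR = "<BBBBIHHI"            # the 16-byte common header
HDR_LEN = struct.calcsize(HDR)

# NDR transfer syntax v2 (a real, well-known constant).
NDR_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
NDR_VERSION = 2
# Constructed sample interface UUID for the demo; NOT any real Windows interface.
SAMPLE_IFACE = uuid.UUID("12345678-1234-abcd-ef00-0123456789ab")


def common_header(ptype, body_len, call_id):
    """Common header.  frag_length covers the whole PDU; auth_length 0 = no verifier."""
    return struct.pack(HDR, 5, 0, ptype, PFC_FIRST_FRAG | PFC_LAST_FRAG,
                       0x00000010,               # drep: little-endian, ASCII, IEEE float
                       HDR_LEN + body_len, 0, call_id)


def build_bind(iface, iface_ver=(1, 0), call_id=1, max_frag=4280):
    """Client bind offering one presentation context: `iface` over NDR.
    UUIDs are sent with their first three fields little-endian (uuid.bytes_le)."""
    ctx = struct.pack("<HBx", 0, 1)               # context id 0, one transfer syntax
    ctx += iface.bytes_le + struct.pack("<HH", *iface_ver)
    ctx += NDR_SYNTAX.bytes_le + struct.pack("<I", NDR_VERSION)
    body = struct.pack("<HHIBxxx", max_frag, max_frag, 0, 1) + ctx   # assoc_group 0, 1 ctx
    return common_header(PTYPE_BIND, len(body), call_id) + body


def build_bind_ack(sec_addr, accepted=True, max_frag=4280, assoc_group=0x1234):
    """Server reply, constructed here so the exchange can be shown offline."""
    addr = sec_addr + b"\x00"
    body = struct.pack("<HHIH", max_frag, max_frag, assoc_group, len(addr)) + addr
    body += b"\x00" * (-(HDR_LEN + len(body)) % 4)   # result list is 4-byte aligned
    result = 0 if accepted else 2                   # 0 = acceptance, 2 = provider_rejection
    body += struct.pack("<Bxxx", 1) + struct.pack("<HH", result, 0)
    body += NDR_SYNTAX.bytes_le + struct.pack("<I", NDR_VERSION)
    return common_header(PTYPE_BIND_ACK, len(body), 1) + body


def build_request(opnum, stub, call_id=2, ctx_id=0):
    """Request PDU: alloc_hint, context id, opnum, then the NDR-marshalled stub.
    The stub is where an operation's arguments live; here it is caller-supplied bytes."""
    body = struct.pack("<IHH", len(stub), ctx_id, opnum) + stub
    return common_header(PTYPE_REQUEST, len(body), call_id) + body


def parse_header(pdu):
    """Decode the common header; rejects the obviously malformed."""
    if len(pdu) < HDR_LEN:
        raise ValueError("short PDU")
    vers, vmin, ptype, flags, drep, frag_len, auth_len, call_id = struct.unpack_from(HDR, pdu)
    if vers != 5 or frag_len != len(pdu):
        raise ValueError("bad rpc_vers or frag_length")
    return {"ptype": ptype, "flags": flags, "frag_length": frag_len,
            "auth_length": auth_len, "call_id": call_id,
            "little_endian": (drep & 0x10) != 0}


def parse_bind_ack(pdu):
    """Pull assoc_group, secondary address and the first context result out of a bind_ack."""
    if parse_header(pdu)["ptype"] != PTYPE_BIND_ACK:
        raise ValueError("not a bind_ack")
    _, _, assoc_group, addr_len = struct.unpack_from("<HHIH", pdu, HDR_LEN)
    off = HDR_LEN + 10
    sec_addr = pdu[off:off + addr_len].rstrip(b"\x00").decode()
    off = (off + addr_len + 3) & ~3                 # skip alignment padding
    n_results = pdu[off]
    result, reason = struct.unpack_from("<HH", pdu, off + 4)
    return {"assoc_group": assoc_group, "sec_addr": sec_addr,
            "n_results": n_results, "accepted": result == 0, "reason": reason}


if __name__ == "__main__":
    bind = build_bind(SAMPLE_IFACE)
    print("bind     ", len(bind), "bytes:", bind.hex())
    print("bind_ack ", parse_bind_ack(build_bind_ack(b"\\PIPE\\sample")))
    print("request  ", parse_header(build_request(0, b"\x00" * 8)))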
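Against a real server the bind goes over SMB (a named pipe) or straight over TCP port 135's endpoint mapper, and the bind_ack's result field tells you whether the interface UUID and version were accepted before you spend any time on the request stub.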

TheXero


Full Member

Posts: 112

Joined: Tue Dec 07, 2010 12:24 pm

Post Mon Feb 28, 2011 5:07 am

Re: Help writing exploit

Developing my first exploit took me a total of 17 days, 17 days of pain.

My first exploit took advantage of a BoF in a free FTP server, so it was completely remote.

I downloaded a vulnerable app from exploit-db.com; after that I completely ignored the original exploit and built my own fuzzer in Python.

I did everything manually to hopefully get me to truly understand every step that was happening.

I knew about the theory behind a BoF exploit, but I'd never seen one nor had I used one, so I was completely in the dark here, but Google was there for me.

The fuzzer that I made was taken from a few sources and I edited the code to suit my needs, and finally, after my fuzzer was working as intended (I had to learn some Python), I managed to crash the application.

The first stage took me only a few hours, but finding EIP and ESP took much, much longer. I think I spent 2 days on finding EIP, as the random chars stuff to find out what bytes reside at EIP didn't work for me. At the time I just did it manually, but I'm glad I did now, as I feel that I truly understand the concepts behind stack-based buffer overflows.
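The "random chars stuff" TheXero mentions is the cyclic-pattern trick: send a buffer in which every run of 4 bytes is unique, read the register value out of the debugger after the crash, and look those bytes up to get the offset. As an added example, not TheXero's code or the fuzzer from the post, here is a Python implementation of the pattern and the offset lookup (the same scheme Metasploit's pattern_create / pattern_offset use). The target is a simulated stack frame, simulate_overflow, an assumption standing in for a real crash so the loop runs offline. The usual reason this "doesn't work" is byte order: the debugger shows EIP as an integer, and the four bytes that overwrote it are the little-endian encoding of that integer, which is why pattern_offset packs an int with "<I" before searching. For ESP, copy the raw bytes the register points at from the stack dump and pass them as bytes instead.

```python
"""Cyclic-pattern helpers for finding how far into a fuzz buffer the saved
return address (EIP) or the stack pointer (ESP) lands after a crash.  Same
idea as Metasploit's pattern_create / pattern_offset.  Added example; the
crash below is simulated, there is no real target."""
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3   # 20280: beyond that the triples repeat


def pattern_create(length):
    """'Aa0Aa1...Zz9': every 3-byte Upper/lower/digit triple is unique, so
    any 4 consecutive bytes pin down their position in the buffer."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes repeats" % MAX_PATTERN)
    out = []
    for up in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for d in string.digits:
                out.append(up + lo + d)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern, value):
    """value is either the int the debugger shows for EIP (the bytes arrived
    little-endian, so EIP=0x39654138 means the buffer held '8','A','e','9')
    or raw bytes copied from memory, e.g. the first 4 bytes at ESP.
    Returns the offset into the pattern, or None if the value is not from it."""
    needle = struct.pack("<I", value) if isinstance(value, int) else bytes(value)
    idx = pattern.encode().find(needle)
    return idx if idx >= 0 else None


def simulate_overflow(data, buf_size=64):
    """Stand-in for a vulnerable strcpy into a `buf_size` stack buffer: saved
    EBP sits right after the buffer and the return address after that.
    Returns the value the CPU would load into EIP on `ret`.  Simulation only,
    an assumption made so the example runs without a target."""
    frame = data[: buf_size + 8]
    if len(frame) < buf_size + 8:
        return None                      # too short to reach the return address
    return struct.unpack_from("<I", frame, buf_size + 4)[0]


def find_eip_offset(buf_size=64, fuzz_len=300):
    """The whole loop as one would run it: send pattern, read EIP, compute offset."""
    pattern = pattern_create(fuzz_len)
    eip = simulate_overflow(pattern.encode(), buf_size)
    return None if eip is None else pattern_offset(pattern, eip)


if __name__ == "__main__":
    pat = pattern_create(300)
    eip = simulate_overflow(pat.encode())
    print("EIP=0x%08x -> offset %d" % (eip, pattern_offset(pat, eip)))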
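If pattern_offset returns None for a value that clearly came from your buffer, check whether the debugger is showing a big-endian rendering or whether the overflow went through a conversion (for example to UTF-16, or an upper-casing) that changed the bytes on the way; the pattern only works when the bytes land unmodified.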

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Mon Feb 28, 2011 12:58 pm

Re: Help writing exploit

It does have a Metasploit module. Have you tried reading the source to figure out what's going on?

There's a whole set of info on bypassing NX protection in the comments, as well as information about the handle you have to bind to and the type of dcerpc call that triggers the vulnerability. I was curious what additional info was in the Metasploit module, and I just learned quite a bit about bypassing NX protection.

If you are going to be re-creating this in Python, the Metasploit dcerpc library is pretty easy to decipher, so you can probably pull what you need from there. The RFCs are pretty helpful as well, but understanding how something works in theory and then looking at a protocol interaction in reality is often more helpful.

Hope this helps.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+

guiltyfan

Newbie

Posts: 2

Joined: Sat Feb 26, 2011 3:02 pm

Post Mon Feb 28, 2011 5:43 pm

Re: Help writing exploit

Well, first of all, thanks for the responses.

@cd1zz I found that RFC and had a brief look; it seems like a nice source of info. I will read the whole thing tomorrow in my lab session.

@TheXero I have done some BoF before, although it wasn't very successful. I figured it would be troublesome, and because I wasn't that interested in hacking and exploits at that point in time I kind of skipped this part. Now I see I was a fool :P

@apollo Just like the RFC, I will have a read in my lab session tomorrow, and I also decided I would program it in Ruby since I have some previous experience with it.

Thanks for the help guys, I really appreciate it. I might not reply to posts for the next couple of days as I would like to get some practical work done, but if I ever get stuck I will bug you again :P

Return to Network Pen Testing
