Advanced Exploit Development
EEL 4531 – Advanced Ethical Hacking
Group Project – Spring 2015
Ronnie Nsale
UMASS – Computer Engineering Department
Massachusetts, United States
01003
Abstract— The insights of exploits revealed. This document contains information about exploits, Ruby, and details on how to write/create an exploit.

Index Items— Metasploit, exploits, Ruby, coding, security, computer security.

I. INTRODUCTION – WHAT IS AN EXPLOIT?

An exploit is the formula to get access into a system wherever the code or system has a flaw. Next, we are going to present the different types of attackers, the different types of attacks, the different types of exploits, and the terminology.

A. Different types of attackers

1) White hat
The white hats are the good guys. This type of attacker is the one that runs penetration tests or hacks into a system ethically in order to find the flaws the system may have. Afterwards, they share their findings with the company or network's owner without using the exploits to harm others.

2) Black hat
The black hats are the bad guys. This type of attacker will find flaws and holes in the system and won't notify anyone, in order to use them for their own benefit. They will exploit them themselves to harm others.

3) Red hat
The red hats are those who hack the system, usually Linux/UNIX platforms, in order to find flaws and make it better, without any permission from anyone, through open source software.

4) Gray hat
The gray hats are in between black hats and white hats. These are the type of attackers who will find a flaw and let the owner of the system know. At the same time, they will let the world know by publicizing it on the web, so other attackers would go for an attack to harm others.

B. Different types of attacks

1) ARP Poisoning
The attacker gets in between the computer and the router. This way, having physical access, the attacker continues to run a man-in-the-middle attack from this situation.

2) Brute Force
Brute force is basically deciphering a password. The process is long, depending on the victim's password. This attack is very noticeable because, from the password attempts being tried out, the system can tell whether the person trying to log in is actually the victim or not.

3) Dictionary Attack
A dictionary attack is when the attacker uses a text file that contains various common words for passwords and uses it to apply a brute force attack on the system, but this one is faster.

4) DNS Poisoning
The DNS poisoning attack is when the attacker gains physical access to the computer. Once the attacker has gained physical access, it can spoof the system.

5) Fuzzing
This attack goes hand in hand with the social engineering attack. First, the attacker uses an exploit and a payload to gain access into the system. The attacker fools the system because he/she is impersonating the victim once the attacker has gained the access desired.

6) Network Mapping
This attack is basically the attacker tracing the victim's steps. The attacker will scan the network for the entire system, including the services the system has. This way, the attacker gains access and commits the harmful attack.

7) Password Cracking
Password cracking is when the attacker cracks the victim's password through rainbow tables.

8) Session Hacking
This attack happens when the attacker uses the victim's credentials to impersonate the victim and gain access to their system. An example of this attack is password hacking. The attacker finds out the password of the victim and logs in as the victim.

9) Social Engineering
This attack happens when the attacker impersonates and convinces the victim of being someone of trust. This way, the attacker gathers important information or credentials from the victim to commit harmful attacks.

10) SQL Injection
This happens when the attacker uses injections of malicious SQL responses or scripts to gain full access to the system.

11) Vulnerability Scanning
The attackers do this type of scanning to gain knowledge about the system. They make a penetration test after finding out how many exploits are known for the system. Then, they proceed with the attack to gain full access.

12) Wardriving
Wardriving is an attack where the attacker has access to an encrypted access point. From there, the attacker captures the packets that are encrypted in order to decrypt them. After decrypting them, they gain access to the network because they find out the necessary key.

13) Zero Day
Zero day is the term chosen to describe a new attack that no one knows about. It presents new attacks without any solution yet.

C. Different types of exploits

1) Arbitrary Code Execution
The name itself explains it: the attacker puts a bug into a piece of software on the machine so he/she can execute code arbitrarily.

2) Buffer Overflow
This is the most common exploit, also known as buffer overrun. This is the type of exploit that writes data to the
buffer, and then the boundaries of the buffer are overrun. Once the boundaries are overrun, the adjacent memory gets overwritten. This exploit creates different problems for the data, such as losing it, creating incorrect results, etc.

3) Code Injection
As the name says, this is the exploit where code gets injected with a bug in order to process invalid data.

4) Cross-Site Scripting
Cross-site scripting, also known as XSS, is the type of exploit that you can find in web applications. The attackers inject the script on the client's side so it spreads through the web to users who view those infected websites.

5) Denial-of-Service (DoS)
As the name itself says, this exploit will ask the server for some data from many sources at the same time. This creates a lot of traffic and confuses the server's allocated memory, making it crash.

6) Heap Spraying
This happens when the attacker uses other exploits, such as arbitrary code execution, to flood the application and make it crash as soon as it can.

7) HTTP Header Injection
This is a web-based attack where the attacker uses HTTP headers to infect the victim's system. The attacker usually creates a system where the headers are dynamically generated throughout the web.

8) Privilege-confusion bugs
These exploits are bugs whose main focus is to confuse the system by requesting forgery or attacks to the system.

9) Unauthorized Data Access
This type of exploit is just someone having unauthorized access to certain data in a system without wanting it.

D. Terminology

1) Client Side Exploit
This means doing the exploit through social engineering, on the client's side of the system.

2) Exploit
An exploit, as stated earlier, is the access found through the system's flaws.

3) Honey Pot
This is an application that will have flaws intentionally, to create an easy way to get the exploits into the system, to keep track of them and sometimes even prevent attacks.

4) Injection
As the name suggests, it is the term used to describe the

range to another or in between a network, machine, or a subnet.

9) Remote Access
It is not having physical access to the system, so they access it remotely.

10) Scanner
A scanner is a tool that scans or looks up something specific throughout the system.

11) Server Side Exploit
This is the opposite of a client side exploit; this is when the exploit is being accessed through the server.

12) Shellcode
The shellcode is the code that is in a payload.

13) Spoof
Spoof is the term used to describe the masking of the attacker's IP address or information.

14) Target
The target, as its definition suggests, is the machine or system that the attacker is focused on harming.

15) Trigger
Trigger is used in an exploit by the attacker or the user.

16) Vulnerability
Vulnerability is where the system is flawed. It is the location in the system that the attackers exploit.

Having a little bit of background information about the exploits, we now proceed to give information about Ruby.

II. RUBY

A. What is Ruby?

Ruby is an interpreted, general-purpose, object-oriented programming language developed by Yukihiro Matsumoto in Japan in the 90's. As an interpreted language, the computer reads the code line by line, in contrast to compiled languages, where the computer reads the entire code up front. The first public release of this language was on December 21 of 1995, when Matsumoto announced Ruby's 0.95 version. According to its creator, Matsumoto was inspired by his favorite languages: Perl, Smalltalk, Eiffel, Ada, and Lisp [1]. This language has the difference that everything is an object, and every line of code can be given unique properties and actions, called instance variables and methods correspondingly.

Ruby also presents different implementations, among which the following can be mentioned:

JRuby is made for the Java Virtual Machine, optimizing
Figure 1. Metasploit Architecture

The Metasploit architecture is divided into the following main blocks: Modules, Interfaces, Libraries, Tools and Plugins, which will be explained in the next chapter.

III. WRITING EXPLOITS IN RUBY

A. Where to start

Metasploit interfaces extend the base Ruby library, which enables invoking the initial utilities of the framework. Commands such as running updates and setting payloads and exploits can be executed. The most important tool from Metasploit is the msfconsole interface, in which the user can run the commands previously mentioned.

b) Libraries

The Ruby Extension Library (Rex) is a collection of modules and classes very useful for developing exploits. For example, invoking classes with the Rex::Arch instruction allows the use of opcode routines from the Assembly block, which will be discussed below.

Assembly: This is the generator of opcode routines necessary for the assembly instructions needed to write some exploits, such as routines to adjust the Stack Pointer (SP), and the call, push, mov and add instructions commonly used in assembly language.

Encoding: Class that encodes with algorithms such as XOR, with the instruction Rex::Encoding.

Exploitation: There are some common attack vectors that are vulnerable, like Structured Exception Handling (SEH) and the overflows present on Windows platforms. Exploitation can be called by the routine Rex::Exploitation::"type_of_exploitation".

Jobs: Block helpful for tasks such as breaking and stopping jobs, with the class named Rex::JobContainer.

Logging: It will provide warning logging, error logging and information logging, with the instructions wlog, elog and ilog respectively.

Protocols: With the instruction Rex::Proto::Type_of_protocol, some of the more common protocols, such as SMB and HTTP, can be called.

Sockets: The socket subsystem provides an interface for creating sockets of a given protocol, very useful in the meterpreter connection. This routine uses TCP sockets, SSL sockets, subnet walking, notification events and reader/writer permits.
V. CONCLUSION

In conclusion, Metasploit is in fact a very powerful tool. There are many packages and exploits available to help you take advantage of all known vulnerabilities. However, sometimes you might not have an exploit available that you need, or you might have problems with current exploits that you are attempting to use. In this case it is very handy to learn how exactly exploits are written and how they work. You need a good understanding of register movements and of how stacks and buffers operate, as well as a strong programming background. It is recommended that, since Metasploit primarily uses Ruby, you should use it as well. However, that is not strictly necessary: exploits can be written in almost any language with little knowledge of Ruby. Once you get started writing exploits, it really becomes an easy process that allows you to take advantage of many security flaws that come up.
REFERENCES

[1] Corelan Team, "Exploit Writing Tutorial part 1: Stack Based Overflows", July 2009. https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
[2] Corelan Team, "Exploit writing tutorial part 4: From Exploit to Metasploit – The basics", August 2009. https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
[3] nanoquetz9l, "Metasploit exploit development - The series Part 1", July 2012. https://securitystreet.jive-mobile.com/#jive-document?content=%2Fapi%2Fcore%2Fv2%2Fposts%2F5785
[4] Mati Aharoni, William Coppola, Paul Hand, Alain Hernandez, Devon Kearns, David Kennedy, Steven McElrea, Matteo Memelli, Jim O'Gorman, David Ovitz, Carlos Perez, "Exploit writing tutorial part 4: From
[10] M. Sheeran and S. Singh, "Ruby as a Basis for Hardware/Software Codesign", Chalmers Technical University, Sweden, 2000.
[11] A. Singh, "Metasploit Penetration Testing Cookbook", Packt Publishing, Birmingham, Mumbai, 2012.
[12] D. Thomas, "Programming Ruby 1.9 & 2.0: The Pragmatic Programmers' Guide", The Pragmatic Programmers, Dallas, Texas, 2012.
[13] P. Cooper, "Beginning Ruby from Novice to Professional", Apress, USA, 2007.