Advanced Exploit Development
EEL 4531 – Advanced Ethical Hacking
Group Project – Spring 2015

Ronnie Nsale
UMASS – Computer Engineering Department
Massachusetts, United States
01003
[email protected]

Abstract— The insights of exploits revealed. This document contains information about exploits, Ruby, and details on how to write/create an exploit.

Index Items— Metasploit, exploits, Ruby, coding, security, computer security.

I. INTRODUCTION – WHAT IS AN EXPLOIT?

An exploit is the formula to get access into a system wherever the code or system has a flaw. Next, we are going to present the different types of attackers, the different types of attacks, the different types of exploits, and the terminology.

A. Different types of attackers

1) White hat
The white hats are the good guys. This type of attacker runs penetration tests or hacks into a system ethically in order to find the flaws the system may have. Afterwards, they share their findings with the company or the network's owner without using the exploits to harm others.

2) Black hat
The black hats are the bad guys. This type of attacker will find flaws and holes in the system and won't notify anyone, keeping them for their own benefit. They will exploit the flaws themselves to harm others.

3) Red hat
The red hats are those who hack the system, usually Linux/UNIX platforms, in order to find flaws and make it better, without permission from anyone, through open source software.

4) Gray hat
The gray hats are in between black hats and white hats. These are the type of attackers who will find a flaw and let the owner of the system know. At the same time, they will let the world know by publicizing it on the web, so other attackers would go for an attack to harm others.

B. Different types of attacks

1) ARP Poisoning
The attacker gets in between the computer and the router. This way, having physical access, the attacker continues to run a man in the middle attack from this situation.

2) Brute Force
Brute Force is basically deciphering a password. The process is long, depending on the victim's password. This attack is very noticeable because, from the password attempts being tried out, the system can tell whether the person trying to log in is actually the victim or not.

3) Dictionary Attack
A dictionary attack is when the attacker uses a text file that contains various common words for passwords and uses it to apply a brute force attack on the system, but this one is faster.

4) DNS Poisoning
The DNS poisoning attack is when the attacker gains physical access to the computer. Once the attacker has gained physical access, it can spoof the system.

5) Fuzzing
This attack goes hand in hand with the social engineering attack. First, the attacker uses an exploit and a payload to gain access into the system. The attacker fools the system because he/she is impersonating the victim once the attacker has gained the access desired.

6) Network Mapping
This attack is basically the attacker tracing the victim's steps. The attacker will scan the network for the entire system, including the services the system has. This way, the attacker gains access and commits the harmful attack.

7) Password Cracking
Password cracking is when the attacker cracks the victim's password through rainbow tables.

8) Session Hacking
This attack happens when the attacker uses the victim's credentials to impersonate the victim and gain access to their system. An example of this attack is password hacking. The attacker finds out the password of the victim and logs in as the victim.

9) Social Engineering
This attack happens when the attacker impersonates and convinces the victim of being someone of trust. This way, the attacker gathers important information or credentials from the victim to commit harmful attacks.

10) SQL Injection
This happens when the attacker uses injections of malicious SQL responses or scripts to gain full access to the system.

11) Vulnerability Scanning
The attackers do this type of scanning to gain knowledge about the system. They make a penetration test after finding out how many exploits are known to the system. Then, they proceed with the attack to gain full access.

12) Wardriving
Wardriving is an attack where the attacker has access to an encrypted access point. From there, the attacker captures the packets that are encrypted in order to decrypt them. After decrypting them, they gain access to the network because they find out the necessary key.

13) Zero Day
Zero Day is the term chosen to describe a new attack that no one knows about. It presents new attacks without any solution yet.

C. Different types of exploits

1) Arbitrary Code Execution
The name itself explains it: the attacker puts a bug into a piece of software on the machine so he/she can execute code arbitrarily.

2) Buffer Overflow
This is the most common exploit, also known as buffer overrun. This is the type of exploit that writes data to the
buffer, and then the boundaries of the buffer are overrun. Once the boundaries are overrun, the adjacent memory gets overwritten. This exploit creates different problems for the data, such as losing it, creating incorrect results, etc.

3) Code Injection
As the name says, this is the exploit where code gets injected with a bug in order to process invalid data.

4) Cross-Site Scripting
Cross-site scripting, also known as XSS, is the type of exploit that you can find in web applications. The attackers inject the script on the client's side so it spreads through the web to users who view those infected websites.

5) Denial-of-Service (DoS)
As the name itself says, this exploit will ask the server for some data from many sources at the same time. This creates a lot of traffic and confuses the server's allocated memory, making it crash.

6) Heap Spraying
This happens when the attacker uses other exploits, such as arbitrary code execution, to flood the application and make it crash as soon as it can.

7) HTTP Header Injection
This is a web-based attack where the attacker uses HTTP headers to infect the victim's system. The attacker usually creates a system where the headers are dynamically generated throughout the web.

8) Privilege-confusion bugs
These exploits are bugs whose main focus is to confuse the system by requesting forgery or attacks to the system.

9) Unauthorized Data Access
This type of exploit is just someone having unauthorized access to certain data in a system without being wanted.

D. Terminology

1) Client Side Exploit
This means doing the exploit through social engineering, on the client's side of the system.

2) Exploit
An exploit, as stated earlier, is the access found through the system's flaws.

3) Honey Pot
This is an application that will have flaws intentionally, to create an easy way to get the exploits into the system, to keep track of them and sometimes even prevent attacks.

4) Injection
As the name suggests, it is the term used to describe the addition or injection of the payloads into the system.

5) Module
This refers to a tool.

6) Payload
It is the information about the exploit that identifies the material's destination and source, and it is sent after the exploit has already run.

7) Physical Access
It is having access to the computer or system in its location.

8) Pivoting
Pivoting is the displacement or movement from one IP range to another, or in between a network, machine, or a subnet.

9) Remote Access
It is not having physical access to the system, so they access it remotely.

10) Scanner
A scanner is a tool that scans or looks up something specific throughout the system.

11) Server Side Exploit
This is the opposite of a client side exploit; this is when the exploit is being accessed through the server.

12) Shellcode
The shellcode is the code that is in a payload.

13) Spoof
Spoof is the term used to describe the masking of the attacker's IP address or information.

14) Target
The target, as its definition suggests, is the machine or system that the attacker is focused on harming.

15) Trigger
Trigger is used in an exploit by the attacker or the user.

16) Vulnerability
Vulnerability is where the system is flawed. It is the location in the system that the attackers exploit.

Having a little bit of background information about the exploits, we now proceed to give information about Ruby.

II. RUBY

A. What is Ruby?

Ruby is an interpreted, general-purpose, object-oriented programming language developed by Yukihiro Matsumoto in Japan in the 90's. As an interpreted language, the computer reads the code line by line, in contrast to compiled languages, where the computer reads the entire code up front. The first public release of this language was on December 21 of 1995, when Matsumoto announced Ruby's 0.95 version. According to its creator, Matsumoto was inspired by his favorite languages: Perl, Smalltalk, Eiffel, Ada, and Lisp [1]. This language has the difference that everything is an object, and every line of code can be given unique properties and actions, also called instance variables and methods correspondingly.

Ruby also presents different implementations, which can be listed as the following:

• JRuby is made for the Java Virtual Machine, with an optimizing compiler, concurrent threads, garbage collector, and many collections of libraries.
• Rubinius is a core library built using Ruby, providing a C application-programming interface (API) for running C-extensions to ease migrating from Matz's Ruby Interpreter, also called CRuby.
• MacRuby is a library for Mac OS X that allowed writing desktop applications with ease.
• MRuby is an implementation that can be linked and embedded within your application, very useful in devices such as Arduino.
• IronRuby provides the user a way to connect Ruby with .NET Framework programming.
• MagLev brings a distributed object space to Ruby dedicated for Virtual Machines.
• Cardinal is a "Ruby compiler for Parrot Virtual Machine" [1].

B. Why Ruby?

Initially, Metasploit was a portable tool using Perl, but Metasploit was rewritten in Ruby in October of 2009 by its developer H.D. Moore. One of the reasons to program in Ruby was that the developers simply enjoy writing in the language. The second reason was that they found the threading model of the Ruby language superior compared to other languages such as Python, which has the block-indentation restriction that helps the developers to identify features in their code.

The most fundamental library used by Metasploit is the Ruby Extension Library (Rex), which provides components including exploitation utility classes and implementations of protocol clients and servers, among others. Rex works with the default Ruby components and has no dependencies other than Ruby itself.

The Metasploit architecture is illustrated in Figure 1.

Figure 1. Metasploit Architecture

The Metasploit architecture is divided into the following main blocks: Modules, Interfaces, Libraries, Tools and Plugins, which will be explained in the next chapter.

III. WRITING EXPLOITS IN RUBY

A. Where to start

Metasploit interfaces extend the base Ruby library, which enables invoking the initial utilities of the framework. Commands such as running updates, setting payloads and exploits can be executed. The most important tool from Metasploit is the msfconsole interface, in which the user can run the commands previously mentioned.

In order to design an exploit to use in the Metasploit framework, it should follow these suggestions:
• Make use of the Rex protocol library.
• Randomize the NOP block.
• Randomize all payloads by using encoders.
• Avoid complicated code that is harder to maintain.
• Offload all possible work to the Framework.

B. Essential commands and libraries

a) Commands
The commands that will be useful in the Metasploit console are:
• show exploits and show payloads: These two commands will display all the available exploits and payloads in the Metasploit directory.
• search exploit: This command will search for a particular exploit. We can also use this command to search for any specific search terms.
• use exploit: This command is used to set an exploit as active and ready to use.
• show options: This command is used to see the available options or parameters of the exploit in use.
• set: This command is used to set a value to a parameter in the exploit under use. It is also used to set up a payload for a particular exploit in use.
• show targets: Every exploit is made to attack a particular target service.

b) Libraries
The Ruby Extension Library (Rex) is a collection of modules and classes very useful for developing exploits. For example, invoking classes with the Rex::Arch instruction allows the use of opcode routines from the Assembly block, which will be discussed below.

Assembly: It is the generator of the opcode routines necessary for the assembly instructions needed to write some exploits, routines such as adjusting the Stack Pointer (SP), and the call, push, mov and add instructions commonly used in assembly language.

Encoding: A class that encodes with algorithms such as XOR, with the instruction Rex::Encoding.

Exploitation: There are some common attack vectors that are vulnerable, like the Structured Exception Handling (SEH) and the overflows presented on Windows platforms. Exploitation can be called by the routine Rex::Exploitation::"type_of_exploitation".

Jobs: A block helpful for tasks such as breaking and stopping jobs, with the class named Rex::JobContainer.

Logging: It will provide information about warning logging, error logging, and information logging with the instructions wlog, elog, ilog respectively.

Protocols: With the instruction Rex::Proto::Type_of_protocol, some of the more common protocols such as SMB and HTTP can be called.

Sockets: The socket subsystem provides an interface for creating sockets of a given protocol, very useful in the meterpreter connection. This routine uses the TCP socket, SSL socket, subnet walking, notification events and reader/writer permits.

IV. DETAILED PROCESS OF WRITING EXPLOITS

Metasploit is a great tool that you can use to take advantage of a lot of well-known security exploits out there. There are tons of exploits to execute and work with available online. But say you would like to build one for yourself, or say you would just like to fix one that already exists and may not be working correctly. One of the simplest exploits out there would be a buffer overflow exploit; here we will show you how to write and execute it as a means of getting started in exploit writing and execution.

A. Stack based buffer overflows

Usually, buffer overflows lead the particular program you are exploiting to crash in most cases. When you "exploit" a program, you intend to make the application behave in a way it was not intended to. You can do this easily by having control over the instruction pointer/program counter, which is the register that tells the program where the next instruction for execution will be located. Usually, before a program executes a function, it will save a restore point for it to return to after it is done with the particular instruction. Editing this will allow for exploitation, and the ability to point to an attacker's shellcode (a small set of code that is used as a payload in an attack; it can be locally or remotely located).

There are a lot of different ways to force a program into executing some shellcode you might have. The first of these is a "jump", which is also referred to as a "call". If a register is loaded with an address that points to some type of shellcode, then you are able to jump directly to the shellcode using a jump command. You can rewrite the contents of the EIP register and direct it to whatever shellcode you wish to execute. Another command used is a "pop ret". With this you commonly find an address pointing to some shellcode somewhere on the stack. Once you find this, you can use a "pop ret" command to delete addresses (skip certain things) on the stack, or go straight to the address that would bring you straight to the shellcode. The only catch with the "pop ret" method is that it is only usable when the ESP (the register that points to the top of the stack at any time) contains an address that points to the shellcode. Along with these there are multiple other methods to force the execution of shellcode, such as "push return", "jmp", "blind return", etc.

B. Structured exception handling

Another way to execute a successful exploit is through using SEH (Structured Exception Handling). This is a feature used for handling a lot of hardware and software exceptions. It's used by programmers and debuggers across a multitude of programming languages and is found within the application.

Figure 2. Example of exception handling

Windows by default has a built-in SEH, but it is really only used as a last resort with most applications. Usually most applications have a built-in SEH that is specific to the program and the language it is written in. Usually within code, when something executes that results in an error, the application will rely on its exception handler to catch it and do something with it. That can include canceling it and returning, or trying to correct the error. In order for this to be possible, the pointer to where the exception handler is must remain on the stack at all times for each block of code executed. Below is how the basic structure and components of an SEH record look after execution.

Figure 3. SEH Structure

We can use the SEH handler to our advantage most times by forcing the program to throw an exception, then gain control of it by forcing it to jump to our shellcode. A common way to get your OS to jump to the next SEH is by using the instructions/jump code "POP, POP, RET". The OS understands this by jumping to the next SEH. So, to summarize the steps: first you must trigger an exception, overwrite the pointer to the next SEH with the jump code, and overwrite the SE handler with a new pointer that links to an instruction that will return you to the next SEH and execute the jump code. Make sure the shellcode is directly after the SE handler that you have just overwritten with the jump code.
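As an added illustration of the saved-return-address overwrite described in section A, and of the bounds check and stack canary that defend against it, here is a byte-level Ruby model of the stack frame (example code written for this edit, not from the paper; the frame layout, addresses and canary value are constructed):

```ruby
# Added example (not from the paper): a byte-level model of the stack frame the
# text describes, so the overwrite of the saved return address, and the two
# standard defences against it, can be observed deterministically in Ruby.
# Frame layout, low address first: buffer[8] | canary | saved EBP | saved EIP
BUF_SIZE  = 8
CANARY    = 0xDEAD_BEEF   # constructed; a real stack protector picks it at random
SAVED_EBP = 0x0012_FF80   # constructed sample value
SAVED_EIP = 0x0040_1000   # constructed legitimate return address into code

# A fresh frame: 8 zeroed buffer bytes followed by three little-endian dwords.
def new_frame
  Array.new(BUF_SIZE, 0) + [CANARY, SAVED_EBP, SAVED_EIP].pack('V3').bytes
end

# Read the little-endian dword stored at byte offset +off+ of the frame.
def word_at(frame, off)
  frame[off, 4].pack('C4').unpack('V').first
end

def saved_eip(frame)
  word_at(frame, BUF_SIZE + 8)
end

# Unchecked copy in the spirit of strcpy(): every input byte lands in the frame
# starting at the buffer, so a long input runs over the canary, EBP and EIP.
def unchecked_copy(frame, input)
  input.bytes.each_with_index { |b, i| frame[i] = b if i < frame.size }
  frame
end

# Bounded copy in the spirit of strncpy()/snprintf(): never writes past the
# buffer, so the adjacent control data cannot be reached whatever the input.
def bounded_copy(frame, input)
  input.bytes.first(BUF_SIZE).each_with_index { |b, i| frame[i] = b }
  frame
end

# Function epilogue with a stack protector: if the canary changed, the frame
# was overrun and the program aborts instead of returning through a corrupted
# saved EIP; otherwise the (still trusted) return address is used.
def function_return(frame)
  return :abort_stack_smashing_detected unless word_at(frame, BUF_SIZE) == CANARY
  saved_eip(frame)
end

if __FILE__ == $PROGRAM_NAME
  long = 'A' * 20   # constructed over-long input: 8 buffer bytes + 12 control bytes
  printf("bounded copy returns to   %#010x\n", function_return(bounded_copy(new_frame, long)))
  printf("unchecked copy left EIP = %#010x\n", saved_eip(unchecked_copy(new_frame, long)))
  puts "with canary the epilogue gives #{function_return(unchecked_copy(new_frame, long))}"
end
```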
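As an added illustration of the SEH chain described in section B (the "next SEH" pointer followed by the handler pointer on the stack) and of the checks a SafeSEH-style dispatcher runs before trusting a handler, here is a small Ruby model (example code written for this edit, not from the paper; addresses, stack bounds and the registered-handler table are constructed, and the validation rules are a simplified model, not Windows' code):

```ruby
# Added example (not from the paper): a small model of the SEH chain described
# above, together with the checks a SafeSEH-style dispatcher runs before it
# trusts a handler pointer. All addresses here are constructed for the example.
END_OF_CHAIN = 0xFFFF_FFFF
STACK_LOW  = 0x0012_C000
STACK_HIGH = 0x0013_0000

# One registration record exactly as the text lays it out: the "next SEH"
# pointer followed by the handler pointer, both stored on the stack.
Record = Struct.new(:next_record, :handler)

# Handler addresses the executable declared in its SafeSEH table (modelled).
REGISTERED_HANDLERS = [0x0040_1234, 0x0040_5678].freeze

# Stack memory as address => Record. The intact chain: a program handler whose
# record points at a second record, which ends the chain with the terminator.
def legit_stack
  { 0x0012_FF40 => Record.new(0x0012_FFB0, 0x0040_1234),
    0x0012_FFB0 => Record.new(END_OF_CHAIN, 0x0040_5678) }
end

# The same stack after an overrun from a buffer below the first record: the
# next pointer now holds overflow bytes and the handler points into the stack,
# mirroring the overwrite the text describes.
def overflowed_stack
  stack = legit_stack
  stack[0x0012_FF40] = Record.new(0x4141_4141, 0x0012_FF00)
  stack
end

def on_stack?(addr)
  addr >= STACK_LOW && addr < STACK_HIGH
end

# Validate a handler address before calling it: it must not live on the
# stack, and it must be one the image registered (simplified SafeSEH rule).
def handler_problem(handler)
  return :handler_on_stack if on_stack?(handler)
  return :handler_not_registered unless REGISTERED_HANDLERS.include?(handler)
  nil
end

# Walk the chain from its head (fs:[0] on a real thread). Returns the first
# acceptable handler that does not decline, or a symbol naming the first
# check that failed. +declining+ lists handlers that pass the exception on.
def dispatch(stack, head, declining: [], max_depth: 16)
  addr = head
  max_depth.times do
    return :end_of_chain if addr == END_OF_CHAIN
    return :record_off_stack unless on_stack?(addr) && addr % 4 == 0
    rec = stack[addr]
    return :record_unreadable unless rec
    problem = handler_problem(rec.handler)
    return problem if problem
    return rec.handler unless declining.include?(rec.handler)
    addr = rec.next_record
  end
  :chain_too_long   # a looping or absurdly long chain is refused, not walked
end
```

The same walk over the intact stack reaches the registered handler, while over the overrun stack it stops at the first record because the handler pointer lies on the stack.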
Figure 4. SEH Execution

V. CONCLUSION

In conclusion, Metasploit is in fact a very powerful tool. There are many packages and exploits available to help you take advantage of all the known vulnerabilities. However, sometimes you might not have an exploit available that you need, or you might have problems with the current exploits that you are attempting to use. In this case it is very handy to learn how exactly exploits are written and how they work. You need a good understanding of register movements and how stacks and buffers operate, as well as a strong programming background. It is recommended that, since Metasploit primarily uses Ruby, you should use it also. However, that is not necessarily true; exploits can be written in almost any language with little knowledge of Ruby. Once you get started writing exploits, it really becomes an easy process that allows you to take advantage of many security flaws that come up.

REFERENCES

[1] Corelan Team, "Exploit Writing Tutorial part 1: Stack Based Overflows", July 2009. HTTP: https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
[2] Corelan Team, "Exploit writing tutorial part 4: From Exploit to Metasploit – The basics", August 2009. HTTP: https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
[3] nanoquetz9l, "Metasploit exploit development - The series Part 1", July 2012. HTTP: https://securitystreet.jive-mobile.com/#jive-document?content=%2Fapi%2Fcore%2Fv2%2Fposts%2F5785
[4] Mati Aharoni, William Coppola, Paul Hand, Alain Hernandez, Devon Kearns, David Kennedy, Steven McElrea, Matteo Memelli, Jim O'Gorman, David Ovitz, Carlos Perez, "Exploit writing tutorial part 4: From Exploit to Metasploit – The basics", 2014. HTTP: http://www.offensive-security.com/metasploit-unleashed/Writing_An_Exploit
[5] Brett Leahy, "Pentesters Thought of Attack!", August 2010. HTTP: http://tysonmax20042003.wordpress.com/tag/types-of-exploits/
[6] sec00rit3y, "Exploit writing - Stack based Buffer overflow", August 2009. HTTP: http://blog.pusheax.com/2013/03/exploit-writing-stack-based-buffer.html?m=1
[7] Metasploit Framework: Metasploit Developer's Guide. HTTP: https://www.ruby-lang.org/
[8] Ruby: A Programmer's Best Friend. HTTP: https://www.ruby-lang.org/en/about/
[9] M. Bachle and P. Kirchberg, "Ruby on Rails", IEEE Intelligent Systems, Ravensburg, Germany, 2007.
[10] M. Sheeran and S. Singh, "Ruby as a Basis for Hardware/Software Codesign", Chalmers Technical University, Sweden, 2000.
[11] A. Singh, "Metasploit Penetration Testing Cookbook", Packt Publishing, Birmingham, Mumbai, 2012.
[12] D. Thomas, "Programming Ruby 1.9 & 2.0: The Pragmatic Programmers' Guide", The Pragmatic Programmers, Dallas, Texas, 2012.
[13] P. Cooper, "Beginning Ruby from Novice to Professional", Apress, USA, 2007.