My Talk @ Confraria February 2012

1. Vulnerability, Exploit to
Metasploit
balgan@ptcoresec.eu

2. Before we start
• Some slides might seem like they have too much text, the reason this happens is that I
want you to be able to get home after this presentation and start messing around with
the stuff you will learn about here. To do that there is a lot of text you need as a reference
that even though it is on the slides I might not read.
• Also this presentation will be compiled in a package, with all the software, notes and
cheat sheets that you need to hack away as soon as you are out of here.

3. Who Am I ?
Team Leader of these guise
• Tiago Henriques
• @balgan
• 23
• BSc
• MSc
• CEH Which
• CHFI Means
file:///C:/Users/balga
You
n/Downloads/11545_
• CISSP Should
192585389754_51359
• MCSA Probably
9754_3020198_33334
• CISA Leave
9_n.jpg
• CISM Because
Currently employed
• CPT I will
by these guise
• CCNA Talk shit
Amirite?
• OSCP
Next project

4. What we are going to (try) to cover today

5. Terminology
• Vulnerability - Security hole in a piece of software, or hardware and can provide a
potential vector to attack a system. It can go from something simple like a weak password
to something more complex like buffer overflow, or SQL injection.
• Exploit – A program whose only reason is to take advantage of a vulnerability. Exploits
often deliver payloads to a target system.
• Payload – Piece of software that allows an attacker to control the exploited system.
• DEP – Data Execution Prevention – First introduced in Win XP SP2 – Used to mark certain
parts of the stack as non-executable.
• ASLR – Address Space Layout Randomization – Windows Vista onwards – Randomizes the
base addresses of executables, dll’s, stack and heap.

6. Step 1 - Vulnerability
Where can I find one? Why should I look for one ?What am I looking for?

7. Why do I want to look for
vulnerabilities?
• There are plenty of reasons why you would want to look for vulnerabilities:
1. Fame – Who doesn’t know people like Charlie Miller, Dino Dai Zovi, and Alex
Sotirov?
2. Money – You can make a living out of this! ZDI and other programs buy vulns and
depending on how critical it is you can get quite a lot of money for it!
3. Technical knowledge – You can learn a lot more by digging into the internals of
software/hardware then just using it normally.

8. How to find one?
• Multiple techniques exist to find vulnerabilities but we will mention only these three main
ones:
• Static analysis – Analyse the programs without running them, reading source code or
using tools for static analysis. Analyse how the program flow works and how data
enters the software.
• Potentially vulnerable Code Locations – Look at specific parts of source code, mainly
at “unsafe” locations, such as strcpy() and strcat() which are amazing for buffer
overflows.
• Fuzzing – Fuzzing is a completely different approach to finding vulnerabilities, it’s a
dynamic analysis that consists of testing the application by throwing malformed or
unexpected data as input. Though its easy to automate, the problem with this
approach is that you can crash an application 70000 times and out of those you get
10 vulns and only 2 are exploitable.
… and messing around with the aplication.

9. More theory
• Every windows application uses memory! The process memory has 3 major components:
• Code segment – Instructions that the CPU executes – EIP keeps track of next
instruction (!very important!)
• Data segment – used for variables, dynamic buffers
• Stack segment – used to pass data /arguments to functions.
• If you want to access the stack memory directly, you can use the ESP (Stack Pointer) which
points at the top (lowest memory address ) of the stack.
• The CPU’s general purpose registers (Intel, x86) are :
• EAX : accumulator : used for performing calculations, and used to store return values from
function calls. Basic operations such as add, subtract, compare use this general-purpose
register
• EBX : base (does not have anything to do with base pointer). It has no general purpose and
can be used to store data.
• ECX : counter : used for iterations. ECX counts downward.
• EDX : data : this is an extension of the EAX register. It allows for more complex calculations
(multiply, divide) by allowing extra data to be stored to facilitate those calculations.
• ESP : stack pointer
• EBP : base pointer
• ESI : source index : holds location of input data
• EDI : destination index : points to location of where result of data operation is stored
• EIP : instruction pointer
For more information on this check the notes for extra links.

10. Tools
• So we are now going to crash our first application.
• Application name: Free MP3 CD Ripper
• Type of Vulnerability: Buffer Overflow
• Tools of Trade: ImmunityDebugger, Mona.py, Python, Notepad++
• ImmunityDebugger – Variant of OllyDbg easily scriptable since its python compatible!
• Mona.py – Amazing script created by Corelan Team that integrates with
ImmunityDebugger and provides lots of functionality for finding vulns and writing
exploits
• Python – Best scripting language ever for fast prototyping and testing shit.
• Notepad++ - Pretty colors on notepad ftw! 
• Virtual Machines -

11. Mona.py
• Installing mona – Copy mona.py to the PyCommands folder.
• Useful inicial commands:
• !mona help
• !mona update –t trunk
• !mona config –set workingfolder c:logs%p
Constructor code

12. DEMO 1 - CRASHAPP

14. DEMO 2 - Crash-
EIPControl

16. Step 2 - Exploit
Developing a working exploit and Integration into Metasploit framework using mona

17. Quick recap
• Where are we at the moment:
• We can crash the app
• We sort of know how much we have to pass onto it to crash it (5k A’s)
• We know we control the EIP! (41414141)
• What do we need:
• Know exactly how much “junk” we have to pass onto it
• Get proper shellcode and pointers without bad characters

18. Getting IT!
• Know exactly how much “junk” we have to pass onto it – Mona can do this for us,
We need to turn our A’s into a cyclic pattern :
!mona pc 5000
• Get proper shellcode and pointers without bad characters – null pointers are bad!
!mona suggest –cpb ‘x00x0ax0d’

19. DEMO 3 - Generate
Cyclic Pattern

20. Cyclic Patterns
• !mona pc 5000 - Generates cyclic pattern with 5000 characters and
insert them into our constructor script.

21. DEMO 4 - Mona-
suggest

22. Exploit.rb
Now let’s analyse the file created by mona.py - exploit.rb
Also and more important, does it work ?

23. DEMO 5 - Exploit -
metasploit -
exploitation

24. Quick Recap
• So the process goes likes this:
1. Manage to crash an app using the normal constructors
2. Confirm that we control the registers
3. Create a cyclic pattern and replace it on the constructors
4. Use mona.py suggest to generate the exploit.rb
5. Check if it works out of the box by copying it to correct folder and trying it
6. Fix it if needed
7. Done.
8. (Optional) – Submit module to metasploit development and have it
implemented onto the framework.

25. Step 3 - Metasploit
Learning a bit about metasploit, why you want your exploits integrated and and use it.

26. Metasploit Quick Background
• Exploitation framework
• Is made of lots of different
modules and tools that work
together
• First written in PERL
• Then changed to Ruby (HELL
YEAH!)
• 4 Versions – Pro, Express ,
Community (Free), Development
(Free)
• On the last year more then 1
million downloads were made
• Open sauce

27. Metasploit Architecture
Mad Paint Skillz

28. Metasploit
• There is a world of functionality within metasploit, however today we will focus only on
meterpreter and a bit of metasm!
• If I was to talk of all the funcionality within metasploit I would need at least a 2 hour slot
only to grasp the top features of this amazing framework.

29. Meterpreter
• Meterpreter is what you could call Shell Ultimate Gold Over 9000 level edition!
• The best way in my opinion to show you the power of meterpreter is to do a demo!
Explaining this Francisco Guerreiro style

30. DEMO 6 - Payload Generation - Normal
DEMO 6.1 - Session established
DEMO 6.2 - Meterpreter First

31. Meterpreter
• This is all really cool ! However not a real scenario, so lets up the stakes a bit!

32. DEMO 7 - METASM SHIZZLE
DEMO 7.1 - Meterpreter windows 7

33. Meterpreter
• There are a few other things about meterpreter I didn’t show you:
• post/windows/gather/smart_hashdump – This module sumps local accounts from SAM Database, if
the target is a Domain Controller it will dump the Domain Account Database.
• post/windows/gather/screen_spy – Get your popcorn, this module makes an almost real time movie
of the targets screen.
• post/windows/gather/enum_shares – This script will enumerate all the shares that are currently
configured on the target
• post/windows/gather/enum_services – This script will enumerate all the services that are currently
configured on the target
• post/windows/gather/enum_computers – This script will enumerate all the computers that are
included in the primary Domain
And my favourites:
post/windows/gather/bitcoin_jacker – Downloads any Bitcoin wallet.dat on the target system.
post/windows/manage/autoroute - Allows you to attack other machines via our first compromised machine (PIVOTING).

34. Wrapping things up
Typical questions

35. F.A.Q.
• Want to attack: Windows ?
Linux ?

36. F.A.Q.
• Want to attack: Solaris?
FreeBSD?
Want to attack virtualization stuff?
Vmauthd_version
Scada? Yup! Esx_fingerprint
OS X ? Yup! Vmauthd_login
Netware? Yup Vmware_enum_users
Irix? Yup Vmware_enum_vms
Poweroff_vm /Poweron_vm

37. F.A.Q.
• IPv6 Fully Compatible
• And most important….

38. F.A.Q.
How does Mona deal with:
ASLR:
Mona will, by default, only query non-ASLR and non-rebase modules.
If you can find a memory leak, you can still query ASLR/rebase modules .
For partial overwrite : say you need to overwrite half of the saved return pointer and make
it point to jmp eax from module1.dll, which has base 0xAABB0000, then you could search
for these pointers using
!mona find –type instr –s “jmp eax” –b 0xAABB0000 -t 0xAABBFFFF
This will get you all pointers from that memory region, so you can use the last 2 bytes in the
partial overwrite

39. F.A.Q.
How does Mona deal with:
DEP:
Mona will attempt to automatically generate ROP chains
Also, Usually, people only think about bad chars when creating payload… but especially in
case of ROP chains, a lot of the payload may be pointers
So… when using mona, you can use for example –cpb ‘x00x0ax0dx20’ to exclude
pointers that have those bad chars
(this option is available for any command)
Mona will also create a stackpivot file, which you can use in case of SEH overwrite

40. Becoming a vuln researcher
1st – Corelan.be – Read through the exploit development tutorial - Learn a scripting
language and ASM
2nd – Read “ A Bug Hunter’s diary” – Side by side: Learn how to use tools of the trade such
as: Immunity Dbg, Scapy, WinDbg, IDA.
3rd – Read Metasploit book
4th – Proceed to learn about fuzzing and other techniques.
For extra directions go to: http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html

41. References
1. Corelan.be – AMAZING Team and you can learn so much on their website and IRC chan
2. https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/ - Mona stuff
3. www.metasploit.com/modules/
4. http://www.offensive-security.com/metasploit-unleashed/