An exploit (from the English verb to exploit, meaning "to use something to one’s own advantage") is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.
- Immunity Debugger
- GDB
- Ollydbg
- IDA pro
- Windbg
Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, or failing built-in code assertions or for finding potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs.
- Mona.py
Mona is an amazing tool with tons of features which will help us to do rapid and reliable exploit development. I won’t be discussing all the options here, we’ll get to them during the following parts of the tutorial. Download it and put it in Immunity’s PyCommands folder.
- Pvefindaddr.py
Pvefindaddr is Mona’s predecessor. I know it’s a bit outdated but it’s still useful since there are some features that haven’t been ported to Mona yet. Download it and put it in Immunity’s PyCommands folder.
- Metasploit Framework
We are going to use the Metasploit Framework extensively. Most of all we are going to be generating shellcode for our exploits but we are also going to need a platform that can receive any connections we might get back from the programs we are exploiting. I suggest you use Backtrack since it has everything we need but feel free to set up metasploit in any way you see fit.
- Virtualization Software
Basically there are two options here VirtualBox which is free and Vmware which isn't. If its possible I would suggest using Vmware; a clever person might not need to pay for it ;)). Coupled with this we will need several (32-bit) operating systems to develop our exploits on (you will get the most use out of WindowsXP PRO SP3 and any Windows7).
For the purpose of these tutorials I think it’s important to keep things as simple or difficult as they need to be. In general when we write an exploit we need to find an overflow in a program. Commonly these bugs will be either Buffer Overflows (a memory location receives more data than it was meant to) or Stack Overflows (usually a Buffer Overflow that writes beyond the end of the stack). When such an overflow occurs there are two things we are looking for; (1) our buffer needs to overwrite EIP (Current Instruction Pointer) and (2) one of the CPU registers needs to contain our buffer. You can see a list of x86 CPU registers below with their separate functions. All we need to remember is that any of these registers can store our buffer (and shellcode).
EAX
- Main register used in arithmetic calculations. Also known as accumulator, as it holds results of arithmetic operations and function return values.EBX
- The Base Register. Pointer to data in the DS segment. Used to store the base address of the program.ECX
- The Counter register is often used to hold a value representing the number of times a process is to be repeated. Used for loop and string operations.EDX
- A general purpose registers. Also used for I/O operations. Helps extend EAX to 64-bits.ESI
- Source Index register. Pointer to data in the segment pointed to by the DS register. Used as an offset address in string and array operations. It holds the address from where to read data.EDI
- Destination Index register. Pointer to data (or destination) in the segment pointed to by the ES register. Used as an offset address in string and array operations. It holds the implied write address of all string operations.EBP
- Base Pointer. Pointer to data on the stack (in the SS segment). It points to the bottom of the current stack frame. It is used to reference local variables.ESP
- Stack Pointer (in the SS segment). It points to the top of the current stack frame. It is used to reference local variables.EIP
- Instruction Pointer (holds the address of the next instruction to be executed).
Basically (1) we get a program to store an overly long string, (2) this string overwrites EIP and part of it is stored in a CPU register, (3) we find a pointer that points to the register that contains our buffer, (4) we put that pointer in the correct place in our buffer so it overwrites EIP, (5) when the program reaches our pointer it executes the instruction and jumps to the register that contains our buffer and finally (6) we place our shellcode in the part of the buffer that is stored in the CPU register. In essence we hijack the execution flow and point it to an area of memory that we control. If we are able to do that we can have to remote machine execute any instructions we place there. This is a bit simplistic but it should give you a basic idea of how exploits work.