Monthly Archives: June 2015

//June

Metasploit: Final Exploit

Advanced Ethical Hacking Institute in Pune

So now we can see again the final exploit. This is all that is necessary to go from PoC to full Metasploit module in a few simple steps. We will be further expanding on this code in later sections going deeper into ways of making a better Metasploit module such as […]

By |June 30th, 2015|Metasploit|

Metasploit: Hosting the Javascript

Advanced Ethical Hacking Institute in Pune

In this section we are going add the listener and the javascript for the exploit. The changes to the exploit are highlighed.

Contents

1 On Request URI
2 Content
3 Send Response HTML

 

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework […]

By |June 30th, 2015|Metasploit|

Metasploit: Making a Log Entry

Advanced Ethical Hacking Institute in Pune

In this section we are going to take a look at sending a GET request to the target. This GET request will contain a User-Agent field with Javascript appended to connect back to Metasploit. The changes to the exploit are highlighed.

Contents

1 Register Options
2 Exploit Get Request
3 Exploit Headers
4 Exploit Data
5 Super

 

##
# […]

By |June 30th, 2015|Metasploit|

Metasploit: Skeleton Creation

Advanced Ethical Hacking Institute in Pune

In this section we are going to take a look at a skeleton exploit to start building our dotDefender PoC from.
We’ll start with some of the specific things in the skeleton that are required for this exploit to work. The descriptions aren’t necessary until the end so we won’t worry about […]

By |June 30th, 2015|Metasploit|

Metasploit: Analyzing the DotDefender Exploit

Advanced Ethical Hacking Institute in Pune
Preparing our Web Application Environment
First we have to install dotDefender on Metasploitable. This can be done by opening a command prompt and usingwget on the following url:
http://www.applicure.com/downloads/3.85/linux/dotDefender-3.8-5.Linux.i386.deb.bin.gz

Analyzing the DotDefender Exploit
Looking at the exploit closer we see what needs to be done to turn the DotDefender PoC into a full exploit.

For this attack […]

By |June 30th, 2015|Metasploit|

Metasploit: Porting Exploits

Advanced Ethical Hacking Institute in Pune
Porting Exploits to the Metasploit Framework
Although Metasploit is commercially owned, it is still an open source project and grows and thrives based on user-contributed modules. As there are only a handful of full-time developers on the team, there is a great opportunity to port existing public exploits to the Metasploit Framework. […]

By |June 30th, 2015|Metasploit|

Metasploit: Completing the Exploit

Advanced Ethical Hacking Institute in Pune
Completing our egghunter exploit
This is a standard SEH overflow. We can notice some of our user input a “pop, pop, ret” away from us on the stack. An interesting thing to notice from the screen shot is the fact that we sent a 2000 byte payload – however it seems that […]

By |June 30th, 2015|Metasploit|

Metasploit: Using the Egghunter Mixin

Advanced Ethical Hacking Institute in Pune
Going on an Egg-hunt
The MSF egghunter mixin is a wonderful module which can be of great use in exploit development. If you’re not familiar with the concepts of egghunters, read this.

A vulnerability in the Audacity Audio Editor presents us with an opportunity to examine this mixin in greater depth. In the […]

By |June 30th, 2015|Metasploit|

Metasploit: Getting a Shell

Advanced Ethical Hacking Institute in Pune
Writing an Exploit Module
With what we have learned, we write the exploit and save it to ‘windows/imap/surgemail_list.rb’. Let’s take a look at our new exploit module below:

 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for […]

By |June 30th, 2015|Metasploit|

Metasploit: Writing an Exploit

Advanced Ethical Hacking Institute in Pune
Improving our Exploit Development
Previously we looked at Fuzzing an IMAP server in the Simple IMAP Fuzzer section. At the end of that effort we found that we could overwrite EIP, making ESP the only register pointing to a memory location under our control (4 bytes after our return address). We can […]

By |June 28th, 2015|Metasploit|