boris/G4G0-2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
8bc99d04975dbac4ee77e45fd01c579bb1c1cbfd
G4G0-2/Penetration Testing/Week 19/AI Summary.md
George Wilkinson 8bc99d0497 vault backup: 2025-01-30 09:27:31
2025-01-30 09:27:31 +00:00

53 lines
4.0 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

1. **Introduction**
- Definition and reminder of key concepts from the previous week:
- Buffer Overflow: A process using more memory than it has been allocated.
- The Stack: Last-In-First-Out (LIFO) data structure where CPU registers can be stored and retrieved.
- ESP (Extended Stack Pointer): Points to the top of the stack at a lower memory location.
- EIP (Extended Instruction Pointer): Stores the address of the next instruction to be executed.
2. **Fuzzing**
- Fuzzing involves sending malformed data into an application input and watching for unexpected crashes.
- It helps discover vulnerabilities by sending varying lengths of data to identify buffer overflow conditions.
- Fuzzing tools and resources: FuzzDB (https://github.com/fuzzdb-project/fuzzdb).
3. **Fuzzing Example: SLMail 5.5.0 Mail Server**
- Installed the vulnerable SLMail application.
- Used a Python fuzzer script (`fuzzer.py`) from Kali Linux to send varying-length passwords to the POP3 server.
- Employed Immunity Debugger to monitor the SLMail process and observe the stack overwrites.
4. **Controlling EIP (Extended Instruction Pointer)**
- Sent a unique, non-repeating string of 2900 bytes to identify the specific characters that overwrite the EIP register.
- Used Metasploits `pattern_create.rb` and `pattern_offset.rb` scripts to find the exact position of the overwritten EIP.
- Modified the buffer in the Python exploit script to control the EIP register: `buffer = "A" * 2606 + "B" * 4 + "C" * 90`.
5. **Find Space in Memory for Shellcode**
- Dumped the memory at the time of the crash to identify a suitable location for placing shellcode.
- Used Metasploits `msfvenom` tool to generate a payload for a reverse shell, ensuring it excluded bad characters identified earlier.
- Increased the length of the buffer to accommodate the generated shellcode.
6. **The Problem of Bad Characters**
- Identified bad characters (e.g., null byte `0x00`, newline `\n` `0x0A`, carriage return `\r` `0x0D`) that could truncate the shellcode or cause other issues.
- Sent all possible characters (0x00 to 0xff) as part of the buffer and observed how they were dealt with by the application after the crash.
7. **Generating the Shellcode Payload**
- Used Metasploits `msfvenom` tool to generate a shellcode payload with excluded bad characters.
- Included the generated shellcode payload into the Python exploit script.
8. **Redirecting the Execution Flow**
- Searched for a “JMP ESP” instruction or the two-instruction sequence “PUSH ESP; RET” within SLMails modules using Immunity Debugger and Mona.py script.
- Found a suitable JMP ESP instruction at address `5F4A358F` in the SLMFC.DLL module.
- Replaced the overwritten EIP ("B"s) with the discovered JMP ESP address in the exploit script.
9. **NOP Sled**
- Added a sequence of No Operation (NOP) instructions (`0x90`) at the beginning of the shellcode to create a “NOP sled.”
- This allowed for some flexibility in transferring execution to the shellcode without precisely controlling branching.
10. **Getting a Shell**
- Set up a netcat (nc) listener on the attacker machine to receive incoming connections from the exploited target.
- Ran the exploit script against the SLMail application, and upon successful exploitation, obtained a shell on the target machine.
11. **Assignment Task 1**
- Students were tasked to develop a working exploit for the `VulnNewApp.exe` application using the provided proof-of-concept script (`vulnapp_POC_script.txt`) and document their process in a report, including screenshots of each step.
Throughout the lecture slides, the document emphasizes hands-on learning and practical exercises using tools like Kali Linux, Immunity Debugger, Metasploit Framework, and Python scripting. It covers essential concepts in exploit development, buffer overflows, and fuzzing to help students understand and apply these techniques in network penetration testing.
Reference in New Issue View Git Blame Copy Permalink