In the last few days I’ve been doing some reading and playing around with exploits. This is a subject that has interested me for quite some time and although I’ve had a pretty good idea of how the attacks work, I’ve never actually bothered to sit down and read/learn much about it.
I found it pretty amazing how easy the entire process was, especially with some of the tools included in Backtrack. The texts I’ve been using are a few years old now (2007) which led to some interesting discoveries of my own. At first I attempted to recreate previous exploits that were written for older software. I installed a vulnerable SMTP server on my windows 7 64 bit box and followed through the documentation. My buffer overflow did overwrite EIP and I was able to manipulate it, find a “JMP ESP” address in a DLL and attempt an exploit. I used the metasploit framework to generate my shellcode to give me a reverse shell and wrote the whole thing out, supremely confident. Of course it didnd’t work… which resulted in my finding out about ASLR for the first time. From what I’ve read 32bit versions of windows are still fairly simple to exploit, even despite ASLR, but not wanting to jump too far ahead and to take things step by step I instead installed Windows XP on one of my boxes and put the vulnerable SMTP server on there. The end result was joy at a successful first exploit, followed rather quickly by frustration regarding ASLR which I know is going to result in a whole lot more reading on my part.
My spirits were lifted once I read that both ASLR and DEP were recently defeated on a fully patched 64bit Windows 7 machine by a hacker @ pwn2own. I realize I still have a long way to go before I get there, but I must say that setting up a pentest lab and going through the process of data gathering, enumeration, fuzzing and exploiting was great fun and an awesome learning experience. I’m really looking forward to learning more as I go and posting on any progress I am able to make. FWIW all of the pentests I carried out were on my own boxes and I would strongly discourage port-scanning or attempting to exploit a box that isn’t yours or that you don’t have explicit permission to practice on. I belive that learning about this will be a great time filler for when I have to wait for new electronic gear to get delivered/between projects :D