Watch this tutorial to take a look at the Exploit-DB database and at an exploit that affects the PCMan FTP server. Download both the exploit and the vulnerable application, and run the exploit.
- [Teacher] Offensive Security, the providers of the Kali Linux system, maintains a large database of exploits, over 35,000 currently, as we can see here. The home page shows the latest set of exploits for the four categories of remote exploits, web application exploits, privilege escalation, and denial of service. It also maintains lists for exploit shellcode and security papers. The exploits database can be downloaded or we can browse it online.
To browse it I'll select the exploits menu item, which provides four exploit categories to choose from. I'll select remote exploits. The list shows the date that the exploit was registered and three columns, D, A, and V. The D column is a download of the exploit code and the A column allows us to download the application. The V column indicates whether the exploit has been verified.
Let's take a look at one. I'll select the PCMan FTP CHMOD exploit. The exploit code is displayed. We can see from the first line that this is a Python script, and from the notes and the comments that it's been developed for Windows XP Service Pack 3. We can see an address, ret, being set, which we want to use to overwrite the stack return address, and some machine code which we want to be included as the payload. The exploit then initializes a buffer with 30 no-operation (NOP) instructions followed by the shellcode.
We then have 2001 bytes which we set to hexadecimal 41, which is the character A. Then we insert the jump address, and we follow this with a number of bytes set to hexadecimal 43, or the character C. The exploit has a hard-coded target address of 1921681150. The exploit uses an anonymous login and then sends a CHMOD command to the target with the buffer as the parameter. Let's see this working.
I'll download the exploit by clicking the green down arrow and I'll save it into my downloads folder. I'll come back to this shortly. I've downloaded the PCMan FTP Server application from Exploit-DB and installed it on my Windows 7 system. We can see it's running and online. Back in Kali, I'll drop down to my downloads folder and look at the exploit. We can see that we've got a Python script called 40713.py. This is the CHMOD exploit.
I'll open it up to edit it. I'll scroll down to the point at which the socket is created and change the IP address to my Windows system, 10.0.2.6. Okay, we can close that now. And now I'll run this. When I look at my Windows system, I can see this exploit has caused the FTP server to crash. The downloaded code was intended for Windows XP, so a full exploit didn't occur, but we have been able to demonstrate the server vulnerability.
We'll come back to this.
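A defender's counterpart to the buffer layout described above, added here as an example that is not from the course or from Exploit-DB: a small Python check that flags FTP command lines carrying the hallmarks of this kind of overflow (an oversized CHMOD argument, a long run of one padding byte, a NOP sled, non-printable bytes). The sample commands, the stand-in shellcode and the return-address bytes are constructed placeholders, and the thresholds are assumed values to tune per environment.

```python
import re

# Constructed sample of FTP control-channel commands, as an FTP server or IDS
# might log them. Not captured from the tutorial's lab. The last line mimics the
# layout the tutorial describes (NOP sled, shellcode, 2001 'A' bytes, a return
# address, then 'C' padding); the shellcode and return address are placeholders.
FAKE_SHELLCODE = b"\xcc" * 16       # placeholder, not the exploit's payload
FAKE_RET = b"\xde\xad\xbe\xef"      # placeholder, not the exploit's ret address
SAMPLE_COMMANDS = [
    b"USER anonymous",
    b"PASS anonymous",
    b"CWD /pub",
    b"SITE CHMOD 644 readme.txt",
    b"CHMOD 755 upload.sh",
    b"CHMOD " + b"\x90" * 30 + FAKE_SHELLCODE + b"A" * 2001 + FAKE_RET + b"C" * 100,
]

MAX_ARG_LEN = 512   # assumed: legitimate CHMOD/path arguments are far shorter
MAX_RUN_LEN = 64    # assumed: a long run of one byte is classic overflow padding
NOP_SLED_MIN = 8    # assumed: this many consecutive 0x90 bytes looks like a sled


def longest_byte_run(data):
    """Length of the longest run of a single repeated byte value in data."""
    best = 0
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        best = max(best, len(m.group(0)))
    return best


def inspect_command(line):
    """Return the reasons an FTP command line looks like overflow traffic (empty if clean)."""
    verb, _, arg = line.partition(b" ")
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized argument (%d bytes) to %s" % (len(arg), verb.decode("ascii", "replace")))
    if longest_byte_run(arg) >= MAX_RUN_LEN:
        reasons.append("long run of a single byte (padding)")
    if b"\x90" * NOP_SLED_MIN in arg:
        reasons.append("NOP sled (0x90 run)")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non-printable bytes in argument")
    return reasons


def scan(commands):
    """Return (truncated command, reasons) for every command that trips a check."""
    findings = []
    for line in commands:
        reasons = inspect_command(line)
        if reasons:
            findings.append((line[:20], reasons))
    return findings
```

Running `scan(SAMPLE_COMMANDS)` flags only the oversized CHMOD line, with all four reasons; the same checks can be applied to FTP server logs or to command lines reassembled from a packet capture.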
Note: Learning about ethical hacking for exploits is part of the Malware competency from the Certified Ethical Hacker (CEH) body of knowledge.