Working with exploits

This section is mostly about local exploits, because they're annoying. Remote python exploits are usually point-and-shoot and web exploits have their own section.

Compiling exploits

First, the usual warning about randomly downloading exploits from the internet: watch out for backdoors. Exploit-DB is reliable.

Second, always read the exploit comments carefully:

  • Compiler options to use

  • Architecture of the victim machine (32-bit or 64-bit)

  • Steps to complete on the victim machine

  • Code modifications

Third, if you get error messages during compilation or runtime, google them. Usually this is because the binary was compiled on the attack machine and there are quirks in architecture that can be solved by modifying compile options.

Basic technique

For Linux exploits, the compile command looks like this:

gcc filename.c -o executablename

Before you can run it, you'll need to transfer it to the victim machine and give it the right permissions:

chmod u+x executablename

To run the executable:

./executablename

32-bit exploits

Sometimes the victim machine will be 32-bit and can't accept a 64-bit compiled binary. To determine the architecture of your target on Linux:

uname -a
cat /proc/version
dpkg --print-architecture
arch
file /sbin/init

32-bit is usually represented by i686 and 64-bit is usually represented by x86_64.

If a C compiler is missing or inaccessible on your victim machine, you can compile the exploits on your Kali machine but you need some extra libraries on Kali:

apt-get install gcc-multilib
apt-get install g++-multilib

You will also need to add the -m32 flag to your compile command.

Cross-compiling

You'll probably discover at some point that you can't just compile Windows C exploits on a Kali machine and expect them to work. This is where cross-compiling tools come in, but don't expect them to work perfectly. There are all sorts of dumb platform quirks that still get in the way, like missing libraries. When cross-compiling, be prepared to google a lot of error messages.

Download and install a cross-compiler for Linux:

apt-get install mingw-w64

To compile code for a 64-bit Windows target:

x86_64-w64-mingw32-gcc shell.c -o shell.exe

To compile code for a 32-bit Windows target:

i686-w64-mingw32-gcc shell.c -o shell.exe

Python exploits

On Linux, running python exploits is pretty easy:

python exploit.py

Python on Windows

Interestingly, some popular Windows exploits, such as MS11-080, are written in python (why?). To use these, you'll need to create a standalone executable from the python file. This is done by installing PyWin32 on a Windows machine and then the PyInstaller module.

Create a Windows PE executable:

python pyinstaller.py --onefile ms11-080.py

The executable can then be transferred to the victim machine and run.

Further reading