Modifying the Code to Fit the Environment

00:01

modifying the code to fit the environment

00:04

are learning objective is to demonstrate how to analyze and then modify code to fit the environment.

00:10

So I've spoken about this before when we find exploit code and exploit DB or wherever it may be,

00:15

whoever authored that code doesn't know the environment we're working in. They will leave I. P. Addresses, whatever exploit that worked for them. They'll leave I. P. Addresses and assume that we know to change it to our environment. They leave ports

00:30

like FTP 21 whereas in our environment it could be port 5000, Who knows?

00:36

But in some cases you'll see the exploit code. They actually give us in the comments that it's a hard coded iP address.

00:43

Um even in pen test monkeys. PHP reverse shell.

00:47

You know, he'll say change this, change this. Very nice of him to do that.

00:52

But not everybody does that.

00:54

And that's the same with web requests. So Wordpress maybe in a directory called Wordpress and maybe in the root directory or it may be in some other name. Directory like WP.

01:04

So when you run your exploit, it may not work because you didn't have the correct directory structure. It's also the same with WP scan, right? If I use WP scan against a host, it will say it couldn't find wordpress. But if I specify the directory wordpress,

01:21

then it will find that you have to help these tools and these exploits and guide them

01:26

to find the right directory. And there have been times where I've missed a hard coded I. P. Address or I've missed a port or I've missed the correct directory structure and my exploit won't work. So with that in mind let's go to a demo.

01:41

So I'm gonna do my end map scan here

01:45

and I'm not going to do the full port scan because that will take a while. But I notice a few open ports so it may not just be that there's one open port and that's our vulnerable service. There could be many open ports and we have to kind of sift through that information and determine what's the lowest hanging fruit

02:02

because we could try to do things like brute force,

02:07

SMB

02:08

or RDP but I see here that FTP has anonymous login allowed and that is Konica Minolta FTp utility.

02:16

I wanna of course manually verify that FTP is allowed with anonymous login.

02:29

I can see that I logged in here

02:32

but I can also like I said google dork. So I would I would take the Konica Minolta

02:38

FTp utility information

02:44

and you could do something like google

02:50

site

02:52

exploit

02:54

db dot com

03:06

and we see that we have three here but let's choose the first one.

03:08

I can either download this directly from the website

03:12

Or I see it's 392 and five. I could use search split as well

03:17

so I could use search exploit

03:20

attack em

03:21

392 and five and that will download that to my desktop.

03:25

So if I analyze the code I'll open it with mouse pad now

03:30

be a little different than g edit

03:34

like I said it's very nice that we have the comments up here

03:37

and this is a buffer overflow so we should be used to seeing this code

03:42

this buffer here that this may look like our pattern create that we did in our

03:46

in our module

03:50

but we don't have to go through that whole process. Right. We already have a lot done for us by the author of this exploit.

03:55

We do see an MSF venom payload

03:59

that will have to change the L. Host to us.

04:02

We can we can leave the airport as well if we wanted to to 4444. We already see that all the bad characters are picked out here.

04:11

If we keep reading the code, we see that we have in hard coded ip and the author was kind enough to tell us that.

04:16

So we need to change this

04:19

to our host

04:21

And we know it's on Port 21 so we don't have to change that. And we also know anonymous login is allowed so we can leave that as well.

04:29

So now what we need to do is MSF venom.

04:40

So I will change this to us.

04:50

You'll see the architecture X 86. That might be different in our case. So

04:56

pay attention to that as well.

04:59

Sometimes it works, sometimes it won't work.

05:02

So I will change this code in here,

05:06

paste

05:24

now I'll split this vertically. I'll do Net Cat.

05:28

And what we'll see here is do we know if this is Python two or 3?

05:33

I could try to execute this and you'll see it's giving me all these errors.

05:40

Also, maybe I didn't commit it correctly. I didn't seem odd.

05:45

Plus X

05:49

39

05:51

So that might be the problem. Again, I have an error.

05:55

I have to figure out is this python two or 3?

05:58

I could do python to just because it looks like Python 2 to me

06:05

and we see it sent the buffer and now we've got our shell.

06:13

So that's how to find public, exploit code,

06:15

download it

06:17

modified to fit our environment. And ultimately led us to get us to get a shell and also understanding the version of python. Right then why our system may or may not work or we have to debug why something is or isn't working.