How to compile/execute exploit code
I am not going to go into too much detail here for obvious reasons, but it is important to understand what exploits are and how they are (generally) used. OK, let's say that a hacker finds out that a particular function call made in some script that doesn't do any input bounds checking allows commands to be run on the server running the application, or he finds a buffer overflow vulnerability in some software that might allow commands to be run with system privileges or maybe just crash the system. This hacker might write some code to aid him in the task of exploiting these vulnerabilities. The script/program written to help exploit the vulnerability is called...you got it, an exploit. Generally hackers will release these exploits as proof-of-concept tools...just to prove it can be done and that they figured out how. There are bugtraq lists on the net that list known vulnerabilities and the associated exploits for just about anything you can think of. Now, for simplicity's sake, I am going to only illustrate a few exploits and how to compile and use them. One of the first things to consider when using exploits is that you want to make sure you are running the correct exploit for the target you are trying to crack. If you are trying to crack an Apache web server then an IIS exploit won't do you much good, will it ;) Grab some banners and do some research for version numbers etc. so you can be more surgical.
The first exploit I am going to discuss here is IIShack by ryan@eEye.com. What it does and how it works is discussed in the source. You can get the source here. Most exploits are coded in either C or Perl. We will discuss C for now. Depending on the h4x0r who discovered the vulnerability and coded the exploit, you could run across code developed under Linux or Windows etc., so it's good to have a variety of C compilers at your disposal. If you are running the average Windows NT box you should get Microsoft's C/C++ compiler and also Borland's C/C++ compiler. You can also install Cygwin to get a Linux-style bash shell and gcc for compiling C code developed on a UNIX/Linux platform. This particular code was compiled using Borland's command line compiler v5 on a Win32 box.
Now that you have your code and have compiled it, you are ready to run the exploit. These are generally called from the command line like any DOS tool. If the coder was thoughtful it might have comments and a usage function to help others understand how it works. See the below image of IIShack usage and at work...this server was patched so this wasn't too exciting.
If you are curious as to what an attack like this looks like in the web server logs, you can click here for an example. NOTE: If you want to mess around with running various exploits and learning how they work, then you should set up a test box for that purpose. Also, you might want to know that the shell code provided with the IIShack exploit simply writes a file on the server's C: drive...this is quite a calling card to a server admin. Here is a version of IIShack that is based on jill by Dark Spyrit and does much more. Some exploits are pretty straightforward and others can be a little more involved. In the case of jill by Dark Spyrit you will need to set up a netcat listener on your machine and feed your IP (or the IP of the machine running the listener) to the server via the exploit. The vulnerable server will shell out a command shell to your listener...from there you will control the server. For an example click here.
Now I'll show you at least a couple more examples. First I will use a UNIX Perl script that crashes the Serv-U FTP daemon (a DoS exploit). Windows users will need to install Cygwin with the associated Perl packages in order to run Perl scripts written for UNIX Perl. The results can be seen in the below image.
The next exploit will give the attacker full administrative privileges on the website forum program called DCboard. NOTE: This exploit does NOT work on the newer versions of DCboard. The website below has been contacted about this vulnerability. This exploit is also coded in UNIX Perl and can be found here. In the below image you will see the word 'Administrator' circled in red for clarity. To see the Admin panel and what the attacker would be able to do to this website forum, just click here for a screenshot. The avenues for attack here could be severe, from posting offensive material to mailing all the subscribers a letter informing them of this "free new banking software" or whatever...you see where I am heading with this.
This type of cracking is easier to pull off than one might think. Searching for easy targets is simple and quick using the search engines...for instance, just go to Google and search for sites containing the term (or the file): dcboard.cgi. Remember, learn and have fun but don't be a dick!
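The log side of the attacks above, as an added example that is not part of the original page: a small Python scanner over constructed IIS-style log lines that flags overlong request URIs and long runs of one repeated byte, the shape an overflow exploit request tends to leave in the web server logs, plus any request to dcboard.cgi, the forum script this page says attackers search for. The simplified log layout, the thresholds and the sample lines are assumptions made for this example.

```python
import re

MAX_URI_LEN = 512        # heuristic: ordinary requests are far shorter than this
MIN_PAD_RUN = 64         # a long run of one byte suggests overflow padding
WATCHED_SCRIPTS = ("dcboard.cgi",)   # scripts this page says attackers hunt for

# Simplified layout for this example: date time client-ip method uri status.
# Real IIS/W3C logs carry more fields; adjust the pattern for your server.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, method, uri, status = m.groups()
    return {"date": date, "time": time, "ip": ip, "method": method,
            "uri": uri, "status": int(status)}

def suspicious_reasons(entry):
    """List the reasons a request looks like exploit traffic; empty means nothing flagged."""
    reasons = []
    uri = entry["uri"]
    if len(uri) >= MAX_URI_LEN:
        reasons.append(f"oversized uri ({len(uri)} bytes)")
    if re.search(r"(.)\1{%d,}" % (MIN_PAD_RUN - 1), uri):
        reasons.append("long run of one repeated byte (overflow padding)")
    path = uri.split("?", 1)[0].lower()      # drop the query string before matching
    if path.endswith(WATCHED_SCRIPTS):
        reasons.append(f"request to watched script {path.rsplit('/', 1)[-1]}")
    return reasons

def scan_log(text):
    """Scan a log body; return (line_number, ip, uri_prefix, reasons) for each flagged line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((n, entry["ip"], entry["uri"][:40], reasons))
    return hits

# Constructed sample log (made up for this example, not taken from any real server).
SAMPLE_LOG = "\n".join([
    "2001-05-01 12:00:01 10.0.0.5 GET /default.htm 200",
    "2001-05-01 12:00:07 10.0.0.9 GET /" + "A" * 600 + " 500",
    "2001-05-01 12:00:09 10.0.0.9 GET /forum/dcboard.cgi?az=list 200",
    "2001-05-01 12:00:15 10.0.0.5 GET /images/logo.gif 200",
])

if __name__ == "__main__":
    for n, ip, uri, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: {uri}... -> {'; '.join(reasons)}")
```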