Presentation Material
Abstract
This talk shall focus on exploit development from vulnerabilities. We have seen many postings on security forums which vaguely describe a vulnerability, or sometimes provide a “proof-of-concept” exploit.
The Metasploit Framework is a powerful tool to assist in the process of vulnerability testing and exploit development. The framework can also be used as an engine to run exploits, with different payloads and post-exploitation mechanisms.
In this talk, we shall look at how we can construct exploits from published vulnerabilities, using facilities provided by the Metasploit Framework. A Unix and a Windows vulnerability example shall be covered. Next we shall demonstrate how to write this exploit as a Metasploit plug-in, so that it can be integrated into the Metasploit Framework.
Participants shall get insights into discovery and verification of vulnerabilities, finding the entry points, gaining control of program flow, choices of shellcode and finally writing a working exploit for the vulnerability. Participants shall also get an overview of Metasploit’s internal modules and how to integrate custom exploits with the Metasploit Framework.
Optional “bring-your-own-laptop”: This session can be designed to be quite interactive, if a local area network (wired or wireless) is available during the session. All along, participants can follow the steps on their own laptops. I shall be hosting an exploit lab, which participants can connect to and try out their exploits.
AI Generated Summary (may contain errors)
This content appears to be a transcript of a presentation or demo about using Metasploit, a popular penetration testing framework. The speaker is showcasing various features and capabilities of Metasploit, including:
- Setting up a remote host and port number for an exploit.
- Selecting a payload (e.g., Linux x86 reverse shell) and setting options such as the listening IP address and port.
- Using different types of payloads, such as bind shells.
- Utilizing Metasploit’s built-in features, including:
  - Rex (Root Extensions) and Pex (Perl Extensions), which provide text processing and management routines.
  - Protocol-level utilities for creating packets (e.g., TCP, UDP, SSL).
  - Miscellaneous utilities (Effects Utils) for tasks like hash manipulation and format string generation.
- Command-line utilities, including:
  - MSFCLI: a scriptable command-line interface.
  - MSFPayload: generates payloads from the command line.
  - MSFUpdate: live updates from Metasploit’s site.
  - MSFAimer: runs in client-server mode to help hack into machines.
- Other features, such as opcode database lookup, Windows GUI interface using wxRuby, new payloads and encoders, shared code, Nasm shell backend, and database support.
The speaker is demonstrating how to use Metasploit’s various components to create exploits and payloads, and highlighting the benefits of using this framework for penetration testing.