Milw0rm exploits

From WiKi AIRdump.CZ


Can someone shed some insight on this for me please. I have a milw0rm exploit that I am trying to use but haven't been able to figure out how to call the exploit. I updated milw0rm using the BackTrack script. The updates are local at /pentest/milw0rm/exploits, I just can't figure out how to use them. Does metasploit call the milw0rm exploits? Also, the exploit I am using has a file extension on ".c", and metasploit uses ".pm". I tried copying the file from /pentest/exploits/milw0rm/... to metasploits framework-2.5 directory and renaming to ".pm". No go though.

03-31-2006, 12:38 PM

Typically exploits are written in C or perl. They aren't executable through metasploit unless you add them. Which is beyond teaching :)

What you can do with the .c file is compile it. You would need to type something to the effect of make exploit.c in order for it to compile. It may just be an executable, so try ./exploit.c

For perl, it's perl exploit.pl to run it.

If it does not run right, it's due to the hacker community putting some bogus characters in it (usually simple) in order to keep script kiddies from running with scissors.

In this case you would need to edit the .c file and look for improper statements; usually it's something as simple as not commenting out a certain line.

First go to the directory, highlight the exploit you want to use, then type:

cp exploit-name.c /tmp

Go to tmp directory:

cd /tmp

Then compile the exploit:

gcc -o newexploit-name exploit-name.c (the output name has no extension)

Then just run the new file you just created:

./newexploit-name

P.S. These instructions are only if you are running BackTrack off of CD.

---

Which exploit exactly are you trying to use? Give me the full path to it and I'll check it for deliberate errors.

All of the exploits in the securityfocus or packetstorm or milw0rm directories should be standalone executables, therefore they should not need installing with configure/make/make install.

They should all work with the commands given above:

cp exploit.c /tmp
cd /tmp
gcc -o outputname exploit.c
./outputname

Thanks for all of the replies. Well, I was able to compile the exploit without any issues, although I think there may be some lines "rem'ed" out, or maybe I am just not doing this correctly. ;) The URL is

http://milw0rm.com/exploits/24

I compile the exploit, try to execute it, and it prompts -

root@slax:/tmp# ./sendmail
./sendmail <target ip> <target number>
Sendmail 8.12.8 prescan() exploit by bysin
Target Addr OS
-------------------------------------------
* 0 0xbfbfdad1 FreeBSD 4.7-RELEASE
root@slax:/tmp#

So I then enter ./sendmail 62.246.XX.XXX 24 and get the same response. I thought "target number" would be the port, but maybe not.

---

Exploiting sendmail would be port 25, but I don't think that is what it is asking for..

root@slax:/tmp# ./sendmail
./sendmail <target ip> <target number>
Sendmail 8.12.8 prescan() exploit by bysin
Target Addr OS
-------------------------------------------
* 0 0xbfbfdad1 FreeBSD 4.7-RELEASE
root@slax:/tmp#

No, I think it is asking for an arbitrary number assigned by the coder to the target; it says at the bottom that the target is 0 - FreeBSD. Try:

./sendmail 62.246.XX.XXX 0

--

Take this for what it is, friendly advice. I would not compile and run code like this without looking at it and understanding what it does. In this specific case, with unmodified code, any option other than "0" will simply execute the function "printtargets()" and exit. The "printtargets()" function essentially prints out the text that you see.

--

I never use code that I have obtained from anywhere without checking what it is trying to achieve. Even with a little basic C knowledge, you can work out the gist of most code. Doing anything else is quite dangerous, as you don't know what it is doing, even to your own machine! I also test it in a VMWare machine first!

Fortunately I do penetration testing for a living and we have some real geeky coders in the company, they check the code for me! he he he.

--

Thanks guys for the input. armedpilot, point understood and taken. :D It's more of just a learning curve that I am trying to understand, the whole exploiting thing that is.

--

Also keep in mind that if the target box is not FreeBSD, then this exploit is a no go, since the only target is FreeBSD.
