Searching Exploit-DB for a web server's vulnerabilities

From time to time we find a server with vulnerabilities in its operating system, in a library the web application uses, in an active service or there may be another security issue which is not exploitable from the browser or the web proxy. In these cases, we could use Metasploit's exploit collection or, if what we need is not in Metasploit, we could search for it in Exploit-DB.

Kali Linux includes a copy of the exploits contained in Exploit-DB for offline use; in this recipe, we will use the commands Kali includes to explore the database and find the exploit we need.

How to do it...

  1. Open a terminal.
  2. Type the following command:
    searchsploit heartbleed
    
  3. The next step is to copy the exploit to a place where we can modify it, if necessary, and then compile it, as demonstrated:
    mkdir heartbleed
    cd heartbleed
    cp /usr/share/exploitdb/platforms/multiple/remote/32998.c .
    
  4. Usually, the exploits have some information about themselves and how to use them in the first few lines, as shown here:
    head -n 30 32998.c
    
  5. In this case, the exploit is in C so we need to compile it for it to work. The compilation command shown in the file (gcc -lssl -lssl3 -lcrypto heartbleed.c -o heartbleed) doesn't work correctly in Kali Linux so we need to use the following one instead:
    gcc 32998.c -o heartbleed -Wl,-Bstatic -lssl -Wl,-Bdynamic -lssl3 -lcrypto

How it works...

The searchsploit command is the interface to the local copy of Exploit-DB installed on Kali Linux; it looks for the given string in each exploit's title and description and displays the matching entries.

Exploits are located in the /usr/share/exploitdb/platforms directory. The exploit path shown by searchsploit is relative to that directory which is why, when we copied the file, we used the full path. Exploit files are also named after the exploit number they were assigned when they were submitted to Exploit-DB.

The compilation step was done differently from what the source code recommends because the OpenSSL libraries in Debian-based distributions lack some functionality, owing to the way they are built from source.
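Steps 3 and 4 depend on two details explained above: the path searchsploit prints is relative to the exploit database root, and the file is named after its Exploit-DB ID. The following shell functions, an added example and not part of the book's recipe, turn a relative searchsploit result into an absolute path, extract the ID from it, and print the header comment where authors usually document usage and build instructions. The root directory is taken from an assumed EXPLOITDB_ROOT variable (defaulting to the Kali path used in the recipe) so the same functions work on newer exploitdb packages, which store exploits under /usr/share/exploitdb/exploits instead of .../platforms.

```shell
#!/bin/sh
# Added example (not from the book): resolve the relative path that
# searchsploit prints into an absolute path under the exploit database root.
# EXPLOITDB_ROOT is an assumed variable; the default is the path the recipe uses.
EXPLOITDB_ROOT="${EXPLOITDB_ROOT:-/usr/share/exploitdb/platforms}"

# resolve_exploit_path <relative path as shown by searchsploit>
# Prints the absolute path and returns 0 if the file exists, 1 otherwise.
resolve_exploit_path() {
    rel="$1"
    # searchsploit output may carry a leading "./"; strip it before joining
    rel="${rel#./}"
    abs="$EXPLOITDB_ROOT/$rel"
    if [ -f "$abs" ]; then
        printf '%s\n' "$abs"
        return 0
    fi
    printf 'not found: %s\n' "$abs" >&2
    return 1
}

# exploit_id <path>
# The Exploit-DB ID is the file's base name without its extension.
exploit_id() {
    base=$(basename "$1")
    printf '%s\n' "${base%.*}"
}

# show_exploit_header <path> [lines]
# Print the first lines of the file (the recipe uses head -n 30), which is
# where the author's notes and the suggested compile command normally live.
show_exploit_header() {
    head -n "${2:-30}" "$1"
}

# Usage: sh resolve.sh multiple/remote/32998.c
if [ $# -gt 0 ]; then
    path=$(resolve_exploit_path "$1") && {
        printf 'Exploit-DB ID: %s\n' "$(exploit_id "$path")"
        show_exploit_header "$path"
    }
fi
```

Running the script with the path from step 2 prints the absolute location you would pass to cp, the numeric ID, and the header you would otherwise inspect with head; a non-zero exit tells you the local database does not contain that file, which is the usual sign that the package layout differs from the one the recipe assumes.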

There's more...

It is very important to understand the effect and impact of an exploit before we use it on a live system. Exploits in Exploit-DB are usually trustworthy, even though they often need some adjustment to work in a specific situation, but some of them may not do what they claim. Because of that, we need to review the source code and test it in our laboratory before using it in a real-life pentest.

See also

Besides Exploit-DB (www.exploit-db.com), there are other sites where we can look for known vulnerabilities in our target systems and exploits:
