Slide 1

Slide 1 text

From Bug to MSF Module – Ewerson Guimaraes (Crash)

Slide 2

Slide 2 text

About Ewerson (Crash)

Slide 3

Slide 3 text

The Way:
- What is Metasploit?
- Local File Inclusion (LFI) / Traversal
- Priv. Escalation, CSRF, Command exec
- Old bugs
- Basic steps to building modules
- Demo and QA

Slide 4

Slide 4 text

A collaboration between the open source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports. Metasploit editions range from a free edition to professional enterprise editions, all based on the Metasploit Framework, an open source software development kit with the world's largest public collection of quality-assured exploits. http://www.metasploit.com/about/what-is-it/ My words: it is a very powerful tool to HELP pentesters do their job; just HELP, it does not do the work for them!

Slide 5

Slide 5 text

Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters (such as ../) to be injected into the file name. http://hakipedia.com/index.php/Local_File_Inclusion Bad code: LFI / Traversal

Slide 6

Slide 6 text

The impact:
1- A malicious user can read sensitive files on the target server with the web server user's permissions.
2- In some cases, when the web server has a .php file that calls phpinfo(), it is possible to get a shell (InsomniaSec paper).
3- Using PHP streams (php://filter) it is possible to get the source code of any .php file instead of executing it.
4- If any daemon on the server has weak permissions on its logs, an attacker can write PHP code into the log, include it, and then execute OS commands.
5- On old Linux servers it is possible to use /proc/self as the attack vector.
LFI / Traversal
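An added example (not from the slides) of the bug class above, written in Ruby: an include that joins user input straight onto the web root, the hardened version that canonicalises the path and refuses anything outside the root, and the heuristic an LFI check uses to recognise a leaked /etc/passwd. The web root, the page and the passwd file are constructed in a temporary directory so the script runs offline.

```ruby
# Added example, not code from the presentation or from the Metasploit project.
# The sandbox below is constructed: a fake web root with one page and a fake
# /etc/passwd two directories above it.
require 'tmpdir'
require 'fileutils'
require 'uri'

# Vulnerable: attacker-controlled `page` is joined onto the web root with no
# check, the Ruby equivalent of  include("pages/" . $_GET['page'])  in PHP.
def vulnerable_include(webroot, page)
  File.read(File.join(webroot, URI.decode_www_form_component(page)))
end

# Hardened: decode, canonicalise, then require the result to still live under
# the web root. "../" sequences are collapsed by expand_path, so the prefix
# check sees the real target path.
def safe_include(webroot, page)
  root = File.expand_path(webroot)
  path = File.expand_path(URI.decode_www_form_component(page), root)
  raise ArgumentError, "traversal attempt: #{page}" unless path.start_with?(root + File::SEPARATOR)
  File.read(path)
end

# Builds the constructed sandbox and returns the web root path.
def build_sandbox
  top = Dir.mktmpdir('lfi-demo')
  webroot = File.join(top, 'var', 'www')
  FileUtils.mkdir_p(webroot)
  FileUtils.mkdir_p(File.join(top, 'etc'))
  File.write(File.join(webroot, 'home.php'), "<h1>welcome</h1>\n")
  File.write(File.join(top, 'etc', 'passwd'), "root:x:0:0:root:/root:/bin/bash\n")
  webroot
end

# The heuristic a check method uses to decide the read worked: /etc/passwd
# always starts with the root entry.
def looks_like_passwd?(body)
  body.match?(/^root:.*:0:0:/)
end

def lfi_demo
  webroot = build_sandbox
  payload = '..%2F..%2Fetc%2Fpasswd' # URL-encoded ../../etc/passwd, as sent in ?page=
  leaked = vulnerable_include(webroot, payload)
  blocked = begin
    safe_include(webroot, payload)
    false
  rescue ArgumentError
    true
  end
  {
    normal_page: safe_include(webroot, 'home.php'),
    vulnerable_leaks: looks_like_passwd?(leaked),
    hardened_blocks: blocked
  }
end

puts lfi_demo.inspect if $PROGRAM_NAME == __FILE__
```

The same prefix check is what you want in any file-serving code; a deny-list of "../" strings is not enough because encoded and doubled variants slip past it, while canonicalising first makes every variant collapse to the real path before the comparison.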

Slide 7

Slide 7 text

Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. Examples/Impact: The online banking web application of ING Direct was vulnerable to a CSRF attack that allowed illicit money transfers. The popular video website YouTube was also vulnerable to CSRF in 2008, which allowed any attacker to perform nearly all actions of any user. Customers of a bank in Mexico were attacked in early 2008 with an image tag in an email; the link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website impersonating the bank. McAfee was also vulnerable to CSRF, which allowed attackers to change their company system. https://en.wikipedia.org/wiki/Cross-site_request_forgery CSRF
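An added Ruby example (not from the slides) of the trust problem described above: a money-transfer handler that accepts any request carrying a valid session cookie, beside a hardened one that also requires POST, a same-site Origin and a per-session token. Requests and sessions are plain hashes standing in for what a web framework would hand you; bank.example and evil.example are made-up origins.

```ruby
# Added example, not code from the presentation. Origins and the session
# store are invented for the demo.
require 'securerandom'

BANK_ORIGIN = 'https://bank.example'

# The victim's logged-in session. Its cookie rides along on every request the
# browser makes to bank.example, including ones a third-party page triggers.
def new_session
  { user: 'alice', csrf_token: SecureRandom.hex(32) }
end

# Vulnerable: a valid session cookie is the only thing checked, so a GET
# planted in <img src="https://bank.example/transfer?to=mallory&amount=1000">
# on any page the victim visits is executed as alice.
def transfer_vulnerable(req, session)
  return { status: :rejected } unless session && session[:user]
  { status: :ok, from: session[:user], to: req[:params]['to'], amount: req[:params]['amount'] }
end

# Constant-time comparison so a token cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened: state changes need POST, an Origin (or Referer) on the bank's own
# site, and a per-session synchronizer token that a cross-site page can
# neither read nor forge.
def transfer_hardened(req, session)
  return { status: :rejected, reason: :no_session } unless session && session[:user]
  return { status: :rejected, reason: :method } unless req[:method] == 'POST'
  origin = req[:headers]['Origin'] || req[:headers]['Referer'].to_s[%r{\Ahttps?://[^/]+}]
  return { status: :rejected, reason: :origin } unless origin == BANK_ORIGIN
  token_ok = secure_equal?(req[:params]['csrf_token'].to_s, session[:csrf_token])
  return { status: :rejected, reason: :token } unless token_ok
  { status: :ok, from: session[:user], to: req[:params]['to'], amount: req[:params]['amount'] }
end

# What an attacker's page produces (an image tag for GET, an auto-submitting
# form for POST): the browser attaches alice's cookie, but the Origin is the
# attacker's site and the token is unknown to the attacker.
def forged_request(method)
  { method: method,
    headers: { 'Origin' => 'https://evil.example' },
    params: { 'to' => 'mallory', 'amount' => '1000' } }
end

# A request from the bank's own form, carrying the token rendered into it.
def legit_request(session)
  { method: 'POST',
    headers: { 'Origin' => BANK_ORIGIN },
    params: { 'to' => 'bob', 'amount' => '50', 'csrf_token' => session[:csrf_token] } }
end

def csrf_demo
  s = new_session
  {
    vulnerable_forged:    transfer_vulnerable(forged_request('GET'), s)[:status],
    hardened_forged_get:  transfer_hardened(forged_request('GET'), s)[:reason],
    hardened_forged_post: transfer_hardened(forged_request('POST'), s)[:reason],
    hardened_legit:       transfer_hardened(legit_request(s), s)[:status]
  }
end

puts csrf_demo.inspect if $PROGRAM_NAME == __FILE__
```

The hardened handler checks three independent things on purpose: the method check stops the image-tag case, the Origin check stops auto-submitted forms, and the token check stops anything that gets past a browser quirk or a misconfigured proxy that strips the Origin header.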

Slide 8

Slide 8 text

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. Examples/Impact: DEMO https://en.wikipedia.org/wiki/Privilege_escalation Priv. Escalation

Slide 9

Slide 9 text

In computer security, arbitrary code execution describes an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. The term "arbitrary code execution vulnerability" is commonly used to describe a software bug that gives an attacker a way to execute arbitrary code. Examples/Impact: DEMO https://en.wikipedia.org/wiki/Arbitrary_code_execution Arbitrary Code Exec

Slide 10

Slide 10 text

How can I automate this attack? How can I do an effective exploitation? Old bugs, new vulnerable apps

Slide 11

Slide 11 text

Old bugs, new exploits. Does Metasploit have a module for it? Let's ask the oracle! No! Not the database, Google! Ok, that is not a good joke! No! Metasploit doesn't have a module to exploit it! Can I write a module? Which way? Let's ask the oracle again!

Slide 12

Slide 12 text

What we need before we begin:
1- One or more bug(s), of course.
2- Know the bug trigger and how the bug works.
3- Know a little bit of Ruby.
4- Metasploit APIs.
5- Know how to submit it to the Metasploit team.
6- Time and patience.
Building the module

Slide 13

Slide 13 text

1- One or more bugs, of course. - You can start your own research. - If you are lazy: http://www.exploit-db.com is a nice place to start. Where are the BUGS?

Slide 14

Slide 14 text

2- Know the bug trigger and how the bug works. - Download the vulnerable app. - Set up the environment. - Try harder and have fun. Building the module

Slide 15

Slide 15 text

3- Know the Ruby language. (You don't need to be an expert coder! I'm not an expert!) Here are some Ruby learning sources and references to start with: http://www.ruby-lang.org/pt/ http://www.slideshare.net/zagari/introduo-linguagem-ruby http://akitaonrails.com/ Well, that's good enough to start! Building the module

Slide 16

Slide 16 text

4- Know the Metasploit APIs. These links make your job easier! PLEASE! Do not try to create your module(s) without consulting them. https://rapid7.github.io/metasploit-framework/api/Msf.html https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment Building the module

Slide 17

Slide 17 text

Building the module

Slide 18

Slide 18 text

Building the module

Start – Here you set up the resources (mixins) used by the module:

    require 'msf/core'

    class Metasploit4 < Msf::Exploit::Remote
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::PhpEXE

The initialize function – This is where the generic information about the module lives: Name, Description, License, Author, References, Payload, Platform, Arch, Targets, DisclosureDate.

Slide 19

Slide 19 text

      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file',
          'Description'    => %q{
            This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0.
            By supplying a specially crafted request it is possible to upload a file and
            execute arbitrary commands through privilege escalation.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
            [
              'Ewerson Guimaraes (Crash)',
              'Gjoko Krstic (LiquidWorm)'
            ],
          'References'     =>
            [
              ['EDB', '37888']
            ],
          'Payload'        =>
            {
              'Space'       => 100_000,
              'DisableNops' => true
            },
          'Platform'       => ['php'],
          'Arch'           => ARCH_PHP,
          'Targets'        => [['Automatic', {}]],
          'DefaultOptions' => { 'SSL' => false },
          'Privileged'     => true,
          'DefaultTarget'  => 0,
          'DisclosureDate' => 'Aug 6 2015'
        ))

Slide 20

Slide 20 text

Building the module

Register options:

        register_options(
          [
            Opt::RPORT(9999),
            OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
            OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
          ], self.class)

Some options are registered automatically because they come with the mixins included in the class, e.g. RHOST, RPORT, VHOST and SSL from HttpClient. Opt::RPORT(9999) above only overrides the default port.

Slide 21

Slide 21 text

Building the module

What we can and what we can't use:

User-facing options must be declared in register_options / register_advanced_options, and each one must use the correct type:

Opt::RPORT    -> the target port, with a default value
OptEnum.new   -> one value out of a fixed list of allowed values
OptString.new -> strings
OptInt.new    -> integers
OptBool.new   -> true/false
OptRegexp.new -> regular expressions
OptPath.new   -> paths to files on the local filesystem

Slide 22

Slide 22 text

Building the module

What we can and what we can't use:

Don't print with puts; it goes to the process stdout. Use the framework's print_* helpers, which are routed to the user's console (or RPC client) and respect the VERBOSE setting:

Don't:  puts "Exploit #{var} Running... "
Do:     vprint_status("Running exploit: #{var}...")

Don't:  puts "File #{var} Blocked"
Do:     print_error("WRITE seems unlikely")

Don't:  puts "Pwned!!!"
Do:     print_good("The server was PWNED")

Slide 23

Slide 23 text

Building the module

What we can and what we can't use:

You can use print_status and vprint_status:

print_status  -> shows useful information on screen.
vprint_status -> for detailed information; it only prints when the user sets VERBOSE to true.

    vprint_status('Trying to login...')
    vprint_status('Found Windows installation - Setting appropriate PATH')

Slide 24

Slide 24 text

Building the module

What we can and what we can't use:

Checking if the target is vulnerable: the check method prints its verdict and returns the matching CheckCode:

    print_good('App Vulnerable')
    return Exploit::CheckCode::Appears

    print_error('App Not Vulnerable')
    return Exploit::CheckCode::Safe
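An added Ruby example (not from the slides, and not the module's own check method) of the decision logic behind a check: pull the version out of a page, then compare it against the vulnerable range the module description names (7.4.0 to 7.5.0) with Gem::Version, which is part of Ruby's standard RubyGems and compares components numerically. The page bodies are constructed, and "7.10.0" is a made-up version chosen to show why comparing version strings lexically goes wrong. The symbols :appears, :safe and :unknown stand in for Exploit::CheckCode::Appears, ::Safe and ::Unknown so the script runs without the framework.

```ruby
# Added example, not code from the presentation or the Metasploit project.
VULNERABLE_RANGE = Gem::Requirement.new('>= 7.4.0', '<= 7.5.0')

# Constructed page footers standing in for the target's login page.
SAMPLE_BODIES = {
  vulnerable: '<div id="footer">Uptime version 7.4.0 &copy; 2015</div>',
  newer:      '<div id="footer">Uptime version 7.10.0</div>',   # made-up version
  unknown:    '<div id="footer">Welcome</div>'
}.freeze

# Pull "x.y.z" out of the banner; nil when the page reveals no version.
def extract_version(body)
  m = body.match(/version\s+(\d+(?:\.\d+)+)/i)
  m && m[1]
end

# The tempting shortcut: compare version strings lexically. "7.10.0" <= "7.5.0"
# is true as strings because '1' sorts before '5', so a patched 7.10.0 would
# be reported as vulnerable.
def naive_unpatched?(ver)
  ver <= '7.5.0'
end

# Correct: Gem::Version compares component by component as integers, and
# Gem::Requirement lets the range be declared once, next to the module metadata.
def check_version(body)
  ver = extract_version(body)
  return :unknown unless ver
  VULNERABLE_RANGE.satisfied_by?(Gem::Version.new(ver)) ? :appears : :safe
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_BODIES.each { |name, body| puts "#{name}: #{check_version(body)}" }
  puts "naive string check on 7.10.0: #{naive_unpatched?('7.10.0')}"
end
```

Returning Appears rather than Vulnerable is the honest verdict here: a version banner only says the target is in the affected range, it does not prove the exploit path works.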

Slide 25

Slide 25 text

Building the module

What we can and what we can't use:

HTTP connections: don't hand-roll them on a raw socket. This gives you no SSL, proxy, VHOST or cookie handling, and hard-codes the host and port instead of using the user's RHOST/RPORT options:

    require 'socket'

    hostname = 'localhost'
    port = 80
    s = TCPSocket.open(hostname, port)
    while line = s.gets
      puts line.chop
    end
    s.close

Use the HttpClient mixin instead:

    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'main.php'),
      'cookie'    => "#{cookie_split[1]}; #{cookie_split[2]}",
      'vars_post' => {
        'section'    => 'RunERDCInstance',
        'subsection' => 'view',
        'id'         => mon_get_id,
        'name'       => 'Exploit'
      }
    )
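An added Ruby example (not from the slides) of what send_request_cgi does for you, built by hand so it runs without the framework: take the Set-Cookie values from a login response, turn them into the Cookie header the module above builds from cookie_split, form-encode a vars_post style hash, and assemble the raw POST with a correct Content-Length. The Set-Cookie values, host name and form fields are constructed for the demo. In a real module you would not do this; Rex's response object already offers get_cookies for the first step, and the mixin handles the rest.

```ruby
# Added example, not code from the presentation or the Metasploit project.
require 'uri'

# Set-Cookie values as a login response might return them (constructed).
LOGIN_SET_COOKIES = [
  'PHPSESSID=abc123; path=/; HttpOnly',
  'user=sample; path=/',
  'expired=; Max-Age=0' # a deletion cookie, which must not be sent back
].freeze

# Keep only the name=value pair of each cookie, drop emptied ones, and join
# them the way a Cookie request header expects.
def cookie_header(set_cookie_values)
  set_cookie_values.map { |sc| sc.split(';', 2).first.strip }
                   .reject { |pair| pair.end_with?('=') }
                   .join('; ')
end

# Form-encode a vars_post style hash: spaces become '+', reserved characters
# are percent-escaped, so values like 'Exploit Test' cannot break the body.
def encode_form(vars)
  URI.encode_www_form(vars)
end

# Assemble a raw HTTP/1.1 POST. Content-Length is the byte length of the
# encoded body, which is the detail hand-rolled socket code most often gets
# wrong (character length and byte length differ once non-ASCII appears).
def build_post(host, path, cookie, vars)
  body = encode_form(vars)
  headers = [
    "POST #{path} HTTP/1.1",
    "Host: #{host}",
    'Content-Type: application/x-www-form-urlencoded',
    "Content-Length: #{body.bytesize}",
    "Cookie: #{cookie}",
    'Connection: close'
  ]
  headers.join("\r\n") + "\r\n\r\n" + body
end

# The same request the send_request_cgi call above would send, with the
# id and host filled in with constructed values.
def demo_request
  cookie = cookie_header(LOGIN_SET_COOKIES)
  build_post('target.example', '/main.php', cookie,
             'section' => 'RunERDCInstance', 'subsection' => 'view',
             'id' => '42', 'name' => 'Exploit Test')
end

puts demo_request if $PROGRAM_NAME == __FILE__
```

Every line of this is something the mixin handles for you, and on top of it the mixin also applies the user's Proxies, SSL and VHOST settings and URI encoding options; that is the reason the slide says to use send_request_cgi rather than TCPSocket.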

Slide 26

Slide 26 text

Building the module

What we can and what we can't use:

To save loot, don't write files by hand:

    File.open(filename, 'w') { |f| f.write(something) }

Use store_loot, which puts the file in the loot directory and records it in the database when one is connected:

    loot = store_loot('lfi.data', 'text/plain', rhost, res.body, fname)

Tip: on Linux store_loot saves the files under ~/.msf4/loot/
Tip: on Windows store_loot saves the files under %USERPROFILE%\.msf4\loot\

Slide 27

Slide 27 text

Building the module

Good! The module is done! Some tips before submitting it:
- After finishing your module/exploit, run msftidy and rubocop to find any formatting issues.
- When developing a memory corruption exploit, be aware that a hard-coded address (such as a RET or a ROP gadget) may change due to ASLR, the module getting rebased, service packs, new patches, etc., and system addresses tend to suffer reliability issues.
- Consult other modules; maybe you can reuse some code.
- If you need help, don't contact me, try hdm instead!!!! (Joke) You can visit #metasploit @ freenode.
- Review your code many times before posting it.
- Run your module several times against the target machine.

Slide 28

Slide 28 text

Building the module

You can get more tips here: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment And/or (local copy of the docs): run 'rdoc' from the msf root, or gem install sdoc and run sdoc.

Slide 29

Slide 29 text

5- How to submit it to the Metasploit team. GITHUB - https://github.com/rapid7/metasploit-framework Don't use your master branch. Create a new branch for each exploit. -> My recommendation! Write an appropriate description of the bug. Building the module

Slide 30

Slide 30 text

6- Time and patience. The MSF team receives lots of exploits, modules and suggestions all day long, so you must be patient after sending your exploit/module. They (MSF developers and contributors) will review your code and suggest improvements. You can suggest improvements in other modules as well. Building the module

Slide 31

Slide 31 text

Exploiting... Let's see the module working...

Slide 32

Slide 32 text

Thanks: Roberto Espreto - @espreto Busterbcook - @busterbcook HD Moore - @hdmoore OWASP KRAKOW TECHSPACE

Slide 33

Slide 33 text

Please say your name before asking! Questions? Flying kicks? Punches?

Slide 34

Slide 34 text

Contacts @crashbrz [email protected] blog.dclabs.com.br