
From bug to Metasploit module - Ewerson (Crash) Guimaraes


OWASP meetup 10/09/2015

Tech Space guests

September 10, 2015

Transcript

  1. The Way: What is Metasploit? Local File Inclusion (LFI) / Traversal. Priv. Escalation, CSRF, Command exec. Old bugs. Basic steps to building modules. Demo and Q&A.
  2. A collaboration between the open source community and Rapid7, Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports. Metasploit editions range from a free edition to professional enterprise editions, all based on the Metasploit Framework, an open source software development kit with the world's largest, public collection of quality-assured exploits. http://www.metasploit.com/about/what-is-it/

      My words: it is a most powerful tool to HELP pentesters do their job, just HELP, not to do the work for them!
  3. Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters to be injected. http://hakipedia.com/index.php/Local_File_Inclusion

      Bad code (the include path comes straight from the request):

        <?php
        ...
        include($_GET["path"]);
        ...
        ?>

      LFI / Traversal
  4. The impact:
      1- A malicious user can read sensitive files on the target server with the web server user's permissions.
      2- In some cases, when the web server has a .php file that calls phpinfo(), it is possible to get a shell (InsomniaSec paper).
      3- Using PHP streams (php://filter) it is possible to get the source code of any .php file.
      4- If any daemon on the server has weak permissions on its logs, an attacker can write PHP code into the log, include it, and then execute OS commands.
      5- On old Linux servers it is possible to use /proc/self as an attack vector.
      LFI / Traversal
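The vulnerable include above and its hardened counterpart, written in Ruby rather than PHP so that it runs stand-alone. This is an added example, not code from the talk or from Metasploit: `include_unsafe` trusts the request parameter exactly as `include($_GET["path"])` does, while `include_safe` decodes once, rejects null bytes, canonicalises the path with symlinks resolved, confines it to the web root and allowlists the extension. The directory tree, file names and secret contents are constructed for the demo.

```ruby
require 'tmpdir'
require 'fileutils'
require 'uri'

# Vulnerable pattern: the same trust as include($_GET["path"]). Whatever the
# client sends is joined to the web root and read, traversal sequences included.
def include_unsafe(webroot, param)
  File.read(File.join(webroot, param))
end

# Hardened pattern: decode once (as the web server would), reject null bytes,
# canonicalise with symlinks resolved, confine to the web root and allowlist
# the extension. Returns [:ok, contents] or [:denied, reason].
def include_safe(webroot, param)
  decoded = URI.decode_www_form_component(param)
  return [:denied, 'null byte'] if decoded.include?("\0")

  root = File.realpath(webroot)
  begin
    full = File.realpath(decoded, root) # raises if the file does not exist
  rescue Errno::ENOENT, Errno::ENOTDIR
    return [:denied, 'no such page']
  end
  return [:denied, 'outside web root'] unless full.start_with?(root + File::SEPARATOR)
  return [:denied, 'not a .php page'] unless File.extname(full) == '.php'

  [:ok, File.read(full)]
end

# Constructed demo tree (not a real deployment): a web root with one page, and
# a secret file one level above it that a traversal payload would reach.
def lfi_demo
  Dir.mktmpdir do |tmp|
    webroot = File.join(tmp, 'www')
    FileUtils.mkdir_p(File.join(webroot, 'pages'))
    File.write(File.join(webroot, 'pages', 'home.php'), "<?php echo 'home'; ?>")
    File.write(File.join(tmp, 'secret.txt'), 'db_password=hunter2')

    {
      unsafe_traversal: include_unsafe(webroot, '../secret.txt'),
      safe_traversal:   include_safe(webroot, '../secret.txt'),
      safe_encoded:     include_safe(webroot, '..%2Fsecret.txt'),
      safe_null_byte:   include_safe(webroot, 'pages/home.php%00.txt'),
      safe_absolute:    include_safe(webroot, File.join(tmp, 'secret.txt')),
      safe_legit:       include_safe(webroot, 'pages/home.php')
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  lfi_demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The prefix check is done on the real path, not on the string the client sent, which is what stops `..%2F`, absolute paths and symlinks alike; the decode happens exactly once, so a double-encoded `%252e%252e` ends up as a literal file name that does not exist rather than as a traversal.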
  5. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

      Examples/Impact: The online banking web application of ING Direct was vulnerable to a CSRF attack that allowed illicit money transfers. The popular video website YouTube was also vulnerable to CSRF in 2008, and this allowed any attacker to perform nearly all actions of any user. Customers of a bank in Mexico were attacked in early 2008 with an image tag in email; the link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website impersonating the bank. McAfee was also vulnerable to CSRF, and it allowed attackers to change their company system. https://en.wikipedia.org/wiki/Cross-site_request_forgery
      CSRF
  6. Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. Examples/Impact: DEMO. https://en.wikipedia.org/wiki/Privilege_escalation
      Priv. Escalation
  7. In computer security, arbitrary code execution is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It is commonly used in "arbitrary code execution vulnerability" to describe a software bug that gives an attacker a way to execute arbitrary code. Examples/Impact: DEMO. https://en.wikipedia.org/wiki/Arbitrary_code_execution
      Arbitrary Code Exec
  8. How can I automate this attack? How can I do an effective exploitation? Old bugs, new vulnerable apps.
  9. Old bugs, new exploits. Does Metasploit have a module for it? Let's ask the oracle! No, not the database, Google! OK, that is not a good joke! No! Metasploit doesn't have a module to exploit it! Can I write a module? Which way? Let's ask the oracle again!
  10. What we need before we begin:
      1- One or more bug(s), of course.
      2- Know the bug trigger and how the bug works.
      3- Know a little bit of Ruby.
      4- Know the Metasploit APIs.
      5- Know how to submit it to the Metasploit team.
      6- Time and patience.
      Building the module
  11. 1- One bug or more bugs, of course. You can start your own research, or, if you are lazy, http://www.exploit-db.com is a nice place to start. Where are the BUGS?
  12. 2- Know the bug trigger and how the bug works. Download the vulnerable app, set up the environment, try harder and have fun. Building the module
  13. 3- Know the Ruby language. (You don't need to be an expert coder! I'm not an expert!) Some Ruby knowledge sources and references to start with: http://www.ruby-lang.org/pt/ http://www.slideshare.net/zagari/introduo-linguagem-ruby http://akitaonrails.com/ Well, it's good to start! Building the module
  14. 4- Know the Metasploit APIs. These links make your job easier! PLEASE! Do not try to create your module(s) without consulting them: https://rapid7.github.io/metasploit-framework/api/Msf.html https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment Building the module
  15. Building the module. Start: here you set up the resources used by the module (the HttpClient mixin gives you the HTTP helpers, PhpEXE the PHP payload helpers):

        require 'msf/core'

        class Metasploit4 < Msf::Exploit::Remote
          include Msf::Exploit::Remote::HttpClient
          include Msf::Exploit::PhpEXE

      The initialize function holds the generic information about the module: Name, Description, License, Author, References, Payload, Platform, Arch, Targets, DisclosureDate.
  16. The initialize function of the Uptime module:

        def initialize(info = {})
          super(update_info(info,
            'Name'           => 'Uptime Version 7.4.0 / 7.5.0 Upload and Exec file',
            'Description'    => %q{
              This module exploits a vulnerability found in Uptime versions 7.4.0 and 7.5.0.
              By supplying a specially crafted request it is possible to upload a file and
              execute arbitrary commands through privilege escalation.
            },
            'License'        => MSF_LICENSE,
            'Author'         => [
              'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
              'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
            ],
            'References'     => [
              ['EDB', '37888']
            ],
            'Payload'        => { 'Space' => 100_000, 'DisableNops' => true },
            'Platform'       => ['php'],
            'Arch'           => ARCH_PHP,
            'Targets'        => [ ['Automatic', {}] ],
            'DefaultOptions' => { 'SSL' => false },
            'Privileged'     => true,
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Aug 6 2015'
          ))
        end
  17. Building the module. Register options:

        register_options(
          [
            Opt::RPORT(9999),
            OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
            OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
          ], self.class)

      Some options are registered automatically because the mixins included in the main class define them, e.g. RHOSTS and VHOST.
  18. Building the module. What we can and what we can't use: user interaction variables must be defined in register_options / register_advanced_options, and for each variable you must choose the correct type:
      Opt::RPORT -> the target port, with a default value
      OptEnum.new -> one value chosen from a fixed list of allowed values
      OptString.new -> strings
      OptInt.new -> integers
      OptRegexp.new -> regular expressions
      OptPath.new -> a path to a local file or directory
  19. Building the module. What we can and what we can't use: don't print with puts, use the framework's print helpers so output goes through the console and is formatted consistently.

        puts "Exploit #{var} Running... "        ->  vprint_status("Running exploit: #{var}...")
        puts "File #{var} Blocked"               ->  print_error("WRITE seems unlikely")
        puts "Pwned!!!"                          ->  print_good("The server was PWNED")
  20. Building the module. What we can and what we can't use: you can use print_status and vprint_status.
      print_status -> to show useful information on screen.
      vprint_status -> for detailed information; it only prints when the user sets VERBOSE to true.

        vprint_status('Trying to login...')
        vprint_status('Found Windows installation - Setting appropriate PATH')
  21. Building the module. What we can and what we can't use: checking if the target is vulnerable. The check method reports the result and returns a CheckCode:

        print_good('App Vulnerable')
        Exploit::CheckCode::Appears

        print_error('App Not Vulnerable')
        Exploit::CheckCode::Safe
  22. Building the module. What we can and what we can't use: HTTP connections. Don't open raw sockets yourself:

        require 'socket'
        hostname = 'localhost'
        port = 80
        s = TCPSocket.open(hostname, port)
        while line = s.gets
          puts line.chop
        end
        s.close

      Use the HttpClient mixin instead, which handles the target host, port, SSL and proxies for you:

        send_request_cgi(
          'method'    => 'POST',
          'uri'       => normalize_uri(target_uri.path, 'main.php'),
          'cookie'    => "#{cookie_split[1]}; #{cookie_split[2]}",
          'vars_post' => {
            'section'    => 'RunERDCInstance',
            'subsection' => 'view',
            'id'         => mon_get_id,
            'name'       => 'Exploit'
          }
        )
  23. Building the module. What we can and what we can't use: to write loot to a file, don't write it yourself:

        File.open(filename, 'w') { |f| f.write(something) }

      Use store_loot, which records the file in the database along with the host it came from:

        loot = store_loot("lfi.data", "text/plain", rhost, res.body, fname)

      Tip: on Linux store_loot saves the files in /home/<username>/.msf4/loot/
      Tip: on Windows store_loot saves the files in C:\Users\<username>\.msf4\loot\
  24. Building the module. Good! The module is done! Some tips before submitting it:
      - After finishing your module / exploit, run msftidy and rubocop to find any formatting issues.
      - When developing a memory corruption exploit, be aware that a hard-coded address (such as a RET or a ROP gadget) may change due to ASLR, the module getting rebased, service packs, new patches, etc. System addresses tend to suffer reliability issues.
      - Consult other modules; maybe you can reuse some code.
      - If you need help, don't contact me, try hdm instead!!!! (Joke) You can visit #metasploit @ freenode.
      - Review your code many times before posting it.
      - Run your module several times against the target machine.
  25. Building the module. You can get more tips here: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment And/or build a local copy of the docs: run 'rdoc' from the msf root, or gem install sdoc and run sdoc.
  26. 5- How to submit it to the Metasploit team. GITHUB: https://github.com/rapid7/metasploit-framework Don't use your master branch; create a new branch for each exploit (my recommendation!). Write an appropriate description of the bug in the pull request. Building the module
  27. 6- Time and patience. The MSF team receives a lot of exploits, modules and suggestions all day long, so you must have patience after sending your exploit/module. They (msf developers and contributors) will review your code and suggest improvements. You can suggest improvements in other modules as well. Building the module