software helps security and IT professionals identify security issues, verify vulnerability mitigations, and manage expert-driven security assessments, providing true security risk intelligence. Capabilities include smart exploitation, password auditing, web application scanning, and social engineering. Teams can collaborate in Metasploit and present their findings in consolidated reports. Metasploit editions range from a free edition to professional enterprise editions, all based on the Metasploit Framework, an open source software development kit with the world's largest, public collection of quality-assured exploits.
http://www.metasploit.com/about/what-is-it/

My words: It's a most powerful tool to HELP pentesters do their job, just HELP, not to do the work for them!
of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected.
http://hakipedia.com/index.php/Local_File_Inclusion

A bad code:
<?php
...
include($_GET["path"]);
...
?>
LFI / Traversal
in the target server with webserver user permissions.
2- In some cases, when the webserver has a .php file with phpinfo(), it is possible to get a shell (InsomniaSec paper).
3- Using PHP streams it is possible to get any .php source code.
4- If any daemon on the server has weak permissions on its logs, an attacker can use it to write PHP code into a log and include it, and then execute OS commands.
5- On old Linux servers it is possible to use /proc/self as an attack vector.
LFI / Traversal
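A defender-side check for the include($_GET["path"]) pattern shown on the LFI slides, written in Ruby as an added example that is not from the original deck; the base directory and page names it uses are constructed, and it refuses the traversal, stream-wrapper and log/proc cases listed above by confining every include to one directory of .php pages.

```ruby
# Stand-alone path-confinement check for a file-include handler (added example,
# not code from the deck). base_dir is the only directory pages may come from.

# Stream wrappers (php://, data://, expect://, ...) turn a file include into a
# source-code read (the "PHP streams" item above) or a non-file resource, so
# anything carrying a scheme prefix is refused outright.
STREAM_WRAPPER = /\A[a-z][a-z0-9+.-]*:\/\//i

# Returns the absolute path that may be included, or nil when the request
# must be refused.
def safe_include_path(base_dir, requested, allowed_ext: '.php')
  return nil if requested.nil? || requested.empty?
  return nil if requested.include?("\0")            # null-byte truncation
  return nil if requested.match?(STREAM_WRAPPER)    # php://filter, data://, ...
  return nil if requested.start_with?('/', '~')     # /etc/..., /proc/self/..., ~user

  base   = File.expand_path(base_dir)
  target = File.expand_path(requested, base)        # collapses ./ and ../ segments

  # The resolved path must stay below base_dir; compare against "base_dir/" so
  # that a sibling such as "/var/www/pages-old" does not pass as a prefix match.
  return nil unless target.start_with?(base + File::SEPARATOR)
  # Only page scripts are includable: this rules out log files and other
  # writable locations even when they happen to sit under the web root.
  return nil unless File.extname(target) == allowed_ext
  target
end
```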
session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
Examples/Impact: The online banking web application of ING Direct was vulnerable to a CSRF attack that allowed illicit money transfers. Popular video website YouTube was also vulnerable to CSRF in 2008 and this allowed any attacker to perform nearly all actions of any user. Customers of a bank in Mexico were attacked in early 2008 with an image tag in email. The link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website impersonating the bank. McAfee was also vulnerable to CSRF and it allowed attackers to change their company system.
https://en.wikipedia.org/wiki/Cross-site_request_forgery
CSRF
flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.
Examples/Impact: DEMO
https://en.wikipedia.org/wiki/Privilege_escalation
Priv. Escalation
an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It is commonly used in the term arbitrary code execution vulnerability to describe a software bug that gives an attacker a way to execute arbitrary code.
Examples/Impact: DEMO
https://en.wikipedia.org/wiki/Arbitrary_code_execution
Arbitrary Code Exec
Let's ask the oracle! No! Not the database! Google! Ok, that is not a good joke! No! Metasploit doesn't have a module to exploit it! Can I write a module? How? Let's ask the oracle again!
of course.
2- Know the bug trigger and how the bug works.
3- Know a little bit of Ruby.
4- Know the Metasploit APIs.
5- Know how to submit it to the Metasploit team.
6- Time and patience.
Building the module
coder! I'm not an expert!)
Following are some Ruby knowledge sources and references to get started:
http://www.ruby-lang.org/pt/
http://www.slideshare.net/zagari/introduo-linguagem-ruby
http://akitaonrails.com/
Well, it's good to start!
Building the module
easier! PLEASE! Do not try to create your module(s) without consulting these links.
https://rapid7.github.io/metasploit-framework/api/Msf.html
https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
Building the module
the resources used in the module:

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE
  # initialize, check and exploit methods follow here
end

The initialize function holds the generic information about the module:
Name, Description, License, Author, References, Payload, Platform, Arch, Targets, DisclosureDate
username to authenticate as', 'sample']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
      ], self.class)

Some vars are loaded automatically because they are included in the main class, e.g. RHOSTS, VHOST.
use: User interaction variables must be defined in register_options / register_advanced_options. For each variable you must define the correct type:
Opt::RPORT -> Default host port
OptEnum.new -> Array options (a choice from a list of allowed values)
OptString.new -> Strings
OptInt.new -> Integers
OptRegexp.new -> Regular expressions
OptPath.new -> Paths and file paths
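To show what "define the correct type" buys you, here is a stand-alone model of a typed option table in the same call form as the register_options block above. It is an added example written for this page, not Metasploit's own Opt classes (the validation rules are a simplified re-implementation), and the option table at the bottom is constructed for a hypothetical HTTP module.

```ruby
# Stand-alone model of the typed option table the slide describes: an added
# example for this page, not Metasploit's own classes. The call form mirrors the
# slide (OptString.new('NAME', [required, desc, default])); validation is simplified.
class OptBase
  attr_reader :name, :default
  def initialize(name, attrs)
    @name, @required, @desc, @default = name, *attrs
  end
  # An unset value is acceptable only when the option is not required.
  def valid?(value) value.nil? ? !@required : valid_value?(value) end
  def valid_value?(_v) true end
end
class OptString < OptBase
  def valid_value?(v) v.is_a?(String) end
end
class OptInt < OptBase
  # the console hands values over as strings, so "80" passes and "http" does not
  def valid_value?(v) v.to_s.match?(/\A-?\d+\z/) end
end
class OptEnum < OptBase
  def initialize(name, attrs)
    super
    @enums = attrs[3] || []   # fourth attr: the list of allowed values
  end
  def valid_value?(v) @enums.include?(v.to_s) end
end
class OptRegexp < OptBase
  # valid only when the pattern compiles
  def valid_value?(v) Regexp.new(v.to_s) && true rescue false end
end
class OptPath < OptBase
  def valid_value?(v) File.file?(v.to_s) end   # must name an existing local file
end

# Checks what `set` left in the datastore against the table; returns the names
# of options that would stop the module from running (empty means good to go).
def invalid_options(table, datastore)
  table.reject { |o| o.valid?(datastore.fetch(o.name, o.default)) }.map(&:name)
end

# Constructed option table for a hypothetical HTTP module.
OPTIONS = [
  OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
  OptInt.new('RPORT', [true, 'The target port', 80]),
  OptEnum.new('ACTION', [true, 'Operation to perform', 'read', %w[read write]]),
  OptRegexp.new('PATTERN', [false, 'Pattern expected in the response']),
  OptPath.new('WORDLIST', [false, 'Local file of candidate paths'])
]
```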
use: You can use print_status and vprint_status:
print_status -> Shows useful information on screen.
vprint_status -> Shows detailed information; it only works when the user sets DEBUG to true.
vprint_status('Trying to login...')
vprint_status('Found Windows installation - Setting appropriate PATH')
use: Checking if the target is vulnerable:
print_good('App Vulnerable')
Exploit::CheckCode::Appears
print_error('App Not Vulnerable')
Exploit::CheckCode::Safe
use: To write loot to a file:
File.open(filename, 'w') { |f| f.write(something) }
loot = store_loot("lfi.data", "text/plain", rhost, res.body, fname)
Tip: On Linux store_loot will save the files in /home/<username>/.msf4/loot/
Tip: On Windows store_loot will save the files in C:\Users\<username>\.msf4\loot\
before submitting it: After finishing your module / exploit, you should run msftidy and rubocop to find any formatting issues.
When it comes to developing a memory corruption exploit, you need to be aware that a hard-coded address (such as a RET, or a ROP gadget) may change due to ASLR, the module getting rebased, service packs, new patches, etc., and system addresses tend to suffer reliability issues.
Consult other modules; maybe you can reuse some code.
If you need help, don't contact me, try hdm instead!!!! (Joke)
You can visit #metasploit @ freenode.
Review your code many times before posting.
Run your module several times against the target machine.
framework/wiki/Setting-Up-a-Metasploit-Development-Environment
And/or (local copy of the docs): run 'rdoc' from the msf root, or gem install sdoc and run sdoc.
https://github.com/rapid7/metasploit-framework
Don't use your master branch. Create a new branch for each exploit. -> My recommendation!
Elaborate an appropriate description for the bug.
Building the module
exploits, modules and suggestions all day long, so you must have patience after sending your exploit/module. They (msf devs and contributors) will review your code and suggest improvements. You can suggest improvements in other modules as well.
Building the module