Code:
lib/msf/core/exploit/tcp.rb
Provides TCP options and methods.
Defines RHOST, RPORT, ConnectTimeout
Provides connect(), disconnect()
Creates self.sock as the global socket
Offers SSL, Proxies, CPORT, CHOST
Evasion via small segment sends
Exposes user options as methods: rhost(), rport(), ssl()
Exploit::Remote::DCERPC
Code:
lib/msf/core/exploit/dcerpc.rb
Inherits from the TCP mixin and has the following methods and options:
dcerpc_handle()
dcerpc_bind()
---<< Back|Track <<---
Supports IPS evasion methods with multi-context BIND requests and fragmented DCERPC calls
Exploit::Remote::SMB
Code:
lib/msf/core/exploit/smb.rb
Inherits from the TCP mixin and provides the following methods and options:
smb_login()
smb_create()
smb_peer_os()
Provides the options SMBUser, SMBPass, and SMBDomain
Exposes IPS evasion methods such as: SMB::pipe_evasion, SMB::pad_data_level, SMB::file_data_level
Exploit::Remote::BruteTargets
There are two source files of interest.
Code:
lib/msf/core/exploit/brutetargets.rb
Overloads the exploit() method.
Calls exploit_target(target) for each Target
Handy for easy target iteration
Code:
lib/msf/core/exploit/brute.rb
Overloads the exploit() method.
Calls brute_exploit() for each stepping
Easily brute-forces an address range
The mixins listed above are just the tip of the iceberg as there are many more at your disposal when creating exploits. Some of the more interesting ones are:
Capture - sniff network packets
Lorcon - send raw WiFi frames
MSSQL - talk to Microsoft SQL servers
KernelMode - exploit kernel bugs
SEH - structured exception handling
NDMP - the network backup protocol
EggHunter - memory search
FTP - talk to FTP servers
Metasploit Exploit Targets
Exploits define a list of targets that includes a name, number, and options. Targets are specified by number when launched.
'Targets' =>
  [
    # Windows 2000 - TARGET = 0
    [ 'Windows 2000 English', { 'Rets' => [ 0x773242e0 ], }, ],
    # Windows XP - TARGET = 1
    [ 'Windows XP English', { 'Rets' => [ 0x7449bf1a ], }, ],
  ],
'DefaultTarget' => 0))
Target Options Block
The options block within the target section is nearly free-form although there are some special option names.
'Ret' is shortcut to target.ret()
'Payload' overloads the exploits info block
Options are where you store target data. For example:
The return address for a Windows 2000 target
500 bytes of padding need to be added for Windows XP targets
Windows Vista NX bypass address
Accessing Target Information
The 'target' object inside the exploit is the user's selected target and is accessed in the exploit as a hash.
target['padcount']
target['Rets'][0]
target['Payload']['BadChars']
target['opnum']
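The following is an added example, not Metasploit's own code: a stand-alone Ruby model of how the Targets array above becomes the 'target' object, how it is selected by number (falling back to DefaultTarget), how target['...'] and the target.ret() shortcut read it, and how a target's own 'Payload' hash overloads the module-level payload block. The class and function names (TargetModel, select_target, build_trigger), the 'padcount' values and the Rets[0] fallback are assumptions made for this illustration.

```ruby
# Added example, not Metasploit's own code: a stand-alone model of how an
# exploit's Targets array becomes the 'target' object used inside exploit().
# The class and function names (TargetModel, select_target, build_trigger)
# and the 'padcount' values are assumptions made for this illustration.

TARGETS = [
  # Windows 2000 - TARGET = 0
  [ 'Windows 2000 English', { 'Rets' => [ 0x773242e0 ], 'padcount' => 0 } ],
  # Windows XP - TARGET = 1 (needs 500 bytes of padding and stricter BadChars)
  [ 'Windows XP English',   { 'Rets' => [ 0x7449bf1a ], 'padcount' => 500,
                              'Payload' => { 'BadChars' => "\x00\x0a\x0d" } } ],
]

# The module-level Payload block; a target's own 'Payload' hash overloads it.
MODULE_PAYLOAD = { 'Space' => 900, 'BadChars' => "\x00" }

class TargetModel
  attr_reader :name, :opts

  def initialize(name, opts)
    @name = name
    @opts = opts
  end

  # Hash-style access, as in target['Rets'][0] or target['padcount'].
  def [](key)
    @opts[key]
  end

  # 'Ret' shortcut (target.ret); falling back to Rets[0] is this model's
  # convenience, not framework behaviour.
  def ret
    @opts['Ret'] || (@opts['Rets'] && @opts['Rets'][0])
  end

  # Effective payload options: target keys win over the module block, so a
  # target can carry its own BadChars (or architecture/OS specific settings).
  def payload_opts(module_payload)
    module_payload.merge(@opts['Payload'] || {})
  end
end

# Targets are chosen by number; nil means the DefaultTarget.
def select_target(targets, number, default_target = 0)
  name, opts = targets.fetch(number || default_target) do
    raise ArgumentError, "no such target: #{number}"
  end
  TargetModel.new(name, opts)
end

# Builds the trigger buffer for a target: padding followed by the return
# address packed little-endian, which is where the per-target data is consumed.
def build_trigger(target)
  ("\x90".b * target['padcount']) + [target.ret].pack('V')
end
```

With this model, select_target(TARGETS, 1) yields the Windows XP entry, build_trigger emits 500 bytes of padding followed by 0x7449bf1a in little-endian order, and payload_opts returns the module Space together with the target's stricter BadChars.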
Adding and Fixing Exploit Targets
Sometimes you need new targets because a particular language pack changes addresses, a different version of the software is available, or the addresses are shifted due to hooks. Adding a new target only requires 3 steps.
Determine the type of return address you require. This could be a simple 'jmp esp', a jump to a specific register, or a 'pop/pop/ret'. Comments in the exploit code can help you determine what is required.
Obtain a copy of the target binaries
Use msfpescan to locate a suitable return address
If the exploit code doesn't explicitly say what type of return address it needs, but does name the DLL used by the existing target, you can still work out what type of return address to look for. Consider the following example that provides a return address for a Windows 2000 SP0-SP4 target.
[ 'Windows 2000 SP0-SP4',
  {
    'Ret' => 0x767a38f6, # umpnpmgr.dll
  }
],
To find out what type of return address the exploit currently uses, we just need to find a copy of umpnpmgr.dll from a Windows 2000 machine and run msfpescan with the provided address to determine the return type. In the example below, we can see that this exploit requires a pop/pop/ret.
root@bt4:/pentest/exploits/framework3# ./msfpescan -D -a 0x767a38f6 win2000sp4.umpnpmgr.dll
[win200sp4.umpnpmgr.dll]
0x767a38f6 5f5ec3558bec6aff68003c7a7668e427
00000000  5F            pop edi
00000001  5E            pop esi
00000002  C3            ret
00000003  55            push ebp
00000004  8BEC          mov ebp,esp
00000006  6AFF          push byte -0x1
00000008  68003C7A76    push 0x767a3c00
0000000D  68            db 0x68
0000000E  E427          in al,0x27
Now, we just need to grab a copy of the target dll and use msfpescan to find a usable pop/pop/ret address for us.
root@bt4:/pentest/exploits/framework3# ./msfpescan -p targetos.umpnpmgr.dll
[targetos.umpnpmgr.dll]
0x79001567 pop eax; pop esi; ret
0x79011e0b pop eax; pop esi; retn 0x0008
0x79012749 pop esi; pop ebp; retn 0x0010
0x7901285c pop edi; pop esi; retn 0x0004
Now that we've found a suitable return address, we add our new target to the exploit.
[ 'Windows 2000 SP0-SP4 Russian Language',
  {
    'Ret' => 0x7901285c, # umpnpmgr.dll
  }
],
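As an added example (not msfpescan's code and not part of the original page), the following Ruby models the two msfpescan steps above: classify_at decodes the instructions at an existing return address to learn what kind of sequence the target relies on (the -D -a step), and find_pop_pop_ret lists every pop/pop/ret candidate in an image (the -p step). The image bytes are constructed here from the 0x767a38f6 listing plus a second made-up gadget; the image base address and the tiny decoder, which understands only pop r32, ret and retn imm16, are assumptions for this illustration.

```ruby
# Added example, not msfpescan's code: a toy model of "msfpescan -D -a ADDR"
# (classify_at) and "msfpescan -p" (find_pop_pop_ret). The image and its base
# address are constructed for this illustration, not read from a real DLL.

POP_REGS = %w[eax ecx edx ebx esp ebp esi edi]   # opcode 0x58 + register index

# Decodes one instruction if it is pop r32, ret or retn imm16.
# Returns [mnemonic, length] or nil for anything else (or past the end).
def decode_one(bytes, off)
  op = bytes[off]
  return nil if op.nil? || off < 0
  return ["pop #{POP_REGS[op - 0x58]}", 1] if (0x58..0x5f).include?(op)
  return ['ret', 1] if op == 0xc3
  if op == 0xc2 && bytes[off + 2]
    imm = bytes[off + 1] | (bytes[off + 2] << 8)
    return [format('retn 0x%04x', imm), 3]
  end
  nil
end

# What does an existing return address point at? Decodes from addr until the
# first ret/retn or the first instruction the toy decoder does not know.
def classify_at(image, base, addr)
  off = addr - base
  out = []
  loop do
    ins = decode_one(image, off)
    break if ins.nil?
    out << ins[0]
    off += ins[1]
    break if ins[0].start_with?('ret')
  end
  out.join('; ')
end

# Every offset where pop r32; pop r32; ret/retn occurs, reported as
# [address, mnemonics], the way the -p listing above is laid out.
def find_pop_pop_ret(image, base)
  hits = []
  (0...image.size).each do |off|
    a = decode_one(image, off)
    next unless a && a[0].start_with?('pop')
    b = decode_one(image, off + a[1])
    next unless b && b[0].start_with?('pop')
    c = decode_one(image, off + a[1] + b[1])
    next unless c && c[0].start_with?('ret')
    hits << [base + off, [a[0], b[0], c[0]].join('; ')]
  end
  hits
end

# Constructed image: int3 filler, the bytes shown at 0x767a38f6 in the listing
# above placed at offset 0x38f6, and one made-up gadget at offset 0x3a00.
IMAGE_BASE = 0x767a0000
IMAGE = Array.new(0x4000, 0xcc)
[0x5f, 0x5e, 0xc3, 0x55, 0x8b, 0xec, 0x6a, 0xff, 0x68, 0x00, 0x3c, 0x7a, 0x76]
  .each_with_index { |b, i| IMAGE[0x38f6 + i] = b }
[0x5e, 0x5d, 0xc2, 0x10, 0x00]
  .each_with_index { |b, i| IMAGE[0x3a00 + i] = b }
```

Running classify_at(IMAGE, IMAGE_BASE, 0x767a38f6) returns "pop edi; pop esi; ret", which is the same conclusion the -D -a listing led to, and find_pop_pop_ret then reports both gadgets in the constructed image with their addresses.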
Metasploit Exploit Payloads
Select an encoder:
Must not touch certain registers
Must be under the max size
Must avoid BadChars
Encoders are ranked
Select a nop generator:
Tries the most random one first
Nops are also ranked
Encoding Example
The defined Payload Space is 900 bytes
The Payload is 300 bytes long
The Encoder stub adds another 40 bytes to the payload
The Nops will then fill in the remaining 560 bytes bringing the final payload.encoded size to 900 bytes
The nop padding can be avoided by adding 'DisableNops' => true to the exploit
Payload Block Options
As is the case for most things in the Framework, payloads can be tweaked by exploits.
'StackAdjustment' prefixes "sub esp" code
'MinNops', 'MaxNops', 'DisableNops'
'Prefix' places data before the payload
'PrefixEncoder' places it before the stub
These options can also go into the Targets block, which allows different BadChars per target and lets targets cover different architectures and operating systems.
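The following is an added example, not Metasploit's own code, covering both the encoding example and the Payload block options above: a stand-alone Ruby model in which a toy single-byte XOR encoder stands in for the ranked encoder list (it must fit the Space and avoid the BadChars), the NOP fill brings the result up to the defined Space, and 'DisableNops', 'MinNops', 'MaxNops', 'Prefix', 'PrefixEncoder' and 'StackAdjustment' are honoured. The function names, the 39-byte placeholder stub and the exact ordering of the prefixes relative to the encoder stub are assumptions for this illustration.

```ruby
# Added example, not Metasploit's own code: a stand-alone model of payload
# assembly. xor_encode is a toy encoder; build_payload applies the Payload
# block options and the NOP fill. Ordering of the prefixes is assumed.

NOP_BYTE = 0x90

# Toy encoder: 39 placeholder stub bytes plus the key byte (40 bytes of
# overhead, matching the 300 + 40 example above), then the payload XORed with
# the key. The first key for which no byte of the result is a bad character
# wins; nil means no encoder fits.
def xor_encode(raw, badchars)
  stub = "\xcc".b * 39   # placeholder for a real decoder stub
  (1..255).each do |key|
    blob = stub + [key].pack('C') + raw.bytes.map { |b| b ^ key }.pack('C*')
    return blob unless blob.bytes.any? { |b| badchars.include?(b) }
  end
  nil
end

# 'StackAdjustment' => n prefixes "sub esp, n" (81 EC imm32) to the payload so
# its own stack use does not overwrite the payload bytes.
def stack_adjust(n)
  "\x81\xec".b + [n].pack('V')
end

def build_payload(raw, space:, badchars:, opts: {})
  # 'Prefix' and the StackAdjustment code go in front of the raw payload and
  # are encoded along with it (assumed ordering).
  raw = (opts['Prefix'] || '').b + raw.b
  raw = stack_adjust(opts['StackAdjustment']) + raw if opts['StackAdjustment']

  encoded = xor_encode(raw, badchars)
  raise 'no encoder key avoids the bad characters' if encoded.nil?
  # 'PrefixEncoder' is placed before the decoder stub, outside the encoding.
  encoded = (opts['PrefixEncoder'] || '').b + encoded
  if encoded.bytesize > space
    raise "encoded payload is #{encoded.bytesize} bytes, over the #{space} byte Space"
  end

  # NOP fill: pad up to Space unless 'DisableNops'; clamp with MaxNops/MinNops.
  nops = opts['DisableNops'] ? 0 : space - encoded.bytesize
  nops = [nops, opts['MaxNops']].min if opts['MaxNops']
  raise 'MinNops cannot be satisfied' if opts['MinNops'] && nops < opts['MinNops']
  raise 'the NOP byte is a bad character' if nops > 0 && badchars.include?(NOP_BYTE)

  sled = [NOP_BYTE].pack('C') * nops
  { bytes: sled + encoded, encoded_size: encoded.bytesize, nops: nops,
    total: nops + encoded.bytesize }
end
```

With a 300-byte payload and a 900-byte Space, build_payload reports 340 encoded bytes, 560 NOPs and a 900-byte total, exactly the figures in the encoding example; setting 'DisableNops' => true drops the sled and leaves 340 bytes, while 'MaxNops' caps the fill and an oversized payload is rejected before any NOPs are added.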