Chapter 12
Writing Exploits III
Solutions in this Chapter:
Using the Metasploit Framework
Exploit Development with Metasploit
Integrating Exploits into the Framework
Related Chapters: Chapter 10, Chapter 11
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 12 • Writing Exploits III
Introduction
In 2003, a new security tool called the Metasploit Framework (MSF) was released to the public. This tool was the first open-source and freely available exploit development framework, and in the year following its release, MSF rapidly grew to be one of the security community’s most popular tools. The solid reputation of the framework is due to the efforts of the core development team along with external contributors, and their hard work has resulted in over 45 dependable exploits against many of the most popular operating systems and applications. Released under the GNU GPL and Artistic License, the Metasploit Framework continues to add new exploits and cutting-edge security features with every release.
We will begin this chapter by discussing how to use the Metasploit Framework as an exploitation platform. The focus of this section will be the use of msfconsole, the most powerful and flexible of the three available interfaces. Next, the chapter will cover one of the most powerful aspects of Metasploit that tends to be overlooked by most users: its ability to significantly reduce the amount of time and background knowledge necessary to develop functional exploits. By working through a real-world vulnerability against a popular closed-source Web server, the reader will learn how to use the tools and features of MSF to quickly build a reliable buffer overflow attack as a stand-alone exploit. The chapter will also explain how to integrate an exploit directly into the Metasploit Framework by providing a line-by-line analysis of an integrated exploit module. Details as to how the Metasploit engine drives the behind-the-scenes exploitation process will be covered, and along the way the reader will come to understand the advantages of exploitation frameworks.
This text is intended neither for beginners nor for experts. Its aim is to detail the usefulness of the Metasploit project tools while bridging the gap between exploitation theory and practice. To get the most out of this chapter, one should have an understanding of the theory behind buffer overflows as well as some basic programming experience.
Using the Metasploit Framework
The Metasploit Framework is written in the Perl scripting language and can be run on almost any UNIX-like platform, including the Cygwin environment for Windows. The framework provides the user with three interfaces: msfcli, msfweb, and msfconsole. The msfcli interface is useful for scripting because all exploit options are specified as arguments in a single command-line statement. The msfweb interface can be accessed via a Web browser and serves as an excellent medium for vulnerability demonstrations. The msfconsole interface is an interactive command-line shell that is the preferred interface for exploit development.
NOTE
The various Metasploit interfaces available are all built over a common API exported by the Metasploit engine. It is easy to extend the engine to any medium such as IRC, where it would be an ideal environment for teaming, collaboration, and training. There is an unreleased IRC interface that has already been developed, and it is rumored that an instant messaging interface may be in development.
The msfconsole interactive command-line interface provides a command set that allows the user to manipulate the framework environment, set exploit options, and ultimately deploy the exploit. Unrecognized commands are passed to the underlying operating system; in this way, a user can run reconnaissance tools without having to leave the console. A demonstration of how to use msfconsole will be performed by walking through the exploitation of a Windows NT 4 IIS 4.0 host that has been patched to Service Pack 5.
As seen in Figure 12.1, the help menu can be accessed at any time with the question mark (?) or help command.
Figure 12.1 The msfconsole Help Menu
First, the user lists the available exploits with the show exploits command (see
Figure 12.2).
The IIS 4.0 .HTR Buffer Overflow exploit appears promising because our target
runs IIS 4.0. Using the info command, the user retrieves information about the different
aspects of the exploit, including target platforms, targeting requirements, payload
specifics, a description of the exploit, and references to external information sources.
Notice in Figure 12.3 that the available targets include Windows NT4 SP5, the same as
our target platform.
Next, the user instructs the framework to select the IIS 4.0 exploit by entering the
use iis40_htr command. With tab-completion, which is enabled by default, the user can
simply type iis4 and then press the Tab key to complete the exploit name. As seen in
Figure 12.4, the command-line prompt reflects the selection.
Figure 12.2 The msfconsole Exploit Listing
Figure 12.3 Retrieving Exploit Information
Figure 12.4 Selecting an Exploit
When an exploit is selected, the msfconsole interface changes from main mode to exploit mode, and the list of available commands reflects exploit mode options. As an example, the show command now displays specific information about the module instead of a list of available exploits, encoders, or nops. Typing ? or the help command will display the list of exploit mode commands (see Figure 12.5).
Figure 12.5 The Exploit Mode Command List
Next, the user examines the list of available targets. In Metasploit, each target specifies a different remote platform that the vulnerable application runs over. Each exploit stores unique exploit details based on the targeted host. Picking the wrong target can prevent the exploit from working and potentially crash the vulnerable service.
Because the remote target is running Windows NT 4 Service Pack 5, the user sets the target platform with the set TARGET 2 command (see Figure 12.6).
Figure 12.6 Setting the Target Platform
After selecting the target, the user must provide additional information about the remote host to the framework. This information is supplied through framework environment variables. A list of required environment variables can be retrieved with the show options command. The result of the show options command in Figure 12.7 indicates that the RHOST and RPORT environment variables must be set prior to running the exploit. To set the remote host environment variable, RHOST, the user enters the command set RHOST 192.168.119.136, where the IP address of the target machine is 192.168.119.136. The remote port, RPORT, already has a default value that is consistent with our target.