This topic has 14 replies, 5 voices, and was last updated 10 years, 4 months ago by UNIX.
July 28, 2010 at 9:04 pm #5398
yatz (Participant)
I’m working through the Metasploit Unleashed tutorial on the Offensive Security website. I got to the point where you write a scanner and I’m having some difficulty getting it to work.
http://www.offensive-security.com/metasploit-unleashed/
Under 04 – Information Gathering // Writing your own scanner, I created the file with the code as follows:
```ruby
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp   # provides connect/disconnect and the sock handle
  include Msf::Auxiliary::Scanner     # calls run_host once per host in RHOSTS

  def initialize
    super(
      'Name'        => 'TCP port scanner',
      'Version'     => '$Revision: 1 $',
      'Description' => 'Quick TCP scanner',
      'Author'      => 'yatz',
      'License'     => MSF_LICENSE
    )
    register_options([
      Opt::RPORT(12345)
    ], self.class)
  end

  def run_host(ip)
    connect()
    sock.puts('HELLO SERVER')   # the line the traceback below points at ((eval):20)
    data = sock.recv(1024)
    print_status("Received #{data} from #{ip}")
    disconnect()
  end
end
```

…and then ran the netcat command on a Linux machine as follows:
```bash
nc -lnvp 12345 < response.txt
```
response.txt contains the text "hello"
Upon setting the RHOSTS to the linux IP and running the script, I get the following error:
```
[-] Auxiliary failed: RuntimeError can't modify frozen string
[-] Call stack:
[-] /opt/metasploit3/msf3/lib/rex/io/stream.rb:47:in `[]='
[-] /opt/metasploit3/msf3/lib/rex/io/stream.rb:47:in `write'
[-] (eval):20:in `puts'
[-] (eval):20:in `run_host'
[-] /opt/metasploit3/msf3/lib/msf/core/auxiliary/scanner.rb:92:in `block in run'
[*] Auxiliary module execution completed
```
Any idea what could be wrong? I don't know Ruby yet, so I don't know if the code is wrong, but it is what was provided in the tutorial.
Hope this is an easy fix.
Thanks!
August 2, 2010 at 3:46 pm #34106
yatz (Participant)
Can anyone help me on this? I’m still stuck…
August 2, 2010 at 4:46 pm #34107
hayabusa (Participant)
Give me a bit to tinker, yatz… I jumped in and tried it myself, with the same error.
I’ll try to let you know, if my workload gives me enough time to debug, today.
August 2, 2010 at 7:06 pm #34108
hayabusa (Participant)
While I’m still trying to understand the ‘why’ behind it (proving I’m not yet a Ruby guru… and any Ruby gurus out there can reply, please, to help me, too, while I continue to read up and see if I can find the understanding), it evidently has something to do with data ‘freezing’ and the difference between sock.put and sock.puts (note: one ends in an s, the other does not). I was looking through some of the existing MSF scanners, and noted in many examples I’d found that they were doing a sock.put, rather than a sock.puts. Simply changing that one piece will allow your script to run correctly, and receive the ‘banner’ that the text file is supposed to simulate.
HTH.
Tim
August 2, 2010 at 7:12 pm #34109
hayabusa (Participant)
As I read it, put and puts treat the data differently, one as more of an explicit conversion to string, one as a more implicit conversion to string. I’m guessing (while still trying to learn this) that the puts method of passing the data is somehow freezing the data, while the other is not…
August 2, 2010 at 7:40 pm #34110
yatz (Participant)
Hey, thanks a lot hayabusa! I will give that a shot.
I was investigating the sock.puts, but didn’t see sock.put. I did come across this http://www.ruby-forum.com/topic/62012 which kinda sounds similar but I didn’t understand how that could have any bearing on the error message I was receiving.
Come to think about it, I should have just looked at other scanners… 😉
August 2, 2010 at 7:43 pm #34111
hayabusa (Participant)
Yeah, like I said, I’m still ‘learning’ Ruby too… so I figured I’d cheat and check other examples. Only other thing I can think of, right now, is that it’s like a difference between p and puts (not sure if Ruby treats p as a shortcut for put or not… trying to find documentation.) In the case of p versus puts, I know puts appends a newline to its data, as well (\n), and maybe somehow that ‘freezes it,’ thinking it’s a literal value or something. I dunno. Rather than sound dumber with this particular topic than I already do ( ;D) I’ll yield, and see if anyone else can give us a better understanding!
August 3, 2010 at 4:22 am #34112
apollo (Participant)
I believe the core part of the problem is that puts appends a newline, and somewhere down the line it may be doing an append of "\n". Metasploit seems to have encountered this in the past, as about everything I’ve seen uses put for dealing with sockets. Switching it from sock.puts to sock.put fixes the problem for me.
August 3, 2010 at 4:36 am #34113
alan (Participant)
Not sure this is going to solve this, but it mentions using print_line instead of puts in this doc:
http://www.metasploit.com/redmine/projects/framework/repository/revisions/9745/entry/HACKING
EDIT: that doesn’t work, totally wrong context!
put works as apollo says
August 3, 2010 at 10:34 am #34114
hayabusa (Participant)
As I read further last night, the issue seemed to have sprung from a Rex update in the past. (Rex is ‘included’ in some of the msf modules, which are included in the ‘simple_tcp.rb scanner’ exercise.) Evidently, at some point, puts would’ve worked, and perhaps, in older Ruby versions and older msf (quite possibly the previous versions that existed when the tutorial was originally written), puts might’ve worked ok. But now, as we’ve noted, it seems the proper / best / working option is to use put instead.
Cheers, gents!
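The put-versus-puts behaviour the posts above describe, reproduced without a network as an added example. This is not code from the thread, from Metasploit or from Rex, and the class and method names are assumed. The only grounding is the traceback yatz posted: `write` in rex/io/stream.rb calls `[]=` on the buffer, i.e. it trims the bytes it has already sent off the caller's string in place, and Ruby's `IO#puts` hands `write` a frozen newline string as the terminator. The stream below models that pattern, then shows a write loop that keeps a local offset instead of editing the caller's buffer.

```ruby
# Added example: an in-memory model of why sock.puts failed while sock.put
# worked. MutatingStream copies the defect visible in the traceback (write
# trims sent bytes off the caller's buffer with []=); SafeStream keeps an
# offset instead. The "wire" is just an array of chunks, no real socket.

class MutatingStream
  attr_reader :wire

  def initialize
    @wire = []
  end

  # Stand-in for the kernel: accept at most 5 bytes per call so the send
  # loop really iterates, as a non-blocking write loop would.
  def write_nonblock(data)
    chunk = data[0, 5]
    @wire << chunk
    chunk.bytesize
  end

  # Modelled on the pattern the traceback points at: bytes already sent are
  # sliced off the *caller's* buffer with []=. This is the defect.
  def write(buf)
    total = 0
    while buf.length > 0
      sent = write_nonblock(buf)
      buf[0, sent] = ""      # mutates buf; raises if buf is frozen
      total += sent
    end
    total
  end

  # put: a thin wrapper over write, which is how the thread uses sock.put.
  def put(buf)
    write(buf)
  end

  # puts: mirrors IO#puts (write the argument, then a newline). Ruby's own
  # IO#puts emits the newline as a frozen string, modelled here with .freeze.
  def puts(*args)
    args.each do |a|
      s = a.to_s
      needs_nl = !s.end_with?("\n")   # decide before write may mutate s
      write(s)
      write("\n".freeze) if needs_nl
    end
    nil
  end
end

# Hardened stream: a local offset, never editing the caller's buffer, so a
# frozen input (IO#puts's newline, or any literal under
# `# frozen_string_literal: true`) is written like any other.
class SafeStream < MutatingStream
  def write(buf)
    total = 0
    while total < buf.bytesize
      sent = write_nonblock(buf.byteslice(total, buf.bytesize - total))
      total += sent
    end
    total
  end
end

# put, then puts, as the scanner does. Returns what reached the wire, or the
# error message if the stream refused the write.
def try_send(stream)
  stream.put("HELLO SERVER".dup)   # a mutable copy: survives the in-place trim
  stream.puts("HELLO SERVER")      # the frozen "\n" terminator does not
  stream.wire.join
rescue RuntimeError => e           # FrozenError is a RuntimeError subclass
  "error: #{e.message}"
end

# A frozen buffer breaks put as well on the mutating stream: the defect is
# the in-place []=, not puts as such.
def put_frozen(stream)
  stream.put("HELLO SERVER".freeze)
  :ok
rescue RuntimeError
  :frozen
end

if __FILE__ == $0
  $stdout.puts try_send(MutatingStream.new)   # error: can't modify frozen ...
  $stdout.puts try_send(SafeStream.new)       # HELLO SERVERHELLO SERVER
end
```

Switching the module to `sock.put` sidesteps the problem because the string literal it passes is not frozen, but `put_frozen` shows the same stream still fails for any frozen buffer, so a `write` that does not mutate its argument is the durable fix; the `sock.put` change is the right one for the module as posted.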
August 3, 2010 at 1:13 pm #34115
yatz (Participant)
Thanks for the help everyone!
There were a few other sections in the unleashed series that referenced commands that no longer function with the same syntax so everything you say makes sense. For example, to use a module it says to issue the command
use scanner/portscan/syn
when the correct syntax is
use auxiliary/scanner/portscan/syn
August 3, 2010 at 1:50 pm #34116
apollo (Participant)
Technically both of those are legit. Metasploit will only really do tab completion for fully qualified contexts, but inside Metasploit it mostly addresses the modules outside of the context of aux/exploit/payload.
So if you know what you are going after:
windows/dcerpc/ms03_026_dcom
is functionally equivalent to:
use exploit/windows/dcerpc/ms03_026_dcom
Even payloads are addressable in a similar way (and through the generate command you can now do almost everything you can through msfencode/msfpayload now that my patch got in)
so you could:
use payload/windows/meterpreter/reverse_tcp
or
use windows/meterpreter/reverse_tcp
set your LHOST
then :
generate -E -i 5 -t exe -f /tmp/reverse_tcp.exe
in order to create your reverse_tcp windows exploit using any encoder that works and encoding the payload 5 times.
August 3, 2010 at 1:59 pm #34117
apollo (Participant)
Oh.. another awesome way to do it that I learned about just last week. If you have a single match for something and are lazy:
use .*scanner.*syn
and it will auto expand to:
use auxiliary/scanner/portscan/syn
I thought that was neat
August 3, 2010 at 4:04 pm #34118
hayabusa (Participant)
@apollo wrote:
> Even payloads are addressable in a similar way (and through the generate command you can now do almost everything you can through msfencode/msfpayload now that my patch got in)
> so you could:
> use payload/windows/meterpreter/reverse_tcp
> or
> use windows/meterpreter/reverse_tcp
> set your LHOST
> then :
> generate -E -i 5 -t exe -f /tmp/reverse_tcp.exe
> in order to create your reverse_tcp windows exploit using any encoder that works and encoding the payload 5 times.
Nice, I hadn’t realized this could be done for the payloads, too. Thanks!
August 27, 2010 at 6:08 am #34119
UNIX (Participant)
For completeness:
Once again, we have a few exciting updates we would like to inform you about. First and foremost, our Metasploit Unleashed Free Training course is going through a major overhaul, and will be updated and maintained on a monthly basis. You can expect a whole lot of new content being added onto the Metasploit Unleashed Wiki in the next few months. For now, we’ve added 9 new sections. We will keep you updated through our new “metasploit-unleashed” category – which will focus on the wiki changelog.
S: http://www.offensive-security.com/metasploit-unleashed-training/metasploit-unleashed-updates/