Trouble writing custom scanner in MSF

Viewing 14 reply threads
    • #5398
      yatz
      Participant

      I’m working through the Metasploit Unleashed tutorial on the Offensive Security website.  I got to the point where you write a scanner and I’m having some difficulty getting it to work.

      http://www.offensive-security.com/metasploit-unleashed/
      Under 04 – Information Gathering // Writing your own scanner

      I created the file with the code as follows:

      require 'msf/core'

      class Metasploit3 < Msf::Auxiliary
        include Msf::Exploit::Remote::Tcp
        include Msf::Auxiliary::Scanner

        def initialize
          super(
            'Name'        => 'TCP port scanner',
            'Version'     => '$Revision: 1 $',
            'Description' => 'Quick TCP scanner',
            'Author'      => 'yatz',
            'License'     => MSF_LICENSE
          )
          register_options([
            Opt::RPORT(12345)
          ], self.class)
        end

        # Called by the Scanner mixin once for every host in RHOSTS
        def run_host(ip)
          connect()
          sock.puts('HELLO SERVER')   # the call that raises the error shown below
          data = sock.recv(1024)
          print_status("Received #{data} from #{ip}")
          disconnect()
        end
      end

      …and then ran the netcat command on a linux machine as follows:

      nc -lnvp 12345 < response.txt

      response.txt contains the text "hello"

      Upon setting the RHOSTS to the linux IP and running the script, I get the following error:

      [-] Auxiliary failed: RuntimeError can't modify frozen string
      [-] Call stack:
      [-]  /opt/metasploit3/msf3/lib/rex/io/stream.rb:47:in `[]='
      [-]  /opt/metasploit3/msf3/lib/rex/io/stream.rb:47:in `write'
      [-]  (eval):20:in `puts'
      [-]  (eval):20:in `run_host'
      [-]  /opt/metasploit3/msf3/lib/msf/core/auxiliary/scanner.rb:92:in `block in run'
      [*] Auxiliary module execution completed

      Any idea what could be wrong?  I don't know ruby yet so I don't know if the code is wrong, but it is what was provided in the tutorial.

      Hope this is an easy fix.

      Thanks!

    • #34106
      yatz
      Participant

      Can anyone help me on this?  I’m still stuck…

    • #34107
      hayabusa
      Participant

      Give me a bit to tinker, yatz…  I jumped in, and tried it myself, with the same error.

      I’ll try to let you know, if my workload gives me enough time to debug, today.

    • #34108
      hayabusa
      Participant

      While I’m still trying to understand the ‘why’ behind it (proving I’m not yet a Ruby guru… and any Ruby gurus out there can reply, please, to help me, too, while I continue to read up and see if I can find the understanding) it evidently has something to do with data ‘freezing’ and the difference between sock.put and sock.puts…  (note:  one ends in an s, the other does not)  I was looking through some of the existing MSF scanners, and noted in many examples I’d found, that they were doing a sock.put, rather than a sock.puts.  Simply changing that one piece will allow your script to run correctly, and receive the ‘banner’ that the text file is supposed to simulate.

      HTH.

      Tim

    • #34109
      hayabusa
      Participant

      As I read it, put and puts treat the data differently, one as more of an explicit conversion to string, one as a more implicit conversion to string.  I’m guessing (while still trying to learn this) that the puts method of passing the data is somehow freezing the data, while the other is not…

    • #34110
      yatz
      Participant

      Hey thanks a lot hayabusa!  I will give that a shot.

      I was investigating the sock.puts, but didn’t see sock.put.  I did come across this http://www.ruby-forum.com/topic/62012 which kinda sounds similar but I didn’t understand how that could have any bearing on the error message I was receiving.

      Come to think about it, I should have just looked at other scanners…  😉

    • #34111
      hayabusa
      Participant

      Yeah, like I said, I’m still ‘learning’ Ruby too… so I figured I’d cheat and check other examples.  Only other thing I can think of, right now, is that it’s like a difference between p and puts (not sure if ruby treats p as a shortcut for put or not… trying to find documentation.)  In the case of p versus puts, I know puts appends a newline to its data, as well (\n) and maybe somehow that ‘freezes it,’ thinking it’s a literal value or something.  I dunno.  Rather than sound dumber with this particular topic than I already do ( ;D) I’ll yield, and see if anyone else can give us a better understanding!

    • #34112
      apollo
      Participant

      I believe the core part of the problem is that puts appends a new line and somewhere down the line it may be doing an append of “\n” somewhere along the line.  Metasploit seems to have encountered this in the past as about everything I’ve seen uses put for dealing with sockets.  Switching it from sock.puts to sock.put fixes the problem for me.

    • #34113
      alan
      Participant

      not sure this is going to solve this, but it mentions using print_line instead of puts in this doc:

      http://www.metasploit.com/redmine/projects/framework/repository/revisions/9745/entry/HACKING

      EDIT: that doesn’t work, totally wrong context!

      put works as apollo says

    • #34114
      hayabusa
      Participant

      As I read further, last night, the issue seemed to have sprung from a Rex update, in the past.  (Rex is ‘included’ in some of the msf modules, which are included in the ‘simple_tcp.rb scanner’ exercise.)  Evidently, at some point, puts would’ve worked, and perhaps, in older ruby versions and older msf (quite possibly the previous versions that existed when the tutorial was originally written,) puts might’ve worked ok.  But now, as we’ve noted, it seems the proper / best / working option is to use put, instead.

      Cheers, gents!
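
The thread settles on sock.put, but the mechanism behind the message is worth seeing in plain Ruby: a send routine that trims the caller's buffer in place after each partial send fails the moment it is handed a frozen string, while one that works on a private copy does not. The block below is an added example written for this page; it is not code from the thread, from Metasploit or from Rex. FakeSocket, mutating_write, copying_write and try_write are constructed stand-ins, and the partial-send loop is a simplification assumed for illustration, not Rex::IO::Stream's actual implementation.

```ruby
# Added example (not from the thread, Metasploit or Rex): a minimal stand-in
# for a stream's write loop, showing why a send routine that mutates its
# buffer argument raises "can't modify frozen string" while one that works
# on a private copy does not.
#
# Assumption: FakeSocket and the two write helpers are constructed for
# illustration; they do not reproduce Rex::IO::Stream's internals.

class FakeSocket
  attr_reader :sent

  def initialize(max_chunk)
    @sent = String.new       # mutable accumulator of everything "sent"
    @max_chunk = max_chunk   # simulate a socket that accepts only part of a buffer
  end

  # Mimics a non-blocking send: takes at most max_chunk bytes, returns count.
  def syswrite(buf)
    chunk = buf[0, @max_chunk]
    @sent << chunk
    chunk.bytesize
  end
end

# Version 1: drains the buffer by deleting the sent prefix from the *caller's*
# string in place.  Fine on a normal string, raises on a frozen one.
def mutating_write(sock, buf)
  total = 0
  while buf.length > 0
    n = sock.syswrite(buf)
    buf[0, n] = ''   # in-place mutation: FrozenError/RuntimeError if buf is frozen
    total += n
  end
  total
end

# Version 2: same loop over a private copy; the caller's string is never touched.
def copying_write(sock, buf)
  pending = buf.dup        # String#dup of a frozen string is unfrozen
  total = 0
  while pending.length > 0
    n = sock.syswrite(pending)
    pending = pending[n..-1]
    total += n
  end
  total
end

# Runs one writer against a payload and reports the outcome as a hash.
# FrozenError (Ruby >= 2.5) is a subclass of RuntimeError, so rescuing
# RuntimeError covers both the old message seen in the thread and current Rubies.
def try_write(writer, payload)
  sock = FakeSocket.new(4)
  begin
    n = send(writer, sock, payload)
    { ok: true, bytes: n, sent: sock.sent }
  rescue RuntimeError => e
    { ok: false, error: e.message }
  end
end

if __FILE__ == $0
  frozen = 'HELLO SERVER'.freeze            # constructed payload, frozen like a literal
  p try_write(:mutating_write, frozen)      # fails: can't modify frozen String
  p try_write(:copying_write, frozen)       # succeeds, 12 bytes sent
  p try_write(:mutating_write, 'HELLO SERVER'.dup)  # an unfrozen copy also succeeds
end
```

Running it prints a failing result for mutating_write on the frozen payload and successful ones for copying_write and for an unfrozen copy. The general lesson for library code is the same one the thread arrives at by trial: an entry point that may be handed a string literal must not mutate its argument, only a copy of it.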

    • #34115
      yatz
      Participant

      Thanks for the help everyone!

      There were a few other sections in the unleashed series that referenced commands that no longer function with the same syntax so everything you say makes sense.  For example, to use a module it says to issue the command

      use scanner/portscan/syn

      when the correct syntax is

      use auxiliary/scanner/portscan/syn

    • #34116
      apollo
      Participant

      Technically both of those are legit.  Metasploit will only really do tab completion for fully qualified contexts but inside Metasploit it mostly addresses the modules outside of the context of aux/exploit/payload. 

      So if you know what you are going after:

      windows/dcerpc/ms03_026_dcom

      is functionally equivalent to:

      use exploit/windows/dcerpc/ms03_026_dcom

      Even payloads are addressable in a similar way (and through the generate command you can now do almost everything you can through msfencode/msfpayload now that my patch got in)

      so you could:

      use payload/windows/meterpreter/reverse_tcp

      or
      use windows/meterpreter/reverse_tcp

      set your LHOST

      then :

      generate -E -i 5 -t exe -f /tmp/reverse_tcp.exe

      in order to create your reverse_tcp windows exploit using any encoder that works and encoding the payload 5 times.

    • #34117
      apollo
      Participant

      Oh.. another awesome way to do it that I learned about just last week.  If you have a single match for something and are lazy :

      use .*scanner.*syn

      and it will auto expand to:

      use auxiliary/scanner/portscan/syn

      I thought that was neat

    • #34118
      hayabusa
      Participant

      @apollo wrote:

      Even payloads are addressable in a similar way (and through the generate command you can now do almost everything you can through msfencode/msfpayload now that my patch got in)

      so you could:

      use payload/windows/meterpreter/reverse_tcp

      or
      use windows/meterpreter/reverse_tcp

      set your LHOST

      then :

      generate -E -i 5 -t exe -f /tmp/reverse_tcp.exe

      in order to create your reverse_tcp windows exploit using any encoder that works and encoding the payload 5 times.

      Nice, I hadn’t realized this could be done for the payloads, too.  Thanks!

    • #34119
      UNIX
      Participant

      For completeness:

      Once again, we have a few exciting updates we would like to inform you about. First and foremost, our Metasploit Unleashed Free Training course is going through a major overhaul, and will be updated and maintained on a monthly basis. You can expect a whole lot of new content being added onto the Metasploit Unleashed Wiki in the next few months. For now, we’ve added 9 new sections. We will keep you updated through our new “metasploit-unleashed” category – which will focus on the wiki changelog.

      S: http://www.offensive-security.com/metasploit-unleashed-training/metasploit-unleashed-updates/


Copyright ©2021 Caendra, Inc.
