Trouble writing custom scanner in MSF

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Wed Jul 28, 2010 4:04 pm

Trouble writing custom scanner in MSF

I'm working through the Metasploit Unleashed tutorial on the Offensive Security website.  I got to the point where you write a scanner and I'm having some difficulty getting it to work.

http://www.offensive-security.com/metasploit-unleashed/
Under 04 - Information Gathering // Writing your own scanner

I created the file with the code as follows:

  Code:
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp   # provides connect/disconnect and the sock object
  include Msf::Auxiliary::Scanner     # runs run_host once per RHOSTS entry

  def initialize
    super(
      'Name'        => 'TCP port scanner',
      'Version'     => '$Revision: 1 $',
      'Description' => 'Quick TCP scanner',
      'Author'      => 'yatz',
      'License'     => MSF_LICENSE
    )
    register_options([
      Opt::RPORT(12345)
    ], self.class)
  end

  def run_host(ip)
    connect()
    sock.puts('HELLO SERVER')   # send the probe (the call the error below is raised from)
    data = sock.recv(1024)      # read whatever the listener sends back
    print_status("Received #{data} from #{ip}")
    disconnect()
  end
end


...and then ran the netcat command on a linux machine as follows:

  Code:
nc -lnvp 12345 < response.txt


response.txt contains the text "hello"

Upon setting the RHOSTS to the linux IP and running the script, I get the following error:

  Code:
[-] Auxiliary failed: RuntimeError can't modify frozen string
[-] Call stack:
[-]   /opt/metasploit3/msf3/lib/rex/io/stream.rb:47:in `[]='
[-]   /opt/metasploit3/msf3/lib/rex/io/stream.rb:47:in `write'
[-]   (eval):20:in `puts'
[-]   (eval):20:in `run_host'
[-]   /opt/metasploit3/msf3/lib/msf/core/auxiliary/scanner.rb:92:in `block in run'
[*] Auxiliary module execution completed


Any idea what could be wrong?  I don't know ruby yet so I don't know if the code is wrong, but it is what was provided in the tutorial.

Hope this is an easy fix.

Thanks!
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Mon Aug 02, 2010 10:46 am

Re: Trouble writing custom scanner in MSF

Can anyone help me on this?  I'm still stuck...
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Aug 02, 2010 11:46 am

Re: Trouble writing custom scanner in MSF

Give me a bit to tinker, yatz...  I jumped in, and tried it myself, with the same error.

I'll try to let you know, if my workload gives me enough time to debug, today.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Aug 02, 2010 2:06 pm

Re: Trouble writing custom scanner in MSF

While I'm still trying to understand the 'why' behind it (proving I'm not yet a Ruby guru... and any Ruby gurus out there can reply, please, to help me, too, while I continue to read up and see if I can find the understanding) it evidently has something to do with data 'freezing' and the difference between sock.put and sock.puts...  (note:  one ends in an s, the other does not)  I was looking through some of the existing MSF scanners, and noted in many examples I'd found, that they were doing a sock.put, rather than a sock.puts.  Simply changing that one piece will allow your script to run correctly, and receive the 'banner' that the text file is supposed to simulate.

HTH.

Tim
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Aug 02, 2010 2:12 pm

Re: Trouble writing custom scanner in MSF

As I read it, put and puts treat the data differently, one as more of an explicit conversion to string, one as a more implicit conversion to string.  I'm guessing (while still trying to learn this) that the puts method of passing the data is somehow freezing the data, while the other is not...
Last edited by hayabusa on Mon Aug 02, 2010 2:15 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Mon Aug 02, 2010 2:40 pm

Re: Trouble writing custom scanner in MSF

Hey thanks a lot hayabusa!  I will give that a shot.

I was investigating the sock.puts, but didn't see sock.put.  I did come across this http://www.ruby-forum.com/topic/62012 which kinda sounds similar but I didn't understand how that could have any bearing on the error message I was receiving.

Come to think about it, I should have just looked at other scanners...  ;)
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Aug 02, 2010 2:43 pm

Re: Trouble writing custom scanner in MSF

Yeah, like I said, I'm still 'learning' Ruby too... so I figured I'd cheat and check other examples.  Only other thing I can think of, right now, is that it's like a difference between p and puts (not sure if Ruby treats p as a shortcut for put or not... trying to find documentation.)  In the case of p versus puts, I know puts appends a newline to its data, as well (\n) and maybe somehow that 'freezes it,' thinking it's a literal value or something.  I dunno.  Rather than sound dumber with this particular topic than I already do ( ;D) I'll yield, and see if anyone else can give us a better understanding!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Mon Aug 02, 2010 11:22 pm

Re: Trouble writing custom scanner in MSF

I believe the core part of the problem is that puts appends a newline and somewhere down the line it may be doing an append of "\n" somewhere along the line.  Metasploit seems to have encountered this in the past as about everything I've seen uses put for dealing with sockets.  Switching it from sock.puts to sock.put fixes the problem for me.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
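The mechanism behind that backtrace, modeled in an added Ruby example (constructed here, not Rex or Metasploit code): the trace ends in a `[]=` inside `write`, so the write loop is editing the buffer it was handed, and a frozen string argument makes that edit raise. Where `puts` picks up a frozen string is not shown in the thread; the `InPlaceStream` and `OffsetStream` classes and the `try_send` helper are assumed names.

```ruby
require 'stringio'

# Constructed model, not Rex code: a write loop that trims the sent prefix
# off the caller's buffer with `[]=`, the same operation the backtrace shows
# at rex/io/stream.rb:47.  A frozen argument makes that `[]=` raise.
class InPlaceStream
  attr_reader :fd

  def initialize
    @fd = StringIO.new   # stands in for the socket
  end

  def write(buf, chunk = 4)
    total_sent = 0
    until buf.empty?
      sent = @fd.write(buf[0, chunk])
      buf[0, sent] = ''          # mutates the caller's string
      total_sent += sent
    end
    total_sent
  end
end

# Same job with an offset into an untouched buffer: frozen input is fine.
class OffsetStream
  attr_reader :fd

  def initialize
    @fd = StringIO.new
  end

  def write(buf, chunk = 4)
    total_sent = 0
    while total_sent < buf.length
      total_sent += @fd.write(buf[total_sent, chunk])
    end
    total_sent
  end
end

# Returns the bytes the stream received, or :frozen_error when the write
# loop tried to modify a frozen buffer (FrozenError is a RuntimeError).
def try_send(stream, buf)
  stream.write(buf)
  stream.fd.string
rescue RuntimeError
  :frozen_error
end
```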
alan

Newbie

Posts: 48

Joined: Sat Dec 27, 2008 11:55 pm

Post Mon Aug 02, 2010 11:36 pm

Re: Trouble writing custom scanner in MSF

Not sure this is going to solve this, but it mentions using print_line instead of puts in this doc:

http://www.metasploit.com/redmine/projects/framework/repository/revisions/9745/entry/HACKING

EDIT: that doesn't work, totally wrong context!

put works as apollo says
Last edited by alan on Mon Aug 02, 2010 11:57 pm, edited 1 time in total.
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Aug 03, 2010 5:34 am

Re: Trouble writing custom scanner in MSF

As I read further, last night, the issue seemed to have sprung from a Rex update, in the past.  (Rex is 'included' in some of the msf modules, which are included in the 'simple_tcp.rb scanner' exercise.)  Evidently, at some point, puts would've worked, and perhaps, in older ruby versions and older msf (quite possibly the previous versions that existed when the tutorial was originally written,) puts might've worked ok.  But now, as we've noted, it seems the proper / best / working option is to use put, instead.

Cheers, gents!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Tue Aug 03, 2010 8:13 am

Re: Trouble writing custom scanner in MSF

Thanks for the help everyone!

There were a few other sections in the unleashed series that referenced commands that no longer function with the same syntax so everything you say makes sense.  For example, to use a module it says to issue the command
  Code:
use scanner/portscan/syn

when the correct syntax is
  Code:
use auxiliary/scanner/portscan/syn
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH
apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Tue Aug 03, 2010 8:50 am

Re: Trouble writing custom scanner in MSF

Technically both of those are legit.  Metasploit will only really do tab completion for fully qualified contexts but inside Metasploit it mostly addresses the modules outside of the context of aux/exploit/payload. 

So if you know what you are going after:
windows/dcerpc/ms03_026_dcom


is functionally equivalent to:
use exploit/windows/dcerpc/ms03_026_dcom


Even payloads are addressable in a similar way (and through the generate command you can now do almost everything you can through msfencode/msfpayload now that my patch got in)

so you could:
use payload/windows/meterpreter/reverse_tcp

or
use windows/meterpreter/reverse_tcp

set your LHOST

then :
generate -E -i 5 -t exe -f /tmp/reverse_tcp.exe


in order to create your reverse_tcp windows exploit using any encoder that works and encoding the payload 5 times.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
apollo

Full Member

Posts: 146

Joined: Fri Apr 04, 2008 7:44 pm

Post Tue Aug 03, 2010 8:59 am

Re: Trouble writing custom scanner in MSF

Oh.. another awesome way to do it that I learned about just last week.  If you have a single match for something and are lazy :
use .*scanner.*syn<tab>


and it will auto expand to:
use auxiliary/scanner/portscan/syn


I thought that was neat
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Tue Aug 03, 2010 11:04 am

Re: Trouble writing custom scanner in MSF

apollo wrote:
Even payloads are addressable in a similar way (and through the generate command you can now do almost everything you can through msfencode/msfpayload now that my patch got in)

so you could:
use payload/windows/meterpreter/reverse_tcp

or
use windows/meterpreter/reverse_tcp

set your LHOST

then :
generate -E -i 5 -t exe -f /tmp/reverse_tcp.exe

in order to create your reverse_tcp windows exploit using any encoder that works and encoding the payload 5 times.

Nice, I hadn't realized this could be done for the payloads, too.  Thanks!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Fri Aug 27, 2010 1:08 am

Re: Trouble writing custom scanner in MSF

For completeness:

Once again, we have a few exciting updates we would like to inform you about. First and foremost, our Metasploit Unleashed Free Training course is going through a major overhaul, and will be updated and maintained on a monthly basis. You can expect a whole lot of new content being added onto the Metasploit Unleashed Wiki in the next few months. For now, we’ve added 9 new sections. We will keep you updated through our new “metasploit-unleashed” category – which will focus on the wiki changelog.


S: http://www.offensive-security.com/metas ... d-updates/
