The Metasploit Framework is such a versatile asset in every pentester's toolkit that it is no shock to see it being expanded constantly. Because the Framework is open, new technologies and exploits are incorporated into the msf svn trunk very rapidly as they surface, and end users write their own modules and share them as they see fit.
We will be talking about Backdooring EXE Files, Karmetasploit, and targeting Mac OS X.
The Internet is littered with improperly coded web applications, and multiple vulnerabilities are disclosed on a daily basis. One of the more critical classes is Remote File Inclusion (RFI), which allows an attacker to have PHP code of his or her choosing executed by the remote site even though that code is hosted elsewhere. Recently, Metasploit published not only a php_include module but also a PHP Meterpreter payload. The php_include module is very versatile: it can be used against any number of vulnerable web applications and is not product-specific.
In order to make use of the file inclusion exploit module, you will need to know the exact path to the vulnerable site. Loading the module in Metasploit, we can see a great number of options available to us.
Backdooring EXE Files
Creating customized backdoored executables used to take attackers a long time to do manually. The ability to embed a Metasploit payload in any executable you want is simply brilliant. When we say any executable, we mean any executable. You want to backdoor something you downloaded from the Internet? How about iexplorer? Or explorer.exe, or putty; any of these would work. The best part is that it is extremely simple. We begin by downloading our legitimate executable, in this case the popular PuTTY client.
Karmetasploit is a great function within Metasploit, allowing you to fake access points, capture passwords, harvest data, and conduct browser attacks against clients.
There is a bit of setup required to get Karmetasploit up and going. The first step is to obtain the run control file for Karmetasploit:
Karmetasploit In Action
Now, with everything ready, all that is left is to run Karmetasploit! We start up Metasploit, feeding it our run control file.
Wow! That was a lot of output! Please take some time to read through the output, and try to understand what is happening.
Let’s break down some of the output a bit here.
MSF vs OS X
One of the more interesting things about the Mac platform is that cameras are built into all of the laptops. This fact has not gone unnoticed by the Metasploit developers: there is a very interesting module that will take a picture with the built-in camera.
Amongst its many tricks, Metasploit also allows us to generate and handle Java-based shells to gain remote access to a system. There are a great many poorly written web applications out there that let you upload an arbitrary file of your choosing and have it run simply by requesting it in a browser. We begin by generating a reverse-connecting JSP shell and setting up our payload listener.
Building A Module
Writing your first Metasploit module can be a daunting task, especially if you do not code in Ruby on a regular basis. Fortunately, the language's syntax is intuitive enough that anyone with prior programming and scripting knowledge can make the transition (from Python, for example) to Ruby.
Before taking the plunge into module construction and development, let us take a quick look at some of the modules currently in place. These files can serve as our base for re-creating an attack on several different supported protocols, or for crafting one's own custom module.
Payloads Through MSSQL
In the previous section, we created a very basic module to get a better understanding of the principles behind a build. This section briefly explains passing payloads using the MSSQL module. The code presented currently works on the following installations of Microsoft's SQL Server: 2000, 2005 and 2008. We will first walk through the code and explain how this attack vector works before making our own from the ground up.
When an administrator first installs MSSQL, they have the option of using either mixed mode authentication or SQL based authentication. Using the latter, the administrator must specify a password for the 'sa' account. The 'sa' account is the system administrator for the SQL server and has most, if not all, permissions on the system. Once this password is guessed, whether through social engineering or other means, one can leverage this attack vector using Metasploit and perform additional actions. In a previous module, we discussed discovering which TCP port MSSQL is using by querying UDP port 1434 and executing dictionary attacks to guess the 'sa' password.
For our purposes, we’ll assume we are aware of the SQL system administrator’s account password. If you wish to recreate this attack, you will need to have a working copy of Microsoft Windows as well as any of the previously mentioned versions of MSSQL.
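The defender's counterpart to the 'sa' password guessing described above, added here as an example and not part of the original course material: it parses SQL Server ERRORLOG "Login failed" lines (error 18456) and flags clients that repeatedly fail to authenticate as 'sa'. The log lines are constructed samples and the alert threshold is an assumption.

```python
import re
from collections import Counter

# Constructed sample ERRORLOG excerpt (not real log data). Each failed login
# produces an "Error: 18456" line followed by the "Login failed" detail line;
# State 8 means the supplied password did not match.
SAMPLE_LOG = """\
2010-03-01 10:15:01.21 Logon       Error: 18456, Severity: 14, State: 8.
2010-03-01 10:15:01.21 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2010-03-01 10:15:01.48 Logon       Error: 18456, Severity: 14, State: 8.
2010-03-01 10:15:01.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2010-03-01 10:15:01.73 Logon       Error: 18456, Severity: 14, State: 8.
2010-03-01 10:15:01.73 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2010-03-01 10:15:02.02 Logon       Error: 18456, Severity: 14, State: 8.
2010-03-01 10:15:02.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2010-03-01 10:20:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2010-03-01 10:20:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.55]
2010-03-01 10:21:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2010-03-01 10:21:00.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.55]
2010-03-01 10:22:00.00 spid51      Starting up database 'tempdb'.
"""

# Matches only the detail line: timestamp, the failed user name and the source client.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, user, client) for every 'Login failed' line in text."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("client")))
    return events


def find_sa_guessing(text, threshold=3):
    """Return {client: failures} for clients with at least `threshold` failed 'sa' logins.

    The threshold is an assumed tuning value; a single typo will not trip it,
    while a dictionary attack against 'sa' fails many times from one client.
    """
    counts = Counter(client for _, user, client in parse_failed_logins(text) if user == "sa")
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in find_sa_guessing(SAMPLE_LOG).items():
        print(f"possible 'sa' password guessing from {client}: {n} failures")
```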
Creating Our Auxiliary Module
We will be looking at three different files; they should be relatively familiar from prior sections.
The Guts Behind It
Looking into the 'mssql.rb' file with a text editor, locate 'mssql_upload_exec'. We should be presented with the following: