Exploit Development (part 13) Turning a 3Com Exploit into a Metasploit Module
This lesson covers turning a 3Com exploit into a metasploit module. Participants learn step by step directions in setting a payload and targets to produce a metasploit module.
Video Transcription
00:04
Okay, now let's try and turn our 3Com exploit into a Metasploit module. I went ahead and finished up the 3Com exploit you were supposed to do,
00:14
uh, as an exercise.
00:17
And so we have some shellcode,
00:21
and we have buf being the shellcode at the beginning.
00:26
And then I padded it with 'A' times 473 minus the length of buf. So 473 is the offset you should have found to
00:36
our
00:38
return pointer overwrite. Right,
00:40
so we need to make sure that that is 473 bytes total: buf plus some padding.
00:47
Otherwise our return address here, which is a jmp esi
00:52
in little endian format, will not be in the correct place. Then I padded it out to 500 with
00:59
23 C's. So originally my return address was some B's.
01:04
So that is our finished exploit. It's very similar to the public exploit, and I wanted you to do that as an exercise earlier in this module. So now I want to see if we can make this into a Metasploit module.
01:19
So I want to go to /usr/share/metasploit-framework
01:26
and go into the module tree,
01:27
modules and windows,
01:33
and TFTP.
01:34
Is there no tftp? It's actually modules, exploits, then windows, then tftp.
01:44
Windows TFTP exploits, rather.
01:47
So here are all the
01:48
Trivial FTP
01:49
exploits for Windows. There is actually one for this 3Com already, but that would be a little too easy to use as a base. So here's one that's called futuresoft_transfermode,
02:02
so that should be a good start.
02:07
So we'll just use that one as the base, so copy futuresoft_transfermode to myexploit.rb
02:16
and then we will edit myexploit.
02:22
So let's see. At the top up here we have a couple of include statements. This is a remote UDP exploit. It is not, however,
02:30
structured exception handler. We'll look at that next; that ought to be the last thing we see for exploit development before we move on to mobile. So we can get rid of this structured exception handler. It's not needed here.
02:45
And then we have information about the module: its name, description, who wrote it, CVE references. So if we were actually writing a module, we would need to change those accordingly. But we don't need to do that here.
03:00
It would kind of just be a waste of time. You're certainly welcome to look up the relevant information for this module
03:07
and change it accordingly. Default options,
03:13
we can just leave that. That's fine.
03:15
Payload. All right, so this is important. We do need to give it the information about the payload. Metasploit will automatically
03:25
create the payload. Of course, we've seen that plenty of times throughout the class. So we need to tell it the relevant information so it can do that: space, how much space we have for the payload. It will take up the full amount of space; it will pad with NOP equivalents
03:40
as it needs to. So we have 473 bytes. The only bad character we have is the null, so we can leave that. Stack adjustment,
03:52
we don't necessarily need. Most of the modules I see have this in there, so it seems to be kind of a rule of thumb to put it there, so we'll just leave the stack adjustment in there.
04:01
We saw a stack adjustment earlier in our War FTP example.
04:08
Platform is indeed Windows. Targets: if we were creating a Metasploit module, we would...
04:14
It would behoove us to at least
04:16
find as many targets as we could, make a lot of virtual machines, and try it out on different platforms.
04:26
But we only have one, so we can get rid of
04:30
the first three.
04:47
So we'll just have the one target here, and we'll make it Windows
04:53
XP SP3 English, and the return address. We do not need it in little endian format,
05:01
but I have forgotten what it was.
05:05
So let's go back to the desktop and look
05:12
at our 3Com exploit. So here it is in little endian format.
05:18
So look,
05:20
put it in
05:24
regular format and Metasploit will take care of setting it up as little endian.
05:30
That is our jmp
05:32
esi. If you chose a different one from your Mona listing, that's perfectly fine.
05:38
Privileged: true. Disclosure date: we could just leave those. We should change the disclosure date to whatever it is for our particular exploit.
05:49
Remote port will be 69. That's good. So pretty simple. We're just giving it basic information; the payload is the main point.
06:00
Then we have connect_udp,
06:02
the print_status "Trying target" name. Since we only have one target, that's kind of extraneous, so you can just get rid of that.
06:12
And then our exploit string, and this is gonna be pretty different. It looks like, since it does use structured exception handlers, it's a little bit different than what we're used to.
06:23
We will again see that momentarily when we move on to structured exception handlers to end out this module. But let's see if we can find an example for TFTP that doesn't use structured exception handlers and see if we can use that as a base.
06:42
So I will save this, and then let's just try this tftpd32,
06:50
no,
06:53
long_filename.rb. We go up to the top and look at the mixins here. It does not have that structured exception handler. So it is
07:02
going to be a safe return pointer overwrite, like we're used to. We look at its exploit string.
07:10
Looks like it's reading a file instead of writing,
07:13
and then sets the file name. It looks like they're doing a 120
07:18
character file name, avoiding the payload bad characters, and they're doing rand_text_english. Anything that is the same every time is something that an intrusion detection system can pick up on. So good practice is to use random text and let it change.
07:36
And then it looks like they're also doing a dot and then 135 characters. Again, this is a different server, tftpd32, so we don't really know anything about this particular vulnerability.
07:53
And then target.ret. So the return address for the chosen target, packed in little endian format, then payload.encoded right after it, and then a null byte. So it looks like they're not even finishing the entire packet. It looks like we just have a long file name, and then they stop, and that's good enough.
08:11
That seems
08:11
okay. Well, again, we don't really know anything about this server, but we can certainly use this as a base for our exploit. I'll just copy that and then go back to my exploit
08:26
and come down to my
08:28
definition of exploit and
08:33
switch out this exploit string
08:35
for the one we just copied, and we'll make changes to it, of course.
08:41
All right. So we wanted to write. So we want to do a \x00\x02. Right?
08:50
And we used the name Georgia, which is really, you know, how long my name is: seven characters. So just to be consistent we'll tell it we want rand_text_english, seven characters, and we do want to avoid the bad characters.
09:05
We don't need this dot, but we do need a null to specify the end of the file name.
09:13
And then we want...
09:15
We don't need this extra random text here. Not sure why they have a two-part file name with the dot, but again, that's a different vulnerability. Let's actually put this all on one line. It looks kind of silly like that.
09:37
And then we want target.ret packed. So that should be
09:43
after our payload. Remember, we have
09:46
payload then padding, and Metasploit will automatically pad up to the length we tell it, which was that 473 bytes.
09:56
So we want our payload.encoded first.
10:01
So right after the null at the beginning of the mode, we want payload.encoded.
10:09
And then we want our target
10:11
.ret
10:13
in little endian format.
10:16
And then finally, we want the null byte.
10:24
So if we wanted to be a little bit nicer, we could do exploit += and break it up into multiple lines so it wouldn't be so long like this and run off screen. We've got \x00\x02,
10:37
a file name,
10:39
and I just did seven characters because that's what we used in our original one that we know works, then a null byte in the file name,
10:46
then payload right at the beginning of our mode, just like we did in our exploit. We have the same thing here: \x00\x02, the name Georgia hard-coded, and a null byte.
10:58
And then buffer, which is shellcode, padding, return address, and then some extra padding at the end, which we dropped off here. It'll still work. We could put it in as well if we wanted to;
11:13
we could do random text of 23 characters.
11:18
So then we have the payload at the beginning, and that will pad out to 473, what we put for space. It will fill all of that space, and then we have
11:33
target.ret. It's packed into little endian format, and then we have a null to finish the packet.
11:41
And we could leave the rest of it. That does put
11:46
in the UDP socket our exploit and sets up the handler.
11:50
So, assuming I haven't made any mistakes, and since I just grabbed this basically from two different modules and made a couple of changes, I shouldn't expect that there's anything there. I think that's the easiest way to do it. You can certainly start with the base exploit skeleton and fill it in, but I think it's easier, and I'm less likely to make mistakes, if I just
12:11
stick with something that's already there and make changes to it.
12:13
All right, we'll start up msfconsole.
12:18
It's probably going to complain that the database isn't running. That's OK, we can live with that.
12:26
It is going to load up our module here; it shouldn't take too long.
12:37
It'll probably take even longer because it's going to try and attach to the database, and I don't think the database is listening.
12:50
While that's running, let's go ahead and...
13:18
okay, so here we go. Let's see
13:22
if we got any errors.
13:24
We did not. So it should have loaded the module fine. If there was an error, it would have told us as it loaded. So we should be able to use
13:35
exploit/
13:35
windows/tftp/myexploit.
13:41
Show our options.
13:43
We need to set our RHOST. That's going to be Windows XP as usual,
13:50
and it doesn't have a target automatically. We could have
13:54
set
13:56
a default target; that would probably be a good idea. So we set target 0, and
14:03
we show our payloads. It automatically pulls up our Metasploit payload system.
14:11
And let's make sure our TFTP server is actually running. Go to Windows and open the controller and start.
14:26
Set the payload windows/meterpreter/
14:31
reverse_tcp,
14:39
set LHOST to our IP address,
14:46
and we'll see if it works. Exploit. Sending the stage, that's a start. Oh, look, Meterpreter. So the benefit of using Metasploit: we get the Metasploit payload system, we can share it with others easily, so that makes it pretty nice.
15:03
All right, so one last thing. If we do want to
15:07
submit this to Metasploit. So it's just... good,
15:11
and quit.
15:16
We do want to submit this to the Metasploit repositories, which obviously we wouldn't here, because they've already written the module that's already there.
15:24
But if we do, if we go to the tools directory,
15:31
yes, there's msftidy.rb. If we want to submit this, msftidy will check for trailing newlines and other errors that aren't going to be syntax errors. msfconsole will find those, but it will find formatting errors. They like everything to be the same.
15:48
So if you run msftidy against your module, it will find,
15:52
like again, trailing white space and stuff like that that will cause your module to get bounced back for silly reasons, really. So you just run msftidy against it; you can clean that stuff up before you submit it. But again, we're not going to submit anything here. We'd need,
16:07
of course, something new in order to be useful.