Hi My name is Sumit tiwari and in this post, I will show you how to create a simple Metasploit module. For demonstration purpose,
let's explain bug
I will use ManageEngine Exchange Reporter Plus server which is vulnerable to unauthenticated remote code execution. I hope you will like it. First, let's explain bug. Java servlet `ADSHACluster` takes two parameters: `BCP_RLL` and `BCP_EXE`. Received data are converted from hex encoding and save inside bin directory. That's the way how `bcp.rll` and `bcp.exe` files are created. What is more interesting, `bcp.exe` file is executed using `exec` function.
privileges
So it's a classic example where software vendor forgets about checking current user privileges. Why? Because this functionality should be available only for administrator. Now, I will show you exploit written in python language. To simplify the whole situation, the vulnerable application is installed on the same computer where exploit code is running. As you can see exploit code is very small. First, it reads the calc.exe file and converts its content into hex encoding. Encoded data is sent to the vulnerable server. This request doesn't require any authentication. Calculator pops on the screen. This assures us that exploit is working correctly
first module
. It's time for creating our first module. We need to install Metasploit. I will be using Windows system so I download official MSI installation package. Metasploit tries to find custom modules inside specific directories. In our case it's: `.msf4\modules\exploits\test`. I download example module structure file from GitHub. Now, we can run Metasploit. Initialization can take some time. In order to use new module, we need to use command `reload_all` which reloads all framework files. Because we save file into exploits dir we can use the command: `use exploit/test/` and module name without extension, in our case: `test_module`. The example works just fine. It's time for modifications. We need to have a function which converts the whole file into a hex string. Because Metasploit is written in Ruby I found a solution on StackOverflow forum. Next, the encoded payload is sent to the server using POST request. For this I use `send_request_cgi` function.
HttpClient module
This functionality is located inside HttpClient module, so we need to import it. The server can be located at multiple locations. Because of that, I use `normalize_uri` function which joins PATH parameter from the user and servlet URL. `BCP_EXE` parameter will contain encoded calculator. The second parameter can contain anything. It's time for testing our exploit. In order to see our last changes, we need to execute `reload` command. Then, we are passing RHOST parameter which points to a vulnerable server. RPORT is also required because by default Manage Engine listens on port 8181. Poping calculator proofs that exploit is working correctly but a lot of pentesters are using Metasploit because of Meterpreter functionality. It's some kind of shell which allows executing quite complex commands on the attacked machine. For example, you can download passwords from multiple browsers.
meterpreter payload
Sending meterpreter payload is very simple. Just replace calculator variable with `generate_payload_exe` and add proper import. How is this working? Using Metasploit we can choose which payload will be sent to the attacked server. For this, we are using `set payload` command. In our case, we are looking for windows architecture. Each time `TAB` key can be used to display a full list of available payloads. I will use `windows/meterpreter/reverse_tcp`. This payload requires LHOST - which means IP of the Metasploit server and LPORT - a listening port. The framework takes all those payload parameters and generates exe file which is available for modules as a single variable. Let's check new module version. We get successful meterpreter shell. Now we can execute multiple commands. For example `getuid` will display the user that runs payload. Next thing to change is a `check` function. Sometimes, we don't want to execute payload on the attacked machine, especially if it's a very important production server. Most of the modules contain a simple function which allows checking if given server is vulnerable without executing the real payload.
In our case, we will use `GetProductVersion` servlet which returns JSON. Inside `BUILD_NUMER` field there is version number available. If it's lower or equal than 5216 it's very likely vulnerable. And we assume this without executing real exploit. Also, we are testing if the server returns JSON with a status argument so we can check if exploit is working correctly. The last thing is to change header data. I put proper name, description, and author. It's quite important because we can search those data using `search` command`
.created
Congratulations. You just created the first metasploit module. And that's all I want to show you in this post. To sum up: rewriting exploit from python to ruby is not so hard. I encourage you to take a quick look at existing modules. It's a great place for finding solutions for common problems and to discover framework functionality. tku for reading tell the end