Sometimes the exploit module for a CVE plays the role of an HTTP server, and the victim is a browser that visits the malicious web site and downloads the payload to execute. In this situation you can use the toolkit script SimpleHttpClient.groovy to play the browser. Here we explain how to write a simple HTTP client that downloads the payload from the Metasploit framework. Our target is CVE-2012-0266:
Exploit Script Analysis
Before writing our HTTP client script, the first step is to analyze the exploit script and find out what it is going to exploit. You can look up the script name by searching for the CVE in msfconsole with the command below:
Which means there should be an exploit script located at /usr/share/metasploit-framework/modules/exploit/windows/browser/ntr_activex_check_bof.rb.
Let's open it. You will find that it includes the modules below, and that the request handler only serves the exploit page when get_target recognises the User-Agent (comments corrected to match the regexes each branch tests):

```ruby
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb

def on_request_uri(cli, request)
  agent = request.headers['User-Agent']
  print_status("User-agent: #{agent}")
  my_target = get_target(agent)
  # Avoid the attack if the victim doesn't have a setup we're targeting
  if my_target.nil?
    print_error("Browser not supported: #{agent}")
    send_not_found(cli)
    return
  end
  ...
end

def get_target(agent)
  # If the target is already specified by the user, we'll just use that
  return target if target.name != 'Automatic'

  if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
    return targets[1]  # IE 6 on Windows XP SP3
  elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
    return targets[2]  # IE 7 on Windows XP SP3
  elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
    return targets[3]  # IE 8 on Windows XP SP3
  elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
    return targets[4]  # IE 7 on Windows Vista SP2
  elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/
    return targets[5]  # IE 8 on Windows Vista SP2
  elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
    return targets[6]  # IE 8 on Windows 7 SP1
  elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
    return targets[7]  # IE 9 on Windows 7 SP1
  else
    return nil
  end
end
```
Writing Custom HttpClient Case
Now that we know the behaviour of the exploit script, we can write our custom HttpClient case. First we create a .groovy file whose class extends DefaultHandler:
CVE2012_0266_2.groovy (v1)

```groovy
package ibm.iss.xf.tk.client.cve.http

import org.apache.http.HttpResponse
import org.apache.http.client.methods.HttpGet
import org.apache.http.client.methods.HttpUriRequest

// DefaultHandler is the base handler class supplied by the SimpleHttpClient toolkit.
class CVE2012_0266_2 extends DefaultHandler {

    public CVE2012_0266_2() {}

    /**
     * Callback of HTTP response.
     * @param request: Request of HTTP response
     * @param response: HTTP response
     * @param bodyBuf: Body buffer of HTTP response.
     * @return HttpUriRequest object - Next HTTP request. Null to stop framework.
     */
    @Override
    public HttpUriRequest handleCallback(HttpUriRequest request,
                                         HttpResponse response, StringBuffer bodyBuf) {
        // Based on the HttpResponse from the server, customize our action here.
        return null
    }
}
```
The "172.16.58.1" should be an IP address that our case script can reach. From the message above, we know that "http://172.16.58.1:8080/0qDJ348ofOgx/CkQ6q2Dtf0" is the URL our case script has to browse. Let's run the case script through SimpleHttpClient:
Here we use the command argument "-i" to indicate the case script. From the message, we learn that we are missing the argument "-u", which supplies the seed URL generated by the exploit script. Let's complete the command this time:
It seems that the exploit's payload was not sent. Let's check the msfconsole output:
Now it is clear that the reason is that our "User-Agent" is not one the module considers exploitable, so we have to modify our case script to make it work. Fortunately, DefaultHandler has a field called headers (a hash table) that can be used to modify and customize our request header(s). Let's set our "User-Agent" in the constructor of the case script to one of the exploitable targets:
CVE2012_0266_2.groovy (v2)

```groovy
...
    public CVE2012_0266_2() {
        // Must match both /NT 5\.1/ and /MSIE 6/ in the module's get_target (targets[1]).
        headers["User-Agent"] = "NT 5.1 MSIE 6"
    }
...
```
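To see the server-side gating that produced the 404 on the first run, and why the short "NT 5.1 MSIE 6" string is enough, here is an added Python model of the get_target()/on_request_uri() logic shown above; it is not code from the toolkit or the Metasploit module. The target labels and the sample User-Agent strings are constructed for illustration.

```python
import re

# Target table as listed in the module excerpt (index 0 is 'Automatic');
# the labels are constructed for this example.
TARGETS = [
    "Automatic",
    "IE 6 on Windows XP SP3",
    "IE 7 on Windows XP SP3",
    "IE 8 on Windows XP SP3",
    "IE 7 on Windows Vista SP2",
    "IE 8 on Windows Vista SP2",
    "IE 8 on Windows 7 SP1",
    "IE 9 on Windows 7 SP1",
]

# (OS regex, browser regex, target index) in the same order the module checks them.
RULES = [
    (r"NT 5\.1", r"MSIE 6", 1),
    (r"NT 5\.1", r"MSIE 7", 2),
    (r"NT 5\.1", r"MSIE 8", 3),
    (r"NT 6\.0", r"MSIE 7", 4),
    (r"NT 6\.0", r"MSIE 8", 5),
    (r"NT 6\.1", r"MSIE 8", 6),
    (r"NT 6\.1", r"MSIE 9", 7),
]


def get_target(agent):
    """Mirror get_target(): first rule whose two regexes both match wins, else None."""
    for os_re, browser_re, idx in RULES:
        if re.search(os_re, agent) and re.search(browser_re, agent):
            return idx
    return None


def serve(agent):
    """Mirror on_request_uri(): 404 (send_not_found) for unknown agents, 200 otherwise."""
    idx = get_target(agent)
    if idx is None:
        return 404, "Browser not supported: " + agent
    return 200, "exploit page for " + TARGETS[idx]


# Constructed sample agents: the page's spoofed value, a real-looking IE 8 on
# Windows 7 string, and a non-IE string that the module rejects with a 404.
SPOOFED_UA = "NT 5.1 MSIE 6"
IE8_WIN7_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
FIREFOX_UA = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
```

The regexes are substring searches, so the spoofed value needs only the two tokens; a default library User-Agent that carries neither token is answered with send_not_found, which is the 404 seen in the first run.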
If you want to save the payload to a file, you can use the API savePayload(payload_name, payload_content). For example:
CVE2012_0266_2.groovy (v3)

```groovy
    @Override
    public HttpUriRequest handleCallback(HttpUriRequest request,
                                         HttpResponse response, StringBuffer bodyBuf) {
        // Write the response body out under the given payload name.
        savePayload("payload_name", bodyBuf.toString())
        // No further request: returning null stops the framework.
        return null
    }
```