infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Some files from the alpha release. 

git-svn-id: file:///home/svn/incoming/trunk@3382 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2006-01-16 04:00:36 +00:00
parent 22ec4bbdc8
commit 6f833ff1fb
3 changed files with 360 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
README Normal file
View File

@ -0,0 +1,21 @@
This is an *alpha* release. Many bugs still exist and quite a few features
are still non-functional. The latest version can be obtained online from:
- http://metasploit.com/projects/Framework/msf3/
Licensing information can be found in ./documentation/COPYING
This release has only been tested on the following platforms:
- Linux x86 with Ruby 1.8.2, 1.8.3, and 1.8.4_rc2
- Mac OS X 10.3 with Ruby 1.8.3 from the fink package manager
This release *will not* work with the following platforms:
- Windows via Cygwin (openssl, readline, other issues)
- Windows via Native (stdin reads blocks the whole process)
- Mac OS X 10.4 with the standard Ruby install (Apple sucks)
Questions and suggestions can be sent to:
msfdev[at]metasploit.com
The framework-beta mailing list is the place to discuss features and
ask questions of the user-base. To subscribe, send a blank email to:
framework-beta-subscribe[at]metasploit.com

1
VERSION Normal file
View File

@ -0,0 +1 @@
3.0 Alpha Release 2

338
documentation/msfopcode.txt Normal file
View File

@ -0,0 +1,338 @@
Using the Opcode Database CLI (msfopcode)
The 3.0 version of the Metasploit Framework comes with a command line
interface to the Metasploit Opcode Database. This can be used instead
of the web-based wizard to easily search for portable opcode
addresses. The interface is provided through the msfopcode command
which is found in the root directory of the installation. This
interface is merely a front-end to a the
Rex::Exploitation::OpcodeDb::Client class interface that interfaces
with a HTTP-based XML protocol running on the Metasploit.com
web-server.
The interface itself provides a simplified interface to some of the
different aspects of the opcode database. When running the command
with no arguments, the following output is shown:
$ ./msfopcode
Usage: msfopcode command
SUPPORTED COMMANDS
stats Display database statistics
locales Display supported locales
metatypes Display supported opcode meta types (Ex: jmp reg)
groups Display supported opcode groups (Ex: esp => eip)
types Display supported opcode types (Ex: jmp esp)
platforms Display supported platforms
modules Display information about specific modules
search Search for opcodes given a set of criteria
The purpose of the stats command is to show the current database
statistics, such as the number of opcodes and modules currently
indexed by the database and the last time the database was updated.
The output to this command looks something like this:
$ ./msfopcode stats
Last Updated : Sat Sep 03 01:32:00 CDT 2005
Number of Opcodes : 12177419
Number of Opcode Types : 320
Number of Platforms : 14
Number of Architectures : 1
Number of Modules : 17683
Number of Module Segments: 71457
Number of Module Imports : 2065492
Number of Module Exports : 927637
The locales command lists the locales that are currently supported by
the database. In the future, more locales will be indexed to provided
a more complete view of opcode portability.
$ ./msfopcode locales
English
French
The metatypes command lists the opcode meta types currently supported
by the database. An opcode meta type is defined as a general
categorization of opcodes based on the action they perform, such as
jumping to a register, performing a pop/pop/ret, and so on. The meta
type helps categorize different specific types of opcodes.
$ ./msfopcode metatypes
pop/pop/ret
jmp reg
call reg
jmp [reg + offset]
call [reg + offset]
popad/ret
popaw/ret
push reg/ret
The groups command lists the opcode groups currently supported by the
database. The distinction between and opcode group and an opcode meta
type is that an opcode group associates opcodes based on the specific
action they perform, such as transitioning the instruction pointer to
the current value of a specific register, like esp.
$ ./msfopcode groups
eax => eip
ebx => eip
ecx => eip
edx => eip
edi => eip
esi => eip
ebp => eip
esp => eip
[esp + 8] => eip
[reg + offset] => eip
[esp + 0x10] => eip
[esp + 0x20] => eip
[reg] => eip
The types command lists all of the various specific opcode types
supported by the database. An opcode type is an instance of a specific
opcode or opcodes that form one logical instruction block, such as a
jmp esp. Opcode types are grouped together through the use of opcode
groups and meta types. A sampling of the output is shown below:
$ ./msfopcode types
jmp esp
call esp
push esp, ret
jmp ebp
call ebp
push ebp, ret
jmp eax
...
The platforms command lists the currently supported operating system
versions broken down by major version and service pack. At this point,
the database supports Windows NT SP3 through Windows 2003 Server SP1.
The database does not take into account hot fixes. Optionally,
platforms can be filtered by specifying the -p option with an argument
that includes a text portion of the operating system name or version
to filter. For instance, specifying -p 2000 will return only Windows
2000 versions.
$ ./msfopcode platforms
Windows NT 4.0.3.0 SP3 (IA32)
Windows NT 4.0.4.0 SP4 (IA32)
Windows NT 4.0.5.0 SP5 (IA32)
Windows NT 4.0.6.0 SP6 (IA32)
Windows 2000 5.0.0.0 SP0 (IA32)
Windows 2000 5.0.1.0 SP1 (IA32)
Windows 2000 5.0.2.0 SP2 (IA32)
Windows 2000 5.0.3.0 SP3 (IA32)
Windows 2000 5.0.4.0 SP4 (IA32)
Windows XP 5.1.0.0 SP0 (IA32)
Windows XP 5.1.1.0 SP1 (IA32)
Windows XP 5.1.2.0 SP2 (IA32)
Windows 2003 Server 5.2.0.0 SP0 (IA32)
Windows 2003 Server 5.2.1.0 SP1 (IA32)
One of the major features of the opcode database is that it indexes
detailed information about modules. For instance, the opcode database
currently contains information about imports, exports, segments, and
specific module attributes for every imported module in the database.
This makes it possible to cross reference different modules and do all
sorts of fun things. To extract information about modules, the modules
command can be used. The usage for this command is shown below:
$ ./msfopcode modules -h
Usage: msfopcode modules
OPTIONS:
-E Include module export information
-I Include module import information
-S Include module segment information
-d Display detailed output
-h Help banner
-l A comma separated list of locales to filter (Ex: English)
-m A comma separated list of module names to filter (Ex: kernel32.dll,use
r32.dll)
-p A comma separated list of operating system names to filter (Ex: 2000,X
P)
-x Dump the raw XML response
The explanation in the usage for each option is fairly self
explanatory, but the basic idea is that it's possible to search the
database for modules with the ability to filter based on file name,
locale, and operating system version. For the results that are
returned, information about the module imports, exports, segments, and
detailed information can be displayed. For example, to see all of the
versions of kernel32.dll currently indexed in the database, the
following command would be run:
$ ./msfopcode modules -m kernel32.dll
Matching Modules
================
Name Base Address Size Version Timestamp
Locale
---- ------------ ---- ------- ---------
------
kernel32.dll 0x77e70000 790528 5.0.2191.1 Tue Dec 14 17:20:09 CST 1999 French
kernel32.dll 0x77e40000 1056768 5.2.3790.1830031 Thu Mar 24 20:30:42 CST 2005 English
kernel32.dll 0x77e40000 999424 5.2.3790.3 Tue Mar 25 03:42:44 CST 2003 English
kernel32.dll 0x77f00000 385024 4.0.0.0 Fri Apr 25 15:33:31 CDT 1997 English
kernel32.dll 0x77ef0000 421888 4.0.0.0 Mon Mar 29 18:10:58 CST 1999 English
kernel32.dll 0x77f00000 385024 4.0.0.0 Sun Feb 28 17:49:07 CST 1999 English
kernel32.dll 0x77f00000 385024 4.0.0.0 Tue Jul 20 18:19:59 CDT 1999 English
kernel32.dll 0x77e80000 745472 5.0.2191.1 Wed Dec 01 01:37:24 CST 1999 English
kernel32.dll 0x77e80000 741376 5.0.2195.1600 Fri Jun 09 21:03:14 CDT 2000 English
kernel32.dll 0x77e80000 741376 5.0.2195.2778 Fri May 04 17:34:08 CDT 2001 English
kernel32.dll 0x77e80000 745472 5.0.2195.5400 Tue Jul 23 03:13:13 CDT 2002 English
kernel32.dll 0x7c4e0000 757760 5.0.2195.6688 Thu Jun 19 22:43:40 CDT 2003 English
kernel32.dll 0x77e60000 937984 5.1.2600.0 Sat Aug 18 01:33:02 CDT 2001 English
kernel32.dll 0x77e60000 942080 5.1.2600.11061 Thu Aug 29 06:40:40 CDT 2002 English
kernel32.dll 0x7c800000 999424 5.1.2600.21802 Wed Aug 04 03:56:36 CDT 2004 English
If only the versions of kernel32.dll on Windows XP running on the
English locale were of concern, the results could be limited by
specifying more limiting parameters:
$ ./msfopcode modules -m kernel32.dll -p XP -l English
Matching Modules
================
Name Base Address Size Version Timestamp
Locale
---- ------------ ---- ------- ---------
------
kernel32.dll 0x77e60000 937984 5.1.2600.0 Sat Aug 18 01:33:02 CDT 2001 English
kernel32.dll 0x77e60000 942080 5.1.2600.11061 Thu Aug 29 06:40:40 CDT 2002 English
kernel32.dll 0x7c800000 999424 5.1.2600.21802 Wed Aug 04 03:56:36 CDT 2004 English
To display detailed information about modules that match, the -d
parameter can be specified:
$ ./msfopcode modules -m kernel32.dll -p XP -l English -d
.-============================================
Name : kernel32.dll
Base Address: 0x77e60000
Size : 937984
Version : 5.1.2600.0
Timestamp : Sat Aug 18 01:33:02 CDT 2001
Locale : English
Platforms :
Windows XP 5.1.0.0 SP0 (IA32)
.-============================================
Name : kernel32.dll
Base Address: 0x77e60000
Size : 942080
Version : 5.1.2600.11061
Timestamp : Thu Aug 29 06:40:40 CDT 2002
Locale : English
Platforms :
Windows XP 5.1.1.0 SP1 (IA32)
.-============================================
Name : kernel32.dll
Base Address: 0x7c800000
Size : 999424
Version : 5.1.2600.21802
Timestamp : Wed Aug 04 03:56:36 CDT 2004
Locale : English
Platforms :
Windows XP 5.1.2.0 SP2 (IA32)
The real purpose behind the opcode database, however, is the ability
to search for specific opcodes across different operating system
versions with the ability to cross reference results in order to
determine return address portability. For that reason, the msfopcode
script provides the search command:
$ ./msfopcode search -h
Usage: msfopcode search
OPTIONS:
-M A comma separated list of opcode meta types to filter (Ex: jmp reg)
-P Results must span more than one operating system version
-a A comma separated list of addresses to filter (Ex: 0x41424344)
-g A comma separated list of opcode groups to filter (Ex: esp => eip)
-h Help banner
-l A comma separated list of locales to filter (Ex: English)
-m A comma separated list of module names to filter (Ex: kernel32.dll,user32.dll)
-p A comma separated list of operating system names to filter (Ex: 2000,XP)
-t A semi-colon separated list of opcode types to filter (Ex: jmp esp,call esp)
-x Dump the raw XML response
Like the modules command, the search command provides a way of
limiting the results that come back as a result of the search. In this
case, opcode results can be limited based on meta type, group, type,
operating system, module, locale, and even address. This makes it
possible to get fairly granular results in an intuitive manner.
Furthermore, the server can be instructed to only return results that
are portable in the event that the -P option is specified, although
there are currently some issues with this option being accurate.
To search for all occurrences of a ecx => eip opcode group in
ws2help.dll on Windows 2000 and XP, the following command could be
issued:
$ ./msfopcode search -p 2000,XP -m ws2help.dll -g "ecx => eip"
Opcodes
=======
Address Type OS
------- ---- --
0x74fa3112 call ecx Windows 2000 5.0.0.0 SP0 (IA32) (ws2help.dll)
Windows 2000 5.0.1.0 SP1 (IA32) (ws2help.dll)
Windows 2000 5.0.2.0 SP2 (IA32) (ws2help.dll)
Windows 2000 5.0.4.0 SP4 (IA32) (ws2help.dll)
0x71aa1224 push ecx, ret Windows XP 5.1.0.0 SP0 (IA32) (ws2help.dll)
Windows XP 5.1.1.0 SP1 (IA32) (ws2help.dll)
0x71aa396d call ecx Windows XP 5.1.0.0 SP0 (IA32) (ws2help.dll)
Windows XP 5.1.1.0 SP1 (IA32) (ws2help.dll)
0x71aa3de3 call ecx Windows XP 5.1.2.0 SP2 (IA32) (ws2help.dll)
0x71aa163b push ecx, ret Windows XP 5.1.2.0 SP2 (IA32) (ws2help.dll)
0x75023112 call ecx Windows 2000 5.0.0.0 SP0 (IA32) (ws2help.dll)
Windows 2000 5.0.1.0 SP1 (IA32) (ws2help.dll)
Windows 2000 5.0.2.0 SP2 (IA32) (ws2help.dll)
Windows 2000 5.0.3.0 SP3 (IA32) (ws2help.dll)
Windows 2000 5.0.4.0 SP4 (IA32) (ws2help.dll)
To limit the results to portable ones only, the -P option can be
tagged on producing output like that shown below:
$ ./msfopcode search -p 2000,XP -m ws2help.dll -g "ecx => eip" -P
Opcodes
=======
Address Type OS
------- ---- --
0x74fa3112 call ecx Windows 2000 5.0.0.0 SP0 (IA32) (ws2help.dll)
Windows 2000 5.0.1.0 SP1 (IA32) (ws2help.dll)
Windows 2000 5.0.2.0 SP2 (IA32) (ws2help.dll)
Windows 2000 5.0.4.0 SP4 (IA32) (ws2help.dll)
0x71aa1224 push ecx, ret Windows XP 5.1.0.0 SP0 (IA32) (ws2help.dll)
Windows XP 5.1.1.0 SP1 (IA32) (ws2help.dll)
0x71aa396d call ecx Windows XP 5.1.0.0 SP0 (IA32) (ws2help.dll)
Windows XP 5.1.1.0 SP1 (IA32) (ws2help.dll)
0x75023112 call ecx Windows 2000 5.0.0.0 SP0 (IA32) (ws2help.dll)
Windows 2000 5.0.1.0 SP1 (IA32) (ws2help.dll)
Windows 2000 5.0.2.0 SP2 (IA32) (ws2help.dll)
Windows 2000 5.0.3.0 SP3 (IA32) (ws2help.dll)
Windows 2000 5.0.4.0 SP4 (IA32) (ws2help.dll)
For custom development purposes, the script can also be told to dump
results in raw XML format such that extensions can be written to the
interface in the future by third parties. This can be accomplished by
specifying the -x parameter.
More information online at: http://metasploit.com/projects/Framework/msf3/