Formatting our Exploit Module
The format of an Exploit Module in Metasploit is similar to that of an Auxiliary Module but there are more fields.
- There is always a Payload Information Block. An Exploit without a Payload is simply an Auxiliary Module.
- A listing of available Targets is outlined.
- Instead of defining run(), exploit() and check() are used.
Exploit Module Skeleton
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::TCP

  def initialize
    super(
      'Name'        => 'Simplified Exploit Module',
      'Description' => 'This module sends a payload',
      'Author'      => 'My Name Here',
      # Payload Information Block: maximum payload size and bytes the
      # encoder must avoid (here a NUL, which would terminate a C string)
      'Payload'     => { 'Space' => 1024, 'BadChars' => "\x00" },
      'Targets'     => [ [ 'Automatic', {} ] ],
      'Platform'    => 'win'
    )
    register_options(
      [
        Opt::RPORT(12345)
      ], self.class)
  end

  # Connect to port, send the payload, handle it, disconnect
  def exploit
    connect()
    sock.put(payload.encoded)
    handler()
    disconnect()
  end
end
Defining an Exploit Check
Although it is rarely implemented, a method called check() should be defined in your exploit modules whenever possible.
- The check() method verifies all options except for payloads.
- The purpose of doing the check is to determine if the target is vulnerable or not.
- Returns a defined Check value.
The return values for check() are:
- CheckCode::Safe – the target is not exploitable
- CheckCode::Detected – the service was detected, but whether it is vulnerable could not be determined
- CheckCode::Appears – the target appears vulnerable (for example, a version match from a banner)
- CheckCode::Vulnerable – the vulnerability was confirmed
- CheckCode::Unsupported – this module does not support a check
Banner Grabbing: Sample check() Method
def check
  # connect to get the FTP banner
  connect
  # grab the banner (nil if the server sent nothing)
  banner = sock.get_once
  # disconnect now that the banner is held in a local variable
  disconnect

  case banner
  when /Serv-U FTP Server v4\.1/
    print_status('Found version 4.1.0.3, exploitable')
    return Exploit::CheckCode::Vulnerable
  when /Serv-U FTP Server/
    print_status('Found an unknown version, try it!')
    return Exploit::CheckCode::Detected
  else
    # also reached when banner is nil, since a Regexp never matches nil
    print_status('We could not recognize the server banner')
    return Exploit::CheckCode::Safe
  end
end
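The sample above returns CheckCode::Vulnerable on a banner match alone; by the definitions listed earlier, a version string is evidence that the target appears vulnerable, not confirmation, so CheckCode::Appears is the more honest result. The following is an added example (not code from the original page or from the Metasploit project) that runs outside the framework: the CheckCode module is a stand-in for Exploit::CheckCode, the version threshold VULN_MAX_VERSION and the Serv-U banners are constructed for illustration, and a throwaway local TCP listener plays the FTP service so the connect / read banner / disconnect flow of check() can be exercised end to end, including the case where the service sends no banner at all.

```ruby
require 'socket'
require 'timeout'

# Stand-in for Msf::Exploit::CheckCode so the example runs without Metasploit
# (hypothetical; real modules use the framework's Exploit::CheckCode constants).
module CheckCode
  Safe        = :safe
  Detected    = :detected
  Appears     = :appears
  Vulnerable  = :vulnerable
  Unsupported = :unsupported
end

# Highest Serv-U version the (hypothetical) exploit targets, inclusive.
VULN_MAX_VERSION = [4, 1, 0, 3].freeze

# Pure classification logic: given the banner string, or nil when the service
# sent nothing, return a CheckCode. Keeping this separate from the socket
# handling makes the decision table easy to test.
def classify_banner(banner)
  return CheckCode::Safe if banner.nil? || banner.strip.empty?

  m = banner.match(/Serv-U FTP Server v(\d+(?:\.\d+)*)/)
  if m
    version = m[1].split('.').map(&:to_i)
    # Pad to four components so "4.1" compares like "4.1.0.0".
    version.fill(0, version.length...4)
    # Array#<=> compares element-wise, giving a numeric version ordering.
    if (version <=> VULN_MAX_VERSION) <= 0
      CheckCode::Appears    # version-only evidence, not a confirmed exploit
    else
      CheckCode::Detected   # Serv-U, but outside the exploit's version range
    end
  elsif banner =~ /Serv-U FTP Server/
    CheckCode::Detected     # Serv-U with no parseable version string
  else
    CheckCode::Safe
  end
end

# Banner grab over a real TCP connection: connect, read one line, disconnect.
# Mirrors connect / sock.get_once / disconnect in a module's check().
def grab_banner(host, port, timeout = 2)
  sock = TCPSocket.new(host, port)
  Timeout.timeout(timeout) { sock.gets }
rescue Timeout::Error
  nil                       # service accepted the connection but stayed silent
ensure
  sock&.close
end

def check_service(host, port)
  classify_banner(grab_banner(host, port))
end

# Constructed stand-in for the target: a one-shot listener on an ephemeral
# port that sends the given banner (or nothing when nil) and hangs up.
def with_fake_ftp(banner)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  t = Thread.new do
    client = server.accept
    client.write(banner) unless banner.nil?
    client.close
  end
  yield port
ensure
  t&.join
  server&.close
end

if __FILE__ == $PROGRAM_NAME
  with_fake_ftp("220 Serv-U FTP Server v4.1 for WinSock ready...\r\n") do |port|
    puts "check result: #{check_service('127.0.0.1', port)}"
  end
end
```

Note that grab_banner uses a read timeout: a real check() that blocks forever on a silent service is worse than one that returns Safe, and a nil or empty banner must be handled explicitly rather than matched against a regular expression.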