Sunday, July 20, 2008
Adding your own exploits and modules in Metasploit
No, not an exploit-dev 101 post, but maybe an advanced tip for people new to using the Metasploit Framework. I see this question all the time, so here is a little mini tutorial.
In Linux (for the love of god, don't run msf on Windows), when you install Metasploit you get a hidden .msf (/home/$user/.msf) directory in your home directory.
It starts out empty, but this is where you want to place all updated exploit modules, auxiliary modules, meterpreter scripts, etc.
Why? Well, if you start modifying exploits in the trunk, then when you do an update it will start bitching at you about it not being the same exploit and may possibly overwrite your stuff, and that's no fun.
Example time.
Say you want to add the "HP StorageWorks NSI Double Take Remote Overflow Exploit (meta)" exploit located on milw0rm. It's already in the trunk, so if you want to follow along you'll have to rm it.
What you have to do is create the same directory structure in your .msf folder as you have in your regular msf folder. So, looking at the exploit on milw0rm, we see the path is:
class Exploits::Windows::Misc::Doubletake
So we cd into our .msf folder and create our modules folder (if you are lost, look at your regular msf folder and make a similar directory structure). Once we do that we need to create an exploits folder, a windows folder, and a misc folder. Then we'll stick our doubletake.rb file into that folder.
cg@segfault:~/.msf3$ mkdir modules
cg@segfault:~/.msf3$ cd modules/
cg@segfault:~/.msf3/modules$ mkdir exploits (Note: the directory you create is exploits, but the command you use is: use exploit/....... with no s on the end)
cg@segfault:~/.msf3/modules$ cd exploits/
cg@segfault:~/.msf3/modules/exploits$ mkdir windows
cg@segfault:~/.msf3/modules/exploits$ cd windows/
cg@segfault:~/.msf3/modules/exploits/windows$ mkdir misc
cg@segfault:~/.msf3/modules/exploits/windows$ cd misc
cg@segfault:~/.msf3/modules/exploits/windows/misc$ ls -l
total 4
-rw-r--r-- 1 cg cg 2277 2008-07-20 12:22 doubletake.rb
You don't need to mirror the directory structure completely, just add what you are adding. If you had Linux exploits you would add a linux folder in the exploits folder; since we don't, it's not necessary.
If everything worked right, when you start the console you'll see one more exploit and you'll now be able to use that exploit in the framework.
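As an added example (not code from this post or from the Metasploit project), here is a small POSIX shell helper that automates the steps above: it reads the module's "class Exploits::..." line, works out the matching directory under the per-user tree, creates it and copies the file in. The function names, the ~/.msf3 default and the stub module it installs into a temp directory are all assumptions/constructed for the demo.

```shell
#!/bin/sh
# Hypothetical helper, not part of Metasploit: install a downloaded module
# under the per-user module tree so msfupdate never overwrites it.

# module_dir FILE -> prints the relative directory the module belongs in, e.g.
# "class Exploits::Windows::Misc::Doubletake" -> modules/exploits/windows/misc
module_dir() {
    # first "class Foo::Bar::Baz" line of the file
    cls=$(sed -n -E 's/^[[:space:]]*class[[:space:]]+([A-Za-z0-9_:]+).*/\1/p' "$1" | head -n 1)
    [ -n "$cls" ] || { echo "no class line found in $1" >&2; return 1; }
    # drop the class name itself (last segment), turn :: into / and lowercase
    rel=$(printf '%s\n' "$cls" | sed -E 's/::[^:]+$//; s/::/\//g' | tr 'A-Z' 'a-z')
    case "$rel" in
        */*) printf 'modules/%s\n' "$rel" ;;
        *)   echo "unexpected class path $cls (need Type::Dir::...::Name)" >&2; return 1 ;;
    esac
}

# install_module FILE [MSFHOME] -> copies FILE into MSFHOME/<module_dir>,
# creating the directories, and prints the destination path.
# MSFHOME defaults to ~/.msf3 (the post's prose calls it .msf).
install_module() {
    home=${2:-$HOME/.msf3}
    dir=$(module_dir "$1") || return 1
    mkdir -p "$home/$dir"
    cp "$1" "$home/$dir/$(basename "$1")"
    printf '%s\n' "$home/$dir/$(basename "$1")"
}

# Self-check with a constructed stub (not the real doubletake.rb) in a temp dir
DEMO_HOME=$(mktemp -d)
printf 'require "msf/core"\nclass Exploits::Windows::Misc::Doubletake < Msf::Exploit::Remote\nend\n' \
    > "$DEMO_HOME/doubletake.rb"
install_module "$DEMO_HOME/doubletake.rb" "$DEMO_HOME/.msf3"
```

Run it with a real module and no second argument to install under ~/.msf3; start msfconsole afterwards and the exploit count should go up by one.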
Before:
=[ msf v3.2-release
+ -- --=[ 302 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux
After:
=[ msf v3.2-release
+ -- --=[ 303 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux
Now we can use the exploit.
msf > use exploit/windows/misc/doubletake
msf exploit(doubletake) > info
Name: doubletake Overflow
Version: 9
Platform: Windows
Privileged: No
License: Metasploit Framework License
Provided by:
ri0t
Available targets:
Id Name
-- ----
0 doubletake 4.5.0
1 doubletake 4.4.2
2 doubletake 4.5.0.1819
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1100 yes The target port
Payload information:
Space: 500
Avoid: 1 characters
Description:
This Module Exploits a stack overflow in the authentication
mechanism of NSI Doubletake which is also rebranded as hp storage
works Vulnerability found by Titon of Bastard Labs.
msf exploit(doubletake) >
The same thing goes for auxiliary modules: just make an auxiliary folder in the modules directory and populate it accordingly. It's pretty much the same for meterpreter scripts, except the scripts aren't in the modules directory, they're in their own, so in this case we'd make our scripts/meterpreter directories in the main .msf directory.