Exploit Format
From Metasploit Unleashed
The format of an Exploit in Metasploit is similar to that of an Auxiliary but there are more fields.
- There is always a Payload information block. An Exploit without a Payload is simply an Auxiliary module.
- A listing of available Targets is outlined.
- Instead of defining run(), exploit() and check() are used.
Exploit Skeleton
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::TCP

  def initialize
    super(
      'Name'        => 'Simplified Exploit Module',
      'Description' => 'This module sends a payload',
      'Author'      => 'My Name Here',
      # Payload constraints: maximum size and bytes the encoder must avoid
      'Payload'     => { 'Space' => 1024, 'BadChars' => "\x00" },
      'Targets'     => [ ['Automatic', {} ] ],
      'Platform'    => 'win'
    )
    register_options([
      Opt::RPORT(12345)
    ], self.class)
  end

  # Connect to port, send the payload, handle it, disconnect
  def exploit
    connect()
    sock.put(payload.encoded)
    handler()
    disconnect()
  end
end
Defining Vulnerability Tests
Although it is rarely implemented, a method called check() should be defined in your exploit modules whenever possible.
- The check() method verifies all options except for payloads.
- The purpose of doing the check is to determine if the target is vulnerable or not.
- Returns a defined Check value.
The return values for check() are:
- CheckCode::Safe - not exploitable
- CheckCode::Detected - service detected
- CheckCode::Appears - vulnerable version
- CheckCode::Vulnerable - confirmed
- CheckCode::Unsupported - check is not supported for this module.
Sample check() Method
def check
  # connect to get the FTP banner
  connect
  # disconnect, since the banner is now cached as self.banner
  disconnect

  case banner
  when /Serv-U FTP Server v4\.1/
    print_status('Found version 4.1.0.3, exploitable')
    return Exploit::CheckCode::Vulnerable
  when /Serv-U FTP Server/
    print_status('Found an unknown version, try it!')
    return Exploit::CheckCode::Detected
  else
    print_status('We could not recognize the server banner')
    return Exploit::CheckCode::Safe
  end
  return Exploit::CheckCode::Safe
end
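The banner logic of the sample check() can be pulled out into a plain function and tested without the framework. The following is an added example, not code from Metasploit Unleashed or the Metasploit project: it parses the version out of a possibly multi-line FTP greeting and maps it to symbols standing in for the CheckCode values listed above, stopping at Appears because a banner is version evidence rather than confirmation. The names greeting_text, classify_banner, AFFECTED_MIN and AFFECTED_MAX, the affected range and the sample greetings are assumptions made for illustration.

```ruby
# Added example, not Metasploit code: symbols stand in for the
# Exploit::CheckCode constants so it runs without the framework.

# Assumed affected range. "4.1" and "4.1.0.3" appear in the sample above;
# treating them as range bounds is a constructed placeholder.
AFFECTED_MIN = Gem::Version.new('4.1.0.0')
AFFECTED_MAX = Gem::Version.new('4.1.0.3')

PRODUCT_RE = /Serv-U FTP Server/i
VERSION_RE = /Serv-U FTP Server v(\d+(?:\.\d+){1,3})/i

# Strip FTP reply codes ("220-" continuation, "220 " final line) and
# join a multi-line greeting into one string.
def greeting_text(raw)
  raw.to_s.lines.map { |l| l.sub(/\A\d{3}[- ]/, '').strip }
     .reject(&:empty?).join(' ')
end

# Map a raw greeting to :safe, :detected or :appears.
def classify_banner(raw)
  text = greeting_text(raw)
  return :safe unless text.match?(PRODUCT_RE)   # other service: Safe
  m = VERSION_RE.match(text)
  return :detected if m.nil?                    # version hidden: Detected
  version = Gem::Version.new(m[1])
  # A banner is version evidence only, so the strongest result is Appears.
  version.between?(AFFECTED_MIN, AFFECTED_MAX) ? :appears : :safe
end

# Constructed sample greetings (not captured from real servers).
SAMPLES = [
  "220 Serv-U FTP Server v4.1 for WinSock ready...\r\n",
  "220-Welcome\r\n220 Serv-U FTP Server v6.0 for WinSock ready...\r\n",
  "220 Serv-U FTP Server ready\r\n",
  "220 Example FTP service\r\n"
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |b| puts "#{classify_banner(b)}\t#{b.inspect}" }
end
```

Inside a module, check() would translate these symbols to the matching Exploit::CheckCode constants after reading the banner.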
