Today I want to go through something even I have been struggling with for a while: creating PoCs is a good thing, but creating actionable exploits for frameworks like Metasploit was really something else; it takes a lot more discipline. Why would we do this? Well, interactive shells are everyone's joy.
PS: yes, I had to learn a bit of Ruby to get the hang of things, so yes, this is going to seem like a web development class. 😀 So, to dig into my life lesson, we will be porting our previous exploit, which can be downloaded on GitHub. If you missed the journey of how that came to be, read more about it here.
Here is what we need:
- Clean MSF instance that we will use to test
- Victim
- Some knowledge of Ruby; I found out this isn't as hard if you have been through the other "hostile" languages.
To start us off we need to plan, since a Metasploit module is built around a few well-defined methods.
Planning
- What should our module be able to do? Check whether a target has the vulnerable script, and run an attack against it.
- What's our expected result? A Meterpreter shell that will at least give us interactivity and more options against the host.
So from this we gather that we will need 3 methods:
- initialize – a standard method that tells users what the module is about (name, description, author, references, targets) and registers any options it needs
- check – a simple, optional method that confirms a target is vulnerable without exploiting it, reporting the result as a CheckCode
- exploit – the method that generates the payload, launches the attack against the target and gives us a Meterpreter shell
The Basics (initialize Method)
We will develop the methods in the order they are listed, starting with the info. What we have is something like this (the module source is on the GitHub link above; the numbered lines below refer to it):
I am not rewriting that code in this post, but I will explain it; it's more efficient.
- Line 5 loads the metasploit core libraries
- Line 6 declares our class, which inherits from the superclass Msf::Exploit::Remote. That superclass gives us the methods that ease development of exploits that compromise machines over a network connection.
- Line 7 is very important: it sets the module's Rank. How to rank your exploit is detailed on the GitHub link.
- Line 8 includes the WordPress mixin. It makes dealing with WordPress more convenient; the key thing we will use it for is getting WordPress paths, especially the path to the plugins folder, which makes the journey less painful.
- Line 9 includes the FileDropper mixin. It lets us register the files we drop on the target (the uploaded payload) so that the framework deletes them once the session is established, which keeps the attack from leaving artifacts behind. It has nothing to do with options; registering new options is the job of the initialize method itself (see the next point).
- Lines 10-38 are standard key/value pairs with information about the exploit. We do not need to register any new options for this particular exploit, but if we did they would go in initialize right after the call to super on line 11 (super passes our metadata up to the parent class's initialize; our own initialize is the method that overrides it).
One thing to note at this point: this is Ruby, not Python, so indentation is only whitespace, not syntax; blocks are opened by def/class/do and closed by end. We will get into more details of this when done with the exploit, but just to explain the difference.
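To make the layout described above concrete, here is an added example of what such a module skeleton looks like with the initialize method filled in, plus the optional check method from the plan. This is not the post's module and not Metasploit code: the plugin name, author, reference URL, disclosure date and the PLUGIN_DIR option are placeholders. Inside msfconsole `require 'msf/core'` is already satisfied; when the file is run with plain `ruby` outside the framework the rescue branch installs a small stand-in for the Msf pieces initialize touches (an assumption for offline loading only), so the metadata can be inspected without a framework install. The check method needs a live target and therefore only does anything inside the framework.

```ruby
# Added example, not the post's module: a Metasploit exploit skeleton with the
# initialize method walked through above plus the optional check from the plan.
# Plugin name, author, reference, date and the PLUGIN_DIR option are placeholders.
begin
  require 'msf/core' # already loaded when msfconsole loads the module
rescue LoadError
  # Outside the framework the Msf constants do not exist. This stand-in is an
  # assumption for offline loading (e.g. `ruby this_file.rb`), not Metasploit
  # code; it only mimics the pieces initialize touches.
  module Msf
    ExcellentRanking = 600 # framework ranks run from ManualRanking (0) to ExcellentRanking (600)
    ARCH_PHP = 'php'
    MSF_LICENSE = 'Metasploit Framework License (BSD)'

    class OptString
      attr_reader :name
      def initialize(name, attrs)
        @name = name
        @required, @desc, @default = attrs
      end
    end

    module Exploit
      module FileDropper; end
      class Remote
        module HTTP; module Wordpress; end; end
        attr_reader :module_info, :options
        def initialize(info = {})
          @module_info = info
          @options = []
        end
        def name
          module_info['Name']
        end
        def update_info(info, opts)
          info.merge(opts)
        end
        def register_options(opts)
          @options.concat(opts)
        end
      end
    end
  end
  include Msf # lets bare names such as ExcellentRanking resolve as they do inside msfconsole
end

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking # pick per the framework's exploit-ranking guidelines

  include Msf::Exploit::Remote::HTTP::Wordpress # wordpress_url_plugins, wordpress_and_online?, send_request_cgi
  include Msf::Exploit::FileDropper             # register_files_for_cleanup for the payload we upload

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'           => 'WordPress Example Plugin Arbitrary File Upload',
        'Description'    => %q{
          Uploads a PHP payload through an unauthenticated upload handler in
          the hypothetical example-plugin and requests it to get a session.
        },
        'License'        => MSF_LICENSE,
        'Author'         => ['Example Author'],
        'References'     => [['URL', 'https://example.invalid/advisory']],
        'Platform'       => 'php',
        'Arch'           => ARCH_PHP,
        'Targets'        => [['Example Plugin <= 1.0', {}]],
        'DefaultTarget'  => 0,
        'DisclosureDate' => '2017-01-01'
      )
    )

    # TARGETURI (the WordPress base path) is already registered by the
    # Wordpress mixin; anything extra is registered here, after super.
    register_options(
      [
        OptString.new('PLUGIN_DIR', [true, 'Plugin directory under wp-content/plugins', 'example-plugin'])
      ]
    )
  end

  # Optional check from the plan: is the plugin installed? Needs a live target,
  # so it only runs inside the framework.
  def check
    return Exploit::CheckCode::Unknown unless wordpress_and_online?

    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(wordpress_url_plugins, datastore['PLUGIN_DIR'], 'readme.txt')
    )
    return Exploit::CheckCode::Unknown unless res

    res.code == 200 ? Exploit::CheckCode::Detected : Exploit::CheckCode::Safe
  end

  # exploit is built in the next article.
end
```

Dropped into `~/.msf4/modules/exploits/<path>/`, a file like this loads in msfconsole and `info` prints the metadata; `check` then probes `wp-content/plugins/<PLUGIN_DIR>/readme.txt` through the mixin's path helpers, which is exactly the "less painful" WordPress path handling mentioned above.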
In the next article we will build the exploit.