Writing your first Metasploit module can be a daunting task, especially if you do not write Ruby code regularly. Fortunately, the language's syntax is intuitive enough that anyone with programming and scripting knowledge can make the transition (for example from Python) to Ruby.
Before diving into module construction and development, let's take a quick look at some of the current modules. These files can serve as our base for recreating attacks against several different supported protocols, or for crafting our own custom modules.
root@kali:/usr/share/metasploit-framework/lib/msf/core/exploit# ls
afp.rb dect_coa.rb mixins.rb smb
arkeia.rb dhcp.rb mssql_commands.rb smb.rb
browser_autopwn.rb dialup.rb mssql.rb smtp_deliver.rb
brute.rb egghunter.rb mssql_sqli.rb smtp.rb
brutetargets.rb exe.rb mysql.rb snmp.rb
capture.rb file_dropper.rb ndmp.rb sunrpc.rb
cmdstager_bourne.rb fileformat.rb ntlm.rb tcp.rb
cmdstager_debug_asm.rb fmtstr.rb omelet.rb telnet.rb
cmdstager_debug_write.rb ftp.rb oracle.rb tftp.rb
cmdstager_echo.rb ftpserver.rb pdf_parse.rb tns.rb
cmdstager_printf.rb http pdf.rb udp.rb
cmdstager.rb imap.rb php_exe.rb vim_soap.rb
cmdstager_tftp.rb ip.rb pop2.rb wbemexec.rb
cmdstager_vbs_adodb.rb ipv6.rb postgres.rb wdbrpc_client.rb
cmdstager_vbs.rb java.rb powershell.rb wdbrpc.rb
db2.rb kernel_mode.rb realport.rb web.rb
dcerpc_epm.rb local remote winrm.rb
dcerpc_lsa.rb local.rb riff.rb
dcerpc_mgmt.rb lorcon2.rb ropdb.rb
dcerpc.rb lorcon.rb seh.rb
Here we see several modules of interest, for example the pre-packaged protocol mixins for Microsoft SQL, HTTP, TCP, FTP, SMTP, SNMP, Oracle and others. These files undergo constant change and updating as new functionality is added over time.
Let's start with a very simple program. Navigate to /usr/share/metasploit-framework/modules/auxiliary/scanner/mssql and create the required Metasploit folder structure under your home directory to hold your custom modules. Metasploit looks for this folder structure automatically, so no extra steps are needed for it to find your module.
root@kali:/usr/share/metasploit-framework/modules/auxiliary/scanner/mssql# mkdir -p ~/.msf4/modules/auxiliary/scanner/mssql
Then do a quick cp mssql_ping.rb ~/.msf4/modules/auxiliary/scanner/mssql/ihaz_sql.rb
root@kali:/usr/share/metasploit-framework/modules/auxiliary/scanner/mssql# cp mssql_ping.rb ~/.msf4/modules/auxiliary/scanner/mssql/ihaz_sql.rb
Open the newly created file in your favorite editor. We will start crafting our example module, walking through each line and what it means:
##
# $Id: ihaz_sql.rb 7243 2009-12-04 21:13:15Z rel1k $ >--- automatically gets set for us when we check in
##

##
# This file is part of the Metasploit Framework and may be subject to >---- licensing agreement, keep standard
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core' >--- use the msf core library

class MetasploitModule < Msf::Auxiliary >---- it's going to be an auxiliary module

  include Msf::Exploit::Remote::MSSQL >----- we are using remote MSSQL, right?
  include Msf::Auxiliary::Scanner >----------- it used to be a SQL scanner

  def initialize >---- initialize the main section
    super(
      'Name'        => 'I HAZ SQL Utility', >------- name of the module
      'Version'     => '$Revision: 7243 $', >------- svn number
      'Description' => 'This just prints some funny stuff.', >------------ description of the module
      'Author'      => 'THE AUTHOR', >--- that's you
      'License'     => MSF_LICENSE >---- keep standard
    )
    deregister_options('RPORT', 'RHOST') >---- do not specify RPORT or RHOST
  end

  def run_host(ip) >--- define the main function, called once per target host
    begin >--- begin the function
      puts "I HAZ SQL!!!!" >---- print "I HAZ SQL!!!!" to the screen
    end >--- close
  end >---- close

end >---- close
Now that you have a basic idea of the module, save the code above (without the >--- annotation strings) and let's run it in msfconsole.
msf > search ihaz
[*] Searching loaded modules for pattern 'ihaz'...
Auxiliary
=========
Name Description
---- -----------
scanner/mssql/ihaz_sql MSSQL Ping Utility
msf > use scanner/mssql/ihaz_sql
msf auxiliary(ihaz_sql) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
HEX2BINARY /pentest/exploits/framework3/data/exploits/mssql/h2b no The path to the hex2binary script on the disk
MSSQL_PASS no The password for the specified username
MSSQL_USER sa no The username to authenticate as
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads
msf auxiliary(ihaz_sql) > set RHOSTS doesntmatter
RHOSTS => doesntmatter
msf auxiliary(ihaz_sql) > exploit
I HAZ SQL!!!!
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Success! Our module has been added! Now that we have a basic understanding of how to add a module, let's take a closer look at the MSSQL modules written for the Metasploit Framework.
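The walkthrough asks you to save the module without the >--- annotation strings before msfconsole will load it. The following preflight script is an added example, not code from the Metasploit project: it strips those annotations, confirms the result still parses as Ruby, and checks for the pieces a scanner module needs (the msf/core require, the MetasploitModule < Msf::Auxiliary class, the Name/Description/Author/License info keys, and a run_host method whenever the Scanner mixin is included). The REQUIRED_INFO list and the check names are this script's own assumptions; the embedded sample source is a constructed copy of the module above.

```ruby
# Added preflight check (not Metasploit code) for a hand-written auxiliary
# module such as ihaz_sql.rb: strips the ">---" walkthrough annotations, then
# verifies parse-ability and the structure the framework expects of a scanner.
require 'ripper'
REQUIRED_INFO = %w[Name Description Author License].freeze

# Drop the ">---- explanation" strings from the annotated listing.
def strip_annotations(src)
  src.gsub(/\s*>-+.*$/, '')
end

# Returns an array of problem strings; an empty array means the module looks sound.
def check_module(src)
  problems = []
  problems << 'does not parse as Ruby' if Ripper.sexp(src).nil?
  problems << "missing require 'msf/core'" unless src.include?("require 'msf/core'")
  problems << 'class must be MetasploitModule < Msf::Auxiliary' unless src =~ /class\s+MetasploitModule\s*<\s*Msf::Auxiliary/
  REQUIRED_INFO.each do |key|
    problems << "missing '#{key}' in initialize" unless src =~ /'#{key}'\s*=>/
  end
  if src.include?('Msf::Auxiliary::Scanner') && src !~ /def\s+run_host\s*\(/
    problems << 'Scanner mixin included but run_host(ip) is not defined'
  end
  problems
end

# Constructed sample: the walkthrough module, annotations still in place.
ANNOTATED = <<~'RUBY'
  require 'msf/core' >--- use the msf core library
  class MetasploitModule < Msf::Auxiliary >---- auxiliary module
    include Msf::Exploit::Remote::MSSQL
    include Msf::Auxiliary::Scanner
    def initialize
      super(
        'Name'        => 'I HAZ SQL Utility', >------- name of the module
        'Description' => 'This just prints some funny stuff.',
        'Author'      => 'THE AUTHOR', >--- that's you
        'License'     => MSF_LICENSE
      )
      deregister_options('RPORT', 'RHOST')
    end
    def run_host(ip)
      puts "I HAZ SQL!!!!"
    end
  end
RUBY

# Usage: ruby check_module.rb ~/.msf4/modules/auxiliary/scanner/mssql/ihaz_sql.rb
src = ARGV.empty? ? ANNOTATED : File.read(ARGV[0])
problems = check_module(strip_annotations(src))
puts(problems.empty? ? 'module looks sound' : problems.join("\n"))
```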