Sunday, July 20, 2008

Adding your own exploits and modules in Metasploit

No not an exploit-dev 101 post but maybe an advanced tip for people new to using the Metasploit Framework. I see this question all the time so here is a little mini tutorial.

In Linux (For the love of god, don't run msf on Windows) when you install metasploit you get a hidden .msf(/home/$user/.msf) directory in your home directory.

It starts out empty, but this is where you want to place all updated exploit modules, auxiliary modules, meterpreter scripts, etc.

Why? Well if you start modifying exploits in the trunk when you do an update it will start bitching at you about it not being the same exploit and may possible overwrite your stuff and that's no fun.

Example time.

Say you want to add the "HP StorageWorks NSI Double Take Remote Overflow Exploit (meta)" exploit located on milworm. Its already in the trunk, so if you want to follow along you'll have to rm it.

What you have to do is create the same directory structure in your .msf folder as you have in your regular msf folder. So, looking at the exploit on milworm we see the path is:

class Exploits::Windows::Misc::Doubletake

So we cd into our .msf folder and create our modules folder (If you are lost, look at your regular msf folder and make a similar directory structure). Once we do that we need to create an exploits folder, a windows folder, and misc folder. Then we'll stick our doubletake.rb file into that folder.

cg@segfault:~/.msf3$ mkdir modules
cg@segfault:~/.msf3$ cd modules/
cg@segfault:~/.msf3/modules$ mkdir exploits
cg@segfault:~/.msf3/modules$ cd exploits/
cg@segfault:~/.msf3/modules/exploits$ mkdir windows
cg@segfault:~/.msf3/modules/exploits$ cd windows/
cg@segfault:~/.msf3/modules/exploits/windows$ mkdir misc
cg@segfault:~/.msf3/modules/exploits/windows$ cd misc
cg@segfault:~/.msf3/modules/exploits/windows/misc$ ls -l
total 4
-rw-r--r-- 1 cg cg 2277 2008-07-20 12:22 doubletake.rb

You don't need to mirror the directory structure completely, just add what you are adding. If you had Linux exploits you would add a linux folder in the exploits folder, since we don't its not necessary.

If everything worked right when you start the console you'll see one more exploit and you'll now be able use that exploit in the framework.


=[ msf v3.2-release
+ -- --=[ 302 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux


=[ msf v3.2-release
+ -- --=[ 303 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 73 aux

Now we can use the exploit.

msf > use exploit/windows/misc/doubletake
msf exploit(doubletake) > info

Name: doubletake Overflow
Version: 9
Platform: Windows
Privileged: No
License: Metasploit Framework License

Provided by:

Available targets:
Id Name
-- ----
0 doubletake 4.5.0
1 doubletake 4.4.2
2 doubletake

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 1100 yes The target port

Payload information:
Space: 500
Avoid: 1 characters

This Module Exploits a stack overflow in the authentication
mechanism of NSI Doubletake which is also rebranded as hp storage
works Vulnerability found by Titon of Bastard Labs.

msf exploit(doubletake) >

same thing goes for auxiliary modules, just make an auxiliary folder in the modules directory and populate it accordingly. Pretty much the same thing for meterpreter scripts except the scripts aren't in the modules directory they are in their own, so in this case we'd make our scripts/meterpreter directories in the main .msf directory.


Anonymous said...

303?! Good lord CG where do you get all your ohday :P

hogg said...

Is there a way to change a module and reload it without restarting MSF? I'm not leet enough to get it right on the first try, and Ruby loads slower than balls for me.

Anonymous said...

hogg, use the reload or rexploit (reload and exploit) command :]

Anonymous said...

CG, does this apply to loading just scripts and modules or does it work for library additions too?

Anonymous said...

Added your RSS to my feeds page, Thanks!

BTW, why not use this...
% mkdir -p modules/exploits/windows/misc


Anonymous said...

Followed the instructions EXACTLY and still can't add my own explots and auxs. I've been at this for 5 hours now editing code and playing around with it.

I should also note that my folder is .msf3, however i also created .msf just incase and no luck at all at getting metasploit to recognize new exploits.

back to googling i guess.

I have bookmarked this page so if anyone has any ideas, no matter how trivial, please post :)


Anonymous said...

Having same problem in BackTrack 3. I followed the instruction as written and no luck.

CG said...

if you had to create the .msf folder then i'm pretty sure metasploit wont know its there without editing something else.

not sure why its not working in BT, thats why i dont run it :-)

Anonymous said...

Be sure to make your filename/directory structure all lowercase and capitalize the first letter in each word for the class. I've seen this burn people.

Anonymous said...

I was having the same problem in BT3 adding the ms08_067_netapi.rb to my .msf3 folder. I keep getting the error, "/root/.msf3/modules/exploit/remote/ms08_067_netapi.rb: Loaded file, but no classes were registered"
I then ran msfupdate and now it no longer sees .rb files unless they are in the modules folder under .msf3. Any dir. created under modules with .rb files are not seen when I restart msfconsole. Any ideas?

Anonymous said...

Delete ~$user/.msf3/modcache
and run msfconsole (I'm using v3.2-stable)
msfconsole will return updated number of exploits.
You can see 'num_exploits' function in ~$user/.msf3/lib/msf/base/simple/statistics.rb.

Anonymous said...

i'm trying to install the adobe_exploit in metasploit framework v3.2 but i get some errors when i try to start the application.
I go to .mf3/modules folder and make new path: exploits/windows/fileformat/ and i add inside the adobe_utilprintf.rb. Then i add the line: require 'msf/core/exploit/fileformat' to msf3/lib/msf/core/expoit.rb and the fileformat.rb file in msf32/lib/msf/core/exploit folder. But when i try to start the application i got the error:
leformat.rb:3: uninitialized constant Msf::Exploit (NameError)

Does anyone knows how to fix this?

Unknown said...

excellent post. thanks.

BTW - look through the startup text carefully for error messages related to any new module you add or change. they will be printed at the top of the startup banners, and are kind of hard to see with all the other ascii art and such. took me a while to realize they were there :}