As a bonus to this week
Eckie S. |
The following it NOT an exploit walkthrough. This is simply a code analysis to point out parts of the framework which exude a certain amount of "Rubyness" and is a great research area to see why the developers of Metasploit chose Ruby as its language. I have taken code from both the actual framework as well as examples provided by the developer's documentation included in the source tarball of the download. This is meant to spark interest and curiosity - poke around the code to see if you find anything you could reuse or reimplement later on, whether it's security related or not. All examples assume you will be following on with Baird's 'Ruby by Example'. The Metasploit framework is a prime example of modularization in Ruby - there is a great hierarchial setup for the framework where much of the work has been done for you. Certain parts of the code can be extracted and used "as is", such as the NOP sled generator:
module Msf module Nops class Sample < Msf::Nop def initialize super( 'Name' => 'Sample NOP generator', 'Version' => '$Revision: 3215 $', 'Description' => 'Sample single-byte NOP generator', 'Author' => 'skape', 'Arch' => ARCH_X86) end # # Returns a string of 0x90's for the supplied length. # def generate_sled(length, opts) "\x90" * length end end end end
Notice the use of super in this case in order to grab the features of the already written Nop class. This allows any user to pull methods out of this class and manipulate in any fashion, offering quick code reuse and innovation. Read the chapter on modules and inheritance to get an understanding of the ease of use how the developers organized their classes in the framework. Other parts of the framework leave it very simple to write your own module and include any exploits / shellcode you have written yourself:
module Msf class Exploits::Sample < Msf::Exploit::Remote # # This exploit affects TCP servers, so we use the TCP client mixin. # include Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Sample exploit', 'Description' => %q{ This exploit module illustrates how a vulnerability could be exploited in an TCP server that has a parsing bug. }, 'Author' => 'skape', 'Version' => '$Revision: 3215 $', 'Payload' => { 'Space' => 1000, 'BadChars' => "\x00", }, 'Targets' => [ # Target 0: Windows All [ 'Windows Universal', { 'Platform' => 'win', 'Ret' => 0x41424344 } ], ], 'DefaultTarget' => 0)) end # # The sample exploit just indicates that the remote host is always # vulnerable. # def check return Exploit::CheckCode::Vulnerable end # # The exploit method connects to the remote service and sends 1024 A's # followed by the fake return address and then the payload. # def exploit connect print_status("Sending #{payload.encoded.length} byte payload...") # Build the buffer for transmission buf = "A" * 1024 buf += [ target.ret ].pack('V') buf += payload.encoded # Send it off sock.put(buf) sock.get handler end end end
When developing payloads one only has to insert values into the payload hash and deliver as is - Metasploit has done the work for you. You should look over chapters on hash declarations as well as symbols and strings to gain an understanding of how Ruby declares these variables. One might ask "Whats so special about this code? It does this, this, and this, anyone can see that". The fact that anyone can read through the code and simply understand it is the whole point of Ruby. There are no special tricks or isms when the developers wrote the code for Metasploit. From the classes to its modules, everything is very compartamentalized in a fashion which makes it simple to extend, hence it only being a framework. The fact that it can hide so much of its inner workings such as how it implements assembly code and methods:
# # Assembles the supplied assembly and returns the raw opcodes. # def self.assemble(assembly) check # Open the temporary file tmp = Tempfile.new('nasmXXXX') tpath = tmp.path opath = tmp.path + '.out' # Write the assembly data to a file tmp.write("BITS 32\n" + assembly) tmp.flush() tmp.seek(0) # Run nasm if (system(@@nasm_path, '-f', 'bin', '-o', opath, tpath) == false) raise RuntimeError, "Assembler did not complete successfully: #{$?.exitstatus}" end # Read the assembled text rv = ::IO.read(opath) # Remove temporary files File.unlink(opath) tmp.close rv end
There are prerequisites for this method (such as sanity checks on your nasm environment) but one can see the subtle use of writing the candidate assembly code to a temporary file and applying nasm to obtain raw opcodes. Rather than key this in by hand over and over you can see that Metasploit provides an extremely convenient method to modularize this which the user will never see (unless you go digging through the source code!) Baird's book has chapters on heavier text processing which involves the use of manipulating files - perhaps the reader could expand the previous example by providing code blocks to the write or open commands? The second half of the book provides a wealth of examples featuring proc blocks and lambdas which make functional programming key in file handling procedures.
Metasploit is the leading open source exploit framework for a reason