LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: August 29th, 2014
Linux Security Week: August 25th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
What makes Metasploit tick? Print E-mail
User Rating:      How can I rate this item?
Posted by Administrator   
Features As a bonus to this week’s review of “Ruby By Example,” I'd like to give an applied security related example of Ruby by walking you through a chunk of code in the Metasploit Open Source Exploit Framework (www.metasploit.com). Metasploit is written entirely in Ruby and has gained critical acclaim as the standard for open source exploit frameworks and should be a vital tool in any security guru's box.


Eckie S.
The following it NOT an exploit walkthrough. This is simply a code analysis to point out parts of the framework which exude a certain amount of "Rubyness" and is a great research area to see why the developers of Metasploit chose Ruby as its language. I have taken code from both the actual framework as well as examples provided by the developer's documentation included in the source tarball of the download. This is meant to spark interest and curiosity - poke around the code to see if you find anything you could reuse or reimplement later on, whether it's security related or not. All examples assume you will be following on with Baird's 'Ruby by Example'. The Metasploit framework is a prime example of modularization in Ruby - there is a great hierarchial setup for the framework where much of the work has been done for you. Certain parts of the code can be extracted and used "as is", such as the NOP sled generator:
module Msf
module Nops
class Sample < Msf::Nop
   def initialize
      super(
         'Name'         => 'Sample NOP generator',
         'Version'      => '$Revision: 3215 $',
         'Description'  => 'Sample single-byte NOP generator',
         'Author'       => 'skape',
         'Arch'         => ARCH_X86)
   end
   #
   # Returns a string of 0x90's for the supplied length.
   #
   def generate_sled(length, opts)
      "\x90" * length
   end
end
end
end
Notice the use of super in this case in order to grab the features of the already written Nop class. This allows any user to pull methods out of this class and manipulate in any fashion, offering quick code reuse and innovation. Read the chapter on modules and inheritance to get an understanding of the ease of use how the developers organized their classes in the framework. Other parts of the framework leave it very simple to write your own module and include any exploits / shellcode you have written yourself:
module Msf
class Exploits::Sample < Msf::Exploit::Remote
   #
   # This exploit affects TCP servers, so we use the TCP client mixin.
   #
   include Exploit::Remote::Tcp
   def initialize(info = {})
      super(update_info(info,
         'Name'           => 'Sample exploit',
         'Description'    => %q{
            This exploit module illustrates how a vulnerability could 
            be exploited in an TCP server that has a parsing bug.
         },
         'Author'          => 'skape',
         'Version'         => '$Revision: 3215 $',
         'Payload'         =>
             {
                'Space'     => 1000,
                'BadChars' => "\x00",
             },
         'Targets'         =>
             [
                # Target 0: Windows All
                [
                   'Windows Universal',
                   {
                      'Platform' => 'win',
                      'Ret'       => 0x41424344
                   }
                ],
             ],
         'DefaultTarget' => 0))
   end
   #
   # The sample exploit just indicates that the remote host is always
   # vulnerable.
   #
   def check
      return Exploit::CheckCode::Vulnerable
   end
   #
   # The exploit method connects to the remote service and sends 1024 A's
   # followed by the fake return address and then the payload.
   #
   def exploit
      connect
      print_status("Sending #{payload.encoded.length} byte payload...")
      # Build the buffer for transmission
      buf = "A" * 1024
      buf += [ target.ret ].pack('V')
      buf += payload.encoded
      # Send it off
      sock.put(buf)
      sock.get
      handler
   end
end
end
When developing payloads one only has to insert values into the payload hash and deliver as is - Metasploit has done the work for you. You should look over chapters on hash declarations as well as symbols and strings to gain an understanding of how Ruby declares these variables. One might ask "Whats so special about this code? It does this, this, and this, anyone can see that". The fact that anyone can read through the code and simply understand it is the whole point of Ruby. There are no special tricks or isms when the developers wrote the code for Metasploit. From the classes to its modules, everything is very compartamentalized in a fashion which makes it simple to extend, hence it only being a framework. The fact that it can hide so much of its inner workings such as how it implements assembly code and methods:
  #
  # Assembles the supplied assembly and returns the raw opcodes.
  #
  def self.assemble(assembly)
    check

    # Open the temporary file
    tmp = Tempfile.new('nasmXXXX')
    tpath = tmp.path
    opath = tmp.path + '.out'

    # Write the assembly data to a file
    tmp.write("BITS 32\n" + assembly)
    tmp.flush()
    tmp.seek(0)

    # Run nasm
    if (system(@@nasm_path, '-f', 'bin', '-o', opath, tpath) == false)
      raise RuntimeError, "Assembler did not complete successfully: #{$?.exitstatus}"
    end

    # Read the assembled text
    rv = ::IO.read(opath)

    # Remove temporary files
    File.unlink(opath)
    tmp.close

    rv
  end
There are prerequisites for this method (such as sanity checks on your nasm environment) but one can see the subtle use of writing the candidate assembly code to a temporary file and applying nasm to obtain raw opcodes. Rather than key this in by hand over and over you can see that Metasploit provides an extremely convenient method to modularize this which the user will never see (unless you go digging through the source code!) Baird's book has chapters on heavier text processing which involves the use of manipulating files - perhaps the reader could expand the previous example by providing code blocks to the write or open commands? The second half of the book provides a wealth of examples featuring proc blocks and lambdas which make functional programming key in file handling procedures.

Metasploit is the leading open source exploit framework for a reason – its ease of application and streamlining of development makes it a vital addition to any IT security team's toolbox. The fact that is is written in Ruby gives anyone the chance to sit down and dig through this code. I highly encourage anyone wanting to get a nice grasp of both Ruby and exploit development to poke around and trace through the source code. Metaploit even supplies its own developer's documentation which I have taken samples from to further illustrate the usefulness of Ruby. Combining this with a few good books by your side (such as Ruby by Example!) and you're well on your way to learning through doing!

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.