MetaSploit an Exploits Framework Build on Ruby [on Rails]

By | May 28, 2008

Ruby and Metasploit, you propably already notice one of that or maybe both of them. Ruby on Rails is one of Web Application Framework build on Ruby Language Programming which have MVC (Model-View-Controller) as it’s framework concept. How about Ruby?! Ruby is another kind of language programming, announce by ” ” in , Ruby is a Full Object Oriented language programming, supported by thousands component library called gems, supported by a large community around the world, and now have place in most country in the world as a web framework to build the new era web concept, Web 2.0. I think this enough to describe Ruby and Rails. now let’s talk about MetaSploit Framework.
MetaSploit Framework is one of most populer Penetration Test and Hacking Tools in this time, it consists hundreds exploits modules, with some payloads function and another customize auxiliary. and also MetaSploit is a ready to use and easy to use Hacking Tools, formerly it have several operate mode, Console, Web and know it have GUI version. Before current version realease, in earlier version, Metasploit build not with Ruby, but it’s Perl Powered Application, but in Framework 3, all module and application re-build in Ruby. all exploits modules re-build in Ruby.

[metasploit screen]
 
After I gave short description about Ruby on Rails and MetaSploit. know i will give explanation about Ruby on Rails which build MetaSploit Web Console Management.
[metasploit webrick booting up]
 
like the another rails project, the msfweb project have this structure :
–[root]
|
+—[app]
| +—[controllers]
| | +—application.rb
| | +—auxiliaries_controller.rb
| | +—console_controller.rb
| | +—encoders_controller.rb
| | +—exploits_controller.rb
| | +—ide_controller.rb
| | +—jobs_controller.rb
| | +—msf_controller.rb
| | +—nops_controller.rb
| | +—options_controller.rb
| | +—payloads_controller.rb
| | +—sessions_controller.rb
| +—[helpers]
| | +—application_helper.rb
| | +—auxiliaries_helper.rb
| | +—encoders_helper.rb
| | +—exploits_helper.rb
| | +—ide_helper.rb
| | +—jobs_helper.rb
| | +—msf_helper.rb
| | +—msfconsole_helper.rb
| | +—nops_helper.rb
| | +—payloads_helper.rb
| | +—sessions_helper.rb
| +—[models]
| | +—auxiliary.rb
| | +—encoder.rb
| | +—exploit.rb
| | +—job.rb
| | +—nop.rb
| | +—payload.rb
| | +—session.rb
| +—[views]
| +—[auxiliaries]
| +—[console]
| +—[encoders]
| +—[exploits]
| +—[ide]
| +—[jobs]
| +—[layouts]
| +—[msf]
| +—[nops]
| +—[options]
| +—[payloads]
| +—[sessions]
+—[components]
+—[config]
+—[doc]
+—[lib]
+—[log]
+—[public]
+—[script]
+—[tmp]
+—[vendor]
| +—[rails]
| +—[plugins]
+—Rakefile
from that structure, we know that msfweb consist 7 Models, have 11 Vews and Controllers. The because this just a web management for ready to use application ( MetaSploit Framework Completely build on Console Mode ), the Models don’t map to a database, note msfweb is a Rails App configured whitout database storage ( you can read Rails documentation when you want to create Rails App whitout database ), every model just consist few line :
app/models/auxiliary.rb
class Auxiliary
def self.find_all()
mods = []
$msframework.auxiliary.each_module { |n,m| mods << m.new }
mods
end
end
app/models/encoder.rb
class Encoder
def self.find_all()
mods = []
$msframework.encoders.each_module { |n,m| mods << m.new }
mods
end
end
app/models/exploit.rb
class Exploit
def self.find_all()
mods = []
$msframework.exploits.each_module { |n,m| mods << m.new }
mods
end
end
app/models/job.rb
class Job
def self.find_all()
$msframework.jobs
end
end
app/models/nop.rb
class Nop
def self.find_all()
mods = []
$msframework.nops.each_module { |n,m| mods << m.new }
mods
end
end
app/models/payload.rb
class Payload
def self.find_all()
mods = []
$msframework.payloads.each_module { |n,m| mods << m.new }
mods
end
def self.create(refname)
modinst = $msframework.payloads.create(refname)
modinst
end
end
app/models/session.rb
class Session
def self.find_all()
$msframework.sessions
end
end
and next about controller and view, because msfweb consists 11 Views & Controller, i just describe exploit View & Controller:
app/controllers/exploits_controller.rb
app/controllers/exploits_controller.rb
# Author: LMH
# Description: The exploit controller of msfweb v.3. Handles views, listing
# and other actions related to exploit modules. Code and processing goes here.
# Instance variables, final values, etc, go into views.
class ExploitsController < ApplicationController
layout ‘windows’
def list
end
def view
@tmod = get_view_for_module(”exploit”, params[:refname])
unless @tmod
render_text “Unknown module specified.”
end
end
def config
# Retrieve object to module with the given refname
@tmod = get_view_for_module(”exploit”, params[:refname])
unless @tmod
render_text “Unknown module specified.”
end
# Get target, using index given in ‘target’ parameter
@target = @tmod.targets[params[:target].to_i]
unless @target
render_text “Unknown target specified.”
end
@tmod.datastore[‘TARGET’] = params[:target].to_i
@cur_step = nil
if params[:step]
@cur_step = params[:step]
end
if (params[:payload])
if (params[:payload] =~ /^\d+$/ )
@payload_ref = @tmod.compatible_payloads[params[:payload].to_i]
else
@tmod.compatible_payloads.each_with_index do |ref, i|
if(ref[0] == params[:payload])
@payload_ref = ref
end
end
end
end
if @cur_step == “exploit”
# Always show the option page after an exploit is launched
@cur_step = “config”
unless @payload_ref
render_text “Unknown payload specified or not supported.”
end
@payload_name, @payload_class = @payload_ref
@payload_inst = @payload_class.new
# Create a new console driver instance
@cid = $msfweb.create_console()
@con = $msfweb.consoles[@cid]
# Use the selected module
@con.execute(”use exploit/#{@tmod.refname}”)
# Configure the target and payload
@exploit = @con.active_module
@exploit.datastore[‘PAYLOAD’] = @payload_name
@exploit.datastore[‘TARGET’] = params[:target].to_i
# Configure the selected options
params.each_key do |k|
eopt = k.to_s.match(/^eopt_/) ? true : false
popt = k.to_s.match(/^popt_/) ? true : false
name = k.to_s.gsub(/^.opt_/, ”)
if (eopt or popt)
if (params[k] and params[k].to_s.length > 0)
@exploit.datastore[name] = params[k].to_s
end
end
end
# Validate the exploit and payload options
@payload_inst.share_datastore(@exploit.datastore)
begin
@exploit.options.validate(@exploit.datastore)
@payload_inst.options.validate(@payload_inst.datastore)
@con.write(”exploit\n”)
@exploit_console = @cid
rescue ::Exception => e
$msfweb.destroy_console(@cid)
@exploit_error = e.to_s
end
end
if @cur_step == “config”
unless @payload_ref
render_text “Unknown payload specified or not supported.”
end
@payload_name, @payload_class = @payload_ref
@payload_inst = @payload_class.new
else
@payloads = @tmod.compatible_payloads
end
end
end
from exploits controller it can be split up into 4 different exploits-views, there are:
– view.rhtml -> exploit description view
– config.rhtml -> exploit configuration form
– configure payload
– configure exploit
– execute exploit
– list.rhtml -> window consist live search exploits modules
[list & view dialog]

 
[list & config dialog]

i think this enough to explain msfweb application structure, next i’ll explain about the dialog style of msfweb. msfweb use modal dialog style, use the web 2.0 technique, using CSS and AJAX (JavaScript) it can produce multiple windows dialog just like desktop based application. the recipe behind the layout noted on line 7 in controller file.
1 # Author: LMH
2 # Description: The exploit controller of msfweb v.3. Handles views, listing
3 # and other actions related to exploit modules. Code and processing goes here.
4 # Instance variables, final values, etc, go into views.
5
6 class ExploitsController < ApplicationController
7 layout ‘windows’
8
9 def list
10 end
on that code it’s note that it use ‘windows’ layout, from this, we can look at layouts directory in app/views. it contains window.rhtml, the code is like this :
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN”
“http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”>
<html xmlns=”http://www.w3.org/1999/xhtml” xml:lang=”en” lang=”eng”>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=ISO-8859-1″ />
<meta name=”Author” content=”LMH (lmh@info-pull.com)” />
<meta name=”Copyright” content=”(c) 2006, LMH (lmh@info-pull.com)” />
<% [“prototype”,”effects”,”dragdrop”,”controls”,”application”,”cookiecheck”].each do |js| %>
<%= javascript_include_tag js %><% end %>
<script>
document.writeln(’<link rel=”stylesheet” type=”text/css” href=”‘ + contentStyle +’”>’); // Window content stylesheet
</script>
</head>
<body>
<%= @content_for_layout %>
</body>
</html>
with the power of JavaScript and CSS, Rails have integrated JavaScript library for effect, layouting, Ajax it’s use prototypejs and scriptaculous.
on that code it can be describe that, this layout can have more than one template skins, because it use dynamic stylesheet. in msfweb you can choose 4 template skins (default, luminous, saloon, wooden).
for javascript collection you can look at public/javascripts, it consist a few js file:
– application.js -> the main code of the layout and effect
– console.js -> the code to emulate the console window
– cookiecheck.js -> the code to check the cookie
– debug.js
– extended_debug.js
– tooltip.js -> Ajax Library
– window.js -> window dialog producer
– window_ext.js
—-script.aculo.us , effect & layout script + ajax
– controls.js
– dragdrop.js
– effects.js
—-prototypejs.org, effect & layout script + ajax
– prototype.js
[default skin]
 
[luminous skin]
 
——————
dani_wafaul_falah
http://wafa.id

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.