12 days of haxmas: making a new years resolution you can keep

Published at 2016-01-01 21:08:46

This post is the eighth in the series, “12 Days of HaXmas.” It’s that time of year again, when we all look to making resolutions to make changes in our lives. For some, it is eating healthy or exercising. Others resolve to spend their time differently or change spending habits. Often these resolutions work for a few weeks, but then we quickly fall back into the old habits and break those resolutions. Me, I am resolving to write more Metasploit modules. You see, back in October, Rapid7 publicly (and responsibly) disclosed a bug I found in the HP SiteScope software. As part of that release, I wrote my first Metasploit module. While I would not call myself a programmer, or even proficient in Ruby, it was such a rewarding experience that I want to do it again.
The process started in June when I discovered the flaw. (You can read more about the disclosure here) I went ahead and started through the disclosure process (see here for Rapid7’s disclosure policy) and as part of the procedure, I decided to create a Metasploit module for the exploit. By nature, and by previous experience, I am a scripter. I love to write little one-off scripts that make my day-to-day life easier. When I was a Systems Administrator, my scripts would be written in PowerShell, Batch jobs, and Bash scripts. Once I started getting into security, I started using a more “grown up” language and learned Python. While I had a little experience with Ruby (Serpico), I had never attempted learning or creating any tools using Ruby, so the thought of writing not only a Ruby script, but a Metasploit script, was a bit daunting. Luckily there are some great resources on Rapid7’s sites as well as awesome members of the Metasploit team that were willing to help me out. One site is the How to get started writing an exploit article on GitHub. Another is a Community series about writing exploits. Before bothering with trying to write in Ruby, I created the exploit in a language I am familiar with. This would allow me to get the exploit written up quickly, as well as easily port to Ruby/Metasploit when finished. (I also figured if I wanted someone to help me, they would want to have a working script, and that it would at least be helpful.) This process was invaluable to me. I was able to work through the process and get into the nitty-gritty of exploit development. It took a little while, but soon I had a working Python exploit. The next step was getting a working Metasploit module. If you have never created a Metasploit module, or have not looked at the code of different modules, I would suggest you look at a few existing modules before attempting to write your own. That's what I did.
I looked for similar exploits to the one I was creating, and looked at how they were written and what they did. I was able to copy out much of the existing modules, and modify the code to my own exploit. At first the module was clunky and horrible. I enlisted the help of one of the Metasploit team's members, Juan Vazquez, who took a look at the exploit code, the module, and tested a bit against the system I stood up for him. Quicker than I can explain he got back to me with information I needed to help develop the module better, and he even modified the code and added in some other features. The day finally came: my exploit module was completed, the advisory went out, and the module was merged into Metasploit. What a relief it was for me to have that done and working. Since then I have started looking into more modules and exploits. This year, my resolution is to continue to add to Metasploit and the information security community by creating modules for Metasploit. While getting started may seem like a daunting task, once you do you will find how rewarding an experience it is. I urge you to make a similar resolution.

Source: rapid7.com
