This post is the eighth in the series, "12 Days of HaXmas."
It’s that time of year again; when we all look to making resolutions to make changes in our lives. For some, it is eating healthy or exercising. Others decide to spend their time differently or change spending habits. Often these resolutions work for a few weeks, but then we quickly fall back into the old habits and break those resolutions. Me, I am resolving to write more Metasploit modules. You see, back in October, Rapid7 publicly (and responsibly) disclosed a bug I found in the HP SiteScope software. As part of that release, I wrote my first Metasploit module. While I would not call myself a programmer, or even proficient in Ruby, it was such a rewarding experience that I want to do it again.
The process started in June when I discovered the flaw. (You can read more about the disclosure here) I went ahead and started through the disclosure process (see here for Rapid7’s disclosure policy) and as part of the procedure, I decided to create a Metasploit module for the exploit. By nature, or by previous experience, I am a scripter. I love to write little one-off scripts that make my day to day life easier. When I was a Systems Administrator, my scripts would be written in PowerShell, Batch jobs, or Bash scripts. Once I started getting into security, I started using a more “grown up” language and learned Python. While I had a little experience with Ruby (Serpico), I had never attempted at learning or creating any tools using Ruby, so the thought of writing not only a Ruby script, but a Metasploit script, was a bit daunting. Luckily there are some great resources on Rapid7’s sites as well as awesome members of the Metasploit team that were willing to help me out. One site is the How to get started writing an exploit article on Github. Another is a Community series about writing exploits.
Before bothering with trying to write in Ruby, I created the exploit in a language I am familiar with. This would allow me to get the exploit written up quickly, as well as easily port to Ruby/Metasploit when finished. (I also figured if I wanted someone to help me, they would want to have a working script, or that it would at least be helpful) This process was invaluable to me. I was able to work through the process and get into the nitty-gritty of exploit development. It took a little while, but soon I had a working Python exploit. The next step was getting a working Metasploit module.
If you have never created a Metasploit module, or have not looked at the code of different modules, I would suggest you look at a few existing modules before attempting to write your own. That's what I did. I looked for similar exploits to the one I was creating, and looked at how they were written and what they did. I was able to copy out much of the existing modules, and modify the code to my own exploit. At first the module was clunky and ugly. I enlisted the help of one of the Metasploit team’s members, Juan Vazquez, who took a look at the exploit code, the module, and tested a bit against the system I stood up for him. Quicker than I can explain he got back to me information I needed to help develop the module better, and he even modified the code and added in some other features.
The day finally came, my exploit module was completed, the advisory went out, and the module was merged into Metasploit. What a relief it was for me to have that done and working.
Since then I have started looking into more modules and exploits. This year, my resolution is to continue to add to Metasploit and the information security community by creating modules for Metasploit. While getting started may seem like a daunting task, once you do you will find how rewarding an experience it is. I urge you to make a similar resolution.