<!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><link rel="shortcut icon" href="/assets/images/favicon.png" type="image/x-icon"><link rel="stylesheet" href="/assets/css/just-the-docs-default.css"> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-4622520-7"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-4622520-7', { 'anonymize_ip': true }); </script> <script type="text/javascript" src="/assets/js/vendor/lunr.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/mermaid@10.8.0/dist/mermaid.min.js"></script> <script type="text/javascript" src="/assets/js/just-the-docs.js"></script><meta name="viewport" content="width=device-width, initial-scale=1"><title>How to write a module using HttpServer and HttpClient | Metasploit Documentation Penetration Testing Software, Pen Testing Security</title><meta name="generator" content="Jekyll v4.3.4" /><meta property="og:title" content="How to write a module using HttpServer and HttpClient" /><meta property="og:locale" content="en_US" /><meta name="description" content="View Metasploit Framework Documentation" /><meta property="og:description" content="View Metasploit Framework Documentation" /><link rel="canonical" href="https://rapid7.github.io/metasploit-framework/docs/development/developing-modules/libraries/http/how-to-write-a-module-using-httpserver-and-httpclient.html" /><meta property="og:url" content="https://rapid7.github.io/metasploit-framework/docs/development/developing-modules/libraries/http/how-to-write-a-module-using-httpserver-and-httpclient.html" /><meta property="og:site_name" content="Metasploit Documentation Penetration Testing Software, Pen Testing Security" /><meta property="og:type" content="website" /><meta name="twitter:card" content="summary" /><meta property="twitter:title" content="How to write a module using 
HttpServer and HttpClient" /> <script type="application/ld+json"> {"@context":"https://schema.org","@type":"WebPage","description":"View Metasploit Framework Documentation","headline":"How to write a module using HttpServer and HttpClient","publisher":{"@type":"Organization","logo":{"@type":"ImageObject","url":"https://rapid7.github.io/metasploit-framework/assets/images/favicon.png"}},"url":"https://rapid7.github.io/metasploit-framework/docs/development/developing-modules/libraries/http/how-to-write-a-module-using-httpserver-and-httpclient.html"}</script><body> <svg xmlns="http://www.w3.org/2000/svg" style="display: none;"> <symbol id="svg-link" viewBox="0 0 24 24"><title>Link</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-link"><path d="M10 13a5 5 0 0 0 7.54.54l3-3a5 5 0 0 0-7.07-7.07l-1.72 1.71"></path><path d="M14 11a5 5 0 0 0-7.54-.54l-3 3a5 5 0 0 0 7.07 7.07l1.71-1.71"></path> </svg> </symbol> <symbol id="svg-search" viewBox="0 0 24 24"><title>Search</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-search"> <circle cx="11" cy="11" r="8"></circle><line x1="21" y1="21" x2="16.65" y2="16.65"></line> </svg> </symbol> <symbol id="svg-menu" viewBox="0 0 24 24"><title>Menu</title><svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-menu"><line x1="3" y1="12" x2="21" y2="12"></line><line x1="3" y1="6" x2="21" y2="6"></line><line x1="3" y1="18" x2="21" y2="18"></line> </svg> </symbol> <symbol id="svg-arrow-right" viewBox="0 0 24 24"><title>Expand</title><svg xmlns="http://www.w3.org/2000/svg" 
width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap=
<span class="c1"># This module requires Metasploit: https://metasploit.com/download</span>
<span class="c1"># Current source: https://github.com/rapid7/metasploit-framework</span>
<span class="c1">##</span>
<span class="k">class</span> <span class="nc">MetasploitModule</span> <span class="o"><</span> <span class="no">Msf</span><span class="o">::</span><span class="no">Exploit</span><span class="o">::</span><span class="no">Remote</span>
<span class="no">Rank</span> <span class="o">=</span> <span class="no">NormalRanking</span>
<span class="kp">include</span> <span class="no">Msf</span><span class="o">::</span><span class="no">Exploit</span><span class="o">::</span><span class="no">Remote</span><span class="o">::</span><span class="no">HttpClient</span>
<span class="kp">include</span> <span class="no">Msf</span><span class="o">::</span><span class="no">Exploit</span><span class="o">::</span><span class="no">Remote</span><span class="o">::</span><span class="no">HttpServer</span><span class="o">::</span><span class="no">HTML</span>
<span class="k">def</span> <span class="nf">initialize</span><span class="p">(</span><span class="n">info</span> <span class="o">=</span> <span class="p">{})</span>
<span class="k">super</span><span class="p">(</span>
<span class="n">update_info</span><span class="p">(</span>
<span class="n">info</span><span class="p">,</span>
<span class="s1">'Name'</span> <span class="o">=></span> <span class="s1">'HttpClient and HttpServer Example'</span><span class="p">,</span>
<span class="s1">'Description'</span> <span class="o">=></span> <span class="sx">%q{
This demonstrates how to use two mixins (HttpClient and HttpServer) at the same time,
but this allows the HttpServer to terminate after a delay.
}</span><span class="p">,</span>
<span class="s1">'License'</span> <span class="o">=></span> <span class="no">MSF_LICENSE</span><span class="p">,</span>
<span class="s1">'Author'</span> <span class="o">=></span> <span class="p">[</span> <span class="s1">'sinn3r'</span> <span class="p">],</span>
<span class="s1">'References'</span> <span class="o">=></span> <span class="p">[</span>
<span class="p">[</span><span class="s1">'URL'</span><span class="p">,</span> <span class="s1">'http://metasploit.com'</span><span class="p">]</span>
<span class="p">],</span>
<span class="s1">'Payload'</span> <span class="o">=></span> <span class="p">{</span> <span class="s1">'BadChars'</span> <span class="o">=></span> <span class="s2">"</span><span class="se">\x00</span><span class="s2">"</span> <span class="p">},</span>
<span class="s1">'Platform'</span> <span class="o">=></span> <span class="s1">'win'</span><span class="p">,</span>
<span class="s1">'Targets'</span> <span class="o">=></span> <span class="p">[</span>
<span class="p">[</span> <span class="s1">'Automatic'</span><span class="p">,</span> <span class="p">{}</span> <span class="p">],</span>
<span class="p">],</span>
<span class="s1">'Privileged'</span> <span class="o">=></span> <span class="kp">false</span><span class="p">,</span>
<span class="s1">'DisclosureDate'</span> <span class="o">=></span> <span class="s1">'2013-12-09'</span><span class="p">,</span>
<span class="s1">'DefaultTarget'</span> <span class="o">=></span> <span class="mi">0</span>
<span class="p">)</span>
<span class="p">)</span>
<span class="n">register_options</span><span class="p">(</span>
<span class="p">[</span>
<span class="no">OptString</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="s1">'TARGETURI'</span><span class="p">,</span> <span class="p">[</span><span class="kp">true</span><span class="p">,</span> <span class="s1">'The path to some web application'</span><span class="p">,</span> <span class="s1">'/'</span><span class="p">]),</span>
<span class="no">OptInt</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="s1">'HTTPDELAY'</span><span class="p">,</span> <span class="p">[</span><span class="kp">false</span><span class="p">,</span> <span class="s1">'Number of seconds the web server will wait before termination'</span><span class="p">,</span> <span class="mi">10</span><span class="p">])</span>
<span class="p">],</span> <span class="nb">self</span><span class="p">.</span><span class="nf">class</span>
<span class="p">)</span>
<span class="k">end</span>
<span class="k">def</span> <span class="nf">on_request_uri</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="n">req</span><span class="p">)</span>
<span class="n">print_status</span><span class="p">(</span><span class="s2">"</span><span class="si">#{</span><span class="n">peer</span><span class="si">}</span><span class="s2"> - Payload request received: </span><span class="si">#{</span><span class="n">req</span><span class="p">.</span><span class="nf">uri</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span>
<span class="n">send_response</span><span class="p">(</span><span class="n">cli</span><span class="p">,</span> <span class="s1">'You get this, I own you'</span><span class="p">)</span>
<span class="k">end</span>
<span class="k">def</span> <span class="nf">primer</span>
<span class="n">print_status</span><span class="p">(</span><span class="s2">"Sending a malicious request to </span><span class="si">#{</span><span class="n">target_uri</span><span class="p">.</span><span class="nf">path</span><span class="si">}</span><span class="s2">"</span><span class="p">)</span>
<span class="n">send_request_cgi</span><span class="p">({</span> <span class="s1">'uri'</span> <span class="o">=></span> <span class="n">normalize_uri</span><span class="p">(</span><span class="n">target_uri</span><span class="p">.</span><span class="nf">path</span><span class="p">)</span> <span class="p">})</span>
<span class="k">end</span>
<span class="k">def</span> <span class="nf">exploit</span>
<span class="no">Timeout</span><span class="p">.</span><span class="nf">timeout</span><span class="p">(</span><span class="n">datastore</span><span class="p">[</span><span class="s1">'HTTPDELAY'</span><span class="p">])</span> <span class="p">{</span> <span class="k">super</span> <span class="p">}</span>
<span class="k">rescue</span> <span class="no">Timeout</span><span class="o">::</span><span class="no">Error</span>
<span class="c1"># When the server stops due to our timeout, this is raised</span>
<span class="k">end</span>
<span class="k">end</span>
</code></pre></div></div><p>Here’s what happens when you run the above example:</p><ol><li>The super call wrapped in the Timeout block starts the web server.</li><li>Before the web server enters its serving loop, the primer() method is called; this is where you send the requests that are meant to trigger code execution on the target.</li><li>Your HttpServer serves the final payload upon request.</li><li>After HTTPDELAY seconds (10 by default), the Timeout block raises Timeout::Error; the exploit method rescues it, and the web server terminates.</li></ol><p>In case you’re wondering why the web server must terminate after a period of time: if the module fails to gain code execution on the target machine, the target will never ask your web server for the payload, so there is no point in keeping the server alive forever. A payload request typically arrives quickly when the exploit succeeds, so the timeout can be kept short.</p><p>The output for the above example should look something like this:</p><div class="language-msf highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="zp">msf</span> exploit<span class="p">(</span><span class="kc">test</span><span class="p">)</span> <span class="p">></span> run
<span class="zs">[*]</span> Exploit running as background job.
<span class="zs">[*]</span> Started reverse handler on 10.0.1.76:4444
<span class="zs">[*]</span> Using URL: http://0.0.0.0:8080/SUuv1qjZbCibL80
<span class="zs">[*]</span> Local IP: http://10.0.1.76:8080/SUuv1qjZbCibL80
<span class="zs">[*]</span> Server started.
<span class="zs">[*]</span> Sending a malicious request to /
<span class="zp">msf</span> exploit<span class="p">(</span><span class="kc">test</span><span class="p">)</span> <span class="p">></span>
<span class="zs">[*]</span> 10.0.1.76 test - 10.0.1.76:8181 - Payload request received: /SUuv1qjZbCibL80
<span class="zs">[*]</span> Server stopped.
<span class="zp">msf</span> exploit<span class="p">(</span><span class="kc">test</span><span class="p">)</span> <span class="p">></span>
</code></pre></div></div><h3 id="related-articles"> <a href="#related-articles" class="anchor-heading" aria-labelledby="related-articles"><svg viewBox="0 0 16 16" aria-hidden="true"><use xlink:href="#svg-link"></use></svg></a> Related Articles:</h3><ul><li><a href="/docs/development/developing-modules/libraries/http/how-to-send-an-http-request-using-httpclient.html">How to Send an HTTP Request Using HTTPClient</a><li><a href="/docs/development/developing-modules/guides/how-to-write-a-browser-exploit-using-httpserver.html">How to write a browser exploit using HttpServer</a><li><a href="https://community.rapid7.com/community/metasploit/blog/2012/12/17/metasploit-hooks">https://community.rapid7.com/community/metasploit/blog/2012/12/17/metasploit-hooks</a></ul><hr><footer><p><a href="#top" id="back-to-top">Back to top</a></p><p class="text-small text-grey-dk-000 mb-0"> <a href="https://github.com/rapid7/metasploit-framework/tree/master/docs/metasploit-framework.wiki/How-to-write-a-module-using-HttpServer-and-HttpClient.md" id="edit-this-page">Edit this page on GitHub</a></p></footer></div></div><div class="search-overlay"></div></div><script type="text/javascript" src="/assets/js/toggle_mode.js"></script> <script> var config = { theme: 'default', logLevel: 'fatal', securityLevel: 'strict', startOnLoad: true, arrowMarkerAbsolute: false, er: { diagramPadding: 20, layoutDirection: 'TB', minEntityWidth: 100, minEntityHeight: 75, entityPadding: 15, stroke: 'gray', fill: 'honeydew', fontSize: 12, useMaxWidth: true, }, flowchart:{ diagramPadding: 8, htmlLabels: true, curve: 'basis', }, sequence: { diagramMarginX: 50, diagramMarginY: 10, actorMargin: 50, width: 150, height: 65, boxMargin: 10, boxTextMargin: 5, noteMargin: 10, messageMargin: 35, messageAlign: 'center', mirrorActors: true, bottomMarginAdj: 1, useMaxWidth: true, rightAngles: false, showSequenceNumbers: false, }, gantt: { titleTopMargin: 25, barHeight: 20, barGap: 4, topPadding: 50, leftPadding: 75, fontSize: 11, 
gridLineStartPadding: 35, fontFamily: '\'Open Sans\', sans-serif', numberSectionStyles: 4, axisFormat: '%Y-%m-%d', topAxis: false, }, }; mermaid.initialize(config); window.mermaid.init(undefined, document.querySelectorAll('.language-mermaid')); </script>