I want to use the following Ruby code, written using net/http, as a Metasploit auxiliary module.

I want to know which one will help me convert it easily: either librex or any other Metasploit API that supports file reading/writing and string manipulation using gsub.

My code is the following:

require 'net/http'
require 'uri'

puts "Enter Target:\n"
# chomp the trailing newline, which URI() would otherwise reject
target = URI(gets.chomp)
Net::HTTP.start(target.host, target.port) do |http|
  request = Net::HTTP::Get.new target.request_uri
  response = http.request request
  puts response.body
end
a = target
puts "File contents:\n"
# block forms close both files when the loop finishes
File.open('out.txt', 'w') do |outfile|
  File.foreach('fuzz.txt') do |line|
    # URI.escape was removed in Ruby 3.0; percent-encode the value instead
    line1 = URI.encode_www_form_component(line.chomp)
    puts "\n---------------------------------------------\nAttack value: #{line1}"
    # substitute only the value; the separator is printed, not put into the URI
    newuri = a.to_s.gsub('fuzz', line1)
    puts "Attack Request:\n\n#{newuri}\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
    nuri = URI.parse(newuri)
    outfile.puts "\nAttack Value:#{line1}\nRequest:#{newuri}\n####################\n\n"
    Net::HTTP.start(nuri.host, nuri.port) do |http|
      request = Net::HTTP::Get.new nuri.request_uri
      response = http.request request
      puts "Attack Response \n\n####################\n\n"
      puts response.body
      outfile.puts response.body
    end
  end
end

Charles
Akash Panchal
  • Have you looked at some of the scripts in the `modules/auxiliary` directory of your Metasploit installation and tried to learn from that? It would be easier to help you if you have a concrete question. – Michael Kohl Feb 17 '12 at 08:40
  • I have looked at those scripts but am not able to find what to use for file I/O and string manipulation. I have created a .rb file that sets RPORT, RHOST and BASEURI, but I am clueless about what to do next to fuzz this set RHOST using file contents, replacing the $fuzz$ keyword written in the BASEURI GET request parameter with the file contents, like `msf auxiliary(http_get_fuzz) > set BASEURI /datastore/search_get_by_id.aspx?id=$fuzz$` – Akash Panchal Feb 17 '12 at 10:18

1 Answer

I'd recommend you check out the Metasploit repo at GitHub for examples similar to what you are trying to do.

https://github.com/rapid7/metasploit-framework

You should never use puts in a Metasploit auxiliary module. You should use register options for user input. You can use print_line instead of puts.

For more on Metasploit guidelines check out:

https://github.com/rapid7/metasploit-framework/blob/master/HACKING

threatagent
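
Metasploit modules are ordinary Ruby, so the file reading and `gsub` substitution asked about need no special API. The following is an added example (not from the original post or from Metasploit's code base): a stand-alone helper that fills the `$fuzz$` marker from the question's BASEURI with percent-encoded lines from a wordlist. The names `each_fuzzed_path`, `MARKER` and `demo` and the sample values are assumptions made for illustration.

```ruby
require 'uri'
require 'tempfile'

MARKER = '$fuzz$' # placeholder taken from the question's BASEURI example

# Yields [raw_value, request_path] for each non-empty line of wordlist_path.
# template is the path and query containing MARKER (hypothetical helper name).
def each_fuzzed_path(template, wordlist_path)
  raise ArgumentError, "template lacks #{MARKER}" unless template.include?(MARKER)
  return enum_for(:each_fuzzed_path, template, wordlist_path) unless block_given?

  File.foreach(wordlist_path, chomp: true) do |line|
    value = line.delete("\r") # tolerate CRLF wordlists
    next if value.empty?
    # Percent-encode so spaces, '&', '#' or control bytes stay inside the one
    # parameter and cannot change the shape of the request line.
    encoded = URI.encode_www_form_component(value)
    # Block form of gsub inserts the replacement literally; a string
    # replacement would interpret \0 or \1 as back-references.
    yield value, template.gsub(MARKER) { encoded }
  end
end

# Constructed sample input, written to a temp file so the block runs offline.
def demo
  Tempfile.create('fuzz') do |f|
    f.write("1\r\nO'Brien & co\n\na\\0b\n")
    f.flush
    each_fuzzed_path('/datastore/search_get_by_id.aspx?id=$fuzz$', f.path).to_a
  end
end

demo.each { |raw, path| puts "#{raw.inspect} -> #{path}" }
```

Inside a module, the template and wordlist path would come from registered options read through `datastore`, and output would go through the framework's print methods, as the answer advises.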