Hey, everybody, and welcome to part four of the Métis boy mini module.
Now we're going to be going over how to add our own custom module to medicinally.
Now, this is not going to be a fully end up course where you're going to be talking about every single option, trying to understand a basis basics of Ruby.
So we're not going to go over that level of it in this course.
But I want to show you the steps.
So if you wanted to add your own custom exploit to medicinally without it being in their actual repo, which you could get, you could have it tried to be added.
As long as it's about working in the correct format, you should be fine.
So we're in this directory.
We're in user Sheremeta support framework modules, exploits.
Now, if we go back to directories and we take a look at this inside the modules, we've got Auxillary, which is our Rickon, we've got encoders, which we're not going to go over.
And this video exploits Knopf's.
We're not going to go over in the video payloads, which we've used, such as an interpreter and then post, which is something that we've used already with the interpreter we're going to do is we're going to go into exploits and for this we're going to see what options we have.
Right.
So we've got a bunch of different operating systems.
So in this example, we're going to go into windows.
Now, keep in mind, you should notice the structure.
So remember, exploits slash windows, slash whatever.
In this case, SNH.
If we went to S.H., then we can look up to actually it's do that we look at as S.H. and then we go ahead and look at all of our options.
We can see here we've got our CISAC SNH, so let's actually go ahead and work with this.
So what we'll do is we'll make a directory called New S.H. We'll put it a directory back, new SNH, then we'll do is we'll copy
Secich back a directory to our new S.H. and we'll go ahead and go into that.
Perfect, so we'll we'll rename this, we'll do this will do.
We need to sample a sausage derby and we'll go and open it up.
So what we're looking at here is, is what a S.H. or a SNH exploit in motorsport is.
So we can see here the Métis white module the NSF exploit.
It's a remote exploit.
So this is important.
Now, what we include here is we're going to be connecting over TCP and we're going to be working with SNH now metastable.
It comes with its own modules to interface with these services.
So you don't have to worry about rebuilding out the whole exploit, creating the sockets, everything like that.
It's already done for you.
So what we'll do in this particular case is we're going to change the name.
So this is the name of the of the exploit itself.
So we'll use new sample size, each service exploit.
Right.
So this is the description, which is what we've seen before.
So we'll do, you know, sample as each description MSF license's completely.
I will leave that alone.
So here we have our author.
So in this case, we'll do we know we can change this references.
So this is where Exploit explained.
This is the number for export to that it's located.
Here's an example page for the URL.
Now, the Payloaders is a bit important here, so we need one hundred and twenty thousand twenty four spaces and then we've got bad characters for the exploit that we need to filter out or have it filtered out and then we need to adjust for 3500.
Now, this is all when you're dealing with exploits, so don't worry about that at this point.
Just know that when you set your bad characters for your own exploit, it's set here.
You set your entire offsets and the amount of space needing to be set so you can kind of have it kind of builds it for you.
So are we have an exit function, which is our default option.
So changes to thread just for the sake of simplicity.
So we see here we've got windows to make SP1 and we've got this target here which have different return addresses based on the system that they work so currently.
This one's for the system executable itself for the service.
Looks like this.
It doesn't actually tell us where this is from.
So this might be in the same executable.
So we've got our privileges false.
It doesn't need a privilege.
It tells us our disclosure date and then we have our register options.
So this so our outport.
So the target port and 22.
Now, if we take a look here, we've got our check.
So every exploit has our in most cases, we'll have a check.
So what this does is it connects to the machine on Port 22 and checks to see if it sees that banner, which we've already looked at.
And if it does, then it works.
Otherwise it will throw an error of some kind.
So in this case, we're going to we're going to remove this.
We don't need this in our exploit.
We don't need that either, so this is to generate the exploit, so depending on how you were generating it, you may want to change some stuff around.
But like I said, this is just an example of kind of what you can do.
So this is generating the rob exploit and then we're encoding it.
So for our instance, we don't actually need or care about the exploit itself.
I just kind of want to give you guys an example of how we can add it.
So go ahead, remove this part.
It's a little bit too far.
You know, get rid of this.
Perfect.
Now we've got an actual explosion, so it's looking for a.
That's fine.
We're going to actually clear out.
We're actually going to clear out this whole thing.
Perfect.
So right now we have a skeleton exploit with no code, so what we're going to turn to, who puts it we'll do exploit is a war game.
So all we're doing is essentially printing to the screen, the exploits working, but we're using a few changes on the top are the exploit.
Now, again, this is not me taking a another exploit entirely, rebuilding it from scratch.
That would be a model in itself.
So I'm just going to give you guys an example on how we do this.
So as long as we're in this directory and we've got our name here, so this is our name of our exploit, what we're going to do is load up.
And as a console, once this loads up, it will then it'll then go through all of these directories and reload them in the memory.
So that's important to keep in mind.
So if you already have MSF consul open and you start making changes and you want it and you want to just run it again, you'll have to reload the module, which there's a command inside of MSF console when you first load it up that you can do a reload.
So in this case, we're going to search sample A and we're going to go ahead and let that search so we can try to find out what we've got, see if it made it into metastable it correctly.
No, perfect, so we can see here we've got our full path, which is what we kind of expected right here, one copy that for future use disclosure date.
We didn't change in the rank.
We didn't change either.
But we have our new description.
So let's go ahead and use it.
Perfect, your options now we can see we got our targets, which is fine, but we also still have our host and our port, which is fine.
But we kept those we kept those set.
So if we set our host to to Radio 20, which we're not actually going to exploit this.
So if we do exploit.
Exploit.
Oh, looks like we goofed or I goofed, I put put instead of puts, there should be an S at the end there.
So if we go ahead and reopen this back up, go all the way at the bottom, should be Put's.
Let's save that and we'll read back open this, so I'm going to cut here until we get back to the same spot that we were just at and then we'll continue from there.
Sorry about that.
So we should be good to go now.
So we go ahead and run.
But again, we should get our text onto the screen.
Perfect, so the exploit failed for Method SS because we're not you're currently using it, but we can see exploiters working.
So this is how you load your own exploit.
Now, you can do this in auxillary, you can do this on post.
It doesn't matter, however, what it's good, good ideas to use to look through some of the example, the example modules and kind of get an idea of how some of these are built.
Now, there's quite a few very, very in-depth tutorials on how to build display modules.
So go to feel free to take that extra step if you need to.
But in this particular video, we're just covering how to add something custom to it, because sometimes you might find a misplaced code for a module on XPoint TV, but it might not be an exploit or it might not be in Métis Point just yet.
It's not often, but you might find it sometimes.
And if that's the case, you can copy everything over and go ahead and load that into your own.
That is split and test it out locally before you fire it off.
So go ahead, play around with this, rebuild your own exploit or your own module.
Put it all out there, rebuild it and use like printing statements similar to what we did here and get a better get an understanding for how the structure of the exploit in the Ruby file is.