Python遠程調用MetaSploit

Python遠程調用MetaSploit

（1）安裝Python的msgpack類庫，MSF官方文檔中的資料序列化標準就是參照msgpack。

root@kali:~# apt-get install python-setuptools

root@kali:~# easy_install msgpack-python

（2）建立createdb_sql.txt:

create database msf;

create user msf with password 'msf123';

grant all privileges on database msf to msf;

（3）在PostgreSQL 執行上述檔案：

root@kali:~# /etc/init.d/postgresql start

root@kali:~# sudo -u postgres /usr/bin/psql < createdb_sql.txt

（4）建立setup.rc檔案

db_connect msf:msf123@127.0.0.1/msf

load msgrpc User=msf Pass='abc123'

（5）啟動MSF並執行載入檔案

root@kali:~# msfconsole -r setup.rc

* SNIP *

[*] Processing setup.rc for ERB directives.

resource (setup.rc)> db_connect msf:msf123@127.0.0.1/msf

[*] Rebuilding the module cache in the background...

resource (setup.rc)> load msgrpc User=msf Pass='abc123'

[*] MSGRPC Service: 127.0.0.1:55552

[*] MSGRPC Username: msf

[*] MSGRPC Password: abc123

[*] Successfully loaded plugin: msgrpc

（6）Github上有一個Python的類庫，不過很不好用

root@kali:~# git clone git://github.com/SpiderLabs/msfrpc.git msfrpc

root@kali:~# cd msfrpc/python-msfrpc

root@kali:~# python setup.py install

測試代碼：

#!/usr/bin/env python

import msgpack

import httplib

class Msfrpc:

class MsfError(Exception):

def __init__(self,msg):

self.msg = msg

def __str__(self):

return repr(self.msg)

class MsfAuthError(MsfError):

def __init__(self,msg):

self.msg = msg

def __init__(self,opts=[]):

self.host = opts.get('host') or "127.0.0.1"

self.port = opts.get('port') or 55552

self.uri = opts.get('uri') or "/api/"

self.ssl = opts.get('ssl') or False

self.authenticated = False

self.token = False

self.headers = {"Content-type" : "binary/message-pack" }

if self.ssl:

self.client = httplib.HTTPSConnection(self.host,self.port)

else:

self.client = httplib.HTTPConnection(self.host,self.port)

def encode(self,data):

return msgpack.packb(data)

def decode(self,data):

return msgpack.unpackb(data)

def call(self,meth,opts = []):

if meth != "auth.login":

if not self.authenticated:

raise self.MsfAuthError("MsfRPC: Not Authenticated")

if meth != "auth.login":

opts.insert(0,self.token)

opts.insert(0,meth)

params = self.encode(opts)

self.client.request("POST",self.uri,params,self.headers)

resp = self.client.getresponse()

return self.decode(resp.read())

def login(self,user,password):

ret = self.call('auth.login',[user,password])

if ret.get('result') == 'success':

self.authenticated = True

self.token = ret.get('token')

return True

else:

raise self.MsfAuthError("MsfRPC: Authentication failed")

if __name__ == '__main__':

# Create a new instance of the Msfrpc client with the default options

client = Msfrpc({})

# Login to the msfmsg server using the password "abc123"

client.login('msf','abc123')

# Get a list of the exploits from the server

mod = client.call('module.exploits')

# Grab the first item from the modules value of the returned dict

print "Compatible payloads for : %s\n" % mod['modules'][0]

# Get the list of compatible payloads for the first option

ret = client.call('module.compatible_payloads',[mod['modules'][0]])

for i in (ret.get('payloads')):

print "\t%s" % i