Team LiB
Previous Section Next Section

5.1. Introduction to MSF

MSF exists to provide a consistent and all-encompassing exploit development platform. This makes rapid exploit development possible for professionals and researchers. At its core, MSF provides an extensible API and interface for setting variable parameters on an exploit. You can reuse many components between exploits. Examples include payloads, payload handlers, NOP generators, protocol libraries, and encoding routines. MSF comes with a robust assortment of these core components to be reused in exploit development. To facilitate the goals of component reuse and rapid exploit development, all the components and exploits are written using Object-Oriented Perl (OOP) with dynamic loading. As shown later in this chapter, MSF's complex OOP foundation makes developing modules easier.

MSF functions as a bridge between the abstract concept of a "remote exploit" and a user. These concepts are interfaced within the various MSF frontends. The frontends have the task of setting user-controllable parameters and launching exploit modules with complete control over how the exploit is run. MSF comes with three frontend programs to demonstrate the framework's flexibility. msfconsole is a fully interactive subshell interface that you can run from a shell interpreter such as bash or cmd.exe. It is the preferred frontend and is used for all the examples in this chapter. The msfcli command-line interface is ideal for use in scripts. All options and parameters are supplied as arguments on the command line. The msfweb web server interface allows users to access the framework with a standard web browser.

Another goal of the framework is portability. Because MSF is written in the Perl programming language and uses a minimal number of external modules, it works on a wide variety of operating systems.

The framework download page, at, provides a compressed tar archive of the framework source that you can use as is with the Perl interpreters found on Linux/BSD/OSX. Also found on the download page is an installer for Windows. This installs a minimal version of the Cygwin API emulator as well as the framework source. As of MSF version 2.2, if you have previously installed Cygwin you cannot use MSF Cygwin concurrently with the previously installed Cygwin.

When you first look into the MSF install source directory, you will notice that MSF comes with a series of helper utilities that the framework authors provide to help in exploit development and MSF use. Table 5-1 provides a brief description of the programs that come with MSF and explains what is found in the main directories. After extracting the source your first step should be to read the CrashCourse.html file.

Table 5-1. Main MSF files and directories

File or directory



Contains files needed for specialized payloads.


The documentation directory. This should be your first stop for extensive documentation on how to use the frontends and the tools.


Contains encoder modules that operate on the payloads. The encoders are usually target-architecture-dependent.


Contains all the exploit modules that come with the framework.


Contains the Net-SSL and Term-ReadLine-Gnu Perl modules. These are not necessary to run MSF, but they are required for SSL socket support and for advanced msfconsole features.


Contains the MSF core files.


A command-line interface to the framework. All options and settings are passed as arguments to this program.


A text-based console interface to the framework, with tab completion and external command execution functionality.


A helper utility that downloads debugging symbols for Microsoft Windows files.


A helper utility for testing out the encoder modules. Using this will help you to understand how MSF deals with payload encoding.


A helper utility for analyzing the logs generated by the interface.


A helper utility for testing out the encoder payload.


A helper utility for testing out the encoder payload. You can move this into a CGI directory and execute it from a web browser.


A helper utility that finds opcode matches in a Windows PE executable. These opcodes are often used as return instructions when jumping to shellcode.


A helper utility that downloads updates to the framework over HTTPS.


A web server interface accessible to multiple web browser clients.


Contains modules that generate "No operation" buffers that are used in exploits to increase their reliability.


Contains modules that implement various actions a particular exploit can perform; for example, binding a shell to a TCP socket on the target host.


A small tutorial on writing a module for a contrived vulnerability.


Contains various payloads and assembly used in the framework.


Contains the helper tools Socket Ninja and memdump. Socket Ninja is a multiplexing socket manager and memdump extracts memory segments from running Windows processes.

    Team LiB
    Previous Section Next Section