AGENTS.md: 30 additions & 0 deletions
@@ -38,10 +38,37 @@ Metasploit Framework is an open-source penetration testing and exploitation fram
38
38
- When possible don't set a default payload (`DefaultOptions` with `'PAYLOAD'`) in modules — let the framework choose the most appropriate payload automatically
39
39
- New modules require an associated markdown file in the `documentation/modules` folder with the same structure, including steps to set up the vulnerable environment for testing
40
40
- Module descriptions or documentation should list the range of vulnerable versions and the fixed version of the affected software, when known
41
+
-`report_service` method called when a service can be reported
42
+
-`report_vuln` method called when a vuln can be reported
43
+
- When creating a fake account / username use FAKER not `rand_test_alphanumeric`
44
+
- Always use `res.get_json_document` to convert an HTTP response to a hash instead of calling `JSON.parse(res.body)`
45
+
- If there's only one `ACTION` in the exploit, it can likely be omitted.
46
+
-`Msf::Exploit::SQLi` should be used if it's exploiting an SQLi
47
+
- All `print_*` calls should start with a capital
48
+
- when opening a file, make sure the file exists first
49
+
- when checking for a string in a response - will it always be in english?
50
+
- Ensure hardcoded strings being regex'ed will be consistent across multiple versions
51
+
- Use the TEST-NET-1 range for example / non-routeable IP address: `192.0.2.0`
52
+
- Use fetch payload instead of command stagers when only options that request the stage are available (i.e. don’t use a cmd stager and only allow curl/wget).
53
+
- Define bad characters instead of explicitly base-64 encoding payloads
54
+
- Use `ARCH_CMD` payloads instead of command stagers when only curl/wget and other download mechanisms would be available
55
+
- Don’t check the number of sessions at the end of an exploit and report success based on that, not all payloads open sessions
56
+
- Don’t submit any kind of opaque binary blob, everything must include source code and build instructions
57
+
- Don’t print host information like `#{ip}:#{port}` because it doesn’t handle IPv6 addresses, instead use `#{Rex::Socket.to_authority(ip, port)}`
41
58
- Implement a `check` method when possible to allow users to verify vulnerability before exploitation
59
+
60
+
### Check Methods
61
+
42
62
-`check` methods must only return `CheckCode` values (e.g. `CheckCode::Vulnerable`, `CheckCode::Safe`) — never raise exceptions or call `fail_with`
43
63
- When writing a `check` method, verify it does not produce false positives when run against unrelated software or services
44
64
- Use `fail_with(Failure::UnexpectedReply, '...')` (and other `Failure::*` constants) to bail out of `exploit`/`run` methods — don't use `raise` or bare `return` for error conditions
65
+
-`get_version` methods should return a REX version
66
+
-`CheckCode::Vulnerable` is only used when the vulnerability has been exploited
67
+
-`CheckCode::Appears` is only used when the application's versions has been checked`
68
+
- Don't use a massive `<href .*` dot star to grab the version, to be more precise.
69
+
- Do catch exceptions that may be raised and ensure a valid Check Code is returned
70
+
- Do research and determine a minimum version where the application is vulnerable, mark prior versions as safe
71
+
- Check helper methods that are used by both `#check` and `#exploit` (or `#run`) and make sure there is no condition (exception, return, etc) where `#check` could return something else than CheckCode.
45
72
- Prefer `prepend Msf::Exploit::Remote::AutoCheck` over manually calling `check` inside `exploit` — this lets the framework handle check-before-exploit automatically
46
73
47
74
### Library Code
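Review bot: the two payload entries in this hunk state the same rule twice ("Use fetch payload instead of command stagers when only options that request the stage are available" and "Use `ARCH_CMD` payloads instead of command stagers when only curl/wget and other download mechanisms would be available"); keep one, and say explicitly that fetch payloads are `ARCH_CMD` payloads so readers do not look for two different things. The new `### Check Methods` heading is also placed one entry too late: "Implement a `check` method when possible to allow users to verify vulnerability before exploitation" stays in the general list above it, while the `fail_with(Failure::UnexpectedReply, '...')` entry, which is about bailing out of `exploit`/`run`, now sits under Check Methods; move the heading above the "Implement a `check` method" line and the `fail_with` line back below the section. Smaller points: `192.0.2.0` is the network address of TEST-NET-1, so write the range as `192.0.2.0/24` (or give a host address such as one inside it); the `CheckCode::Appears` line ends with a stray backtick and should read "the application's version has been checked"; the two `report_service` / `report_vuln` lines lost the space after the bullet dash and do not say what to do (e.g. "Call `report_service` when a service can be reported"); "should return a REX version" should name the class the way the other entries do; and "Don't use a massive `<href .*` dot star to grab the version, to be more precise." reads backwards and names no real tag, so something like "Anchor version regexes tightly rather than grabbing everything with a greedy `.*`" would be clearer.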
@@ -60,9 +87,12 @@ Metasploit Framework is an open-source penetration testing and exploitation fram
60
87
### Preferred Libraries
61
88
- Use the `RubySMB` library for SMB modules
62
89
- Use `Rex::Stopwatch.elapsed_time` to track elapsed time
90
+
- Use the `Rex::MIME::Message` class for MIME messages instead of hardcoding XML
91
+
- When creating random variable names prefer `Rex::RandomIdentifier::Generator` and specify the runtime language used. This avoids generating langauge keywords that would break the script.
63
92
64
93
## Common Patterns
65
94
- Register options with `register_options` and `register_advanced_options`
95
+
- Use `SCREAMING_SNAKE_CASE` option names and `CamelCase` advanced option names
66
96
- Use `datastore['OPTION_NAME']` to access module options
67
97
- Use `print_status`, `print_good`, `print_error`, `print_warning` for console output
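Review bot: "langauge" in the `Rex::RandomIdentifier::Generator` entry is a typo for "language". The `Rex::MIME::Message` entry says "instead of hardcoding XML", but a MIME message is a multipart body with headers and boundaries, not XML; if the intent is to stop modules hand-building multipart bodies, say that, otherwise the wording will confuse contributors. The new `SCREAMING_SNAKE_CASE` / `CamelCase` option-naming line is well placed directly above the `datastore['OPTION_NAME']` line it governs.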