custom_meta() – automating Metasploit

Let's now take a look at the custom_meta method, which is responsible for handling all the Metasploit modules. It does this with the help of the Pexpect library.

As can be seen in section (1) in the following snippet, we use pexpect.spawn to invoke "msfconsole -q" on our terminal. This starts a Metasploit process on a virtual terminal and returns control of that process to the variable declared as child:

Whenever we invoke msfconsole, if there is no error, we get a Metasploit prompt as msf>. This is what we are specifying in section (2), [.*>, .., ..], as the 0th index. What is implied here is that we treat any output ending in > as a sign of successful execution, and so we pass the commands that are required to run the Metasploit module. If the index returned by child.expect is 0, we iterate over the command list of the JSON file and send each command to our Metasploit console. For our projectID 744 and the http service, we have configured a few Metasploit modules. One of these is shown here:

Whatever is within the args key in the preceding screenshot of the JSON structure is passed as a list to the custom_meta method and stored in the commands list. In section (3), we iterate over the commands list, and, as we studied earlier, the <host> and <port> placeholders are replaced by the actual host and port being scanned.

In this section, each command is sent to the msfconsole terminal one by one with the child.sendline(cmd) command. After sending each command, we need to check whether the console is in the state we expect, which means that it should show the msf> prompt. We invoke child.expect and specify ".*>" as the 0th index of our input list. Note that index 0 defines the success criterion for us to continue. As long as we get an output that matches index 0, we continue, as specified by section (4). If at any time we observe anything other than index 0 (either a timeout or the end of a file – EOF), we know that something did not happen as expected, and so we set the Boolean variable run to false:

When we get out of this iterative loop, we move to section (9), where we check whether run == True. If it is true, we assume all the parameters are properly set to execute the Metasploit module. We issue the 'run' command with the help of sendline, as highlighted by section (10).
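The placeholder substitution and the prompt-checking loop described above, as an added example that is not the book's code: it validates the host and port before substituting them, so that a value taken from scan results cannot carry extra console input, and it runs against a constructed stand-in process rather than msfconsole. The names fill_placeholders, drive_console, STAND_IN and PROMPT, the anchored prompt pattern, and the assumption that the host is an IP address are introduced here.

```python
import ipaddress
import sys

import pexpect

# Constructed stand-in for "msfconsole -q" so the example runs offline:
# it prints a prompt and answers "set K V" with "K => V", as the console does.
FAKE_CONSOLE = r'''
import sys
while True:
    sys.stdout.write("msf > "); sys.stdout.flush()
    parts = sys.stdin.readline().split()
    if not parts or parts[0] == "exit":
        break
    if parts[0] == "set" and len(parts) == 3:
        print(parts[1] + " => " + parts[2])
'''
STAND_IN = [sys.executable, "-c", FAKE_CONSOLE]

# Assumed prompt pattern, anchored to the start of a line. A bare ".*>" also
# matches the "=>" in the console's reply to "set", before the prompt returns.
PROMPT = r"(?m)^msf[^\r\n]*> "


def fill_placeholders(commands, host, port):
    """Substitute <host>/<port> only after validating both values."""
    host = str(ipaddress.ip_address(host))  # ValueError for anything but an IP
    port = int(port)
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return [c.replace("<host>", host).replace("<port>", str(port)) for c in commands]


def drive_console(argv, commands, timeout=10):
    """Send commands one by one; stop at the first expect() index other than 0."""
    child = pexpect.spawn(argv[0], argv[1:], encoding="utf-8", timeout=timeout)
    patterns = [PROMPT, pexpect.TIMEOUT, pexpect.EOF]
    run, launched = child.expect(patterns) == 0, []
    for cmd in commands:
        if not run:
            break
        child.sendline(cmd)
        launched.append(cmd)
        run = child.expect(patterns) == 0  # 1 = timeout, 2 = EOF
    child.close(force=True)
    return run, launched
```

drive_console returns the run flag together with the commands actually sent, which corresponds to the check made before issuing 'run' and to the commands_launched record described in the text.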

Finally, if everything goes right and the module is executed successfully, it's time for us to collect our results. In section (11), if all goes as expected, we collect the results in an exploits_results variable and the commands in the commands_launched variable. If there is an error, we collect the error details in section (12):

Finally, in section (14), we save the results in the database table by invoking the saveDetails() method. Note that the results are saved in the same JSON structure as discussed earlier, against the "http_headers_2" key, which is the ID of the script. The definition of the saveDetails method is shown. Note that it is invoked from all the different methods that we will discuss:

The section highlighted as (1) invokes the method placed in the class file IPexploits.py, which would insert the details in the database. The whole code file can be found at the GitHub repository.
