

Chapter 15: Porting Exploits to the Metasploit Framework

    "\r\n")
    handler
    disconnect
  end
end

The malicious buffer is built based on the original exploit code, beginning with the EHLO command, followed by a long string of As (5093 of them), 4 bytes to overwrite the EIP register, a small NOP slide, and then some dummy shellcode. In this case, we've selected an interrupt (breakpoint) so that execution will pause when it reaches our shellcode without our having to set a breakpoint. Having configured the exploit section, we save the file as mailcarrier_book.rb at modules/exploits/windows/smtp/.

Testing Our Base Exploit

In the next step, we load the module in msfconsole, set the required options, and configure a payload of generic/debug_trap (a great payload for exploit development that triggers a stop point when you are tracing the application in a debugger). Then we run the module:

msf > use exploit/windows/smtp/mailcarrier_book
msf exploit(mailcarrier_book) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The local address
   RHOST                   yes       The target address
   RPORT  25               yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP2 - EN

msf exploit(mailcarrier_book) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(mailcarrier_book) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf exploit(mailcarrier_book) > set payload generic/debug_trap
payload => generic/debug_trap
msf exploit(mailcarrier_book) > exploit

Exploit completed, but no session was created.
msf exploit(mailcarrier_book) >

We set the options as if we were running a normal exploit, except that we use the generic/debug_trap payload to test our exploit. After the module runs, the debugger should pause with EIP overwritten by 42424242, as shown in Figure 15-1. If you see a successful EIP overwrite of 42424242, you know your exploit is working. Notice in Figure 15-1 that the EIP register points to 42424242 and that the NOP slide and the dummy payload have made it into the buffer as expected.

Figure 15-1: MailCarrier initial overwrite

Implementing Features of the Framework

Having proved that the basic skeleton of the module works by overwriting our EIP address, we can slowly start to implement the features of the Framework. We begin by setting the target return address (shown in bold in the following example) in the 'Targets' block to a JMP ESP address. We need to find a legitimate return address to ensure that our code executes properly on the operating system we are targeting. Remember that some exploits work only on specific operating systems, as is the case with this exploit. We are using an address from SHELL32.DLL, which will change across different versions or service packs. This is the same address that was used in the original exploit; it's found in SHELL32.DLL on Windows XP SP2. If we were to find a standard JMP ESP in the application's memory address, we would not need to use a Windows DLL and could make this exploit universal to all Windows platforms, because the memory addresses would never change.

'Targets' =>

By declaring the Offset here, you will no longer need to include the string of As manually in the exploit itself. We can now edit the exploit section to have Metasploit generate a random string of uppercase alphabetic characters instead of the 5093 As at runtime. This is a very useful feature, because in some cases the buffer length will differ across different operating system versions.
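A defender-side check for the traffic this module produces, as an added example that is not part of the book's code: it inspects raw SMTP command lines against the RFC 5321 length limits and flags an EHLO buffer of the shape described above (long filler, 4 EIP bytes, NOP slide, dummy payload), and shows that randomising the filler as the text suggests defeats a repeated-byte signature but not the length check. The FILLER_RUN threshold and all sample lines are constructed assumptions.

```python
import random
import string

MAX_COMMAND_LINE = 512  # RFC 5321 4.5.3.1.4: command line limit, CRLF included
MAX_DOMAIN = 255        # RFC 5321 4.5.3.1.2: domain (EHLO/HELO argument) limit
FILLER_RUN = 32         # assumed threshold for "same byte repeated" filler

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value in data."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def check_smtp_command(line: bytes) -> list:
    """Return finding strings for one raw SMTP command line (CRLF included)."""
    findings = []
    if len(line) > MAX_COMMAND_LINE:
        findings.append("oversized command line")
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    if verb.upper() in (b"EHLO", b"HELO"):
        if len(arg) > MAX_DOMAIN:
            findings.append("oversized EHLO/HELO argument")
        if any(b < 0x21 or b > 0x7E for b in arg):   # hostnames are printable ASCII
            findings.append("non-printable bytes in EHLO/HELO argument")
        if longest_run(arg) >= FILLER_RUN:
            findings.append("repeated-byte filler in EHLO/HELO argument")
    return findings

# Constructed samples: a benign greeting, a line shaped like the chapter's
# buffer (5093 As, 4 EIP bytes, NOP slide, dummy payload bytes), and the same
# line with the filler randomised the way the text describes.
BENIGN = b"EHLO mail.example.com\r\n"
FIXED_FILLER = b"EHLO " + b"A" * 5093 + b"BBBB" + b"\x90" * 16 + b"\xcc" * 4 + b"\r\n"
random.seed(1)  # fixed seed so the randomised sample is reproducible
RANDOM_FILLER = (b"EHLO " + "".join(random.choices(string.ascii_uppercase, k=5093)).encode()
                 + b"BBBB" + b"\x90" * 16 + b"\xcc" * 4 + b"\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("fixed", FIXED_FILLER), ("random", RANDOM_FILLER)):
        print(name, check_smtp_command(sample))
```

The random variant loses only the repeated-byte finding; the two length findings and the non-printable-byte finding remain, which is why a length-based rule is the more durable one.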
