Contents in Detail
xi
Configuration ...................................................................................................... 178
Launching the Attack ............................................................................................. 179
Credential Harvesting ........................................................................................... 181
Getting a Shell ..................................................................................................... 182
Wrapping Up ...................................................................................................... 184
Getting Command Execution on Microsoft SQL ........................................................ 186
Exploring an Existing Metasploit Module ................................................................. 187
Creating a New Module ....................................................................................... 189
PowerShell ............................................................................................. 189
Running the Shell Exploit .......................................................................... 190
Creating powershell_upload_exec ............................................................. 192
Conversion from Hex to Binary ................................................................. 192
Counters ................................................................................................ 194
Running the Exploit .................................................................................. 195
The Art of Fuzzing ................................................................................................ 198
Controlling the Structured Exception Handler ........................................................... 201
Hopping Around SEH Restrictions ........................................................................... 204
Getting a Return Address ...................................................................................... 206
Bad Characters and Remote Code Execution ........................................................... 210
Wrapping Up ...................................................................................................... 213
15
PORTING EXPLOITS TO THE METASPLOIT FRAMEWORK
Stripping the Existing Exploit ..................................................................... 218
Configuring the Exploit Definition .............................................................. 219
Testing Our Base Exploit .......................................................................... 220
Implementing Features of the Framework .................................................... 221
Adding Randomization ............................................................................ 222
Removing the NOP Slide .......................................................................... 223
Removing the Dummy Shellcode ................................................................ 223
Our Completed Module ........................................................................... 224
SEH Overwrite Exploit .......................................................................................... 226
Wrapping Up ...................................................................................................... 233