background image

Contents in Detail

xi

12
KARMETASPLOIT

177

Configuration ...................................................................................................... 178
Launching the Attack ............................................................................................. 179
Credential Harvesting ........................................................................................... 181
Getting a Shell ..................................................................................................... 182
Wrapping Up ...................................................................................................... 184

13
BUILDING YOUR OWN  MODULE

185

Getting Command Execution on Microsoft SQL ........................................................ 186
Exploring an Existing Metasploit Module ................................................................. 187
Creating a New Module ....................................................................................... 189

PowerShell ............................................................................................. 189
Running the Shell Exploit .......................................................................... 190
Creating powershell_upload_exec ............................................................. 192
Conversion from Hex to Binary ................................................................. 192
Counters ................................................................................................ 194
Running the Exploit .................................................................................. 195

The Power of Code Reuse ..................................................................................... 196

14
CREATING YOUR OWN EXPLOITS

197

The Art of Fuzzing ................................................................................................ 198
Controlling the Structured Exception Handler ........................................................... 201
Hopping Around SEH Restrictions ........................................................................... 204
Getting a Return Address ...................................................................................... 206
Bad Characters and Remote Code Execution ........................................................... 210
Wrapping Up ...................................................................................................... 213

15
PORTING EXPLOITS TO THE  METASPLOIT FRAMEWORK

215

Assembly Language Basics .................................................................................... 216

EIP and ESP Registers ............................................................................... 216
The JMP Instruction Set ............................................................................. 216
NOPs and NOP Slides ............................................................................ 216

Porting a Buffer Overflow ...................................................................................... 216

Stripping the Existing Exploit ..................................................................... 218
Configuring the Exploit Definition .............................................................. 219
Testing Our Base Exploit .......................................................................... 220
Implementing Features of the Framework .................................................... 221
Adding Randomization ............................................................................ 222
Removing the NOP Slide .......................................................................... 223
Removing the Dummy Shellcode ................................................................ 223
Our Completed Module ........................................................................... 224

SEH Overwrite Exploit .......................................................................................... 226
Wrapping Up ...................................................................................................... 233