Chapter 14
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 341
Rank: Normal
The return address at in the 'Targets' section is currently occupied by a placeholder value, which we'll change later in the exploit development process. As with the fuzzer module discussed earlier, this exploit connects and logs into the target at , uses a string of As at as the initial buffer, and appends four Cs at to overwrite the SEH. The entire exploit string is generated at and then sent to the target at .
Getting a Return Address
The next step is to locate a POP-POP-RETN sequence in surgemail.exe. To do so, copy the executable to a location on your Back|Track machine, and then use the -p switch with msfpescan to locate a suitable candidate, as in the following example:
root@bt:/tmp#
msfpescan -p surgemail.exe
[surgemail.exe]
0x0042e947 pop esi; pop ebp; ret
0x0042f88b pop esi; pop ebp; ret
0x00458e68 pop esi; pop ebp; ret
0x00458edb pop esi; pop ebp; ret
0x0046754d pop esi; pop ebp; ret
0x00467578 pop esi; pop ebp; ret
0x0046d204 pop eax; pop ebp; ret
. . . SNIP . . .
0x0078506e pop ebx; pop ebp; ret
0x00785105 pop ecx; pop ebx; ret
0x0078517e pop esi; pop ebx; ret
When msfpescan is run against the target executable, it reads through the machine code looking for assembly instructions that match the target (a POP-POP-RETN sequence in this case) and displays the memory address where these instructions occur. As you can see in the listing, multiple addresses are found. We'll use the address at the end of the output, 0x0078517e, to overwrite SEH in the exploit. Having made our selection, we edit the 'Targets' section of the exploit module to include this address and edit the exploit section to include it as part of the buffer to be sent, as shown next.
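An SEH overwrite like the one built here relies on the module supplying the POP-POP-RETN address being built without the Windows mitigations that block it (DEP, ASLR, and an SEH-free or SafeSEH image). The following added example, which is not part of the book or of the Metasploit project, reads the DllCharacteristics flags from a PE optional header so a defender can audit whether a shipped binary opts into those mitigations; the stub PE it parses is constructed in-line and is not surgemail.exe. Full SafeSEH status lives in the Load Config Directory, which this example does not walk.

```python
import struct

# DllCharacteristics bits from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image contains no SEH handlers at all


def pe_mitigations(data: bytes) -> dict:
    """Report the mitigation-related DllCharacteristics flags of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip PE signature and the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def build_stub_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (headers only, not a runnable program) for testing."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)  # DllCharacteristics under test
    return mz + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_stub_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    print("hardened stub:", pe_mitigations(hardened))
    print("legacy stub:  ", pe_mitigations(build_stub_pe(0)))
```

Point `pe_mitigations` at `open(path, "rb").read()` to audit a real module; a result with `dep` and `aslr` both False is the profile under which the return-address technique above works unchanged.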