Porting Exploits to the Metasploit Framework
221
Figure 15-1: MailCarrier initial overwrite
Implementing Features of the Framework
Having proved that the basic skeleton of the module works by overwriting our EIP address, we can slowly start to implement the features of the Framework. We begin by setting the target return address in the 'Targets' block (shown in the following example) to a JMP ESP address. This is the same address that was used in the original exploit; it's found in SHELL32.DLL on Windows XP SP2. We need to find a legitimate return address to ensure that our code executes properly on the operating system we are targeting. Remember that some exploits work only on specific operating systems, as is the case with this exploit. We are using an address from SHELL32.DLL, which will change across different versions or service packs. If we were to find a standard JMP ESP in the application's own memory address space, we would not need to use a Windows DLL and could make this exploit universal to all Windows platforms, because those memory addresses would never change.
'Targets' =>
  [
    [ 'Windows XP SP2 - EN', { 'Ret' => 0x7d17dd13 } ],
  ],
Metasploit will add the return address into the exploit at run time. You can replace the hard-coded return address in the exploit block with [target['Ret']].pack('V'). This will insert the target return address into the exploit, reversing the bytes into little-endian format. (The endianness is determined by the target CPU's architecture, and Intel-compatible processors use little-endian byte ordering.)
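The following Ruby snippet is an added example, not code from the book or from the Metasploit project, showing what [target['Ret']].pack('V') does to the 32-bit address quoted above and how a 'Targets' table of the same shape maps a target name to its 'Ret' value. The table, the helper names (ret_for, pack_le, pack_be, hexescape, unpack_le) and the comparison with big-endian packing are all constructed here for illustration.

```ruby
# Added example (not from the book or the Metasploit project): what
# [target['Ret']].pack('V') does to a 32-bit address, and how a 'Targets'
# table in the shape of a Metasploit module maps a name to its 'Ret'.

# Constructed targets table in the same shape as a module's 'Targets'
# block; the address is the SHELL32.DLL value quoted in the text.
TARGETS = [
  [ 'Windows XP SP2 - EN', { 'Ret' => 0x7d17dd13 } ],
]

# Look up the 'Ret' value for a named target, mirroring target['Ret'].
def ret_for(name, targets = TARGETS)
  entry = targets.find { |t| t[0] == name }
  raise ArgumentError, "no such target: #{name}" unless entry
  entry[1]['Ret']
end

# Pack a 32-bit address little-endian (Ruby's 'V' directive): the byte
# order an x86 CPU expects when it loads a saved return address into EIP.
def pack_le(addr)
  [addr].pack('V')
end

# Pack the same value big-endian ('N') so the byte reversal is visible.
def pack_be(addr)
  [addr].pack('N')
end

# Render a binary string as the \xNN escapes seen in exploit source.
def hexescape(bytes)
  bytes.bytes.map { |b| format('\\x%02x', b) }.join
end

# Recover the integer address from a little-endian byte string.
def unpack_le(bytes)
  bytes.unpack1('V')
end

if __FILE__ == $PROGRAM_NAME
  ret = ret_for('Windows XP SP2 - EN')
  puts format('Ret           = 0x%08x', ret)
  puts "little-endian = #{hexescape(pack_le(ret))}"   # \x13\xdd\x17\x7d
  puts "big-endian    = #{hexescape(pack_be(ret))}"   # \x7d\x17\xdd\x13
end
```

Run it with ruby to see the two byte orders side by side; the little-endian rendering is the one that belongs in the buffer, which is why the text has you emit pack('V') rather than typing the escapes by hand for each target.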