Chapter 15

    sock.put(sploit + "\r\n")

    handler
    disconnect
  end

end

You’ve just completed your first port of a buffer overflow exploit to Metasploit!

SEH Overwrite Exploit

In our next example, we’ll convert a Structured Exception Handler (SEH) 
overwrite exploit for Quick TFTP Pro 2.1 to Metasploit. SEH overwrites occur 
when you overwrite the pointer to the application’s exception handler. In this 
particular exploit, the application triggers an exception, and when it arrives 
at the pointer over which you have control, you can direct execution flow to 
your shellcode. The exploit itself is a bit more complex than a simple buffer 
overflow, but it’s very elegant. In an SEH overwrite, we attempt to bypass the 
handler that tries to close an application gracefully when a major error or 
crash occurs.

In the balance of this chapter, we’ll use the POP-POP-RETN technique 
to allow us to access our attacker-controlled memory space and gain full 
code execution. The POP-POP-RETN technique is commonly used to try to 
get around the SEH and execute our own code. The first POP in assembly 
pulls a memory address from the stack, essentially removing one memory 
address instruction. The second POP also pulls a memory address from the 
stack. The RETN returns us to a user-controlled area of the code, where we 
can begin executing our memory instructions. 

NOTE

To learn more about SEH overwrites, see 
http://www.exploit-db.com/download_pdf/10195/.
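The SEH overwrite described above is delivered to Quick TFTP Pro over plain TFTP (RFC 1350), where a read or write request carries a NUL-terminated filename and transfer mode. On the defensive side, the simplest way to notice such a request before it reaches a vulnerable server is to parse the first datagram of each session and flag fields that no legitimate client would send. The following parser and classifier is an added example written for this page; it is not code from the book, from Metasploit, or from the Quick TFTP Pro exploit. The size limit `MAX_FILENAME`, the function names, and the sample datagrams are all constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag oversized or malformed TFTP read/write requests (RFC 1350).

Added example, not code from the book or from the Quick TFTP Pro exploit.
It parses the first packet of a TFTP session and reports requests whose
filename or mode field is abnormally long or contains bytes that a
legitimate client would never send. MAX_FILENAME is an assumption chosen
for illustration; tune it to the paths your TFTP clients actually request.
"""
import struct

OPCODES = {1: "RRQ", 2: "WRQ"}
KNOWN_MODES = {b"netascii", b"octet", b"mail"}
MAX_FILENAME = 255  # assumption: longest path a sane client would request


def parse_request(datagram: bytes) -> dict:
    """Split a TFTP RRQ/WRQ datagram into opcode, filename and mode.

    Raises ValueError when the packet is not a well-formed request so the
    caller can treat it as suspicious rather than silently skipping it.
    """
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TFTP request")
    (opcode,) = struct.unpack("!H", datagram[:2])
    if opcode not in OPCODES:
        raise ValueError(f"opcode {opcode} is not RRQ/WRQ")
    fields = datagram[2:].split(b"\x00")
    # A well-formed request is: filename NUL mode NUL, so split() yields
    # [filename, mode, b""]; RFC 2347 options after the mode are tolerated.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("missing NUL terminator on filename or mode")
    return {"opcode": OPCODES[opcode], "filename": fields[0], "mode": fields[1]}


def classify(datagram: bytes) -> list:
    """Return the reasons a request looks hostile (empty list if benign)."""
    try:
        req = parse_request(datagram)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    reasons = []
    name = req["filename"]
    if len(name) > MAX_FILENAME:
        reasons.append(f"filename length {len(name)} exceeds {MAX_FILENAME}")
    if any(b < 0x20 or b > 0x7E for b in name):
        reasons.append("filename contains non-printable bytes")
    if req["mode"].lower() not in KNOWN_MODES:
        reasons.append(f"unknown transfer mode {req['mode']!r}")
    return reasons


# Constructed sample datagrams (not captured traffic).
BENIGN_RRQ = b"\x00\x01" + b"boot/pxelinux.0" + b"\x00" + b"octet" + b"\x00"
# A filename padded far past any realistic path length and carrying bytes
# outside the printable range, which is how a crash-style request looks
# on the wire regardless of which field the target later mishandles.
SUSPECT_WRQ = (b"\x00\x02" + b"A" * 1000 + b"\xff" * 4 + b"\x00"
               + b"netascii" + b"\x00")
TRUNCATED = b"\x00\x02" + b"A" * 20  # no NUL terminators at all


if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN_RRQ), ("suspect", SUSPECT_WRQ),
                       ("truncated", TRUNCATED)]:
        print(label, classify(pkt) or "ok")
```

Feeding the classifier the UDP payload of each new TFTP session (port 69 by default) from a packet capture or an IDS hook gives a cheap, protocol-aware signal: an oversized or binary-laden filename field is abnormal on its own, independent of any particular server product or exploit.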

The Quick TFTP Pro 2.1 exploit was written by Muts. You can find the code 
for the complete exploit as well as the application at 
http://www.exploit-db.com/exploits/5315/. We’ve stripped down the exploit here to make it simpler to port 
into Metasploit—for example, we’ve stripped out the payload. The remaining 
skeleton has all of the information we’ll need to use the exploit in Metasploit.

#!/usr/bin/python
# Quick TFTP Pro 2.1 SEH Overflow (0day)
# Tested on Windows XP SP2. 
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/quick-tftp-poc.py.txt
#########################################################
import socket
import sys