Chapter 15
    sock.put(sploit + "\r\n")
    handler
    disconnect
  end
end
You’ve just completed your first port of a buffer overflow exploit to
Metasploit!
SEH Overwrite Exploit
In our next example, we'll convert a Structured Exception Handler (SEH) overwrite exploit for Quick TFTP Pro 2.1 to Metasploit. An SEH overwrite occurs when you overwrite the pointer to the application's exception handler. In this particular exploit, the application triggers an exception, and when the exception dispatcher arrives at the pointer you control, you can direct execution flow to your shellcode. The exploit itself is a bit more complex than a simple buffer overflow, but it's very elegant. In an SEH overwrite, we attempt to bypass the handler that tries to close an application gracefully when a major error or crash occurs.
In the balance of this chapter, we'll use the POP-POP-RETN technique to reach our attacker-controlled memory space and gain full code execution. The POP-POP-RETN technique is commonly used to get around the SEH and execute our own code. The first POP pulls a value (a memory address) off the top of the stack, discarding it. The second POP pulls the next address off the stack in the same way. The RETN then pops the address that is now on top of the stack and returns to it, which lands us in a user-controlled area, where we can begin executing our own instructions.
NOTE To learn more about SEH overwrites, see http://www.exploit-db.com/download_pdf/10195/.
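The stack mechanics described above, as an added example that is not part of the book or of Muts' exploit: a toy Python model of the stack as the Windows x86 exception dispatcher leaves it when it calls a registered handler, and of what POP, POP, RETN does to it. The stack pointer, return address and record addresses are constructed values chosen only for the illustration.

```python
# Added example (not from the book): a toy 32-bit stack model that shows
# why a POP-POP-RETN gadget lands execution on the overwritten SEH record.
# Every address below is constructed for the illustration.

class StackMachine:
    """Minimal x86-style stack: memory is a dict of 4-byte words keyed by address."""

    def __init__(self, esp):
        self.mem = {}
        self.esp = esp
        self.eip = None

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value & 0xFFFFFFFF

    def pop(self):
        value = self.mem[self.esp]
        self.esp += 4
        return value

    def retn(self):
        # RETN pops the word on top of the stack and transfers control to it.
        self.eip = self.pop()


def pop_pop_retn(machine):
    """Execute the three-instruction gadget POP reg; POP reg; RETN and return EIP."""
    machine.pop()   # discard the return address into the exception dispatcher
    machine.pop()   # discard the pointer to the EXCEPTION_RECORD
    machine.retn()  # load EIP from the third slot: the establisher frame
    return machine.eip


def simulate_seh_dispatch(seh_record_addr):
    """Lay out the stack the way the dispatcher does when it calls a handler,
    then run the gadget and return where execution lands.

    At handler entry the stack holds, top first: the return address, a pointer
    to the exception record, a pointer to the establisher frame (the SEH record
    itself, i.e. the overwritten nSEH/SEH pair), the context record and the
    dispatcher context.
    """
    m = StackMachine(esp=0x0012FF00)   # constructed initial stack pointer
    # Arguments are pushed right to left, so the return address ends up on top.
    m.push(0x0012FE00)       # dispatcher context (constructed)
    m.push(0x0012FC00)       # context record (constructed)
    m.push(seh_record_addr)  # establisher frame == address of the SEH record
    m.push(0x0012FB00)       # exception record (constructed)
    m.push(0x7C90EB00)       # return address into the dispatcher (constructed)
    return pop_pop_retn(m)


if __name__ == "__main__":
    record = 0x0012FF80  # constructed address of the overwritten SEH record
    landing = simulate_seh_dispatch(record)
    print(f"gadget returns to {landing:#010x}; SEH record starts at {record:#010x}")
```

Running the model shows that after the two POPs the RETN lands exactly at the start of the SEH record, the first four bytes of which (the nSEH slot) are under the attacker's control; this is also why SafeSEH and SEHOP validate the handler pointer and the registration chain before dispatching.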
The Quick TFTP Pro 2.1 exploit was written by Muts. You can find the code for the complete exploit as well as the application at http://www.exploit-db.com/exploits/5315/. We've stripped down the exploit here to make it simpler to port into Metasploit—for example, we've stripped out the payload. The remaining skeleton has all of the information we'll need to use the exploit in Metasploit.
#!/usr/bin/python
# Quick TFTP Pro 2.1 SEH Overflow (0day)
# Tested on Windows XP SP2.
# Coded by Mati Aharoni
# muts..at..offensive-security.com
# http://www.offensive-security.com/0day/quick-tftp-poc.py.txt
#########################################################
import socket
import sys