Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics | Corelan Team

Source: https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ (printed 2/14/2017, 18 pages)

Published August 12, 2009 | Corelan Team (corelanc0d3r) [1]

In the first parts of the exploit writing tutorial, I have discussed some common vulnerabilities that can lead to 2 types of exploits: stack based buffer overflows (with direct EIP overwrite), and stack based buffer overflows that take advantage of SEH chains. In my examples, I have used perl to demonstrate how to build a working exploit.

Obviously, writing exploits is not limited to perl only. I guess every programming language could be used to write exploits, so you can just pick the one that you are most familiar with (python, c, c++, C#, etc).

Despite the fact that these custom written exploits will work just fine, it may be nice to be able to include your own exploits in the metasploit framework in order to take advantage of some of the unique metasploit features.

So today, I'm going to explain how exploits can be written as a metasploit module.

Metasploit modules are written in ruby. Even if you don't know a lot about ruby, you should still be able to write a metasploit exploit module based on this tutorial and the existing exploits available in metasploit.

Metasploit exploit module structure

A typical metasploit exploit module consists of the following components:

- header and some dependencies
- some comments about the exploit module
- require 'msf/core'
- class definition
- includes
- "def" definitions:
  - initialize
  - check (optional)
  - exploit

You can put comments in your metasploit module by using the # character.

That's all we need to know for now, let's look at the steps to build a metasploit exploit module.

Case study : building an exploit for a simple vulnerable server

We'll use the following vulnerable server code (C) to demonstrate the building process:

/* Note: keywords, type names, string literals and the three header names were
   lost when this page was extracted; they are restored here. The header
   names and the sockaddr variable name "sin" are assumed, as the code needs
   them to compile. The unbounded strcpy() in pr() is the intended bug. */
#include <stdio.h>
#include <string.h>
#include <winsock2.h>
#include <windows.h>
//load windows socket
#pragma comment(lib, "wsock32.lib")
//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0

void pr(char *str)
{
  char buf[500] = "";
  strcpy(buf, str);   // no length check: str may be up to 5000 bytes
}

void sError(char *str)
{
  MessageBox(NULL, str, "socket Error", MB_OK);
  WSACleanup();
}

int main(int argc, char **argv)
{
  WORD sockVersion;
  WSADATA wsaData;
  int rVal;
  char Message[5000] = "";
  char buf[2000] = "";
  u_short LocalPort;
  LocalPort = 200;

  //wsock32 initialized for usage
  sockVersion = MAKEWORD(1, 1);
  WSAStartup(sockVersion, &wsaData);

  //create server socket
  SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
  if (serverSocket == INVALID_SOCKET)
  {
    sError("Failed socket()");
    return SS_ERROR;
  }

  SOCKADDR_IN sin;
  sin.sin_family = PF_INET;
  sin.sin_port = htons(LocalPort);
  sin.sin_addr.s_addr = INADDR_ANY;

  //bind the socket
  rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
  if (rVal == SOCKET_ERROR)
  {
    sError("Failed bind()");
    WSACleanup();
    return SS_ERROR;
  }

  //get socket to listen
  rVal = listen(serverSocket, 10);
  if (rVal == SOCKET_ERROR)
  {
    sError("Failed listen()");
    WSACleanup();
    return SS_ERROR;
  }

  //wait for a client to connect
  SOCKET clientSocket;
  clientSocket = accept(serverSocket, NULL, NULL);
  if (clientSocket == INVALID_SOCKET)
  {
    sError("Failed accept()");
    WSACleanup();
    return SS_ERROR;
  }

  int bytesRecv = SOCKET_ERROR;
  while (bytesRecv == SOCKET_ERROR)
  {
    //receive the data that is being sent by the client, max limit 5000 bytes
    bytesRecv = recv(clientSocket, Message, 5000, 0);
    if (bytesRecv == 0 || bytesRecv == WSAECONNRESET)
    {
      printf("\nConnection Closed.\n");
      break;
    }
  }

  //Pass the data received to the function pr
  pr(Message);

  //close client socket
  closesocket(clientSocket);
  //close server socket
  closesocket(serverSocket);
  WSACleanup();
  return SS_OK;
}

Compile the code and run it on a Windows 2003 server R2 with SP2. (I have used lcc-win32 to compile the code)

When you send 1000 bytes to the server, the server will crash. The following perl script demonstrates the crash :
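The crash comes from pr() copying whatever recv() handed it into a 500-byte stack buffer with strcpy(). As an added example (not code from the Corelan tutorial), here is a bounds-checked pr() next to a model of the server's 5000-byte receive limit; the names pr_checked, fits_in_pr_buffer and handle_message are mine, and the 'A'-filled messages are constructed test input:

```c
/* Added example: a bounds-checked replacement for the page's pr().
 * Assumes the same buffer size (500) and receive limit (5000). */
#include <stdio.h>
#include <string.h>

#define PR_BUF_SIZE 500   /* size of buf[] in the original pr() */
#define MAX_MESSAGE 5000  /* recv() limit in the original main() */

/* The original strcpy(buf, str) stops only at a NUL byte and ignores the
 * 500-byte limit, and recv() never NUL-terminates Message, so a 1000-byte
 * message runs past the end of buf and crashes the server. */

/* Returns 1 if a message of n bytes fits in pr()'s buffer with its NUL. */
int fits_in_pr_buffer(size_t n)
{
    return n < PR_BUF_SIZE;
}

/* Hardened pr(): copies at most len bytes, always NUL-terminates, and
 * returns the number of bytes kept (-1 if the message was rejected). */
int pr_checked(const char *data, size_t len, char *out, size_t outsz)
{
    if (outsz == 0)
        return -1;
    if (!fits_in_pr_buffer(len) || len >= outsz)
        return -1;              /* refuse rather than truncate silently */
    memcpy(out, data, len);     /* bounded by len, not by a NUL in data */
    out[len] = '\0';
    return (int)len;
}

/* Models the server's receive path on a constructed message of n 'A's. */
int handle_message(size_t n)
{
    char message[MAX_MESSAGE];
    char buf[PR_BUF_SIZE];
    if (n > MAX_MESSAGE)
        n = MAX_MESSAGE;        /* recv() never returns more than 5000 */
    memset(message, 'A', n);    /* constructed input, not from the page */
    return pr_checked(message, n, buf, sizeof buf);
}

int main(void)
{
    printf("200 bytes  -> %d\n", handle_message(200));   /* 200 */
    printf("1000 bytes -> %d\n", handle_message(1000));  /* -1 */
    return 0;
}
```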