Channel: Brundle's Laboratory » python

Don't exploit… metasploit!


Some weeks ago I attended the *excellent* Digital Magic workshop, which was offered as part of the BackTrack Day 0x7DA.

In this course KMDave taught the basics of exploit development (Ret, SEH) to an enthusiastic audience ;)

One of the exercises involved identifying a SEH overwrite and of course, writing an exploit for it ;)

For this purpose, KMDave provided some kind of “crackme” or example program called ServerSEH.exe. The idea is pretty simple: it spawns a TCP listening socket and copies the received string into a fixed-length buffer. Sound familiar? ;)

Yes, the problem resides in a call to the vulnerable function strcpy(). The only peculiarity in this case is that the vulnerable call is contained inside a try{} catch{} structure, that is, the function which contains the strcpy() call was compiled with exception handlers, so the handler record sits on the same stack that the overflow overwrites. I won’t explain the technical details behind SEH exploits; for that you have the awesome Corelan tutorials.
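To make the bug class concrete from the defender's side, here is an added example (not code from the post or from ServerSEH.exe, whose internals are not shown) of the unbounded strcpy() pattern described above next to a bounded version that rejects oversized input. The buffer size, function names and the 200-byte request are constructed assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_LEN 64   /* constructed fixed-length buffer, as in the post's description */

/* Vulnerable pattern: strcpy() stops only at the terminating NUL, so a
 * received string longer than BUF_LEN runs past 'buf' into the rest of
 * the stack frame (saved registers, return address, and any exception
 * handler record registered by the enclosing try/catch). */
int handle_request_unsafe(const char *received)
{
    char buf[BUF_LEN];
    strcpy(buf, received);          /* no length check: the bug */
    return (int)strlen(buf);
}

/* Hardened form: the copy is bounded by the destination size and input
 * that does not fit is rejected explicitly instead of being truncated
 * or spilling over. */
int handle_request_safe(const char *received, size_t received_len)
{
    char buf[BUF_LEN];
    if (received_len >= sizeof buf) {
        return -1;                  /* too long for the buffer: reject */
    }
    memcpy(buf, received, received_len);
    buf[received_len] = '\0';       /* always NUL-terminate */
    return (int)strlen(buf);
}

/* Constructed oversized request (200 bytes) fed only to the bounded
 * handler, so the check itself cannot corrupt the stack. Returns -1. */
int check_oversize_rejected(void)
{
    char big[201];
    memset(big, 'A', 200);
    big[200] = '\0';
    return handle_request_safe(big, 200);
}

int main(void)
{
    printf("short request, unsafe handler: %d\n", handle_request_unsafe("hello"));
    printf("short request, safe handler:   %d\n", handle_request_safe("hello", 5));
    printf("oversized request, safe handler: %d\n", check_oversize_rejected());
    return 0;
}
```

The length check is the fix at the source level; on Windows the remaining defence in depth for this bug class is to build with /GS (stack cookies) and /SAFESEH and to run with DEP enabled, all of which target exactly the SEH overwrite technique the workshop exercise demonstrates.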

Once at home I decided to recreate the exploit on my Windows XP SP3 (EN) test machine. After programming it (you know, once you've done one, they all look the same :)) I decided it would be cool to go from my small, rigid python script (dm_seh.py (zip)) to a full-blown metasploit module (dm_seh.rb (zip)).

Just copy the ruby script to “/pentest/exploits/framework3/modules/exploits/windows/misc/” and you're ready to go! :)

As we can see, one of the first advantages of using metasploit is the ability to set the target dynamically. In the python script, the IP/port and so on are hardcoded into the shellcode :(

Not only that, but we can also select one of the many msf payloads on the fly (and it will be encoded to avoid the bad characters defined in the module).

In particular we can use the *meterpreter* baby…

And here you are, the power of the framework in your hands!

Wow! How neat is that? I’ll tell you… Very :)
