Metasploit mailing list archives

Porting exploit to win2k3 sp2


From: jerome.athias at free.fr (Jerome Athias)
Date: Fri, 27 Jul 2007 17:27:11 +0200

Konrads Smelkovs wrote:
Hello,

I found a useful exploit in the framework - 3cdaemon_ftp_user.rb.
However, it has the jumpcodes(?) only for nt/2k/xp and I need it for
win2k3 sp2. How can I port it? Perhaps somebody has already done so?
-- 
Konrads Smelkovs
Applied IT sorcery.

Hi Konrads,

The jumpcodes (called "opcodes" in the Metasploit family) have to be
modified.
In fact, you have to add a new line, as a new target, in the exploit
module code.

To retrieve an opcode for your target, you have to:

1) Search one in the msfopcodes database
http://www.metasploit.com/opcode_database.html

or here:
https://www.securinfos.info/international-opcodes/index.php
(not updated actually :-/)

or
2) Run one of these tools on it (or on a clone, meaning: same OS, locale,
SP and, if possible, the same level of patches installed; assuming all are
installed is a good way):
* msfpescan (used with memdump.exe)
You can find an overview of msfpescan here:
The Metasploit website! Always THE place to find information about the MSF.
The Metasploit Framework's book: 
http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit#Finding_a_return_address
hxxp://www.securityfocus.com/infocus/1800

or:
* findjmp2 by class101
https://www.securinfos.info/outils-securite-hacking/Findjmp2.zip
* eereap by eEye

Good luck!
/JA
Jerome Athias, Founder https://www.securinfos.info

PS1: you will probably also have to change the offset and/or deal with the new
protection mechanisms introduced in Windows 2003 (DEP...)
PS2: I have written an article for Hakin9 about how to write exploit
modules for the MSF v3. It should be available in the coming months (in
both US and French versions)
PS3: is copyrighted by Sony

Non-profit spam: retrieve the top killer coding ninja monkeys at 
VNSECON07, http://conf.vnsecurity.net/

Tags:
How to modify a Metasploit exploit module
How to retrieve a return address (opcode) for a Windows exploit
How to add a target in a Metasploit Framework exploit module
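Added example (not part of Jerome's reply and not code from the Metasploit project): a small Ruby script that checks the return addresses of an MSF3-style target table against an image, offline, the way a reviewer would before committing a new target line. The target table follows the shape MSF3 modules use ([name, { 'Ret' => address }]); the base address, the image bytes, the opcode offsets and every 'Ret' value are constructed for this demo, and find_opcodes / verify_targets are helper names chosen here, not MSF API. On a real Windows 2003 SP2 box the image and addresses would come from memdump/msfpescan as described above.

```ruby
# Added example (not from the original post or the Metasploit project): check the
# return addresses in an MSF3-style target table before committing a new target
# line. It does offline what msfpescan does on a real image: look for the opcode
# sequences a return address can point at and report where they are.
# The image bytes, base address and every Ret value below are constructed for
# this demo; real ones come from memdump/msfpescan on the Windows 2003 SP2 box.

# Two-byte opcode sequences msfpescan reports for "jmp esp"-style returns.
OPCODES = {
  'jmp esp'       => [0xFF, 0xE4].pack('C*'),
  'call esp'      => [0xFF, 0xD4].pack('C*'),
  'push esp; ret' => [0x54, 0xC3].pack('C*'),
}.freeze

# Scan an image loaded at `base` and return [[address, name], ...], sorted by
# address, for every occurrence of the sequences above.
def find_opcodes(image, base)
  hits = []
  OPCODES.each do |name, bytes|
    off = 0
    while (off = image.index(bytes, off))
      hits << [base + off, name]
      off += 1
    end
  end
  hits.sort_by(&:first)
end

# A return address containing a 0x00 byte is usually unusable in a string-based
# overflow (the copy stops at the NUL), so flag it even if the opcode is right.
def address_has_nul?(addr)
  [addr].pack('V').bytes.include?(0)
end

# Check each target's 'Ret' against the image; returns [[name, ret, status], ...].
def verify_targets(targets, image, base)
  found = find_opcodes(image, base).to_h
  targets.map do |name, opts|
    ret = opts['Ret']
    status =
      if !found.key?(ret)         then 'no usable opcode at Ret'
      elsif address_has_nul?(ret) then "#{found[ret]} found, but address contains a NUL byte"
      else                             "ok (#{found[ret]})"
      end
    [name, ret, status]
  end
end

# Constructed "image": filler with three opcode sequences at offsets 0x10, 0x20
# and 0x100 (the last one lands on an address with a NUL byte on purpose).
BASE  = 0x77AB1000
IMAGE = ([0x90] * 16 + [0xFF, 0xE4] + [0xCC] * 14 + [0x54, 0xC3] +
         [0x90] * 222 + [0xFF, 0xD4]).pack('C*')

# Target table in the shape MSF3 modules use: [name, { 'Ret' => address }].
# Names and addresses are constructed placeholders.
TARGETS = [
  ['Windows 2000 SP4 (constructed)',             { 'Ret' => 0x77AB1010 }],
  ['Windows 2003 SP2 (constructed candidate)',   { 'Ret' => 0x77AB1020 }],
  ['Windows 2003 SP2 (candidate with NUL byte)', { 'Ret' => 0x77AB1100 }],
  ['Windows XP SP2 (stale address)',             { 'Ret' => 0x77AB1030 }],
]

if $PROGRAM_NAME == __FILE__
  verify_targets(TARGETS, IMAGE, BASE).each do |name, ret, status|
    printf("%-46s 0x%08x  %s\n", name, ret, status)
  end
end
```

Run it with ruby and each target line is reported as ok, stale (no opcode at that address any more) or unusable because of a NUL byte. Note the caveat from PS1 above: on Windows 2003 SP2 with DEP, a correct opcode is not enough, the address must also sit in a page the system treats as executable, and a byte scan like this one does not check that.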
