Advanced Ethical Hacking Institute in Pune
Coding Exploit Targets in your Metasploit Module
Exploits define a list of targets that includes a name, number, and options. Targets are specified by number when launched.
Sample Target Code for an Exploit Module:
'Targets' =>
  [
    # Windows 2000 - TARGET = 0
    [
      'Windows 2000 English',
      {
        'Rets' => [ 0x773242e0 ],
      },
    ],
    # Windows XP - TARGET = 1
    [
      'Windows XP English',
      {
        'Rets' => [ 0x7449bf1a ],
      },
    ],
  ],
'DefaultTarget' => 0))
Target Options Block
The options block within the target section is nearly free-form, although there are some special option names:
- 'Ret' is shortcut as target.ret()
- 'Payload' overloads the exploit's info block
Options are where you store target data. For example:
- The return address for a Windows 2000 target
- 500 bytes of padding that need to be added for Windows XP targets
- A Windows Vista NX bypass address
Accessing Target Information
The 'target' object inside the exploit is the user's selected target, and it is accessed in the exploit as a hash:
- target['padcount']
- target['Rets'][0]
- target['Payload']['BadChars']
- target['opnum']
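The following is an added example, not code from the original page or from the Metasploit project: a stand-alone Ruby model of how a 'Targets' array is declared, how a target is selected by number, and how its options block is read as a hash. The Target class, select_target and validate_targets are assumptions written for this example that mimic the framework's behaviour in plain Ruby; the Windows Vista address and the 'padcount'/'Payload' values are constructed sample data, not addresses from any real binary.

```ruby
# Added example, not Metasploit's own code. Models the target list, target
# selection and option access described on this page in plain Ruby.

# Target definitions in the shape the page shows. The first two addresses are
# the page's own; the Vista entry is CONSTRUCTED sample data for illustration.
TARGETS = [
  # Windows 2000 - TARGET = 0
  ['Windows 2000 English', { 'Rets' => [0x773242e0] }],
  # Windows XP - TARGET = 1 (needs 500 bytes of padding)
  ['Windows XP English',   { 'Rets' => [0x7449bf1a], 'padcount' => 500 }],
  # Windows Vista - TARGET = 2 (constructed; its Payload block overloads BadChars)
  ['Windows Vista NX Bypass',
   { 'Ret' => 0x41414141, 'Payload' => { 'BadChars' => "\x00\x0a\x0d" } }],
].freeze

DEFAULT_TARGET = 0

# Module-level payload info that a target's 'Payload' block may override.
MODULE_PAYLOAD = { 'BadChars' => "\x00", 'Space' => 1024 }.freeze

# Wraps one [name, opts] pair: options are reached with target['key'] and the
# special 'Ret' option through the target.ret shortcut, as the page describes.
class Target
  attr_reader :name, :opts

  def initialize(name, opts)
    @name = name
    @opts = opts
  end

  def [](key)
    @opts[key]
  end

  # 'Ret' is the shortcut; fall back to the first entry of 'Rets' when only
  # the list form is given.
  def ret
    @opts['Ret'] || (@opts['Rets'] && @opts['Rets'][0])
  end

  # Payload options declared on the target take precedence over the module's.
  def payload_info(module_info)
    module_info.merge(@opts['Payload'] || {})
  end
end

# Targets are specified by number when the exploit is launched.
def select_target(targets, index = DEFAULT_TARGET)
  unless index.between?(0, targets.size - 1)
    raise ArgumentError, "no target with index #{index}"
  end
  Target.new(*targets[index])
end

# Consistency checks a module author wants before shipping: every target must
# supply a usable return address and DefaultTarget must point at a real entry.
def validate_targets(targets, default)
  problems = []
  unless default.between?(0, targets.size - 1)
    problems << "DefaultTarget #{default} out of range"
  end
  targets.each_with_index do |(name, opts), i|
    if Target.new(name, opts).ret.nil?
      problems << "target #{i} (#{name}) has neither 'Ret' nor 'Rets'"
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  t = select_target(TARGETS, 1)
  puts "#{t.name}: ret=0x#{t.ret.to_s(16)} padcount=#{t['padcount']}"
  p select_target(TARGETS, 2).payload_info(MODULE_PAYLOAD)
  p validate_targets(TARGETS + [['Broken', {}]], DEFAULT_TARGET)
end
```

Running the script prints the XP target's return address and padding, shows the Vista target's BadChars replacing the module-level value while 'Space' is inherited, and reports the deliberately broken fourth target that has no return address.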
Adding and Fixing Exploit Targets
Sometimes you need new targets because a particular language pack changes addresses, a different version of the software is available, or the addresses are shifted due to hooks. Adding a new target only requires 3 steps:
- Determine the type of return address you require. This could be a simple 'jmp esp', a jump to a specific register, or a 'pop/pop/ret'. Comments in the exploit code can help you determine what is required.
- Obtain a copy of the target binaries.
- Use msfpescan to locate a suitable return address.
Getting a Return Address with msfpescan
If the exploit code doesn't explicitly tell you what type of return address is required but does at least tell you the DLL name that the existing return address comes from, you can work out the type yourself. Consider the following example, which provides a return address for a Windows 2000 SP0-SP4 target.

'Windows 2000 SP0-SP4',
  {
    'Ret' => 0x767a38f6, # umpnpmgr.dll
  }

To find out what type of return address the exploit currently uses, we just need to find a copy of umpnpmgr.dll from a Windows 2000 machine and run msfpescan with the provided address to determine the return type. In the example below, we can see that this exploit requires a pop/pop/ret.

root@kali:~# msfpescan -D -a 0x767a38f6 win2000sp4.umpnpmgr.dll
[win200sp4.umpnpmgr.dll]
0x767a38f6 5f5ec3558bec6aff68003c7a7668e427
00000000  5F          pop edi
00000001  5E          pop esi
00000002  C3          ret
00000003  55          push ebp
00000004  8BEC        mov ebp,esp
00000006  6AFF        push byte -0x1
00000008  68003C7A76  push 0x767a3c00
0000000D  68          db 0x68
0000000E  E427        in al,0x27
Now, we just need to grab a copy of the target dll and use msfpescan to find a usable pop/pop/ret address for us.
root@kali:~# msfpescan -p targetos.umpnpmgr.dll
[targetos.umpnpmgr.dll]
0x79001567 pop eax; pop esi; ret
0x79011e0b pop eax; pop esi; retn 0x0008
0x79012749 pop esi; pop ebp; retn 0x0010
0x7901285c pop edi; pop esi; retn 0x0004
Now that we’ve found a suitable return address, we add our new target to the exploit.
'Windows 2000 SP0-SP4 Russian Language',
  {
    'Ret' => 0x7901285c, # umpnpmgr.dll
  }
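As an added example that is not part of the original page or of the Metasploit project, the helper below reads the kind of `msfpescan -p` listing shown above and reports which candidate pop/pop/ret addresses a module author can actually use for the new target. It adds two checks the walkthrough does not show: whether the little-endian bytes of each address collide with the module's BadChars (the target['Payload']['BadChars'] option from earlier on the page), and how many stack bytes each gadget's `retn` discards, which the existing `pop edi; pop esi; ret` gadget does not do. parse_pescan, usable? and candidate_report are assumptions written for this example; the sample listing is the page's own output embedded as a string.

```ruby
# Added example, not Metasploit's own code. Parses an `msfpescan -p` listing
# and filters the candidate return addresses against the module's BadChars.

# The page's own msfpescan output, embedded here as constructed sample input.
SAMPLE_PESCAN = <<~OUT
  [targetos.umpnpmgr.dll]
  0x79001567 pop eax; pop esi; ret
  0x79011e0b pop eax; pop esi; retn 0x0008
  0x79012749 pop esi; pop ebp; retn 0x0010
  0x7901285c pop edi; pop esi; retn 0x0004
OUT

# One gadget: its address, its instructions, and the number of extra stack
# bytes a "retn 0xNNNN" discards (0 for a plain "ret").
Gadget = Struct.new(:address, :insns, :stack_adjust)

# Each result line looks like "<hex address> <insn; insn; ret[n 0xNNNN]>";
# the "[file.dll]" header and anything else is skipped.
def parse_pescan(text)
  text.each_line.map do |line|
    m = line.match(/\A\s*0x([0-9a-f]+)\s+(.+?)\s*\z/i)
    next unless m
    insns = m[2].split(';').map(&:strip)
    retn = insns.last.match(/\Aretn\s+0x([0-9a-f]+)\z/i)
    Gadget.new(m[1].to_i(16), insns, retn ? retn[1].to_i(16) : 0)
  end.compact
end

# The address bytes as they will sit in the buffer (little-endian, x86).
def address_bytes(addr)
  [addr].pack('V')
end

# An address is usable only if none of its four bytes is a bad character;
# msfpescan itself does not know the module's BadChars, so this is the check
# the author has to do by hand otherwise.
def usable?(gadget, badchars)
  (address_bytes(gadget.address).bytes & badchars.bytes).empty?
end

# Number of pops before the return; a pop/pop/ret needs exactly two.
def pop_count(gadget)
  gadget.insns.count { |i| i.start_with?('pop ') }
end

# Summarise every candidate so the author can pick one consciously.
def candidate_report(text, badchars: "\x00")
  parse_pescan(text).map do |g|
    {
      address: format('0x%08x', g.address),
      gadget: g.insns.join('; '),
      pops: pop_count(g),
      stack_adjust: g.stack_adjust,
      usable: usable?(g, badchars) && pop_count(g) == 2
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  candidate_report(SAMPLE_PESCAN, badchars: "\x00\x0a\x0d").each do |r|
    puts format('%-10s %-32s pops=%d retn+%d usable=%s',
                r[:address], r[:gadget], r[:pops], r[:stack_adjust], r[:usable])
  end
end
```

With the page's listing, 0x79001567 is rejected because its second-highest byte is 0x00, while the other three pass a NUL-only BadChars filter; passing a BadChars string that includes 0x5c shows how the page's chosen 0x7901285c would itself become unusable for a module that forbids the backslash byte. The stack_adjust column makes the difference between the original plain `ret` and the candidates' `retn` visible.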