The options block within the target section is nearly free-form, although there are some special option names:
‘Ret’ can be accessed through the shortcut target.ret()
‘Payload’ overrides the payload settings in the exploit's info block
Options are where you store target data. For example:
The return address for a Windows 2000 target
The 500 bytes of padding that Windows XP targets need
A Windows Vista NX bypass address
Accessing Target Information
The ‘target’ object inside the exploit is the user's selected target and is accessed in the exploit as a hash.
Adding and Fixing Exploit Targets
Sometimes you need new targets because a particular language pack changes addresses, a different version of the software is available, or the addresses are shifted due to hooks. Adding a new target requires only three steps:
1. Determine the type of return address you require. This could be a simple ‘jmp esp’, a jump to a specific register, or a ‘pop/pop/ret’. Comments in the exploit code can help you determine what is required.
2. Obtain a copy of the target binaries.
3. Use msfpescan to locate a suitable return address.
[Figure: msfpescan help file]
Getting a Return Address with msfpescan
If the exploit code doesn’t explicitly state what type of return address is required, but does name the DLL used by the existing target, you can work out what type of return address you are looking for. Consider the following example, which provides a return address for a Windows 2000 SP0-SP4 target.
To find out what type of return address the exploit currently uses, we just need to obtain a copy of umpnpmgr.dll from a Windows 2000 machine and run msfpescan with the provided address to determine the return type. In the example below, we can see that this exploit requires a pop/pop/ret.
root@kali:~# msfpescan -D -a 0x767a38f6 umpnpmgr.dll
00000000 5F pop edi
00000001 5E pop esi
00000002 C3 ret
00000003 55 push ebp
00000004 8BEC mov ebp,esp
00000006 6AFF push byte -0x1
00000008 68003C7A76 push 0x767a3c00
0000000D 68 db 0x68
0000000E E427 in al,0x27
Now, we just need to grab a copy of the target dll and use msfpescan to find a usable pop/pop/ret address for us.
root@kali:~# msfpescan -p umpnpmgr.dll
0x79001567 pop eax; pop esi; ret
0x79011e0b pop eax; pop esi; retn 0x0008
0x79012749 pop esi; pop ebp; retn 0x0010
0x7901285c pop edi; pop esi; retn 0x0004
Now that we’ve found a suitable return address, we add our new target to the exploit.
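Both msfpescan steps above (classifying the bytes at an existing return address, then searching for new pop/pop/ret sequences) come down to simple byte-pattern matching over the module's code. The following Ruby, an added example and not part of Metasploit Unleashed or msfpescan, reproduces that logic over a constructed byte blob mapped at a made-up base address; a real PE would additionally need its section headers parsed to translate file offsets into virtual addresses.

```ruby
# Constructed sample, not a real module: a few bytes mapped at a made-up base.
SAMPLE_BASE  = 0x10000000
SAMPLE_BYTES = "\x90\x90\x58\x5E\xC3\x55\x8B\xEC\x5E\x5D\xC2\x10\x00\xFF\xE4\x90".b

# x86 register order shared by the one-byte pop (0x58+r), jmp reg (FF E0+r)
# and call reg (FF D0+r) encodings.
REGS = %w[eax ecx edx ebx esp ebp esi edi].freeze

# Returns the register popped by a one-byte pop opcode, or nil.
def pop_reg(b)
  REGS[b - 0x58] if b && (0x58..0x5F).cover?(b)
end

# Equivalent of "msfpescan -D -a <addr>": report what kind of return
# sequence lives at the given virtual address.
def disasm_at(bytes, base, addr)
  off = addr - base
  return 'out of range' if off < 0 || off + 1 >= bytes.bytesize
  b0, b1, b2 = bytes.getbyte(off), bytes.getbyte(off + 1), bytes.getbyte(off + 2)
  if pop_reg(b0) && pop_reg(b1) && (b2 == 0xC3 || b2 == 0xC2)
    'pop/pop/ret'
  elsif b0 == 0xFF && (0xE0..0xE7).cover?(b1)
    "jmp #{REGS[b1 - 0xE0]}"
  elsif b0 == 0xFF && (0xD0..0xD7).cover?(b1)
    "call #{REGS[b1 - 0xD0]}"
  else
    'unknown'
  end
end

# Equivalent of "msfpescan -p": every pop reg; pop reg; ret / retn imm16,
# returned as [virtual_address, disassembly] pairs.
def find_pop_pop_ret(bytes, base)
  hits = []
  (0...bytes.bytesize - 2).each do |i|
    r1 = pop_reg(bytes.getbyte(i))
    r2 = pop_reg(bytes.getbyte(i + 1))
    next unless r1 && r2
    case bytes.getbyte(i + 2)
    when 0xC3
      hits << [base + i, "pop #{r1}; pop #{r2}; ret"]
    when 0xC2
      next unless i + 4 < bytes.bytesize # retn needs its 16-bit immediate
      imm = bytes.getbyte(i + 3) | (bytes.getbyte(i + 4) << 8)
      hits << [base + i, format('pop %s; pop %s; retn 0x%04x', r1, r2, imm)]
    end
  end
  hits
end

if __FILE__ == $PROGRAM_NAME
  puts disasm_at(SAMPLE_BYTES, SAMPLE_BASE, SAMPLE_BASE + 2)
  find_pop_pop_ret(SAMPLE_BYTES, SAMPLE_BASE).each { |a, t| puts format('0x%08x %s', a, t) }
end
```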