Metasploit mailing list archives

findrecv payloads


From: hdm at metasploit.com (H D Moore)
Date: Tue, 18 Jan 2005 21:30:01 -0600


On Tuesday 18 January 2005 21:12, eip wrote:
Regardless of which win32 exploit I use I can't use any of the findrecv
payloads. I was interested in testing this through NAT. Are there only
some exploits that can use these payloads?

There are a few reasons for this:

1. The findrecv payloads use the new ordinal stager; this stager requires 
the stack pointer to be somewhat sane before it executes. Right now we 
manually test each exploit to make sure that it is compatible and then 
add the +ws2ord key if it is, or add a Prepend/PrependEncoder stub to fix 
the stack if it is not. There are still a handful of win32 exploits that 
we have not had a chance to test with the ordinal stager, so they have 
neither a stack-fixing prepend nor the +ws2ord key set.

2. The findrecv payloads work by reading data off the socket and comparing 
the beginning of this data with what we call the 'tag'. If the exploit 
module sends more data than the target service reads during the exploit 
request, then subsequent reads will result in the rest of the data 
queued on the socket being read instead of the tag. To make an exploit 
compatible with findrecv, you have to know exactly how many bytes the 
remote side reads and make sure that your code only sends that amount. We 
had to tweak the samba exploits quite a bit to work around this 
requirement. Additionally, since findrecv payloads inherit 
FindConnection, the exploit must have the +findsock key set to enable 
findrecv payloads. 

3. The reason behind the +findsock key is that quite a few vulns result in 
code execution outside of the process which actually owns the socket. A 
good example of this is IIS and ISAPI exploits: the dllhost.exe process 
is what you control, and without crazy ECB tricks you can't gain access to 
the original socket. 

So for one or more of the above reasons, none of the *tested* win32 
exploits included with version 2.3 were compatible with the win32 
findrecv payloads. We didn't have a chance to test them all, so if you 
are feeling brave, feel free to add Keys => ['+ws2ord', '+findsock'] to 
the Payloads => { } section of an exploit module and give it a shot. If 
you get results either way, send an email to msfdev[at]metasploit.com and 
let us know. Thanks :-)

-HD
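As an added illustration of point 2 in the message above (not code from the thread or from Metasploit itself), the following Python model uses a local socket pair to show why a request longer than what the service actually consumes leaves bytes queued ahead of the tag; the TAG value and byte counts are constructed, and the "service" is simply a reader that stops after a fixed number of bytes.

```python
import socket

# Constructed stand-in for the stager's 'tag' (not the real Metasploit value)
TAG = b"MSF!"


def recv_exact(sock, n):
    """Read exactly n bytes; recv() may legitimately return short reads."""
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            break
        buf += part
    return buf


def simulate_findrecv(request, service_reads, tag=TAG):
    """Model of the failure mode described in point 2.

    The vulnerable service consumes only `service_reads` bytes of the
    exploit request before the payload starts reading from the *same*
    socket looking for `tag`.  Anything the service did not read stays
    queued in the kernel and is what the payload sees first.
    Returns (tag_matched, bytes_the_payload_saw_first).
    """
    client, server = socket.socketpair()
    try:
        client.sendall(request)               # the exploit request
        recv_exact(server, service_reads)     # service parses its share only
        client.sendall(tag)                   # framework then sends the tag
        seen = recv_exact(server, len(tag))   # payload compares these bytes
        return seen == tag, seen
    finally:
        client.close()
        server.close()


def trimmed_request(request, service_reads):
    """The remedy the message describes: send only what the remote side reads."""
    return request[:service_reads]


if __name__ == "__main__":
    # Exact-size request: the tag is the next thing on the wire.
    print(simulate_findrecv(b"A" * 64, 64))   # (True, b'MSF!')
    # Six surplus bytes: the payload reads leftovers instead of the tag.
    print(simulate_findrecv(b"A" * 70, 64))   # (False, b'AAAA')
    print(simulate_findrecv(trimmed_request(b"A" * 70, 64), 64))
```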




