Metasploit mailing list archives
findrecv payloads
From: hdm at metasploit.com (H D Moore)
Date: Tue, 18 Jan 2005 21:30:01 -0600
On Tuesday 18 January 2005 21:12, eip wrote:
Regardless of which win32 exploit I use I can't use any of the findrecv payloads. I was interested in testing this through NAT. Are there only some exploits that can use these payloads?
There are a few reasons for this:

1. The findrecv payloads use the new ordinal stager. This stager requires the stack pointer to be somewhat sane before it executes. Right now we manually test each exploit to make sure that it is compatible and then add the +ws2ord key if it is, or add a Prepend/PrependEncoder stub to fix the stack if it is not. There are still a handful of win32 exploits that we have not had a chance to test with the ordinal stager, so they have neither a stack-fixing prepend nor the +ws2ord key set.

2. The findrecv payloads work by reading data off the socket and comparing the beginning of this data with what we call the 'tag'. If the exploit module sends more data than the target service reads during the exploit request, then subsequent reads will result in the rest of the data queued on the socket being read instead of the tag. To make an exploit compatible with findrecv, you have to know exactly how many bytes the remote side reads and make sure that your code only sends that amount. We had to tweak the samba exploits quite a bit to work around this requirement. Additionally, since findrecv payloads inherit FindConnection, the exploit must have the +findsock key set to enable findrecv payloads.

3. The reason behind the +findsock key is that quite a few vulns result in code execution outside of the process which actually owns the socket. A good example of this is IIS and ISAPI exploits: the dllhost.exe process is what you control, and without crazy ECB tricks you can't gain access to the original socket.

So for one or more of the above reasons, none of the *tested* win32 exploits included with version 2.3 were compatible with the win32 findrecv payloads. We didn't have a chance to test them all, so if you are feeling brave, feel free to add Keys => ['+ws2ord', '+findsock'] to the Payloads => { } section of an exploit module and give it a shot. If you get results either way, send an email to msfdev[at]metasploit.com and let us know.

Thanks :-)

-HD
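The second point above (leftover request bytes queued on the socket are read in place of the tag) is easy to reproduce locally. The following is an added example, not code from this thread or from Metasploit: it models the vulnerable service as a fixed-size read on one end of a socketpair, then runs a findrecv-style probe that scans candidate sockets, reads len(tag) bytes from the first one that has data, and compares them with the tag. The 4-byte TAG value and STAGE2 payload are made-up stand-ins, and the "unrelated" idle socket stands for the other handles a real stager would iterate over.

```python
import socket

# Constructed values for the demonstration. The real findrecv stager uses its
# own tag and second stage; these are only stand-ins.
TAG = b"msf!"
STAGE2 = b"<second stage would follow here>"


def recv_exact(sock, n):
    """Model the target service: consume exactly n bytes of the request.

    Whatever the exploit sent beyond n bytes is left queued on the socket,
    which is precisely the condition that breaks findrecv.
    """
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def findrecv_probe(sock, tag):
    """Model one iteration of the stager: read len(tag) bytes from a handle.

    A socket with nothing queued yields None, mirroring a stager that moves
    on to the next handle instead of blocking there.
    """
    sock.setblocking(False)
    try:
        return sock.recv(len(tag))
    except BlockingIOError:
        return None
    finally:
        sock.setblocking(True)


def simulate(request, service_read_len, tag=TAG):
    """Run exploit request -> service read -> tag send -> stager probe.

    Returns (tag_found, bytes_the_stager_actually_saw). `request` must be at
    least service_read_len bytes long, as a real service would otherwise keep
    waiting for the rest of its request.
    """
    attacker, victim = socket.socketpair()
    idle_a, idle_b = socket.socketpair()  # an unrelated socket in the process
    try:
        # 1. The exploit module sends its request (possibly oversized).
        attacker.sendall(request)
        # 2. The service reads a fixed amount, then control passes to the
        #    stager; any surplus stays in the socket's receive queue.
        recv_exact(victim, service_read_len)
        # 3. The exploit now sends the tag followed by the second stage.
        attacker.sendall(tag + STAGE2)
        # 4. The stager walks candidate handles and compares the first bytes
        #    it reads against the tag.
        for candidate in (idle_b, victim):
            data = findrecv_probe(candidate, tag)
            if data is None:
                continue
            return data == tag, data
        return False, b""
    finally:
        for s in (attacker, victim, idle_a, idle_b):
            s.close()


if __name__ == "__main__":
    # Exploit sends exactly what the service reads: the stager sees the tag.
    print(simulate(b"A" * 64, 64))
    # Exploit sends 12 bytes too many: the stager reads leftover request
    # bytes ("BBBB") instead of the tag and never finds the connection.
    print(simulate(b"A" * 64 + b"BBBB" + b"C" * 8, 64))
```

The fix HD describes is visible in the model: trimming the request down to the number of bytes the service actually consumes is the only thing that makes the second call succeed, since the stager has no way to tell leftover request data from the tag.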
Current thread:
- findrecv payloads eip (Jan 18)
- findrecv payloads H D Moore (Jan 18)
- findrecv payloads class 101 (Jan 19)