Metasploit mailing list archives
Exploit::Remote::HttpClient and stages
From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 9 Mar 2007 09:51:52 -0800
On Fri, Mar 09, 2007 at 10:24:29AM +0100, Olivier Dembour wrote:
Hi, I've seen that pipelining is not yet finished on msf 3, so I don't know if the feature I'm looking for is to be implemented ... I'd like to use the Exploit::Remote::HttpClient class to develop an exploit (buffer overflow), but there are two problems:
- the socket is shut down after the request
- send_request_raw() tries to get the reply, but the server has already been overflowed (there is no reply)
I think the best way to handle this is twofold:

1) We can add an option that you can pass to send_request_raw that will let you toggle pipelining. This should prevent the connection from being closed. This support isn't necessary if you don't read a response, since the socket is only closed after a response is read (unless the server closes it).

2) You can specify the timeout window to wait for the reply. We can add support so that if you specify a timeout of zero, it won't wait for a response. Alternatively, we could just add a wrapper to the HTTP mixin that lets you send a request without waiting for a response.

Just make sure that you call handler after you trigger the bug. This will grab the socket used by the global HTTP client connection and try to use that to stage the payload over. Let us know if you run into problems with this, since findsock payloads have thus far not been used all that much.

HD, what do you think?