Metasploit mailing list archives

VNC payload problems


From: andres.riancho at gmail.com (Andres Riancho)
Date: Tue, 25 Sep 2007 23:47:29 -0300

This is getting stranger... I'm using a "strace for windows" (from bindview)
to debug the .exe file that has the first stage of the reverse vnc and this
is what I see:

...
...<some syscalls>
776 932 724 NtUserRegisterWindowMessage ("WinVNC.Update.DrawRect", ... ) == 0xc0b8
777 932 724 NtUserRegisterWindowMessage ("WinVNC.Update.CopyRect", ... ) == 0xc0b9
778 932 724 NtUserRegisterWindowMessage ("WinVNC.Update.Mouse", ... ) == 0xc0ba
779 932 724 NtAllocateVirtualMemory (-1, 7946240, 0, 4096, 4096, 4, ... 7946240, 4096, ) == 0x0
780 932 724 NtUserRegisterWindowMessage ("WinVNC.Properties.User.Show", ... ) == 0xc0bb
781 932 724 NtUserRegisterWindowMessage ("WinVNC.Properties.Default.Show", ... ) == 0xc0bc
782 932 724 NtUserRegisterWindowMessage ("WinVNC.AboutBox.Show", ... ) == 0xc0bd
783 932 724 NtUserRegisterWindowMessage ("WinVNC.ServiceHelper.Message", ... ) == 0xc0be
784 932 724 NtUserRegisterWindowMessage ("WinVNC.AddClient.Message", ... ) == 0xc0bf
785 932 724 NtUserRegisterWindowMessage ("WinVNC.RemoveClients.Message", ... ) == 0xc0c0
786 932 724 NtUserGetProcessWindowStation (... ) == 0x48
...
...<some more syscalls>
...
885 932 724 NtDelayExecution (0, {-10000000, -1}, ... ) == 0x0
886 932 724 NtUserFindWindowEx (0, 0, 0x0, "Metasploit Courtesy Shell (TM)", 0, ... ) == 0xbc013a
887 932 724 NtUserSetWindowPos (12321082, -1, 0, 0, 0, 0, 3, ... ) == 0x1
888 932 724 NtRequestWaitReplyPort (36, {24, 48, new_msg, 0, 452608, 1853182464, 1735289198, 2011287552} "\0\0\0\0\14\0\1\00\350\6\0#\1\1\0\0\1\0\0\0\0\0\0" ... {24, 48, reply, 0, 932, 724, 43030, 0} "\0\0\0\0\14\0\1\0\0\0\0\0#\1\1\0\0\1\0\0\0\0\0\0" ) == 0x0
889 932 724 NtCreateSemaphore (0x1f0003, 0x0, 0, 2147483647, ... 124, ) == 0x0
890 932 724 NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) == STATUS_INVALID_PARAMETER_4
891 932 724 NtRaiseException (452544, 451800, 1, ...

And there it dies with an exception that isn't handled. As I said in my
first email, the first stage is successfully connecting back, downloading
the second stage and executing it (at least some sections of it), but it
seems that one of the last syscalls (the NtAllocateVirtualMemory just after
starting the "Metasploit Courtesy Shell (TM)") is raising an exception. Do
you guys know what the problem might be?

Complete syscall log available to anyone who wants it.

Thanks!

On 9/25/07, Patrick Webster <patrick at aushack.com> wrote:

Hi,

I have also experienced the same issue - sometimes the vuln process
restarts itself because of the VNC upload.

On 26/09/2007, Andres Riancho <andres.riancho at gmail.com> wrote:

"what happens when the connection is closed.", what do you mean by
this?


See thread

http://www.metasploit.com/archive/framework/msg02686.html.

-Patrick




-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
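The trace above ends with an NtAllocateVirtualMemory call that returns STATUS_INVALID_PARAMETER_4 immediately before NtRaiseException. The following script is an added example (not code from the thread, w3af or Metasploit) of how to pull that fact out of a log of this shape automatically: it parses "seq pid tid Syscall (args) == result" lines, finds the last failing call before an NtRaiseException, and for NtAllocateVirtualMemory maps STATUS_INVALID_PARAMETER_n onto the call's documented parameter order (ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect) and expands the MEM_* and PAGE_* flag values. The sample log lines are constructed for this example from the trace quoted in the post, with the mail wrapping undone; the line format is assumed to be exactly as the post shows it, and the argument splitting is deliberately crude (a comma inside a quoted string would confuse it).

```python
import re
from typing import Optional

# Log lines constructed for this example. They reproduce the shape of the
# "strace for windows" output quoted in the post (one call per line):
#   "<seq> <pid> <tid> <syscall> (<args>) == <result>"
SAMPLE_LOG = """\
779 932 724 NtAllocateVirtualMemory (-1, 7946240, 0, 4096, 4096, 4, ... 7946240, 4096, ) == 0x0
885 932 724 NtDelayExecution (0, {-10000000, -1}, ... ) == 0x0
886 932 724 NtUserFindWindowEx (0, 0, 0x0, "Metasploit Courtesy Shell (TM)", 0, ... ) == 0xbc013a
889 932 724 NtCreateSemaphore (0x1f0003, 0x0, 0, 2147483647, ... 124, ) == 0x0
890 932 724 NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) == STATUS_INVALID_PARAMETER_4
891 932 724 NtRaiseException (452544, 451800, 1, ...
"""

# Assumed line format (see the lead-in). The "== result" part is optional so
# that a truncated final line such as the NtRaiseException one still parses.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<name>Nt\w+)\s*\("
    r"(?P<args>.*?)(?:\s*\)\s*==\s*(?P<ret>\S+))?$"
)

# Documented parameter order of NtAllocateVirtualMemory.
# STATUS_INVALID_PARAMETER_n names the n-th (1-based) parameter of the call.
NT_ALLOC_PARAMS = ("ProcessHandle", "BaseAddress", "ZeroBits",
                   "RegionSize", "AllocationType", "Protect")

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
                0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}


def parse_log(text: str) -> list:
    """Parse every syscall line; elision lines ("...") are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["seq"] = int(d["seq"])
        # Crude split: good enough for numeric arguments, not for quoted commas.
        d["args"] = [a.strip() for a in d["args"].split(",") if a.strip()]
        calls.append(d)
    return calls


def _to_int(tok: str) -> Optional[int]:
    try:
        return int(tok, 0)          # accepts decimal, 0x.. and negative values
    except ValueError:
        return None


def decode_alloc(call: dict) -> dict:
    """Name the first six NtAllocateVirtualMemory arguments and expand the flags."""
    values = [_to_int(t) for t in call["args"][:len(NT_ALLOC_PARAMS)]]
    named = dict(zip(NT_ALLOC_PARAMS, values))
    alloc_type = named.get("AllocationType") or 0
    named["AllocationTypeFlags"] = [n for bit, n in MEM_FLAGS.items() if alloc_type & bit]
    named["ProtectName"] = PAGE_PROTECT.get(named.get("Protect"), "unknown")
    return named


def failing_call_before_exception(calls: list) -> Optional[dict]:
    """Return the call immediately before NtRaiseException if it failed."""
    for i, c in enumerate(calls):
        if c["name"] == "NtRaiseException" and i > 0:
            prev = calls[i - 1]
            if prev["ret"] and prev["ret"].startswith("STATUS_"):
                return prev
    return None


def bad_parameter(call: dict) -> Optional[str]:
    """Map STATUS_INVALID_PARAMETER_n to a parameter name for known signatures."""
    m = re.fullmatch(r"STATUS_INVALID_PARAMETER_(\d+)", call.get("ret") or "")
    if not m or call["name"] != "NtAllocateVirtualMemory":
        return None
    n = int(m.group(1))
    return NT_ALLOC_PARAMS[n - 1] if 1 <= n <= len(NT_ALLOC_PARAMS) else None


def diagnose(text: str) -> Optional[str]:
    """One-line summary of the failing call, or None if nothing failed before the exception."""
    bad = failing_call_before_exception(parse_log(text))
    if bad is None:
        return None
    msg = f"seq {bad['seq']}: {bad['name']} returned {bad['ret']}"
    param = bad_parameter(bad)
    if param:
        dec = decode_alloc(bad)
        msg += (f"; parameter {param}={dec[param]} "
                f"(AllocationType={'|'.join(dec['AllocationTypeFlags']) or '0'}, "
                f"Protect={dec['ProtectName']})")
    return msg


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample log this reports that sequence 890 is an NtAllocateVirtualMemory with RegionSize=0, AllocationType=MEM_RESERVE and Protect=PAGE_READWRITE that returned STATUS_INVALID_PARAMETER_4; the script only decodes the arguments as logged and does not claim to know why the second stage passed those values.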