Metasploit mailing list archives
VNC payload problems
From: andres.riancho at gmail.com (Andres Riancho)
Date: Tue, 25 Sep 2007 23:47:29 -0300
This is getting stranger... I'm using a "strace for windows" (from bindview) to debug the .exe file that has the first stage of the reverse vnc and this is what I see:

...
...<some syscalls>
776 932 724 NtUserRegisterWindowMessage ("WinVNC.Update.DrawRect", ... ) == 0xc0b8
777 932 724 NtUserRegisterWindowMessage ("WinVNC.Update.CopyRect", ... ) == 0xc0b9
778 932 724 NtUserRegisterWindowMessage ("WinVNC.Update.Mouse", ... ) == 0xc0ba
779 932 724 NtAllocateVirtualMemory (-1, 7946240, 0, 4096, 4096, 4, ... 7946240, 4096, ) == 0x0
780 932 724 NtUserRegisterWindowMessage ("WinVNC.Properties.User.Show", ... ) == 0xc0bb
781 932 724 NtUserRegisterWindowMessage ("WinVNC.Properties.Default.Show", ... ) == 0xc0bc
782 932 724 NtUserRegisterWindowMessage ("WinVNC.AboutBox.Show", ... ) == 0xc0bd
783 932 724 NtUserRegisterWindowMessage ("WinVNC.ServiceHelper.Message", ... ) == 0xc0be
784 932 724 NtUserRegisterWindowMessage ("WinVNC.AddClient.Message", ... ) == 0xc0bf
785 932 724 NtUserRegisterWindowMessage ("WinVNC.RemoveClients.Message", ... ) == 0xc0c0
786 932 724 NtUserGetProcessWindowStation (... ) == 0x48
...
...<some more syscalls>
...
885 932 724 NtDelayExecution (0, {-10000000, -1}, ... ) == 0x0
886 932 724 NtUserFindWindowEx (0, 0, 0x0, "Metasploit Courtesy Shell (TM)", 0, ... ) == 0xbc013a
887 932 724 NtUserSetWindowPos (12321082, -1, 0, 0, 0, 0, 3, ... ) == 0x1
888 932 724 NtRequestWaitReplyPort (36, {24, 48, new_msg, 0, 452608, 1853182464, 1735289198, 2011287552} "\0\0\0\0\14\0\1\00\350\6\0#\1\1\0\0\1\0\0\0\0\0\0" ... {24, 48, reply, 0, 932, 724, 43030, 0} "\0\0\0\0\14\0\1\0\0\0\0\0#\1\1\0\0\1\0\0\0\0\0\0" ) == 0x0
889 932 724 NtCreateSemaphore (0x1f0003, 0x0, 0, 2147483647, ... 124, ) == 0x0
890 932 724 NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) == STATUS_INVALID_PARAMETER_4
891 932 724 NtRaiseException (452544, 451800, 1, ...

And there it dies with an exception that ain't handled.
As I said in my first email, the first stage is successfully connecting back, downloading the second stage and executing it (at least some sections of it), but it seems that one of the last syscalls (the NtAllocateVirtualMemory just after starting the "Metasploit Courtesy Shell (TM)") is raising an exception. Do you guys know what the problem might be? Complete syscall log available to anyone who wants it.

Thanks!

On 9/25/07, Patrick Webster <patrick at aushack.com> wrote:
> Hi,
>
> I have also experienced the same issue - sometimes the vuln process restarts itself because of the VNC upload.
>
> On 26/09/2007, Andres Riancho <andres.riancho at gmail.com> wrote:
> > "what happens when the connection is closed.", what do you mean with this?
>
> See thread http://www.metasploit.com/archive/framework/msg02686.html.
>
> -Patrick
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
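To triage a trace like the one above, here is a small parser added as an example; it is not part of the post, of the bindview tracer or of Metasploit. It reads the tracer's "<seq> <pid> <tid> Name (inputs ... outputs) == ret" lines (the format is inferred from the output in the post, and it is assumed that the value printed for BaseAddress and RegionSize is the pointed-to value), finds the nearest failing syscall before NtRaiseException and, for NtAllocateVirtualMemory, names the argument that STATUS_INVALID_PARAMETER_n points at, counting n from 1 over the documented prototype (ProcessHandle, BaseAddress, ZeroBits, RegionSize, AllocationType, Protect). The MEM_* and PAGE_* constants are the documented Windows values; the sample lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Trace lines copied from the post above (the "strace for windows" output).
# The subset is enough to show the failing allocation and the exception that follows it.
SAMPLE_TRACE = r"""
779 932 724 NtAllocateVirtualMemory (-1, 7946240, 0, 4096, 4096, 4, ... 7946240, 4096, ) == 0x0
885 932 724 NtDelayExecution (0, {-10000000, -1}, ... ) == 0x0
886 932 724 NtUserFindWindowEx (0, 0, 0x0, "Metasploit Courtesy Shell (TM)", 0, ... ) == 0xbc013a
889 932 724 NtCreateSemaphore (0x1f0003, 0x0, 0, 2147483647, ... 124, ) == 0x0
890 932 724 NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) == STATUS_INVALID_PARAMETER_4
891 932 724 NtRaiseException (452544, 451800, 1, ...
"""

# NtAllocateVirtualMemory parameters in declaration order; STATUS_INVALID_PARAMETER_n
# names the n-th one (1-based).
NT_ALLOC_PARAMS = ["ProcessHandle", "BaseAddress", "ZeroBits",
                   "RegionSize", "AllocationType", "Protect"]
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}

# "<seq> <pid> <tid> <Name> (<args>" and, when the line is complete, ") == <ret>" at the end.
# The line format is an assumption taken from the post's output.
HEAD_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s*\((.*)$")
RET_RE = re.compile(r"\)\s*==\s*(\S+)\s*$")


@dataclass
class Syscall:
    seq: int
    pid: int
    tid: int
    name: str
    inputs: list            # arguments printed before the "..." separator
    outputs: list           # values the tracer printed after it (out-parameters)
    ret: Optional[str]      # None when the trace line is cut off (no "== value")

    @property
    def failed(self) -> bool:
        # This tracer prints failing NTSTATUS values symbolically, as STATUS_...
        return self.ret is not None and self.ret.startswith("STATUS_")


def split_args(text: str) -> list:
    """Split on top-level commas, keeping quoted strings and {...} structs intact."""
    out, buf, depth, in_str, i = [], [], 0, False, 0
    while i < len(text):
        c = text[i]
        if in_str:
            buf.append(c)
            if c == "\\" and i + 1 < len(text):   # keep escape pairs such as \0 together
                i += 1
                buf.append(text[i])
            elif c == '"':
                in_str = False
        elif c == "," and depth == 0:
            out.append("".join(buf).strip())
            buf = []
        else:
            in_str = c == '"'
            depth += (c in "{(") - (c in "})")
            buf.append(c)
        i += 1
    tail = "".join(buf).strip()
    return out + [tail] if tail else out


def parse_line(line: str) -> Optional[Syscall]:
    m = HEAD_RE.match(line)
    if not m:
        return None
    seq, pid, tid, name, rest = m.groups()
    ret = None
    r = RET_RE.search(rest)
    if r:
        ret, rest = r.group(1), rest[:r.start()]
    inputs, _, outputs = rest.partition("...")
    return Syscall(int(seq), int(pid), int(tid), name,
                   split_args(inputs), split_args(outputs), ret)


def parse_trace(text: str) -> list:
    return [s for s in map(parse_line, text.splitlines()) if s]


def explain_alloc(call: Syscall) -> dict:
    """Name the arguments of an NtAllocateVirtualMemory call and, on
    STATUS_INVALID_PARAMETER_n, say which argument n refers to."""
    args = dict(zip(NT_ALLOC_PARAMS, call.inputs))
    alloc = int(args["AllocationType"], 0)
    m = re.fullmatch(r"STATUS_INVALID_PARAMETER_(\d+)", call.ret or "")
    return {
        "RegionSize": args.get("RegionSize"),
        "AllocationType": "|".join(n for b, n in MEM_FLAGS.items() if alloc & b) or hex(alloc),
        "Protect": PAGE_PROTECT.get(int(args["Protect"], 0), args["Protect"]),
        "bad_param": NT_ALLOC_PARAMS[int(m.group(1)) - 1] if m else None,
    }


def suspect_before_exception(calls: list) -> Optional[Syscall]:
    """Nearest failing syscall before the first NtRaiseException, or None."""
    for i, c in enumerate(calls):
        if c.name == "NtRaiseException":
            return next((p for p in reversed(calls[:i]) if p.failed), None)
    return None


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    bad = suspect_before_exception(calls)
    if bad is not None:
        print(f"seq {bad.seq}: {bad.name} -> {bad.ret}")
        if bad.name == "NtAllocateVirtualMemory":
            print(explain_alloc(bad))
```

Run against the sample, the script points at seq 890: a MEM_RESERVE / PAGE_READWRITE request whose fourth parameter, RegionSize, is 0, which is why the kernel answers STATUS_INVALID_PARAMETER_4; the earlier call at seq 779 is a normal MEM_COMMIT of 4096 bytes. Whether the zero size comes from the second stage's own code or from state the first stage left behind is not something the trace alone can tell, so the parser stops at naming the failing argument.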