Metasploit mailing list archives
VNC payload problems
From: andres.riancho at gmail.com (Andres Riancho)
Date: Wed, 26 Sep 2007 10:56:22 -0300
hdm,

On 9/26/07, H D Moore <hdm at metasploit.com> wrote:
> Cross-referencing that with the source: http://metasploit.com/svn/framework3/trunk/external/source/vncdll/winvnc/winvnc/winvnc.cpp

Thanks for this reference, I'll read some sections of the code.

> We see that SetWindowPos() is the last call we do that relates to the Metasploit modifications to the VNC server. IOW, I have no idea, but it looks like something is wrong with the process heap or the transferred DLLs' content.

It seems that the problem is here:

"NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) == STATUS_INVALID_PARAMETER_4"

The parameter with the issue is number 4; if we check the syscall reference available at http://metasploit.com/users/opcode/syscalls.html we see this:

NtAllocateVirtualMemory(
    IN HANDLE ProcessHandle,
    IN OUT PVOID *BaseAddress,
    IN ULONG ZeroBits,
    IN OUT PULONG AllocationSize,
    IN ULONG AllocationType,
    IN ULONG Protect
);

So it seems that the payload is (at some point) requesting virtual memory of size 0 ... odd stuff... going to debug...

> -HD
>
> On Tuesday 25 September 2007 21:47, Andres Riancho wrote:
> > 885 932 724 NtDelayExecution (0, {-10000000, -1}, ... ) == 0x0
> > 886 932 724 NtUserFindWindowEx (0, 0, 0x0, "Metasploit Courtesy Shell (TM)", 0, ... ) == 0xbc013a
> > 887 932 724 NtUserSetWindowPos (12321082, -1, 0, 0, 0, 0, 3, ... ) == 0x1
> > 888 932 724 NtRequestWaitReplyPort (36, {24, 48, new_msg, 0, 452608, 1853182464, 1735289198, 2011287552} "\0\0\0\0\14\0\1\00\350\6\0#\1\1\0\0\1\0\0\0\0\0\0" ... {24, 48, reply, 0, 932, 724, 43030, 0} "\0\0\0\0\14\0\1\0\0\0\0\0#\1\1\0\0\1\0\0\0\0\0\0" ) == 0x0
> > 889 932 724 NtCreateSemaphore (0x1f0003, 0x0, 0, 2147483647, ... 124, ) == 0x0
> > 890 932 724 NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) == STATUS_INVALID_PARAMETER_4
> > 891 932 724 NtRaiseException (452544, 451800, 1, ...
> >
> > And there it dies with an exception that ain't handled. As I said in my first email, the first stage is successfully connecting back, downloading the second stage and executing it (at least some sections of it), but it seems that one of the last syscalls (the NtAllocateVirtualMemory just after starting the "Metasploit Courtesy Shell (TM)") is raising an exception. Do you guys know what the problem might be?
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
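A small decoder for trace lines of the shape quoted in this thread, added here as an example (it is not code from the thread or from Metasploit): it maps a STATUS_INVALID_PARAMETER_n status back to the n-th parameter of the quoted NtAllocateVirtualMemory prototype and reports the value that was traced for it. The trace-line format and the "P-prefixed typedef means pointer" heuristic are assumptions.

```python
import re

# Prototype as quoted from the syscall reference on the page; the order is
# what STATUS_INVALID_PARAMETER_n (1-based) indexes into.
PROTOTYPES = {
    "NtAllocateVirtualMemory": [
        ("HANDLE", "ProcessHandle"), ("PVOID *", "BaseAddress"),
        ("ULONG", "ZeroBits"), ("PULONG", "AllocationSize"),
        ("ULONG", "AllocationType"), ("ULONG", "Protect"),
    ],
}

# Assumed trace-line shape, taken from the thread: "<Nt...> (<args>, ... ) == <status>"
TRACE_RE = re.compile(r"(Nt\w+)\s*\((.*?)(?:,\s*\.\.\.)?\s*\)\s*==\s*(\S+)")
STATUS_RE = re.compile(r"STATUS_INVALID_PARAMETER_(\d+)")

def is_pointer_type(ctype):
    # NT naming convention (assumed): an explicit '*' or a P-prefixed typedef (PULONG, PVOID).
    return ctype.endswith("*") or ctype.startswith("P")

def decode_trace_line(line):
    """Map a STATUS_INVALID_PARAMETER_n failure back to the offending argument.
    Returns a dict (syscall, 1-based index, type, name, traced value, whether a
    pointer parameter was passed as 0) or None if the line is not such a failure."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    name, args, status = m.groups()
    s = STATUS_RE.fullmatch(status)
    if s is None or name not in PROTOTYPES:
        return None
    idx = int(s.group(1))
    params = PROTOTYPES[name]
    values = [a.strip() for a in args.split(",")]
    if not 1 <= idx <= min(len(params), len(values)):
        return None
    ctype, pname = params[idx - 1]
    value = values[idx - 1]
    return {
        "syscall": name, "param_index": idx, "type": ctype, "name": pname,
        "value": value,
        "null_pointer": is_pointer_type(ctype) and value in ("0", "0x0"),
    }

# The failing line quoted in the thread; decode_trace_line(SAMPLE) reports
# parameter 4, AllocationSize (PULONG), traced as 0, i.e. a NULL pointer.
SAMPLE = "890 932 724 NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) == STATUS_INVALID_PARAMETER_4"
```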