Metasploit mailing list archives

Meterpreter will not run on Windows 7 RC


From: stephen_fewer at harmonysecurity.com (Stephen Fewer)
Date: Tue, 19 May 2009 11:03:04 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

From some early testing I have found that there are several problems
with running any metasploit shellcode on Windows 7 RC1 compared to
earlier versions (Vista, 2003, XP, ...). When testing a simple payload
win32_single_exec I came across the following:

* Getting the kernel32.dll's base address is broken in the current
shellcode implementation due to Windows 7 loading kernelbase.dll before
kernel32.dll (due to Windows 7 using the new MinWin kernel structure[1]).
There is a quick fix[2] but it is not backwards compatible, so a generic
fix is needed :)

* After getting kernel32's base address, parsing the kernel32 export
address table seems broken too, it gets parsed backwards and seems to
always fail on the last entry (which is the first one parsed). I have
yet to look into why this is happening.

These two problems seem to be present in most if not all the current
win32 shellcodes AFAIK.

With regard to using Reflective Dll Injection, it works after the fix
for getting the kernel32 base address is applied but when used as a
payload the stager used (e.g. reverse_tcp) would need to be fixed also.

Anyone else experiencing shellcode failing/succeeding on win7rc1 too?

Regards, Steve.

[1] http://www.windows-now.com/blogs/robert/mark-russinovich-explains-minwin-once-and-for-all.aspx

[2] http://pastebin.com/f5d372f02



Carlos Perez wrote:
Hi Guys

I have tried all versions of meterpreter using msfpayload to
generate an exe and run it in Windows 7 and have had no luck whatsoever
in getting it to run. The version of Windows 7 is the latest RC in x86.
Any ideas?

Cheers,
Carlos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkoSg9gACgkQQIrmi1YdFr5Q4ACfVMFRBvSz1YDvJhwLuohZ1rsY
d38An3HTridD4MaHc7HDQW7iLzK6lhnK
=9+I1
-----END PGP SIGNATURE-----
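Below is an added example, not code from the post or from Metasploit, that models in portable C (no Windows headers) the generic fix the post asks for: instead of taking kernel32.dll from a fixed slot in the PEB module list, hash each module's BaseDllName and each export name and compare against a combined module+function hash, walking the export name table forwards rather than backwards. The hash arithmetic is the ror13 scheme Metasploit's x86 block_api stub later settled on (UTF-16 module name hashed for MaximumLength bytes with lower case folded to upper, ASCII export name hashed with its terminator), so it reproduces that stub's published constant 0x0726774C for kernel32.dll!LoadLibraryA. The module list, the export tables and the exe name are constructed test data, not a real PEB or EAT; the ordering with kernelbase.dll ahead of kernel32.dll is the one the post describes.

```c
/* Portable model of hash-based kernel32/export lookup for x86 shellcode.
 * Only the hash arithmetic and the walk order are the real technique; the
 * module list and export names below are constructed test data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static uint32_t ror13(uint32_t v) { return (v >> 13) | (v << 19); }

/* Hash of LDR_DATA_TABLE_ENTRY.BaseDllName as the stub sees it: the UTF-16LE
 * buffer, MaximumLength bytes long (so the two NUL bytes of the terminator are
 * hashed too), with lower-case ASCII folded to upper case. The name is given
 * here as ASCII and widened on the fly. */
static uint32_t module_hash(const char *ascii_name)
{
    uint32_t h = 0;
    size_t code_units = strlen(ascii_name) + 1;     /* characters + terminator */
    for (size_t i = 0; i < code_units; i++) {
        uint8_t lo = (uint8_t)ascii_name[i];         /* low byte of the code unit */
        if (lo >= 'a')
            lo -= 0x20;                               /* same fold the asm applies */
        h = ror13(h) + lo;
        h = ror13(h);                                 /* high byte of the code unit is 0 */
    }
    return h;
}

/* Hash of one entry of the EAT's AddressOfNames: ASCII bytes, NUL included. */
static uint32_t function_hash(const char *name)
{
    uint32_t h = 0;
    const uint8_t *p = (const uint8_t *)name;
    do {
        h = ror13(h) + *p;
    } while (*p++);
    return h;
}

/* The single 32-bit value the caller asks for: module hash + function hash. */
static uint32_t api_hash(const char *module, const char *function)
{
    return module_hash(module) + function_hash(function);
}

struct fake_module {
    const char *base_dll_name;        /* stands in for BaseDllName */
    const char *const *export_names;  /* stands in for AddressOfNames */
    size_t number_of_names;           /* stands in for NumberOfNames */
};

/* Constructed export tables: a few names each, not the real EATs. */
static const char *const NTDLL_NAMES[] = { "NtClose", "RtlMoveMemory" };
static const char *const KBASE_NAMES[] = { "GetModuleHandleA", "LoadLibraryExA" };
static const char *const K32_NAMES[]   = { "CreateFileA", "GetProcAddress", "LoadLibraryA", "VirtualAlloc" };

/* Constructed module order with kernelbase.dll ahead of kernel32.dll, as the
 * post describes for Windows 7. The exe name is made up. */
static const struct fake_module WIN7_MODULES[] = {
    { "shell.exe",      NULL,        0 },
    { "ntdll.dll",      NTDLL_NAMES, 2 },
    { "kernelbase.dll", KBASE_NAMES, 2 },
    { "kernel32.dll",   K32_NAMES,   4 },
};
#define WIN7_MODULE_COUNT (sizeof WIN7_MODULES / sizeof WIN7_MODULES[0])

/* What the older stubs did: take whatever sits at a fixed slot. */
static const char *module_name_at(const struct fake_module *mods, size_t n, size_t slot)
{
    return slot < n ? mods[slot].base_dll_name : NULL;
}

struct lookup_result { int found; size_t module_index; size_t name_index; };

/* The generic fix: walk every module, hash its name, then walk that module's
 * export names forwards and stop at the first entry whose module+function
 * hash matches. A module without an export table is skipped. */
static struct lookup_result resolve_by_hash(const struct fake_module *mods, size_t n, uint32_t want)
{
    struct lookup_result r = { 0, 0, 0 };
    for (size_t m = 0; m < n; m++) {
        uint32_t mh = module_hash(mods[m].base_dll_name);
        if (mods[m].export_names == NULL)
            continue;
        for (size_t i = 0; i < mods[m].number_of_names; i++) {
            if (mh + function_hash(mods[m].export_names[i]) == want) {
                r.found = 1; r.module_index = m; r.name_index = i;
                return r;
            }
        }
    }
    return r;
}

int main(void)
{
    uint32_t want = api_hash("kernel32.dll", "LoadLibraryA");
    printf("kernel32.dll!LoadLibraryA hash: 0x%08X\n", want);
    printf("fixed slot 2 gives: %s\n", module_name_at(WIN7_MODULES, WIN7_MODULE_COUNT, 2));
    struct lookup_result r = resolve_by_hash(WIN7_MODULES, WIN7_MODULE_COUNT, want);
    if (r.found)
        printf("hash walk gives: %s!%s\n", WIN7_MODULES[r.module_index].base_dll_name,
               WIN7_MODULES[r.module_index].export_names[r.name_index]);
    return 0;
}
```

Compile with any C99 compiler and run. The fixed-slot lookup lands on kernelbase.dll in this ordering, while the hash walk passes over it and lands on kernel32.dll. Because the module hash is folded into the value, an export of the same name in a different module would not match either, which is what lets one stub work across the old and new module orders without a version check.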

