Metasploit mailing list archives
Re: Shellcodes first stage ignores EXITFUNC
From: HD Moore <hdm () metasploit com>
Date: Thu, 31 Dec 2009 07:04:19 -0600
On 12/31/2009 6:57 AM, Amin wrote:
Hi Everybody, First of all: thank ALL of you for metasploit and for keeping it improving! It's a joy to work with :-) ! Now my problem: the first stage of multistage windows shellcodes does not consider the EXITFUNC option. This has an impact in connect-back shellcodes, where the ReverseConnectRetries option is set to a number less than 255 (finite number of retries). After failing to connect to the attacker, the stage exits.
Yes - this was an improvement from the previous implementation of this stager, where a failed connection would simply crash the process.
By looking at this first stage of the shellcode we always find an ExitProcess call instead of the one specified with EXITFUNC.
The reason for this is size -- patching in ExitThread() is no longer just a DWORD change for newer versions of Windows, instead a semi-complex thunking process has to be performed, which adds a large number of bytes to the stager. Since the first-stage has to be tiny in order to work with exploits that have limited space, adding ExitProcess was a compromise between just crashing the process and cleanly exiting.

If you are trying to launch a Metasploit payload inside of a dedicated thread, one workaround is to create a suspended process, write the shellcode into the remote process's memory, and then resume it. This is how the service.exe template works (for psexec) and you can then WaitForSingleObject() on the process handle from CreateProcess(). This approach will also handle instances where the payload simply crashes (a bug in meterpreter, a user trying to load a 64-bit extension into a 32-bit process, etc).

-HD
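The suspended-process sequence described in the reply (create a child with CREATE_SUSPENDED, write into its memory, resume it) is also a useful thing to look for on the defensive side. The following is an added example, not code from the thread or from Metasploit: it correlates that three-step sequence per (parent, child) pair over a constructed API-trace record list whose field layout is an assumption of this example.

```python
# Added example (not from the thread or Metasploit): flag a parent process
# that creates a suspended child, writes to the child's memory and then
# resumes it, in that order and within a time window. The trace record
# format below is an assumption made for this example.

# Constructed sample trace: (timestamp_s, source_pid, api, target_pid, flags)
SAMPLE_TRACE = [
    (1.0, 4000, "CreateProcessW", 4100, "CREATE_SUSPENDED"),
    (1.2, 4000, "WriteProcessMemory", 4100, ""),
    (1.3, 4000, "ResumeThread", 4100, ""),            # full sequence -> hit
    (2.0, 5000, "CreateProcessW", 5100, ""),          # not suspended
    (2.1, 5000, "WriteProcessMemory", 5100, ""),      # no resume: ignored
    (3.0, 6000, "CreateProcessW", 6100, "CREATE_SUSPENDED"),
    (3.1, 6000, "ResumeThread", 6100, ""),            # suspend+resume, no write
    (4.0, 7000, "CreateProcessW", 7100, "CREATE_SUSPENDED"),
    (4.5, 7000, "WriteProcessMemory", 7100, ""),
    (99.0, 7000, "ResumeThread", 7100, ""),           # resume outside window
]


def find_suspended_injection(trace, window_s=30.0):
    """Return (source_pid, target_pid) pairs for which the source created a
    suspended child, wrote to its memory and then resumed it, all within
    window_s seconds of the CreateProcess call and in that order."""
    state = {}   # (src, tgt) -> timestamps of steps seen so far
    hits = []
    for ts, src, api, tgt, flags in trace:
        key = (src, tgt)
        if api == "CreateProcessW" and "CREATE_SUSPENDED" in flags:
            state[key] = {"create": ts}          # start a new candidate
        elif key in state:
            steps = state[key]
            if ts - steps["create"] > window_s:  # too old: drop candidate
                del state[key]
                continue
            if api == "WriteProcessMemory" and "write" not in steps:
                steps["write"] = ts
            elif api == "ResumeThread":
                if "write" in steps:             # create -> write -> resume
                    hits.append(key)
                del state[key]                   # resumed either way: done
    return hits


if __name__ == "__main__":
    for src, tgt in find_suspended_injection(SAMPLE_TRACE):
        print(f"suspended-process injection pattern: pid {src} -> pid {tgt}")
```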