Re: Why metasploit's exploits fails inside Qemu?

[Philip Sanderson <philip.k.sanderson () gmail com>]

General ideas:

  - If it heap sprays, it may not have completed the heap spray before the
vuln is triggered, thus returning to memory too early.
  - depending on what is being exploited, it might be cleaning up threads /
resources before it's triggered.

Just related to time, and that it is significantly slower emulating vs
hardware acceleration.

On Wed, Sep 22, 2010 at 11:51 AM, Jun Koi <junkoi2004 () gmail com> wrote:

> On Wed, Sep 22, 2010 at 8:30 AM, Philip Sanderson
> <philip.k.sanderson () gmail com> wrote:
> > Are you using pure qemu without any kernel/hardware acceleration?
>
> yes, i dont use any accelerator like KVM or KQemu. just pure emulation Qemu
>
> > If you are using pure emulation, there could be timing issues with the
> vulnerability
> > being triggered.
>
> what do you mean by "timing issue"?
>
> sorry but i cannot imagine that the Metasploit exploitation rely on
> timing to work. this is so confused (???)
>
> thanks,
> Jun
>
>
>
>
> > On Wed, Sep 22, 2010 at 10:34 AM, Jun Koi <junkoi2004 () gmail com> wrote:
> > > On Tue, Sep 21, 2010 at 11:53 PM, Joshua J. Drake <
> jdrake () metasploit com>
> > > wrote:
> > > > On Tue, Sep 21, 2010 at 11:58:07PM +0700, Jun Koi wrote:
> > > > > i want to fix the bug of Qemu, to "support Metasploit" :-). any idea
> > > > > where Qemu might be wrong?
> > > > >
> > > > > first of all, i am starting with the windows/exec payload, which
> > > > > contains the suspected shellcode. i suppose that its source is at
> > > > > external/source/shellcode/windows/single_exec.asm. is that correct?
> > > > >
> > > > > however, looking at this source, it doesnt seem to use any special
> > > > > instruction at all. this confuses me even more ...
> > > >
> > > > There are alot of steps in between the source code and the resulting
> > > > shellcode coming out of Metasploit. I recommend reading the developer
> > > > guide and source code for more information.
> > >
> > > to confirm that the culprit is the shellcode with weird tricks, i
> > > created a EXE payload using msfpayload. this payload uses windows/exec
> > > payload, and simply executes calc.exe
> > >
> > > i suppose that this EXE file uses the same code as the real shellcode
> > > in metasploit exploitation. then i run this EXE file on 2 VM: one is
> > > QEMU+KQemu, one is pure QEMU. and i can confirm that it works
> > > perfectly well on both environments.
> > >
> > > so my conclusion is that the shellcode doesnt seem to be the reason
> > > why metasploit fails inside pure QEMU. is that reasonable?
> > >
> > > now i have no idea what is wrong with QEMU anymore, given that my
> > > assumption about the weird tricks done inside Metasploit shellcode
> > > seems wrong.
> > >
> > > idea?
> > >
> > > thanks,
> > > Jun
> > > _______________________________________________
> > > https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework