Metasploit mailing list archives

VNC payload problems


From: andres.riancho at gmail.com (Andres Riancho)
Date: Tue, 25 Sep 2007 17:29:12 -0300

Hi list,

    I'm trying to do something really odd with metasploit (so I think this
is the correct list =). I'm trying to integrate MSF and w3af in order to be
able to use all MSF payloads while exploiting web applications (sql
injection, osCommanding, and anything that gets me a remote shell).

    To do that, I coded a metasploit plugin (see code below) and a virtual
daemon. The virtual daemon listens on port 9091 and receives the msf plugin
connections; the msf plugin sends the payload to the virtual daemon, and when
the virtual daemon gets the payload, it wraps the payload in a PE file.
That PE file is sent to the server I REALLY want to exploit using some
non-important method and then it gets executed. Using this method I have
been able to use the following payloads successfully:
        - create "metasploit" user
        - bind a shell
        - reverse shell

    The problem I have is with the VNC payloads, they are simply not
working. This is the log I get when exploiting this:

[*] Started bind handler
[*] The remote IP address is: 172.16.1.128
[*] Using remote IP address to create payloads.
[*] Sent payload to vdaemon.
[*] The estimated time to wait for PE transfer is: 7.0 seconds.
[*] Sleeping... [*] Going to sleep for 02 seconds (waiting for crontab/at to
execute payload).
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Done waiting!
[*] Starting handler
[*] Uploading DLL (340049 bytes)...
[*] Upload completed.
[*] Starting local TCP relay on 127.0.0.1:5900...  Local TCP relay started.
[*] Launched vnciewer in the background.
[*] VNC Server session 1 opened (172.16.1.1:41780 -> 172.16.1.128:4444)
[*] Using already established connection.
[*] VNC connection closed.
[*] VNC Server session 1 closed.

    As far as I know, the DLL is successfully sent to the remote server and
it's working ( the MSF courtesy shell pops up in the remote windows ). The
problem is that the VNC session closes... and I see this on the console:

VNC viewer version 3.3.7 - built Mar  8 2007 21:56:52
Copyright (C) 2002-2003 RealVNC Ltd.
Copyright (C) 1994-2000 AT&T Laboratories Cambridge.
See http://www.realvnc.com for information on VNC.
ReadFromRFBServer: rdr::EndOfStream

   Neither bind nor reverse VNC is working. I think that the problem is
with the TCP relay... any ideas on why this ain't working? How can I debug
the multistage payload (the .exe on the remote server)?


Cheers,
-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
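The viewer error above (`ReadFromRFBServer: rdr::EndOfStream`) means the stream was closed before the viewer got the server's 12-byte RFB ProtocolVersion banner, so the first thing to establish is whether the local relay on 127.0.0.1:5900 ever delivers that banner. The following probe is an added example, not code from the original post, from w3af or from Metasploit: it connects to an endpoint, reads the banner, and classifies the result (banner received, end of stream, timeout, or non-RFB data). The two localhost listeners it spins up are constructed test doubles standing in for a working relay and for one that drops the connection; the host, port and timeout values are assumptions for illustration.

```python
"""RFB (VNC) handshake probe for diagnosing a TCP relay that closes the
stream before the server banner arrives.  Added example; not part of the
original mailing-list post, w3af or Metasploit."""
import socket
import threading
from typing import Optional, Tuple

# The RFB ProtocolVersion message is exactly 12 bytes: b"RFB xxx.yyy\n"
RFB_BANNER_LEN = 12


def parse_rfb_version(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for a well-formed ProtocolVersion banner, else None."""
    if len(data) != RFB_BANNER_LEN or not data.startswith(b"RFB ") or data[-1:] != b"\n":
        return None
    try:
        major, minor = data[4:11].split(b".")
        return int(major), int(minor)
    except ValueError:
        return None


def probe_rfb_endpoint(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect to host:port, read the banner and classify what happened."""
    result = {"connected": False, "bytes_received": b"", "version": None, "status": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["connected"] = True
            buf = b""
            while len(buf) < RFB_BANNER_LEN:
                chunk = s.recv(RFB_BANNER_LEN - len(buf))
                if not chunk:
                    break  # peer closed the stream: what vncviewer reports as EndOfStream
                buf += chunk
            result["bytes_received"] = buf
    except socket.timeout:
        result["status"] = "timeout: endpoint accepted the connection but sent no banner"
        return result
    except OSError as exc:
        result["status"] = f"connect failed: {exc}"
        return result

    version = parse_rfb_version(result["bytes_received"])
    result["version"] = version
    if version:
        result["status"] = f"ok: RFB {version[0]:03d}.{version[1]:03d} banner received"
    elif not result["bytes_received"]:
        result["status"] = "end of stream before banner: relay or server closed the connection"
    else:
        result["status"] = "unexpected data: endpoint is not speaking RFB"
    return result


def _serve_once(banner: Optional[bytes]) -> int:
    """Constructed test double: one-shot localhost listener that either sends
    `banner` and closes, or (banner=None) closes immediately.  Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        if banner is not None:
            conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo() -> Tuple[dict, dict]:
    """Probe a healthy stand-in (sends RFB 003.008) and a broken one (closes at once)."""
    healthy = probe_rfb_endpoint("127.0.0.1", _serve_once(b"RFB 003.008\n"))
    broken = probe_rfb_endpoint("127.0.0.1", _serve_once(None))
    return healthy, broken


if __name__ == "__main__":
    for r in demo():
        print(r["status"])
```

Pointing `probe_rfb_endpoint` at the relay port while the session is up separates the two failure modes the log cannot distinguish: an immediate end of stream says the relay (or whatever it forwards to) closed without ever sending the RFB banner, whereas a timeout says the connection is accepted but nothing is being forwarded back.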