Metasploit mailing list archives
VNC payload problems
From: andres.riancho at gmail.com (Andres Riancho)
Date: Tue, 25 Sep 2007 17:29:12 -0300
Hi list,

I'm trying to do something really odd with metasploit (so I think this is the correct list =). I'm trying to integrate MSF and w3af in order to be able to use all MSF payloads while exploiting web applications (sql injection, osCommanding, and anything that gets me a remote shell). To do that, I coded a metasploit plugin (see code below) and a virtual daemon. The virtual daemon listens on port 9091 and receives the msf plugin connections; the msf plugin sends the payload to the virtual daemon; when the virtual daemon gets the payload, it wraps the payload in a PE file. That PE file is sent to the server I REALLY want to exploit using some non-important method and then it gets executed.

Using this method I have been able to use the following payloads successfully:

- create "metasploit" user
- bind a shell
- reverse shell

The problem I have is with the VNC payloads, they are simply not working. This is the log I get when exploiting this:

[*] Started bind handler
[*] The remote IP address is: 172.16.1.128
[*] Using remote IP address to create payloads.
[*] Sent payload to vdaemon.
[*] The estimated time to wait for PE transfer is: 7.0 seconds.
[*] Sleeping...
[*] Going to sleep for 02 seconds (waiting for crontab/at to execute payload).
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Done waiting!
[*] Starting handler
[*] Uploading DLL (340049 bytes)...
[*] Upload completed.
[*] Starting local TCP relay on 127.0.0.1:5900...
Local TCP relay started.
[*] Launched vnciewer in the background.
[*] VNC Server session 1 opened (172.16.1.1:41780 -> 172.16.1.128:4444)
[*] Using already established connection.
[*] VNC connection closed.
[*] VNC Server session 1 closed.

As far as I know, the DLL is successfully sent to the remote server and it's working (the MSF courtesy shell pops up in the remote windows). The problem is that the VNC session closes... and I see this on the console:

VNC viewer version 3.3.7 - built Mar 8 2007 21:56:52
Copyright (C) 2002-2003 RealVNC Ltd.
Copyright (C) 1994-2000 AT&T Laboratories Cambridge.
See http://www.realvnc.com for information on VNC.
ReadFromRFBServer: rdr::EndOfStream

Neither bind nor reverse VNC is working. I think that the problem is with the TCP relay... any ideas on why this ain't working? How can I debug the multistage payload (the .exe on the remote server)?

Cheers,
--
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
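The viewer's `ReadFromRFBServer: rdr::EndOfStream` message only says that the viewer's socket hit end-of-stream; it does not say whether the local relay or the far end closed first. A relay that records which side closed first, and how many bytes each direction carried, is the usual way to localize that. The following is an added example written for this archive page, not code from the original post, w3af or Metasploit; it stands in an echo server for the remote side and a 12-byte RFB-style greeting as constructed test traffic, and the function names (`relay_one_session`, `run_demo`) are this example's own.

```python
import socket
import threading
from dataclasses import dataclass, field


@dataclass
class RelayReport:
    """What the relay observed for one session."""
    bytes_client_to_server: int = 0
    bytes_server_to_client: int = 0
    first_eof: str = ""  # "client" or "server": which side closed first
    lock: threading.Lock = field(default_factory=threading.Lock, repr=False)


def _pump(src, dst, label, counter, report):
    """Copy bytes src -> dst until src reaches EOF, then half-close dst.

    The first pump to see EOF records its label, so the report tells us
    whether the viewer (client) or the remote stage (server) went away.
    """
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:  # orderly EOF on src
                break
            with report.lock:
                setattr(report, counter, getattr(report, counter) + len(chunk))
            dst.sendall(chunk)
    except OSError:
        pass  # timeout or reset: treated like EOF for diagnosis
    finally:
        with report.lock:
            if not report.first_eof:
                report.first_eof = label
        try:
            dst.shutdown(socket.SHUT_WR)  # propagate the half-close
        except OSError:
            pass


def relay_one_session(listener, target_host, target_port, timeout=5.0):
    """Accept one client on listener, connect to target, relay until both sides close."""
    client, _ = listener.accept()
    server = socket.create_connection((target_host, target_port), timeout=timeout)
    client.settimeout(timeout)
    server.settimeout(timeout)
    report = RelayReport()
    up = threading.Thread(target=_pump, args=(client, server, "client", "bytes_client_to_server", report))
    down = threading.Thread(target=_pump, args=(server, client, "server", "bytes_server_to_client", report))
    up.start(); down.start()
    up.join(); down.join()
    client.close(); server.close()
    return report


def _echo_server(listener):
    """Constructed stand-in for the remote side: echo until the peer closes."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def run_demo():
    """Run relay + echo server on loopback and return the relay's report."""
    echo_l = socket.socket(); echo_l.bind(("127.0.0.1", 0)); echo_l.listen(1)
    relay_l = socket.socket(); relay_l.bind(("127.0.0.1", 0)); relay_l.listen(1)
    echo_port = echo_l.getsockname()[1]
    relay_port = relay_l.getsockname()[1]
    threading.Thread(target=_echo_server, args=(echo_l,), daemon=True).start()

    result = {}
    def run_relay():
        result["report"] = relay_one_session(relay_l, "127.0.0.1", echo_port)
    rt = threading.Thread(target=run_relay); rt.start()

    # Constructed client traffic: an RFB-style version string, read back, then close.
    with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
        c.sendall(b"RFB 003.003\n")
        echoed = b""
        while len(echoed) < 12:
            chunk = c.recv(12 - len(echoed))
            if not chunk:
                break
            echoed += chunk
    rt.join(timeout=10)
    echo_l.close(); relay_l.close()
    return result["report"]


if __name__ == "__main__":
    print(run_demo())
```

In the demo the client closes deliberately, so the report names `client` as the first EOF with 12 bytes in each direction. Pointed at a real relay port, a report showing `first_eof == "server"` with zero bytes from the server side would mean the far end never spoke RFB at all, whereas bytes in both directions followed by a server EOF would point at the remote stage exiting mid-session.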
Current thread:
- VNC payload problems Andres Riancho (Sep 25)
- VNC payload problems H D Moore (Sep 25)
- VNC payload problems Andres Riancho (Sep 25)
- VNC payload problems Patrick Webster (Sep 25)
- VNC payload problems Andres Riancho (Sep 25)
- VNC payload problems H D Moore (Sep 26)
- VNC payload problems Andres Riancho (Sep 26)
- VNC payload problems Andres Riancho (Sep 25)
- VNC payload problems Andres Riancho (Sep 26)
- VNC payload problems H D Moore (Sep 25)
- <Possible follow-ups>
- VNC payload problems Steven Olson (Sep 26)