Metasploit mailing list archives

VNC payload problems


From: andres.riancho at gmail.com (Andres Riancho)
Date: Wed, 26 Sep 2007 10:56:22 -0300

hdm,

On 9/26/07, H D Moore <hdm at metasploit.com> wrote:
Cross-referencing that with the source:
http://metasploit.com/svn/framework3/trunk/external/source/vncdll/winvnc/winvnc/winvnc.cpp

Thanks for this reference, I'll read some sections of the code,

We see that SetWindowPos() is the last call we do that relates to the
Metasploit modifications to the VNC server. IOW, I have no idea, but it
looks like something is wrong with the process heap or the transferred
DLLs content.

It seems that the problem is here:

"NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) ==
STATUS_INVALID_PARAMETER_4"

The parameter with the issue is number 4. If we check the syscall
reference available at:
http://metasploit.com/users/opcode/syscalls.html

We see this:

NtAllocateVirtualMemory(
        IN HANDLE ProcessHandle,
        IN OUT PVOID *BaseAddress,
        IN ULONG ZeroBits,
        IN OUT PULONG AllocationSize,
        IN ULONG AllocationType,
        IN ULONG Protect
        );

So it seems that the payload is (at some point) requesting virtual
memory of size 0 ... odd stuff... going to debug...

-HD

On Tuesday 25 September 2007 21:47, Andres Riancho wrote:
885 932 724 NtDelayExecution (0, {-10000000, -1}, ... ) == 0x0
886 932 724 NtUserFindWindowEx (0, 0, 0x0, "Metasploit Courtesy Shell (TM)", 0, ... ) == 0xbc013a
887 932 724 NtUserSetWindowPos (12321082, -1, 0, 0, 0, 0, 3, ... ) == 0x1
888 932 724 NtRequestWaitReplyPort (36, {24, 48, new_msg, 0, 452608, 1853182464, 1735289198, 2011287552} "\0\0\0\0\14\0\1\00\350\6\0#\1\1\0\0\1\0\0\0\0\0\0" ... {24, 48, reply, 0, 932, 724, 43030, 0} "\0\0\0\0\14\0\1\0\0\0\0\0#\1\1\0\0\1\0\0\0\0\0\0" ) == 0x0
889 932 724 NtCreateSemaphore (0x1f0003, 0x0, 0, 2147483647, ... 124, ) == 0x0
890 932 724 NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) == STATUS_INVALID_PARAMETER_4
891 932 724 NtRaiseException (452544, 451800, 1, ...

And there it dies with an exception that ain't handled. As I said in my
first email, the first stage is successfully connecting back,
downloading the second stage and executing it (at least some sections of
it), but it seems that one of the last syscalls (the
NtAllocateVirtualMemory just after starting the "Metasploit Courtesy
Shell (TM)") is raising an exception. Do you guys know what the
problem might be?




-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
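As an added example that is not part of this thread: a small Python parser for the trace format quoted above that cross-references a STATUS_INVALID_PARAMETER_N result against the NtAllocateVirtualMemory prototype from the cited syscall reference, which is the check Andres performs by hand. The sample trace lines are reflowed from the quoted trace; the parameter-name table and all function names are this example's own.

```python
import re

# Constructed sample, reflowed one call per line from the trace quoted in the thread.
TRACE = """\
885 932 724 NtDelayExecution (0, {-10000000, -1}, ... ) == 0x0
887 932 724 NtUserSetWindowPos (12321082, -1, 0, 0, 0, 0, 3, ... ) == 0x1
890 932 724 NtAllocateVirtualMemory (-1, 0, 0, 0, 8192, 4, ... ) == STATUS_INVALID_PARAMETER_4
"""

# Parameter names in declaration order, from the syscall reference cited in the mail.
PROTOTYPES = {
    "NtAllocateVirtualMemory": ["ProcessHandle", "BaseAddress", "ZeroBits",
                                "AllocationSize", "AllocationType", "Protect"],
}

LINE_RE = re.compile(r"^(\d+)\s+\d+\s+\d+\s+(Nt\w+)\s*\((.*)\)\s*==\s*(\S+)$")

def split_args(raw):
    """Split on top-level commas so a {a, b} struct literal stays one argument."""
    args, depth, start = [], 0, 0
    for i, ch in enumerate(raw + ","):
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            args.append(raw[start:i].strip())
            start = i + 1
    return [a for a in args if a and a != "..."]  # drop empties and the tracer's "..."

def parse_line(line):
    """Parse '<seq> <pid> <tid> <syscall> ( <args> ) == <result>'; None if not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    seq, name, args, result = m.groups()
    return {"seq": int(seq), "name": name, "args": split_args(args), "result": result}

def explain_invalid_parameter(call):
    """Map STATUS_INVALID_PARAMETER_N to the N-th declared parameter and the value passed."""
    m = re.fullmatch(r"STATUS_INVALID_PARAMETER_(\d+)", call["result"])
    if not m:
        return None
    n = int(m.group(1))
    pname = dict(enumerate(PROTOTYPES.get(call["name"], []), 1)).get(n, f"arg{n}")
    return n, pname, dict(enumerate(call["args"], 1)).get(n)

def find_failures(trace):
    """(seq, syscall, NTSTATUS, explanation) for every call that returned an error name."""
    return [(c["seq"], c["name"], c["result"], explain_invalid_parameter(c))
            for c in map(parse_line, trace.splitlines())
            if c and c["result"].startswith("STATUS_")]
```

Running `find_failures(TRACE)` flags only call 890 and reports parameter 4 as AllocationSize with the value 0, matching the conclusion drawn in the mail.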


