Metasploit mailing list archives

[no subject]



# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */

Probably generated from here:

http://metasploit.com:55555/PAYLOADS?MODE=SELECT&MODULE=%77%69%6e%33%32%5f%62%69%6e%64

The code does create an RTSP server on port 554 and delivers a response
to any data received.  It doesn't automatically connect to the victim's
new listener port on 4444. That you'll need to use netcat for.


On Tue, Nov 27, 2007 at 12:51:56PM -0500, Jeffs wrote:
Are you sure the payload opens a listening socket on the *victim's* 
machine?  The way I understand that sploit to work is it allows the 
attacker to listen for a connection whilst at the same time listening on 
another port (4444) for a connection from the victim's machine.  The sploit 
creates an RTSP server that waits for a connection, then sends code to the 
victim having them contact the attacker's machine. 
Kurt Grutzmacher wrote:
You should learn more about buffer overflows before you get too deep
into any code. There are a ton of resources on the web that a quick
google will direct you towards.

But to quickly answer your question, the payload shellcode provides the
instructions to open a listener socket on port 4444 on the victim's
machine that you connect to with netcat. It's assembly code because the
overflow allowed us to execute it.

The script you linked to just uses the shellcode generated by metasploit.
It doesn't integrate within the framework. An exploit has been written
and is available in the current svn trunk.

On Tue, Nov 27, 2007 at 09:20:31AM -0500, Jeffs wrote:
  
Regarding

http://www.securityfocus.com/data/vulnerabilities/exploits/26549-uni.py

which is the Apple QuickTime RTSP Response Header Remote Stack Based 
Buffer Overflow Vulnerability -- as a newbie I have a simple question.

I understand the code behind the exploit in theory, but am confused about 
how one would successfully attach or bind to the process that is sitting 
at port 4444 (assuming you used that value as per the code) to get the 
reverse shell?  Netcat wouldn't do it because there is no netcat process 
being sent to the attacking machine.  If you could integrate it into 
metasploit then I understand you would have a "session".  But this is a 
python script.  How does one integrate it into metasploit, if at all?  If 
not, how does the attacking machine attach to the bind process coming in 
on port 4444?

Thank you from a newbie
-- 
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
        "There's just no amusing way to say, 'I have a CISSP'."
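As an added example, not from the thread or the exploit script it discusses, here is a defender-side check for the bug class at issue: it parses an RTSP response and flags any header whose value exceeds an assumed length limit, the kind of oversized response header a client-side stack overflow like this one depends on. The sample responses and the 512-byte threshold are constructed for illustration.

```python
# Constructed sample RTSP responses (not taken from the exploit): a normal
# reply, and one whose Content-Type value is padded far beyond any sane
# length, as a response aimed at overflowing a client's header buffer would be.
BENIGN_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n\r\n"
)
OVERSIZED_RESPONSE = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: " + b"A" * 1200 + b"\r\n\r\n"
)

# Assumed threshold: tune it to the largest header value the client you are
# protecting can legitimately receive.
MAX_HEADER_VALUE = 512


def parse_rtsp_headers(raw):
    """Split an RTSP response into (status line, {lower-cased name: value})."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line: skip it but keep parsing
        headers[name.strip().decode("ascii", "replace").lower()] = value.strip()
    return status, headers


def find_oversized_headers(raw, limit=MAX_HEADER_VALUE):
    """Return the names of headers whose value is longer than `limit` bytes."""
    _status, headers = parse_rtsp_headers(raw)
    return [name for name, value in headers.items() if len(value) > limit]


if __name__ == "__main__":
    for label, resp in (("benign", BENIGN_RESPONSE), ("oversized", OVERSIZED_RESPONSE)):
        print(label, find_oversized_headers(resp))
```

A proxy or IDS sitting between the client and the RTSP server can apply the same check and drop or log the response before the client parses it.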