Metasploit mailing list archives
Mistake in kernel mode payloads
From: mmiller at hick.org (mmiller at hick.org)
Date: Tue, 26 Feb 2008 16:34:04 -0800
On Wed, Feb 27, 2008 at 01:27:24AM +0100, Giuseppe Gottardi wrote:
> Hi mans, I have a little trouble with Windows kernel-mode exploitation. When a user-land payload is executed in the context of the lsass.exe process, it forces lsass.exe to exit, and the system shuts down after 60 seconds due to an lsass.exe system error.
What is EXITFUNC set to when you run your exploit? In general, the stager assumes that the user-mode payload will take care of cleanup. Currently, this typically involves a call to ExitProcess, ExitThread, or generating an exception (depending on EXITFUNC). If your EXITFUNC is set to seh, this will likely cause lsass to crash in the manner that you're seeing.
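Added illustration of the cleanup point made in the reply above (this is not code from the thread or from Metasploit): a POSIX/pthreads analogue of the three EXITFUNC cleanup styles, with exit() standing in for ExitProcess, pthread_exit() for ExitThread, and a raised SIGSEGV for the unhandled exception that the seh setting generates. The "host" plays the role of lsass.exe and the payload thread is the injected user-mode payload; each run is forked so the demonstrator itself survives. Only the thread-style cleanup leaves the host running, which is the behaviour you want when the payload lands inside a process the system cannot lose. Names such as host_survives and the enum are this example's own.

```c
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Cleanup styles, named after the Metasploit EXITFUNC values they imitate. */
enum exitfunc { EXITFUNC_PROCESS, EXITFUNC_THREAD, EXITFUNC_SEH };

/* The "injected" payload thread: after its work it cleans up as EXITFUNC dictates. */
static void *payload_thread(void *arg)
{
    enum exitfunc mode = *(enum exitfunc *)arg;

    /* ... the payload's real work would happen here ... */

    switch (mode) {
    case EXITFUNC_PROCESS:
        exit(3);            /* analogue of ExitProcess: tears down the whole host */
    case EXITFUNC_THREAD:
        pthread_exit(NULL); /* analogue of ExitThread: only this thread goes away */
    case EXITFUNC_SEH:
        raise(SIGSEGV);     /* analogue of an unhandled exception: host dies as a crash */
    }
    return NULL;
}

/*
 * Run a host process (forked child) that hosts one payload thread using the
 * given cleanup style. Returns 1 if the host was still alive after the payload
 * finished and could complete its own work, 0 if the payload took it down,
 * -1 on a fork/wait failure.
 */
int host_survives(enum exitfunc mode)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: this is the "lsass.exe" host. */
        pthread_t t;
        enum exitfunc m = mode;
        if (pthread_create(&t, NULL, payload_thread, &m) != 0)
            _exit(2);
        pthread_join(t, NULL);   /* returns only if the payload exited thread-style */
        /* Host's own work continues here; exit code 0 means it got this far. */
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    /* A signal death (the "crash") or a non-zero exit both count as host lost. */
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    static const char *names[] = { "process", "thread", "seh" };
    for (int m = EXITFUNC_PROCESS; m <= EXITFUNC_SEH; m++)
        printf("EXITFUNC=%-8s host survives: %s\n", names[m],
               host_survives((enum exitfunc)m) == 1 ? "yes" : "no");
    return 0;
}
```

The Windows specifics differ (ExitThread versus pthread_exit, a SEH fault versus a POSIX signal), but the outcome the reply describes is the same: a payload that exits the process or faults unhandled takes lsass.exe with it, while a thread-style exit lets the host keep running.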
Current thread:
- Mistake in kernel mode payloads Giuseppe Gottardi (Feb 26)
- Mistake in kernel mode payloads mmiller at hick.org (Feb 26)
- Mistake in kernel mode payloads Giuseppe Gottardi (Mar 11)
- Mistake in kernel mode payloads Matt Miller (Mar 11)
- Mistake in kernel mode payloads Giuseppe Gottardi (Mar 11)
- Mistake in kernel mode payloads mmiller at hick.org (Feb 26)