Metasploit mailing list archives

Re: framework Digest, Vol 40, Issue 13


From: "" <sachinshinde11 () gmail com>
Date: Thu, 19 May 2011 02:07:42 +0000

Hi list,

----------
Sent via Nokia Email

------Original message------
From: <framework-request () spool metasploit com>
To: <framework () spool metasploit com>
Date: Wednesday, May 18, 2011 9:59:06 AM GMT-0700
Subject: framework Digest, Vol 40, Issue 13


Today's Topics:

   1. Re: WinExec payload? (Abuse007)
   2. Re: WinExec payload? (Peter Van Eeckhoutte)
   3. Re: WinExec payload? (Jun Koi)
   4. ROP support? (Jun Koi)
   5. Re: ROP support? (Peter Van Eeckhoutte)
   6. Re: ROP support? (Jun Koi)
   7. Re: ROP support? (Peter Van Eeckhoutte)


----------------------------------------------------------------------

Message: 1
Date: Wed, 18 May 2011 17:24:56 +1000
From: Abuse007 <abuse007 () gmail com>
To: Jun Koi <junkoi2004 () gmail com>
Cc: "framework () spool metasploit com" <framework () spool metasploit com>
Subject: Re: [framework] WinExec payload?
Message-ID: <2F9F255B-DD8B-4DBB-8007-BFDFEAC1D4DF () gmail com>
Content-Type: text/plain;       charset=us-ascii

Hi Jun,

I haven't looked into metasploit's WinExec shellcode but it is probably working out the addresses of the functions in 
the libraries that it needs. The addresses of breakpoints you are setting and the calculated addresses might not match. 
The shellcode could be calling a little past the function prologue. Try setting the breakpoints further into the 
functions.

Also in general some functions are merely wrappers around others, so break on the lowest level function. 

Msf may have source code or documentation on the shellcode. Otherwise disassemble it and have a look at how it is 
working.

I may be missing something myself, but I hope the above helps.


On 18/05/2011, at 3:38 PM, Jun Koi <junkoi2004 () gmail com> wrote:

Hi,

I am using the WinExec payload to test one vulnerable application (the exploit also comes from Metasploit).

Before launching the exploit, I put 2 breakpoints on the WinExec and GetProcAddress functions of this application.
Then I run the exploit, and it succeeds.

However, the problem is that none of my breakpoints were triggered. This is a surprise to me, as I supposed that the 
payload cannot work without using these 2 functions. Clearly I missed something there!

Could anybody please tell me why this happens?

thanks a lot,
Jun

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


------------------------------

Message: 2
Date: Wed, 18 May 2011 09:43:51 +0200
From: Peter Van Eeckhoutte <peter.ve () corelan be>
To: Abuse007 <abuse007 () gmail com>, Jun Koi <junkoi2004 () gmail com>
Cc: "framework () spool metasploit com" <framework () spool metasploit com>
Subject: Re: [framework] WinExec payload?
Message-ID:
        <C0641B79F7D6A44791BA8FA35BC143F903D38631E936 () apollo corelan be>
Content-Type: text/plain; charset="us-ascii"

It uses kernel32.WinExec - so either set a bp before the shellcode starts to run and step through,
or set a bp at kernel32.WinExec before running the shellcode
(worked fine for me)




This transmission is intended only for use by the intended recipient(s).  If you are not an intended recipient you 
should not read, disclose, copy, circulate or in any other way use the information contained in this transmission.  The 
information contained in this transmission may be confidential and/or privileged.  If you have received this 
transmission in error, please notify the sender immediately and delete this transmission including any attachments.
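Why the GetProcAddress breakpoint stayed silent, as an added illustration (not code from this thread, and not Metasploit's own code): the framework's x86 Windows payloads carry a small resolver that walks the loader's module list and each module's export table, matching a 32-bit ror13 hash of the module and function name, so the payload never goes through the import table or GetProcAddress; the only call that happens lands on the exported entry of kernel32!WinExec, which is where Peter's breakpoint fires. The script below is my reconstruction of that published hash scheme (uppercase UTF-16LE module name including its terminator, ASCII function name including its NUL, each accumulated with rotate-right-13-and-add, then summed modulo 2^32) and builds a lookup table from a constructed export list, so that an immediate noted while single-stepping the shellcode, such as 0x876F8B31, can be mapped back to a module!function pair and the breakpoint placed where it will actually hit. SAMPLE_EXPORTS and every function name here are mine.

```python
#!/usr/bin/env python3
"""Translate Metasploit-style ror13 API hashes back to module!function names.

Added example for analysts debugging a payload: the resolver in the framework's
x86 Windows shellcode never calls GetProcAddress, so hooks or breakpoints on it
do not fire; knowing which hash maps to which export tells you where to break.
The hash scheme below is a reimplementation, not Metasploit's own code.
"""
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """32-bit rotate right by 13, as the x86 `ror` instruction does."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def hash_bytes(data: bytes) -> int:
    """Accumulate h = ror13(h) + byte over each byte, wrapping at 32 bits."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def block_api_hash(module: str, function: str) -> int:
    """Hash of module!function as the hash-based resolver computes it.

    The module name is hashed as uppercase UTF-16LE including its two-byte
    terminator (the form in which the loader stores it); the function name is
    hashed as ASCII including its NUL, straight from the export name table.
    The two partial hashes are added modulo 2**32.
    """
    mod = (module.upper() + "\x00").encode("utf-16-le")
    fn = (function + "\x00").encode("ascii")
    return (hash_bytes(mod) + hash_bytes(fn)) & MASK32


def build_lookup(exports: Dict[str, List[str]]) -> Dict[int, str]:
    """Map hash -> 'module!function' for every export name supplied.

    `exports` is a constructed sample here; a real table would be filled from
    the export directories of the DLLs loaded in the debugged process.
    """
    table: Dict[int, str] = {}
    for module, names in exports.items():
        for name in names:
            table[block_api_hash(module, name)] = f"{module}!{name}"
    return table


def resolve_constant(value: int, table: Dict[int, str]) -> Optional[str]:
    """Translate a 32-bit immediate seen in the shellcode back to its API.

    Returns None for an unknown value rather than guessing.
    """
    return table.get(value & MASK32)


# Constructed sample: a handful of names that kernel32 does export.
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["WinExec", "ExitProcess", "LoadLibraryA", "GetProcAddress"],
}

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS)
    # Immediates an analyst might jot down while stepping (constructed list;
    # the last one is deliberately unknown to show the miss case).
    for imm in (0x876F8B31, 0x56A2B5F0, 0xDEADBEEF):
        print(f"{imm:08x} -> {resolve_constant(imm, table)}")
```

To use it on a real process, fill the export dictionary from the export directories of the DLLs loaded in the debuggee (a PE parser such as pefile enumerates them) and look up each `push` immediate that precedes the resolver call; the name it returns is the export to break on, which is the hash-resolved equivalent of Peter's "set a bp at kernel32.WinExec".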


------------------------------

Message: 3
Date: Wed, 18 May 2011 16:27:09 +0800
From: Jun Koi <junkoi2004 () gmail com>
To: Peter Van Eeckhoutte <peter.ve () corelan be>
Cc: "framework () spool metasploit com" <framework () spool metasploit com>
Subject: Re: [framework] WinExec payload?
Message-ID: <BANLkTinTRXaMaXAS1_N7TxaRHofQNnf6Zw () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Silly me, I put the breakpoint at the wrong place. Now it works!

Thanks a lot, everybody!
J




------------------------------

Message: 4
Date: Thu, 19 May 2011 00:20:31 +0800
From: Jun Koi <junkoi2004 () gmail com>
To: framework () spool metasploit com
Subject: [framework] ROP support?
Message-ID: <BANLkTimSD4KTP8-F53Vw0NbH_eMZWFqEig () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hi,

Does current Metasploit support ROP-based exploitation? If so, which
exploits/payloads are available?

thanks,
Jun

------------------------------

Message: 5
Date: Wed, 18 May 2011 18:38:56 +0200
From: Peter Van Eeckhoutte <peter.ve () corelan be>
To: Jun Koi <junkoi2004 () gmail com>, "framework () spool metasploit com"
        <framework () spool metasploit com>
Subject: Re: [framework] ROP support?
Message-ID:
        <C0641B79F7D6A44791BA8FA35BC143F903D38631E93E () apollo corelan be>
Content-Type: text/plain; charset="us-ascii"

Msf won't automagically build a ROP chain for you, but if you can build one yourself and include it in your module, the 
selected payloads will be more than happy to execute for you.




------------------------------

Message: 6
Date: Thu, 19 May 2011 00:52:50 +0800
From: Jun Koi <junkoi2004 () gmail com>
To: Peter Van Eeckhoutte <peter.ve () corelan be>
Cc: "framework () spool metasploit com" <framework () spool metasploit com>
Subject: Re: [framework] ROP support?
Message-ID: <BANLkTikPig5J8Qd8Df-7+vzCCDOuCfW-eQ () mail gmail com>
Content-Type: text/plain; charset=windows-1252

On Thu, May 19, 2011 at 12:38 AM, Peter Van Eeckhoutte
<peter.ve () corelan be> wrote:
Msf won't automagically build a ROP chain for you, but if you can build one
yourself and include it in your module, the selected payloads will be more
than happy to execute for you.


So Metasploit doesn't make ROP exploits for you. Is this a (current)
limitation that will be improved in the future, or is there a reason
for Metasploit not to do that?

thanks,
J






------------------------------

Message: 7
Date: Wed, 18 May 2011 18:57:36 +0200
From: Peter Van Eeckhoutte <peter.ve () corelan be>
To: Jun Koi <junkoi2004 () gmail com>
Cc: "framework () spool metasploit com" <framework () spool metasploit com>
Subject: Re: [framework] ROP support?
Message-ID:
        <C0641B79F7D6A44791BA8FA35BC143F903D38631E940 () apollo corelan be>
Content-Type: text/plain; charset="us-ascii"

I guess it would need to be able to generate the gadgets from the correct DLLs, from within the correct context, etc.

In theory it should be perfectly possible... feel free to apply your patches :)






------------------------------

_______________________________________________
framework mailing list
framework () spool metasploit com
https://mail.metasploit.com/mailman/listinfo/framework


End of framework Digest, Vol 40, Issue 13
*****************************************
