Metasploit mailing list archives
Re: Help required to understand the Exploits Better
From: "Joshua J. Drake" <jdrake () metasploit com>
Date: Tue, 6 Dec 2011 12:43:10 -0600
On Tue, Dec 06, 2011 at 03:35:52AM -0800, firstname lastname wrote:
> I want to understand better what exactly an exploit module is doing on the victim's machine. Say I run a Metasploit exploit module against a Windows target which triggers some vulnerability and exploits it to gain a reverse TCP shell, for instance. What I am trying to understand is what the memory map of the victim machine looks like when the application crashed.
>
> As an example, to make it clearer what I want to know: I run a browser-based exploit on Mozilla Firefox running on the victim's machine. This exploit crashes the browser on the victim's machine and sends back a reverse TCP shell. At the very point when the browser crashes on the victim's machine, is it possible to take a look at the memory map to understand what the contents of the CPU registers are, or to find the shellcode in memory?
>
> I attached my debugger to the firefox.exe process before launching the exploit. When I ran the exploit, Firefox crashed and I also got the reverse TCP shell, but in OllyDbg it showed no status info for the registers; that section went blank. Can I find out the location of the shellcode in memory and the value of EIP, or things like that? I believe, since the exploit has already occurred, I need to set a breakpoint somewhere else in the code to pause the execution before the shellcode gets executed. Any clues how to go about it?
I like to modify the module itself. I place a breakpoint before the payload. For example:

    buf << payload.encoded

becomes:

    buf << "\xcc" << payload.encoded

That said, running the target software under a debugger may change behavior due to timing differences or debugger checks. The first thing can be hard to fix, but the second is a bit easier. For this, I like to run WinDbg as follows:

    windbg.exe -xe cpr -c "eb ebx+2 00;g" ...<path to program, args, etc>

Another option is to use "DebugHide", "IsDebuggerPresent", or "ida stealth" type plugins for various other tools.

Hope this helps,
Joshua J. Drake
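As an added example (not from Joshua's reply or from the Metasploit code base), the following Ruby helper shows the `\xcc` trick in a form that keeps the buffer the module sends at a fixed length: the int3 byte consumes one byte of padding instead of shifting everything after the payload, which matters when the module relies on fixed offsets later in the buffer. The names `build_buffer` and `payload_offset`, the `debug:` option and the sample bytes are hypothetical.

```ruby
# Added example, not code from the original post or from Metasploit.
# Prepends an int3 software breakpoint to an encoded payload so a debugger
# attached to the target stops right before the payload runs, while keeping
# the total buffer length constant.

INT3 = "\xcc".b # x86 int3: one-byte software breakpoint

# Build a fixed-length buffer: [int3?][payload][padding].
# With debug: true the breakpoint byte is placed immediately before the
# payload and one byte of padding is dropped, so every offset past the
# payload stays where it was in the non-debug build.
def build_buffer(encoded, total_len:, debug: false, pad_byte: "\x90".b)
  encoded = encoded.b                     # force a binary string
  body = (debug ? INT3 : "".b) + encoded
  if body.bytesize > total_len
    raise ArgumentError, "payload (#{body.bytesize} bytes) exceeds total_len (#{total_len})"
  end
  body + pad_byte * (total_len - body.bytesize)
end

# Offset of the payload's first byte from the start of the buffer; with the
# breakpoint in place, the debugger reports EIP one byte past the int3, i.e.
# exactly here.
def payload_offset(debug: false)
  debug ? INT3.bytesize : 0
end

if __FILE__ == $PROGRAM_NAME
  sample = "\x31\xc0\xc3".b # constructed placeholder bytes (xor eax,eax; ret), not a real payload
  puts "plain: #{build_buffer(sample, total_len: 16).unpack1('H*')}"
  puts "debug: #{build_buffer(sample, total_len: 16, debug: true).unpack1('H*')}"
  puts "payload starts at offset #{payload_offset(debug: true)} in the debug build"
end
```

The length check is the point: if a module's buffer is already filled to the byte, prepending `\xcc` silently pushes the rest of the layout by one, so a debug build should steal the byte from padding rather than append it.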