Home page logo

metasploit logo Metasploit mailing list archives

Exploit::Remote::HttpClient and stages
From: mmiller at hick.org (mmiller at hick.org)
Date: Fri, 9 Mar 2007 09:51:52 -0800

On Fri, Mar 09, 2007 at 10:24:29AM +0100, Olivier Dembour wrote:

      I've seen that pipelining is not yet finished on msf 3, so I don't know if the
feature I'm looking for is to be implemented ...

I'd like to use Exploit::Remote::HttpClient class to develop an exploit (buffer
overflow), but there is two problems :

      - socket is shutdowned after the request
      - send_request_raw() try to get the reply, but the server is already overflow
(there is no reply)

I think the best way to handle this is two fold:

1) We can add an option that you can pass to send_request_raw that will
let you toggle pipeline.  This should prevent the connection from being
closed.  This support isn't necessary if you don't read a response,
since the socket is only closed after a response is read (unless the
server closes it).

2) You can specify the timeout window to wait for the reply.  We can add
support so that if you specify a timeout of zero, it won't wait for a
response.  Alternatively, we could just add a wrapper to the HTTP mixin
that lets you send a request without waiting for a response.

Just make sure that you call handler after you trigger the bug.  This
will grab the socket used by the global HTTP client connection and try
to use that to stage the payload over.  Let us know if you run into
problems with this, since findsock payloads have thus far not been used
all that much.

HD, what do you think?

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]