[framework] find_tag Payloads

mmiller at hick.org
Fri Aug 31 12:40:15 CDT 2007


I've committed a fix for this issue.  The find tag support was
inadvertently broken by the introduction of the intermediate stage code
we added to support reliably handling large stages.  The intermediate
stage (a small payload blob) was being sent before the tag itself which
caused things to break.  I tested the fix and confirmed that it works on
trunk.  You can find the change set information here:

http://www.metasploit.com/dev/trac/changeset/5084

On Thu, Aug 30, 2007 at 11:00:02AM -0700, mmiller at hick.org wrote:
> Can you take a capture between the attacking machine and the target?
> The key is to observe that a four byte tag is being sent across the
> wire.  My guess is that the payload isn't actually finding the
> connection on the target machine.  The attacking machine's framework has
> no ability to tell at present that the target machine has found the
> socket, it just assumes that it has.
> 
> The find_tag payload hasn't been extensively used, so it's possible that
> there is a bug lingering somewhere.  You can do 'set TAG MSF1' which
> should force an explicit tag to be used rather than a randomly generated
> one.
> 
> On Thu, Aug 30, 2007 at 10:06:58AM +0200, Thomas Werth wrote:
> > Dear List,
> > 
> > I'm trying to get a find_tag payload to work. I tested several of them.
> > Meterpreter and VNC at least "printf" that they have opened a session. But in
> > Meterpreter no communication is possible (help won't show fs funcs,
> > migrate timed out, use priv, too). VNC is the same.
> > 
> > I'm just setting a find_tag as payload and firing a test exploit. DLL
> > transfer is OK. After a while searching for a connection, msf tells me it has
> > a session. But this one isn't working.
> > 
> > There is one TCP connection between victim and attacker, exactly the
> > one the exploit is sent over.
> > 
> > What is needed to get find_tag payloads working?
> > 
> > Thomas
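The thread describes the find_tag mechanism in two sentences: the handler writes a four-byte tag onto the connection the exploit already opened, and the payload on the target walks its open sockets looking for that tag at the head of the stream, with the framework unable to confirm that the target actually found it. The Ruby below is an added model of that exchange, written for this page and not taken from Metasploit or from changeset 5084; the tag value, the stage bytes and the intermediate-stage blob are constructed stand-ins, and the search over a Unix socket pair plus a silent decoy stands in for the payload's scan of real descriptors. Running it with the blob written ahead of the tag reproduces the failure mode the message describes (the tag is no longer the first thing the target peeks, so no socket matches), while the tag-first ordering succeeds.

```ruby
require 'socket'

# Constructed values for this demo: an explicit tag (as with 'set TAG MSF1'),
# a stand-in for stage bytes, and a stand-in for an intermediate-stage blob.
# None of these are real Metasploit stage code.
TAG   = "MSF1".b
STAGE = "\x90\x90\xcc".b
BLOB  = "\xeb\x0e\x00\x00".b

# Attacker (handler) side: write onto the connection the exploit already
# opened. find_tag only works if the first bytes the target peeks are the tag;
# prepend_blob models the intermediate stage being sent ahead of it.
def send_find_tag(sock, tag:, stage:, prepend_blob: nil)
  sock.write(prepend_blob) if prepend_blob
  sock.write(tag)
  sock.write(stage)
  sock.flush
end

# Target (payload) side: walk candidate descriptors, peek tag.bytesize bytes
# without consuming them, and return the socket whose head matches the tag.
# Sockets with nothing pending are skipped rather than blocked on.
def find_tagged_socket(candidates, tag)
  candidates.each do |s|
    next unless IO.select([s], nil, nil, 0)          # anything to peek at?
    head = s.recv(tag.bytesize, Socket::MSG_PEEK)     # look, do not consume
    next unless head == tag
    s.recv(tag.bytesize)                              # consume the tag
    return s
  end
  nil
end

# Once the tagged socket is known, the rest of the stream is the stage.
def read_stage(sock, len)
  sock.read(len)
end

# One end-to-end run. Returns whether the target found the socket and what
# stage bytes it read. A decoy socket with no traffic is included so the
# search has something to reject, like the other descriptors in a real process.
def run_scenario(prepend_blob: nil)
  attacker, target_conn = UNIXSocket.pair
  decoy, decoy_peer = UNIXSocket.pair
  send_find_tag(attacker, tag: TAG, stage: STAGE, prepend_blob: prepend_blob)
  found = find_tagged_socket([decoy, target_conn], TAG)
  stage = found ? read_stage(found, STAGE.bytesize) : nil
  { found: !found.nil?, stage: stage }
ensure
  [attacker, target_conn, decoy, decoy_peer].compact.each { |s| s.close rescue nil }
end

if __FILE__ == $0
  p run_scenario                       # tag first: found, stage delivered
  p run_scenario(prepend_blob: BLOB)   # blob first: tag not at head, not found
end
```

The point to take from the second run is the one the message makes about diagnosis: nothing on the attacker side fails when the blob goes first. The handler wrote everything it meant to write, so the only place the breakage is visible is on the target, which is why the earlier reply asks for a packet capture and for an explicit tag to look for.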


