[framework] Loading meterpreter extensions in ms 3.0 beta (shedding new light...)
Luke J
0xlukej at gmail.com
Thu Mar 1 17:52:08 CST 2007
I added that debug line and it is reporting the correct size which is
strange. So the problem must be in the transport to the server, the handling
at the server or just plainly a win2k3 problem.
I tried adding some debugging statements to files that make up metsrv.dll to
get it to write logs to keep track of stuff but couldn't even seem to get it
to write to files for some reason. My general C knowledge is OK but my
windows programming isn't really up to scratch so maybe I'm missing
something.
I might attach a debugger at some point but other than that I guess maybe
this will be an unsolved mystery. The VNC DLL is fine at 300k+ in size so I
imagine maybe this isn't going to be much of an issue practically unless
someone wants to write a huge extension.
On 3/1/07, mmiller at hick.org <mmiller at hick.org> wrote:
>
> On Thu, Mar 01, 2007 at 03:55:27PM +0000, Luke J wrote:
> > It was failing with the same ruby stack trace that Vedran had (as
> > below). I didn't attach a debugger but the server side didn't crash. I
> > could still carry on using the meterpreter perfectly.
> >
> > The error code 1168 is windows system error ERROR_NOT_FOUND which seemed
> > to be returned from the server side code based on my brief code
> > analysis.
> >
> > If this is definitely just due to the file size then I guess it is not
> > so big an issue unless people want to write some huge extensions.
> > However, I just figured it might be worth a little bit of investigation.
> >
> > If there is anything specific you'd like me to do/test or if you'd like
> > me to send you an example compiled DLL that fails on win2k3 then let me
> > know.
>
> As it relates to size, my only guess would be that somehow an incomplete
> version of the DLL is being sent to the server. Here's something to
> try.
>
> In lib/rex/post/meterpreter/client_core.rb inside load_library, there's
> this block of code:
>
> ::File.open(library_path, 'rb') { |f|
>   image = f.read
> }
>
> Try adding a $stdout.puts("#{image.length}") after that block. Compare
> the output to the size of the file. If they mismatch, then we know this
> is the problem.
>