Closed megabug closed 8 years ago
msfvenom -p windows/x64/meterpreter/reverse_tcp -f exe -a x86_64 --platform win
works fine when manually executed in the Win7 64bit instance, so I guess I'm doing something wrong when transferring into meterpreter...
So a simple test program that does a stack pivot before jumping to windows/x64/meterpreter/reverse_tcp
fails in the same way. I'm guessing that the broken stack stops the exception from getting to the default handler normally near the bottom of the stack.
It looks like debug messages got enabled by @OJ's commit rapid7/metasploit-payloads@0cbb86c a few months ago - perhaps by accident?
Hmm, that should be disabled @megabug - thanks for the catch.
in #7493 I rebuilt a metasploit-payloads gem without debug enabled. Does this resolve your issue @megabug ?
Yeah it does, thanks!
I'm writing my own exploit module for a vuln I've found. The exploit needs to function differently depending on the target, namely:
Using the 32/64bit reverse TCP staged meterpreter payloads, I get the following results:
DBG_PRINTEXCEPTION_C
With regards to the last case, the exploit's ropchains succeed, passing execution to stage0 generated by
windows/x64/meterpreter/reverse_tcp
. stage0 connects back OK, and downloads stage1 (metsrv) from the attacking host. stage1 is reflectively loaded, and the reflective loader passes control to metsrv via theInit
function. In theInit
function, a call todprintf
is made, which is effectively a call toOutputDebugStringA
: https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/server/metsrv.c#L19OutputDebugStringA/W
work by raising a software exception,DBG_PRINTEXCEPTION_C
(0x40010006
). For more info, check here.Normally, it appears that this exception is being ignored by Windows when it bubbles through the SEH handlers, if any, and being still unhandled. But in the Win7 64bit case, this is no longer the case - the process crashes when the exception is raised, and left unhandled entirely:
Note that despite the book I linked above, this isn't a false positive from what I can tell. This debugging output comes from a dump generated by ProcDump as the JIT debugger, so no debugger was attached at the time of the crash. With no JIT debugger, the process still crashes and the Windows event logs show that
DBG_PRINTEXCEPTION_C
still being the cause.I'm not sure how to proceed here... my understanding was that Windows was meant to ignore non-fatal exceptions like this if they're unhandled but a Google search shows lots of other things crashing in the same way, so I'm not sure of this either. Why would Win8+ be ok, as well as 32-bit Win7, too?
Am I missing something that I need to do in my exploit before jumping into stage0, or has something changed in meterpreter recently to cause this behaviour? (Sorry for the noise if its the former.)
Using git version, 865eb56 ("Bump to 1.1.25"), and Ruby 2.3.1p112, on Debian stretch.