-
Notifications
You must be signed in to change notification settings - Fork 13.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unhandled DBG_PRINTEXCEPTION_C exception using meterpreter #7482
Comments
|
So a simple test program that does a stack pivot before jumping to It looks like debug messages got enabled by @OJ's commit rapid7/metasploit-payloads@0cbb86c a few months ago - perhaps by accident? |
Hmm, that should be disabled @megabug - thanks for the catch. |
Yeah it does, thanks! |
I'm writing my own exploit module for a vuln I've found. The exploit needs to function differently depending on the target, namely:
Using the 32/64bit reverse TCP staged meterpreter payloads, I get the following results:
DBG_PRINTEXCEPTION_C
With regards to the last case, the exploit's ropchains succeed, passing execution to stage0 generated by
windows/x64/meterpreter/reverse_tcp
. stage0 connects back OK, and downloads stage1 (metsrv) from the attacking host. stage1 is reflectively loaded, and the reflective loader passes control to metsrv via theInit
function. In theInit
function, a call todprintf
is made, which is effectively a call toOutputDebugStringA
:https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/server/metsrv.c#L19
OutputDebugStringA/W
work by raising a software exception,DBG_PRINTEXCEPTION_C
(0x40010006
). For more info, check here.Normally, it appears that this exception is being ignored by Windows when it bubbles through the SEH handlers, if any, and being still unhandled. But in the Win7 64bit case, this is no longer the case - the process crashes when the exception is raised, and left unhandled entirely:
Note that despite the book I linked above, this isn't a false positive from what I can tell. This debugging output comes from a dump generated by ProcDump as the JIT debugger, so no debugger was attached at the time of the crash. With no JIT debugger, the process still crashes and the Windows event logs show that
DBG_PRINTEXCEPTION_C
still being the cause.I'm not sure how to proceed here... my understanding was that Windows was meant to ignore non-fatal exceptions like this if they're unhandled but a Google search shows lots of other things crashing in the same way, so I'm not sure of this either. Why would Win8+ be ok, as well as 32-bit Win7, too?
Am I missing something that I need to do in my exploit before jumping into stage0, or has something changed in meterpreter recently to cause this behaviour? (Sorry for the noise if its the former.)
Using git version, 865eb56 ("Bump to 1.1.25"), and Ruby 2.3.1p112, on Debian stretch.
The text was updated successfully, but these errors were encountered: