Information Security
penetration-test metasploit buffer-overflow metasploitable msfvenom
Updated Sat, 25 Jun 2022 06:26:25 GMT

Metasploit MsfVenom - Payload binds shell, but unable to spawn it with netcat


Running a SEH BoF exploit script that contains a payload that is generated from msfvenom as such:

msfvenom --payload windows/shell/bind_tcp --format py --arch x86 --platform windows --bad-chars "\x00\x20" EXITFUNC=seh

After running the script containing the said payload, I checked all active connections on the victim machine (WinXP SP3) by running netstat -an; there was an open port listening on 4444 (the default port for the msf payload). However, on the attacker's machine (Fedora 27) I was not able to spawn the shell using netcat as such:

nc [victim IP] 4444

After running the above command, the cursor just blinks below it. After hitting Enter (return), nc is killed, and so is the vulnerable program on the victim's PC. Does anybody have any ideas?

The only possible explanation right now is that the problem lies within the payload from msfvenom. I assume that because the payload was definitely executed, since there was an open port at 4444 on the victim's PC. So if the problem did not exist while the script was running, then it must be the payload that is creating the problem. What do you guys think?
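The netstat check described above is also the trace a defender would look for: a bind-shell payload leaves a new LISTENING TCP port (4444 by default). The script below is an added example, not code from the question or from Metasploit; it parses a constructed sample of Windows `netstat -an` output and flags listening ports that are not on an assumed baseline allowlist.

```python
# Added example (not from the original question): scan Windows `netstat -an`
# output for listening TCP ports that are not on an expected-service allowlist.
# A bind-shell payload such as the msfvenom windows/shell/bind_tcp one above
# leaves exactly this kind of trace: a new LISTENING port (4444 by default).
import re
from typing import Iterable

# Constructed sample of `netstat -an` output from a Windows XP host (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.56.101:139     0.0.0.0:0              LISTENING
  TCP    192.168.56.101:1043    192.168.56.1:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Ports a baseline WinXP SP3 box is expected to have open (assumed baseline,
# adjust to the host's known services).
EXPECTED_LISTEN_PORTS = {135, 139, 445}

# Matches only TCP sockets in LISTENING state; UDP and ESTABLISHED lines are skipped.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)


def listening_ports(netstat_output: str) -> dict[int, str]:
    """Return {port: local_address} for every TCP socket in LISTENING state."""
    found: dict[int, str] = {}
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[int(m.group(2))] = m.group(1)
    return found


def unexpected_listeners(netstat_output: str,
                         allowlist: Iterable[int] = EXPECTED_LISTEN_PORTS) -> list[int]:
    """Listening ports that are not in the allowlist, sorted ascending."""
    allowed = set(allowlist)
    return sorted(p for p in listening_ports(netstat_output) if p not in allowed)


if __name__ == "__main__":
    for port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener on port {port}")  # prints: unexpected listener on port 4444
```

On a live host, feed it the captured output of `netstat -an` instead of the constructed sample.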
Solution

After a while of messing with the attack, I noticed how the exploit would crash the program, and the alerted error message contained a module called hungapp and an offset of 00000000. Some more research was done; hungapp looks like a Microsoft security feature that blocks TCP connections. The last Microsoft security update for the victim's PC was published on 5/15/2017, which most likely patched against this type of SEH attack.