Dailydave mailing list archives

Metasploit's Msfencode


From: "Adam Bateman - 7Safe Information Security" <adam.bateman () 7safe com>
Date: Tue, 24 Oct 2006 20:24:41 +0100


Hi everyone,

I was wondering whether anyone could pass on some knowledge about msfencode.
I am having a go at developing an exploit for my own educational benefit.

The payload must avoid certain bad chars, so I have used msfencode to
generate a payload that successfully avoids the use of these chars. The
problem is that the payload must be split into two areas with a jmp command
to reach the second half. If I encode the payload, will the decoder be aware
that the second half also needs decoding? And does the JMP command need to
be encoded separately and then appended to the first half of the payload?

-----------------------------------------------------------------------------------

   [ENCODED PAYLOAD 2] * [ENCODED PAYLOAD 1]  [UN ENCODED REVERSE JMP]

(execution starts at *)

-----------------------------------------------------------------------------------

When I use msfencode does the payload end up like this?

[DECODER][ENCODED PAYLOAD]

Therefore removing half the payload will stop the decoder?


One final thing, why does msfencode in Metasploit framework 2.6 generate a
payload that's 1309 bytes and on msfweb (hosted on the Metasploit site)
generates a payload that's 447 bytes? Is the decoder not included in the
output?


Q summary:
-----------

1. How does msfencode work, where does it place the decoder?
2. Will the decoder still decode the second part of the payload?
3. Does the JMP command need to be encoded separately and then added to the
end of the first half of the payload?
4. Why do msfencode (msf 2.6) and msfweb output different size payloads,
is the decoder not included in msfweb?



Any help is very much appreciated.

Kind Regards,

ADAM

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
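The layout the post asks about, as an added toy model (not code from the original message and not msfencode's real stub): a constructed 3-byte "decoder" header that XOR-decodes a fixed number of bytes placed directly after it. The bad-char set, the payload bytes and the header format are all constructed assumptions; the model only shows why a single stub cannot reach a relocated second half, and that each chunk needs its own stub.

```python
"""Toy model of the [DECODER][ENCODED PAYLOAD] layout (constructed, not msfencode's
real stub): a 3-byte header [0xDE, key, n] XOR-decodes exactly n bytes after itself."""

BAD_CHARS = {0x00, 0x0A, 0x0D}  # constructed filter set for the demo
PAYLOAD = b"constructed chunk 1 | constructed chunk 2"  # 41 bytes, constructed

def pick_key(payload: bytes, bad=BAD_CHARS) -> int:
    """Single-byte XOR key; neither the key nor any output byte may be bad."""
    for key in range(1, 256):
        if key not in bad and all((b ^ key) not in bad for b in payload):
            return key
    raise ValueError("no single-byte XOR key avoids the bad chars")

def encode(payload: bytes, bad=BAD_CHARS) -> bytes:
    """Return toy header + XOR-encoded payload; the stub itself is checked too."""
    key = pick_key(payload, bad)
    header = bytes([0xDE, key, len(payload)])  # toy header: one length byte
    if any(b in bad for b in header):
        raise ValueError("decoder stub would contain a bad char")
    return header + bytes(b ^ key for b in payload)

def run_decoder(mem: bytearray, start: int) -> int:
    """Execute the toy decoder at mem[start]; returns the end offset."""
    key, n = mem[start + 1], mem[start + 2]
    for i in range(start + 3, start + 3 + n):
        mem[i] ^= key
    return start + 3 + n

def single_stub_split(payload: bytes, split_at: int, gap: int = 100):
    """Encode once, move the second half `gap` bytes away, run the one stub.
    Returns (first_ok, second_ok): the stub walks n contiguous bytes after
    itself, so the relocated half is never decoded."""
    assert 3 + len(payload) <= gap, "stub's n bytes must not reach region 2"
    blob = encode(payload)
    first, second = blob[3:3 + split_at], blob[3 + split_at:]
    mem = bytearray(gap + len(second))
    mem[0:3 + len(first)], mem[gap:] = blob[:3] + first, second
    run_decoder(mem, 0)
    return (bytes(mem[3:3 + len(first)]) == payload[:split_at],
            bytes(mem[gap:]) == payload[split_at:])

def stub_per_chunk(payload: bytes, split_at: int, gap: int = 100):
    """Give each chunk its own decoder; both halves then decode correctly."""
    c1, c2 = encode(payload[:split_at]), encode(payload[split_at:])
    mem = bytearray(gap + len(c2))
    mem[0:len(c1)], mem[gap:] = c1, c2
    e1, e2 = run_decoder(mem, 0), run_decoder(mem, gap)
    return (bytes(mem[3:e1]) == payload[:split_at],
            bytes(mem[gap + 3:e2]) == payload[split_at:])
```

The same fixed-length contract is why the unencoded stub in front of the data is the constant part of such a blob: the data changes with the key, the stub does not.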
