Metasploit mailing list archives
payloads ending with a RET
From: Nadie <n0s0yn4die () gmail com>
Date: Sun, 13 Jun 2010 22:33:44 +0200
Hi All,

I'm using the Win32 Kernel Shellcode (by Stephen Fewer) explained here: http://blog.harmonysecurity.com/2009/11/implementing-win32-kernel-shellcode.html

I want to do all the work (copy the user payload to SharedUserData, hook the SYSENTER MSR, clear the NX bit from the PTE, intercept the SYSENTER user call, unhook the MSR, and execute the user payload) without breaking the intercepted process (stealth). If I use the MSF payloads that normally exit, the intercepted ring3 process dies.

Is there any way to create the payloads ending with a ret and a fixed stack?

For example, I can use windows/exec but I have to manually change the last part, the fixed call to exit:

    push byte 0          ; push the desired exit code parameter
    push 0x56A2B5F0      ; push the hash value for ExitProcess
    call ebp             ; call kernel32.dll!ExitProcess( 0 )

or the:

    %include "./src/block/block_exitfunk.asm"

by a:

    retn

If I try to use the reverse_https stager, and the handler is not up or the connection fails, I have to manually fix:

    failure:
      push 0x56A2B5F0    ; hardcoded to exitprocess for size
      call ebp

by:

    add esp, 0x0c
    retn

(or ret 0x0c)

And so on... Am I missing something? I'm sure there is probably an easy way to fix the user payloads.

Thx in advance.

PS: I've tried EXITFUNC=seh, thread, and process, but there isn't anything similar to EXITFUNC=ret.
Current thread:
- payloads ending with a RET Nadie (Jun 13)
- Re: payloads ending with a RET HD Moore (Jun 13)
- Re: payloads ending with a RET kktmp1 (Jun 13)
- Re: payloads ending with a RET HD Moore (Jun 13)