Metasploit mailing list archives
Re: WinExec payload?
From: Jun Koi <junkoi2004 () gmail com>
Date: Wed, 18 May 2011 16:27:09 +0800
silly me, i put the breakpoint at the wrong place. now it works! thanks a lot, everyobydy! J On Wed, May 18, 2011 at 3:43 PM, Peter Van Eeckhoutte <peter.ve () corelan be> wrote:
It uses kernel32.WinExec - so either set a bp before the shellcode starts to run and step through, or set a bp at kernel32.WinExec before running the shellcode (worked fine for me) -----Original Message----- From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of Abuse007 Sent: woensdag 18 mei 2011 9:25 To: Jun Koi Cc: framework () spool metasploit com Subject: Re: [framework] WinExec payload? Hi Jun, I haven't looked into metasploit's WinExec shellcode but it is probably working out the addresses of the functions in the libraries that it needs. The addresses of breakpoints you are setting and the calculated addresses might not match. The shellcode could be calling a little past the function prologue. Try setting the break points further into the functions. Also in general some functions are merely wrappers around others, so break on the lowest level function. Msf may have source code or documentation on the shellcode. Otherwise disassemble it and have a look at how it is working. I may be missing something myself, but I hope the above helps. On 18/05/2011, at 3:38 PM, Jun Koi <junkoi2004 () gmail com> wrote:hi, i am using payload WinExec to test one vulnerable application (the exploitation also comes from metasploit) before launching the exploit, i put 2 breakpoints on WinExec and GetProcAddress function of this application. then i run the exploit, and it successes. however, the problem is none of my breakpoints were triggered. this is a surprise to me, as i supposed that the payload cannot work without using these 2 functions. clearly i missed something there! could anybody please tell me why this happens? thanks a lot, Jun _______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework This transmission is intended only for use by the intended recipient(s). If you are not an intended recipient you should not read, disclose, copy, circulate or in any other way use the information contained in this transmission. The information contained in this transmission may be confidential and/or privileged. If you have received this transmission in error, please notify the sender immediately and delete this transmission including any attachments.
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- WinExec payload? Jun Koi (May 17)
- Re: WinExec payload? Jose Selvi (May 17)
- Re: WinExec payload? Jun Koi (May 17)
- Re: WinExec payload? Jose Selvi (May 17)
- Re: WinExec payload? Jun Koi (May 17)
- Re: WinExec payload? Abuse007 (May 18)
- Re: WinExec payload? Peter Van Eeckhoutte (May 18)
- Re: WinExec payload? Jun Koi (May 18)
- Re: WinExec payload? Peter Van Eeckhoutte (May 18)
- Re: WinExec payload? Jose Selvi (May 17)