Re: WinExec payload?

[Jun Koi <junkoi2004 () gmail com>]

silly me, i put the breakpoint at the wrong place. now it works!

thanks a lot, everyobydy!
J

On Wed, May 18, 2011 at 3:43 PM, Peter Van Eeckhoutte
<peter.ve () corelan be> wrote:
> It uses kernel32.WinExec - so either set a bp before the shellcode starts to run and step through,
> or set a bp at kernel32.WinExec before running the shellcode
> (worked fine for me)
>
>
>
> -----Original Message-----
> From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of 
> Abuse007
> Sent: woensdag 18 mei 2011 9:25
> To: Jun Koi
> Cc: framework () spool metasploit com
> Subject: Re: [framework] WinExec payload?
>
> Hi Jun,
>
> I haven't looked into metasploit's WinExec shellcode but it is probably working out the addresses of the functions in 
> the libraries that it needs. The addresses of breakpoints you are setting and the calculated addresses might not 
> match. The shellcode could be calling a little past the function prologue. Try setting the break points further into 
> the functions.
>
> Also in general some functions are merely wrappers around others, so break on the lowest level function.
>
> Msf may have source code or documentation on the shellcode. Otherwise disassemble it and have a look at how it is 
> working.
>
> I may be missing something myself, but I hope the above helps.
>
>
> On 18/05/2011, at 3:38 PM, Jun Koi <junkoi2004 () gmail com> wrote:
>
> > hi,
> >
> > i am using payload WinExec to test one vulnerable application (the exploitation also comes from metasploit)
> >
> > before launching the exploit, i put 2 breakpoints on WinExec and GetProcAddress function of this application.
> > then i run the exploit, and it successes.
> >
> > however, the problem is none of my breakpoints were triggered. this is a surprise to me, as i supposed that the 
> > payload cannot work without using these 2 functions. clearly i missed something there!
> >
> > could anybody please tell me why this happens?
> >
> > thanks a lot,
> > Jun
> >
> > _______________________________________________
> > https://mail.metasploit.com/mailman/listinfo/framework
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
>
> This transmission is intended only for use by the intended recipient(s).  If you are not an intended recipient you 
> should not read, disclose, copy, circulate or in any other way use the information contained in this transmission.  
> The information contained in this transmission may be confidential and/or privileged.  If you have received this 
> transmission in error, please notify the sender immediately and delete this transmission including any attachments.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework