Metasploit mailing list archives
Re: Writing an encoder
From: John Strand <strandjs () gmail com>
Date: Tue, 26 Jul 2011 11:33:07 -0600
Not quite the same thing. But close.. Check out stripwire.pl.

HTH,
John

On Tue, Jul 26, 2011 at 9:35 AM, Paul Johnston <paj () pajhome org uk> wrote:

Hi,

I have an interesting vulnerability to exploit. I can place a file on the victim's computer (Windows), so for now I am placing a .exe file in their startup directory. I'm using windows/shell_reverse_tcp encoded using msfpayload/msfencode. This gets me a shell when the user reboots, which will do for the purpose of my demo.

However, to place the file it needs to match a particular checksum, which works in 512-byte blocks. If I can modify two bytes in each block, I can "massage" the file to have the correct checksum. So, what I need is an encoder that lets me do this without messing up the .exe file. I was thinking that it could inject something like the following, every 512 bytes:

push eax
mov 0x00000000, eax
pop eax

That way, I can tamper with the 0x00000000 without messing up the code.

I am going to press on with implementing this. What I wondered is: has anyone tried something similar? Any alternative ideas for achieving this? Any pitfalls to be wary of?

Advice would be much appreciated :-)

Paul
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
-- John Strand Office: (605) 550-0742 Cell: (303) 710-1171
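The following is an added illustration of the integrity point behind the thread; it is not code from the thread or from Metasploit. The real checksum is never named, so it assumes a hypothetical one: the 16-bit little-endian word sum of each 512-byte block. The function names, the constructed sample data and the 0xBEEF target are all made up here. It shows why a per-block checksum that two free bytes can steer is no integrity control, and why the same two free bytes get nowhere against a cryptographic hash, which is what a file-acceptance check should use instead.

```python
import hashlib
import struct

BLOCK = 512  # checksum granularity described in the thread


def make_sample() -> bytes:
    """Constructed stand-in for the .exe: 4 blocks of deterministic pseudo-random bytes."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))


def word_sum16(block: bytes) -> int:
    """Hypothetical checksum (assumption, not the thread's real one):
    sum of little-endian 16-bit words of one 512-byte block, mod 2^16."""
    if len(block) != BLOCK:
        raise ValueError("block must be exactly %d bytes" % BLOCK)
    words = struct.unpack("<%dH" % (BLOCK // 2), block)
    return sum(words) & 0xFFFF


def steer_block(block: bytes, free_offset: int, target: int) -> bytes:
    """Return a copy of `block` whose word_sum16 equals `target`, touching only
    the two bytes at `free_offset` (even, so they form one 16-bit word).
    One free word gives 2^16 choices, exactly enough to hit any 16-bit target,
    which is why such a checksum says nothing about the rest of the block."""
    if free_offset % 2 or not 0 <= free_offset < BLOCK - 1:
        raise ValueError("free_offset must be even and inside the block")
    buf = bytearray(block)
    buf[free_offset:free_offset + 2] = b"\x00\x00"        # zero the free word first
    fill = (target - word_sum16(bytes(buf))) & 0xFFFF      # what the free word must contribute
    struct.pack_into("<H", buf, free_offset, fill)
    return bytes(buf)


def steer_file(data: bytes, free_offset: int, target: int) -> bytes:
    """Apply steer_block to every 512-byte block of `data`."""
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        out += steer_block(data[i:i + BLOCK], free_offset, target)
    return bytes(out)


def brute_force_sha256(block: bytes, free_offset: int, target_digest: bytes):
    """Try every value of the free word and return one whose SHA-256 equals
    `target_digest`, or None. 2^16 candidates against a 256-bit digest never
    succeed in practice: that is the property an integrity check needs."""
    buf = bytearray(block)
    for v in range(0x10000):
        struct.pack_into("<H", buf, free_offset, v)
        if hashlib.sha256(buf).digest() == target_digest:
            return v
    return None


def demo(target: int = 0xBEEF, free_offset: int = 0x100) -> dict:
    sample = make_sample()
    steered = steer_file(sample, free_offset, target)
    sums = [word_sum16(steered[i:i + BLOCK]) for i in range(0, len(steered), BLOCK)]
    changed = [i for i in range(len(sample)) if steered[i] != sample[i]]
    # Constructed, unrelated target digest: the free word cannot be solved for it.
    unrelated = hashlib.sha256(b"constructed target digest").digest()
    hit = brute_force_sha256(steered[:BLOCK], free_offset, unrelated)
    return {"sums": sums, "changed_offsets": changed, "sha256_steerable": hit is not None}


if __name__ == "__main__":
    print(demo())
```

Every block's word sum lands on 0xBEEF while only the two free bytes per block change, whereas the same freedom finds no SHA-256 match. The defensive conclusion is the one the thread implies: a system that accepts a file because its per-block checksum is right has no integrity guarantee at all; acceptance should depend on a cryptographic hash of the whole file or, better, a signature.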