Dailydave mailing list archives
Re: Metasploits Msfencode
From: Dave Aitel <dave () immunitysec com>
Date: Tue, 24 Oct 2006 16:03:17 -0400
Important administrivia note: For only 3101 USD you can get a year's worth of support on CANVAS's encoders, which will do what you want to do here. :> And if it doesn't, then we assign someone to make it so! You can still feel free to send messages to DailyDave about it though.

Also, as for the moderator dropping messages: sometimes this is a system glitch, and sometimes the moderators get bored with a particular thread and just hard-kill it. Sometimes five people email all with the same basic information as Dave Korn already posted, so everyone after him gets dropped. Sometimes off-topic posts that are amusing or from someone who knows the difference between TCP/IP and a hole in the ground get through. Usually a one-line post will not get through, but sometimes I click "Accept" by mistake.

A few other things stirring in my head:

1. Matt Hargett - I think I speak for the entire information security world when I say: WE KNOW YOUR SEXUAL PREFERENCE. :>

2. Congrats to Nicolas Waisman, who is now a married man! (If you use any of CANVAS's heap overflows, you're using Nico's work!)

-dave

Adam Bateman - 7Safe Information Security wrote:
> Hi everyone, I was wondering whether anyone could pass on some knowledge about msfencode.
>
> I am having a go at developing an exploit for my own educational benefit. The payload must avoid certain bad chars, so I have used msfencode to generate a payload that successfully avoids the use of these chars. The problem is that the payload must be split into two areas with a jmp command to reach the second half. If I encode the payload, will the decoder be aware that the second half also needs decoding? And does the JMP command need to be encoded separately and then appended to the first half of the payload?
>
> ----------------------------------------------------------------------------
> [ENCODED PAYLOAD 2]
> *
> [ENCODED PAYLOAD 1]
> [UN ENCODED REVERSE JMP]
> (execution starts at *)
> ----------------------------------------------------------------------------
>
> When I use msfencode, does the payload end up like this?
>
> [DECODER][ENCODED PAYLOAD]
>
> Therefore removing half the payload will stop the decoder?
>
> One final thing: why does msfencode in Metasploit Framework 2.6 generate a payload that's 1309 bytes, while msfweb (hosted on the Metasploit site) generates a payload that's 447 bytes? Is the decoder not included in the output?
>
> Q summary:
> -----------
> 1. How does msfencode work, where does it place the decoder?
> 2. Will the decoder still decode the second part of the payload?
> 3. Does the JMP command need to be encoded separately and then added to the end of the first half of the payload?
> 4. Why do msfencode (msf 2.6) and msfweb output different size payloads? Is the decoder not included in msfweb?
>
> Any help is very much appreciated.
>
> Kind Regards,
> ADAM
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
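Neither message answers questions 1-3 in the quoted post, so here is an added example that is not from the thread and is not msfencode's code: a C model of the [DECODER][ENCODED PAYLOAD] layout, built on the classic 32-bit x86 JMP/CALL/POP single-byte XOR decoder stub. The stub bytes are hand-assembled as data and are never executed; run_decoder() re-implements in C the one thing such a stub does at run time (XOR a fixed count of bytes that follow it), so the effect of splitting the encoded bytes around an unencoded jmp can be checked on any host. The payload bytes, the bad-char lists and every function name here are constructed for the example; msfencode's own decoders differ in detail, and its output should be checked against the bad-char list the same way the code below checks its own.

```c
/* Added example, not msfencode's code: models a [STUB][XOR-encoded payload] unit
 * using the classic 32-bit x86 JMP/CALL/POP decoder. The stub is data only and is
 * never executed; run_decoder() models its run-time behaviour in C. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STUB_LEN 20
#define STUB_LEN_OFF 6   /* imm8 of "mov cl, LEN" */
#define STUB_KEY_OFF 9   /* imm8 of "xor byte [esi], KEY" */

/* 00: EB 0D          jmp short 0x0F
 * 02: 5E             pop esi             ; esi = address of the encoded bytes
 * 03: 31 C9          xor ecx, ecx
 * 05: B1 LEN         mov cl, LEN         ; byte count, so a unit holds <= 255 bytes
 * 07: 80 36 KEY      xor byte [esi], KEY
 * 0A: 46             inc esi
 * 0B: E2 FA          loop 0x07
 * 0D: EB 05          jmp short 0x14      ; into the now-decoded payload
 * 0F: E8 EE FF FF FF call 0x02           ; pushes 0x14, the payload address
 * 14:                encoded payload must follow here, contiguously */
static const uint8_t stub_template[STUB_LEN] = {
    0xEB,0x0D, 0x5E, 0x31,0xC9, 0xB1,0x00, 0x80,0x36,0x00,
    0x46, 0xE2,0xFA, 0xEB,0x05, 0xE8,0xEE,0xFF,0xFF,0xFF };

/* Constructed stand-in for shellcode; it deliberately contains 0x00 and 0x0A. */
static const uint8_t payload[] = { 0xB8,0x00,0x00,0x00,0x00, 0x0A, 0x68,0x2F,0x73,0x68,
                                   0x00, 0x31,0xC0,0xCD,0x80 };
static const uint8_t badchars[]    = { 0x00, 0x0A };
static const uint8_t badchars_cr[] = { 0x00, 0x0D };  /* 0x0D also sits inside the stub */

/* Index of the first bad char in buf, or -1 if buf is clean. */
int find_badchar(const uint8_t *buf, size_t n, const uint8_t *bad, size_t nbad) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) return (int)i;
    return -1;
}

/* Write [STUB][payload ^ KEY] to out and return KEY, or -1 if no single-byte key
 * works. The whole unit is checked, because LEN and KEY are bytes inside the stub
 * (a 10-byte payload gives LEN = 0x0A here, which no key choice can fix). */
int build_unit(const uint8_t *p, size_t plen, const uint8_t *bad, size_t nbad, uint8_t *out) {
    if (plen == 0 || plen > 255) return -1;
    for (int key = 1; key < 256; key++) {
        memcpy(out, stub_template, STUB_LEN);
        out[STUB_LEN_OFF] = (uint8_t)plen;
        out[STUB_KEY_OFF] = (uint8_t)key;
        for (size_t i = 0; i < plen; i++) out[STUB_LEN + i] = p[i] ^ (uint8_t)key;
        if (find_badchar(out, STUB_LEN + plen, bad, nbad) < 0) return key;
    }
    return -1;
}

int unit_fits_badchars(const uint8_t *bad, size_t nbad) {
    uint8_t out[STUB_LEN + sizeof payload];
    return build_unit(payload, sizeof payload, bad, nbad, out);
}

/* What the stub does when it runs: XOR exactly LEN bytes that sit immediately
 * after it. It has no notion of a second chunk. Returns the payload offset. */
size_t run_decoder(uint8_t *mem, size_t entry) {
    uint8_t len = mem[entry + STUB_LEN_OFF], key = mem[entry + STUB_KEY_OFF];
    for (size_t i = 0; i < len; i++) mem[entry + STUB_LEN + i] ^= key;
    return entry + STUB_LEN;
}

/* The layout from the question with ONE decoder over the whole payload:
 * [enc half2] ... [STUB][enc half1][jmp back]. Returns 1 only if both halves come
 * out decoded; they do not: the stub walks LEN bytes forward, through the jmp. */
int split_with_one_decoder_ok(void) {
    uint8_t unit[STUB_LEN + sizeof payload], mem[128] = {0};
    size_t n = sizeof payload, h = n / 2, entry = 32;
    if (build_unit(payload, n, badchars, sizeof badchars, unit) < 0) return -1;
    memcpy(mem, unit + STUB_LEN + h, n - h);       /* half2 at offset 0 */
    memcpy(mem + entry, unit, STUB_LEN + h);       /* stub + half1 at 32 */
    size_t jmp_at = entry + STUB_LEN + h;
    mem[jmp_at] = 0xEB;                            /* jmp short rel8, unencoded */
    mem[jmp_at + 1] = (uint8_t)(0 - (jmp_at + 2));
    size_t d = run_decoder(mem, entry);
    return memcmp(mem + d, payload, h) == 0 && memcmp(mem, payload + h, n - h) == 0;
}

/* Working layout: each half is its own [STUB][enc] unit and the jmp is a plain
 * instruction between units: [unit2] ... [unit1][jmp short unit2], entry at unit1. */
int split_with_two_decoders_ok(void) {
    uint8_t mem[160] = {0}, u1[STUB_LEN + 255], u2[STUB_LEN + 255];
    size_t n = sizeof payload, h = n / 2, u2_at = 0, u1_at = 64;
    if (build_unit(payload, h, badchars, sizeof badchars, u1) < 0) return -1;
    if (build_unit(payload + h, n - h, badchars, sizeof badchars, u2) < 0) return -1;
    memcpy(mem + u2_at, u2, STUB_LEN + (n - h));
    memcpy(mem + u1_at, u1, STUB_LEN + h);
    size_t jmp_at = u1_at + STUB_LEN + h;
    mem[jmp_at] = 0xEB;
    mem[jmp_at + 1] = (uint8_t)(u2_at - (jmp_at + 2));   /* rel8 is a byte to check too */
    if (find_badchar(mem + jmp_at, 2, badchars, sizeof badchars) >= 0) return -1;
    size_t d1 = run_decoder(mem, u1_at);                  /* stub1 decodes half1; half1 runs */
    size_t target = (size_t)((long)jmp_at + 2 + (int8_t)mem[jmp_at + 1]);
    size_t d2 = run_decoder(mem, target);                 /* the jmp lands on stub2 */
    return memcmp(mem + d1, payload, h) == 0 && memcmp(mem + d2, payload + h, n - h) == 0;
}

int main(void) {
    printf("one decoder: %d  two decoders: %d\n", split_with_one_decoder_ok(), split_with_two_decoders_ok());
    return 0;
}
```

The model answers the general form of questions 1-3: an encoded payload is a decoder stub followed by the encoded bytes the stub walks, and a stub that decodes a fixed, contiguous byte count cannot know about a second chunk or skip over an instruction placed in the middle. Cutting the encoded output in two therefore leaves the second half encoded (or, with LEN covering the whole payload, XORs the jmp and whatever lies beyond it). The conventional construction is to encode each chunk as its own [DECODER][ENCODED] unit and keep the jmp between them as a plain, unencoded instruction, checking the jmp's own two bytes and the stub bytes (LEN, KEY and the fixed opcodes) against the bad-char list as well; the `badchars_cr` case shows a stub rejected outright because 0x0D is part of its fixed bytes, which is a different-stub problem, not a key-choice problem.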
Current thread:
- Metasploits Msfencode Adam Bateman - 7Safe Information Security (Oct 24)
- Re: Metasploits Msfencode Dave Aitel (Oct 24)