Dailydave mailing list archives

Re: Metasploits Msfencode


From: Dave Aitel <dave () immunitysec com>
Date: Tue, 24 Oct 2006 16:03:17 -0400

Important administrivia note:

For only 3101 USD you can get a year's worth of support on CANVAS's
encoders, which will do what you want to do here. :> And if it doesn't
then we assign someone to make it so! You can still feel free to send
messages to DailyDave about it though.

Also, as for the moderator dropping messages: sometimes this is a
system glitch, and sometimes the moderators get bored with a
particular thread and just hard-kill it. Sometimes five people email
all with the same basic information as Dave Korn already posted, so
everyone after him gets dropped. Sometimes off-topic posts that are
amusing or from someone who knows the difference between TCP/IP and a
hole in the ground get through. Usually a one-line post will not get
through, but sometimes I click "Accept" by mistake.

A few other things stirring in my head:
1. Matt Hargett - I think I speak for the entire information security
world when I say: WE KNOW YOUR SEXUAL PREFERENCE. :>
2. Congrats to Nicolas Waisman who is now a married man! (If you use
any of CANVAS's heap overflows, you're using Nico's work!)

-dave

Adam Bateman - 7Safe Information Security wrote:
Hi everyone,

I was wondering whether anyone could pass on some knowledge about
msfencode.
I am having a go at developing an exploit for my own educational benefit.

The payload must avoid certain bad chars so I have used msfencode to
generate a payload that successfully avoids the use of these chars. The
problem is that the payload must be split into two areas with a jmp
command to reach the second half. If I encode the payload, will the decoder
be aware that the second half also needs decoding? And does the JMP command
need to be encoded separately and then appended to the first half of the
payload?

-----------------------------------------------------------------------------------

   [ENCODED PAYLOAD 2] * [ENCODED PAYLOAD 1]  [UN ENCODED REVERSE JMP]

(execution starts at *)

-----------------------------------------------------------------------------------

When I use msfencode does the payload end up like this?

[DECODER][ENCODED PAYLOAD]

Therefore removing half the payload will stop the decoder?


One final thing, why does msfencode in Metasploit Framework 2.6 generate a
payload that's 1309 bytes while msfweb (hosted on the Metasploit site)
generates a payload that's 447 bytes? Is the decoder not included in the
output?


Q summary:
-----------

1. How does msfencode work, where does it place the decoder?
2. Will the decoder still decode the second part of the payload?
3. Does the JMP command need to be encoded separately and then added to
the end of the first half of the payload?
4. Why do msfencode (msf 2.6) and msfweb output different size payloads,
is the decoder not included in msfweb?



Any help is very much appreciated.

Kind Regards,

ADAM

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
