Metasploit mailing list archives
Opcode db suggestion and msfencode question
From: RaMatkal at hotmail.com (RaMatkal)
Date: Thu, 26 May 2005 13:40:10 +0200
> Well, assuming you are exploiting something on win32, you can use an entirely alphanum geteip. Other platforms rely on a small non-alphanum stub to get eip, which can generally lead to problems. Here's an example:
>
> $ perl -e "\xcc" | ./msfencode -e PexAlphaNum GETPCTYPE=win32
> [*] Using Msf::Encoder::PexAlphaNum with final size of 123 bytes
> "\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48\x50\x68".
> "\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41\x51\x51\x44\x44".
> "\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58\x56\x6a\x30\x50\x50\x54".
> "\x55\x50\x50\x61\x33\x30\x31\x30\x38\x39\x4f\x49\x49\x49\x49\x49".
> "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
> "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
> "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
> "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x5a";
>
> Give that a shot and see if it works for you.
On first glance, msfencode is producing alphanum shellcode, however it seems to be broken? I've tried a couple of different things but nothing seems to work... Basically I am trying to do a JUMP -700 bytes which is alphanum encoded. In order to achieve this, I tried doing:

sub ebx, 2a4    # 81EB A4020000
jmp ebx         # FFE3

since ebx is 676 bytes away from where I want to jump. So I tried doing:

perl -e 'print "\x81\xeb\xa4\x02\x00\x00\xff\xe3"' | ./msfencode -b "\x00" -e PexAlphaNum GETPCTYPE=win32

which produced:

[*] Using Msf::Encoder::PexAlphaNum with final size of 139 bytes
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48\x50\x68".
"\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41\x51\x51\x44\x44".
"\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58\x56\x6a\x30\x50\x50\x54".
"\x55\x50\x50\x61\x33\x30\x31\x30\x38\x39\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x58\x4b\x4e\x46\x4a".
"\x44\x50\x42\x50\x42\x30\x4f\x4f\x43\x4e\x5a";

Unfortunately the above shellcode causes an exception... I tried encoding a few other instructions as well, but they all seem to cause the same exception when memory is accessed from [ecx], which contains 000000030... Am I doing something really wrong here?

Thanks,
RaMatkal
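The following C program is an added example for this thread, not code posted by either participant or shipped with Metasploit. It performs the two checks a practitioner would do before blaming the encoder: it rebuilds the 8-byte `sub ebx, 0x2a4 ; jmp ebx` stub from the post and counts its NUL bytes (the reason `-b "\x00"` was needed), shows that an equivalent `add ebx, -676` stub has no NULs at all, and verifies that both msfencode outputs quoted above consist only of 0-9, A-Z and a-z. It also compares the two quoted outputs byte for byte: they share a 122-byte prefix and end in the same byte, so the 8-byte stub accounts for exactly 16 of the 139 bytes. The `add`-based stub and the helper names are this example's own choices; the byte strings are copied verbatim from the thread.

```c
/* Added example (not part of the mailing-list thread): sanity checks on the
 * jmp stub and on the PexAlphaNum output quoted above.
 * Build: cc -std=c99 -Wall stubcheck.c -o stubcheck */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stub variants. use_add == 0: "sub ebx, imm32 ; jmp ebx" (81 EB imm32, FF E3)
 * as in the post; use_add != 0: "add ebx, imm32 ; jmp ebx" (81 C3 imm32, FF E3),
 * this example's null-free alternative when imm is negative. */
size_t build_stub(int use_add, uint32_t imm, unsigned char out[8]) {
    out[0] = 0x81;
    out[1] = use_add ? 0xC3 : 0xEB;          /* ModRM: add/sub ebx, imm32 */
    out[2] = (unsigned char)(imm & 0xff);    /* imm32, little-endian */
    out[3] = (unsigned char)((imm >> 8) & 0xff);
    out[4] = (unsigned char)((imm >> 16) & 0xff);
    out[5] = (unsigned char)((imm >> 24) & 0xff);
    out[6] = 0xFF;                           /* jmp ebx */
    out[7] = 0xE3;
    return 8;
}

/* How many times byte b occurs in buf (used for bad-char checks). */
size_t count_byte(const unsigned char *buf, size_t len, unsigned char b) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == b) n++;
    return n;
}

/* NUL count of a freshly built stub, for callers without a scratch buffer. */
size_t stub_null_count(int use_add, uint32_t imm) {
    unsigned char s[8];
    return count_byte(s, build_stub(use_add, imm, s), 0x00);
}

/* 1 if every byte is in [0-9A-Za-z], else 0 (the alphanum-encoder contract). */
int is_alphanum_buf(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                 (c >= 'a' && c <= 'z');
        if (!ok) return 0;
    }
    return 1;
}

/* Length of the common prefix of two buffers. */
size_t common_prefix(const unsigned char *a, size_t alen,
                     const unsigned char *b, size_t blen) {
    size_t n = alen < blen ? alen : blen, i = 0;
    while (i < n && a[i] == b[i]) i++;
    return i;
}

/* The two encoder outputs exactly as quoted in the thread. */
static const unsigned char PEX_OUT_123[] =
    "\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48\x50\x68"
    "\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41\x51\x51\x44\x44"
    "\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58\x56\x6a\x30\x50\x50\x54"
    "\x55\x50\x50\x61\x33\x30\x31\x30\x38\x39\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x5a";

static const unsigned char PEX_OUT_139[] =
    "\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48\x50\x68"
    "\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41\x51\x51\x44\x44"
    "\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58\x56\x6a\x30\x50\x50\x54"
    "\x55\x50\x50\x61\x33\x30\x31\x30\x38\x39\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x41\x58\x4b\x4e\x46\x4a"
    "\x44\x50\x42\x50\x42\x30\x4f\x4f\x43\x4e\x5a";

int main(void) {
    size_t l123 = sizeof PEX_OUT_123 - 1, l139 = sizeof PEX_OUT_139 - 1;
    printf("sub ebx,0x2a4 stub NULs: %zu\n", stub_null_count(0, 0x2a4));
    printf("add ebx,-676 stub NULs:  %zu\n", stub_null_count(1, (uint32_t)-676));
    printf("123-byte output alphanum: %d\n", is_alphanum_buf(PEX_OUT_123, l123));
    printf("139-byte output alphanum: %d\n", is_alphanum_buf(PEX_OUT_139, l139));
    printf("shared prefix: %zu bytes, extra in 139-byte output: %zu\n",
           common_prefix(PEX_OUT_123, l123, PEX_OUT_139, l139), l139 - l123);
    return 0;
}
```

Because the shared 122-byte prefix is identical in both outputs, the charset and length checks cannot distinguish the decoder from the encoded payload; if the decoded stub still faults, the next step is to single-step the decoder in a debugger and confirm what ecx holds when the faulting access happens, which this example does not attempt.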
Current thread:
- Opcode db suggestion and msfencode question RaMatkal (May 25)
- Opcode db suggestion and msfencode question mmiller at hick.org (May 25)
- Opcode db suggestion and msfencode question RaMatkal (May 26)
- Opcode db suggestion and msfencode question mmiller at hick.org (May 25)