Metasploit mailing list archives
Exploit writing payload idea
From: hdm at metasploit.com (H D Moore)
Date: Fri, 17 Nov 2006 14:36:59 -0600
This actually already exists. I use these routines every day for exploit development. In version 2.7, call Pex::Text::PatternCreate(length) and in version 3.0 call Rex::Text.pattern_create(length). You can then use sdk/patternOffset.pl and tools/pattern_offset.rb to determine where in the buffer your return address goes.

The 0xdefaced demo stack dump for the Airport exploit was a quick way to show control of a write operation. Unfortunately, this isn't a straight stack overflow and it's taking some time to develop a reliable exploit (you corrupt internal kernel heap memory, so there's no telling which process or driver ends up using the corrupted chunk).

-HD

On Friday 17 November 2006 14:23, mat wrote:
> Anyways, I thought that this would be a cool payload generator for metasploit. It seems like it wouldn't be very difficult to write. Tell me if this is something people actually use, or am I way off in my thinking. Just an epiphany I had, and wanted to
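The pattern_create / pattern_offset routines HD describes, reimplemented below as an added, stand-alone example (this is not Metasploit's own code): the same Aa0Aa1Aa2... alphabet, and an offset lookup that accepts either a raw fragment of the buffer or a hex dword the way a debugger shows it (little-endian). The dword_at helper is an assumption added here to show the round trip from a crash register value back to a buffer offset.

```ruby
# Cyclic-pattern helpers in the style of Metasploit's pattern_create
# and pattern_offset (added example, not the project's code).

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Build a pattern of triplets Aa0 Aa1 ... Aa9 Ab0 ... Zz9 (20280 bytes
# before it repeats), truncated to `length` bytes. Every 3-byte triplet
# is unique within one period, so a 4-byte window found in a register
# identifies exactly one offset.
def pattern_create(length)
  out = +''
  until out.length >= length
    UPPER.each { |u| LOWER.each { |l| DIGIT.each { |d| out << u << l << d } } }
  end
  out[0, length]
end

# Given a value seen in a crash (either a raw fragment like "b3Ab" or a
# hex register value like "0x41336241"), return its offset into the
# pattern, or nil if it does not occur. Hex values are unpacked
# little-endian, since that is how the bytes sat in memory on x86.
def pattern_offset(value, length = 8192)
  needle =
    if value =~ /\A0x\h+\z/
      v = value.to_i(16)
      value.length > 10 ? [v].pack('Q<') : [v].pack('V') # 64- or 32-bit
    else
      value
    end
  pattern_create(length).index(needle)
end

# Format the 4 bytes at `offset` of `buf` as a debugger prints a
# little-endian 32-bit register, e.g. "0x41336241" for the bytes "Ab3A".
# (Hypothetical helper, added to demonstrate the round trip.)
def dword_at(buf, offset)
  format('0x%08x', buf[offset, 4].unpack1('V'))
end

if __FILE__ == $PROGRAM_NAME
  buf = pattern_create(5000)          # the buffer you would send
  eip = dword_at(buf, 1337)           # what the crash register would show
  puts "EIP #{eip} -> offset #{pattern_offset(eip, buf.length)}"
end
```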