Metasploit mailing list archives

Exploit writing payload idea


From: hdm at metasploit.com (H D Moore)
Date: Fri, 17 Nov 2006 14:36:59 -0600

This actually already exists. I use these routines every day for exploit 
development. In version 2.7, call Pex::Text::PatternCreate(length) and in 
version 3.0 call Rex::Text.pattern_create(length). You can then use 
sdk/patternOffset.pl and tools/pattern_offset.rb to determine where in 
the buffer your return address goes.

The 0xdefaced demo stack dump for the Airport exploit was a quick way to 
show control of a write operation. Unfortunately, this isn't a straight 
stack overflow and it's taking some time to develop a reliable exploit 
(you corrupt internal kernel heap memory, so there's no telling which 
process or driver ends up using the corrupted chunk).

-HD

On Friday 17 November 2006 14:23, mat wrote:
Anyways, I thought that this would be a cool
payload generator for metasploit. It seems like it wouldn't be very
difficult to write. Tell me if this is something people actually use,
or am I way off in my thinking. Just an epiphany I had, and wanted to
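The routine HD describes above (a non-repeating cyclic pattern, then a lookup of the value that ended up in the instruction pointer to recover the buffer offset) is shown here as an added example. It is not Metasploit's own code, and the names `pattern_create`, `pattern_offset` and `simulated_crash_eip` are assumptions of this example; the only thing borrowed from Metasploit is the upper/lower/digit triplet scheme, which is why the output matches what the real tools print for the same length.

```ruby
# Added example, not from Metasploit. Reimplements the idea behind
# Rex::Text.pattern_create / tools/pattern_offset.rb for a teaching demo.

UPPER = ('A'..'Z').to_a
LOWER = ('a'..'z').to_a
DIGIT = ('0'..'9').to_a

# Build a pattern of `length` bytes from the triplets "Aa0", "Aa1", ...
# Every 4-byte window is unique for the first 26*26*10*3 = 20280 bytes,
# so any 4 bytes read back from a register map to exactly one offset.
def pattern_create(length)
  buf = +''
  UPPER.each do |u|
    LOWER.each do |l|
      DIGIT.each do |d|
        buf << u << l << d
        return buf[0, length] if buf.length >= length
      end
    end
  end
  buf[0, length] # caller asked for more than one full cycle; return the cycle
end

# Find where `value` sits in `pattern`. `value` is either the 4-byte string
# seen in a debugger or the 32-bit integer a crashed EIP shows; the integer
# is converted with little-endian byte order, as on x86.
def pattern_offset(pattern, value)
  needle = value.is_a?(Integer) ? [value].pack('V') : value.to_s
  pattern.index(needle) # nil means the value did not come from the pattern
end

# Constructed stand-in for a crash: a frame with a `buffer_size`-byte local
# buffer, a 4-byte saved frame pointer, then the saved return address.
# Copying `data` unchecked into the buffer leaves the return slot holding
# data[buffer_size + 4, 4]; return that slot as a little-endian integer.
def simulated_crash_eip(data, buffer_size)
  slot = data[buffer_size + 4, 4]
  slot.nil? || slot.length < 4 ? nil : slot.unpack1('V')
end

if __FILE__ == $PROGRAM_NAME
  pattern = pattern_create(200)
  eip = simulated_crash_eip(pattern, 80)       # constructed 80-byte buffer
  printf("EIP = 0x%08x, offset = %d\n", eip, pattern_offset(pattern, eip))
end
```

Running the file prints `EIP = 0x41386341, offset = 84`: the bytes `Ac8A` land in the return slot, and looking them up gives 80 (buffer) + 4 (saved frame pointer) = 84, the same number `pattern_offset.rb 41386341` would report for this pattern.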