Metasploit mailing list archives

How payloads (shellcodes) used in exploiting


From: jerome.athias at free.fr (Jerome Athias)
Date: Thu, 29 Mar 2007 11:33:10 +0200

Hi,

It is due to the fact that the Metasploit Framework uses a kind of magic and 
hex voodoo!...

Joking aside, yes, the shellcode has to be sent to the target to have 
it running.
To avoid badchars and for IDS/IPS evasion reasons, the base code of the 
shellcode (called the payload) will be modified by the Framework before 
being sent to the target (i.e. XORed).
So yes, it could be different every time.
A way to retrieve it in your packets is to attach a debugger to the 
target application/service, see what it receives, and then compare 
this with your capture.

Note that in version 2 of the MSF, you can view the shellcodes' 
code (:p) in
*\Metasploit\Framework2\home\framework\src\shellcode\

I hope it helps
/JA
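The following is an added example written for this archive page, not code from the thread or from the Metasploit Framework. It shows in miniature what the reply above describes: a single-byte XOR encoder picks a random key that keeps every byte on the wire out of a bad-character set, so the raw payload bytes never appear in a capture and the wire bytes differ from run to run, while the decoded form (what a debugger on the target would see) matches the original. The payload bytes, the bad-character set, the `DECODER_TAG` prefix that stands in for a real decoder stub, and the fake SMB-style packet header are all constructed assumptions for this example.

```python
"""Why the raw windows/shell_bind_tcp bytes do not show up in a capture.

Added example, not Metasploit code: a toy single-byte XOR encoder that does
what the Framework's encoders do in spirit. The raw payload is XORed with a
randomly chosen key that keeps every byte on the wire out of the exploit's
bad-character set, and the key travels with a small decoder prefix. A real
decoder is x86 machine code; DECODER_TAG here is a stand-in so the script
runs anywhere.
"""
import random

# Constructed stand-in for a raw payload (assumption): a few x86-looking
# bytes plus three bytes that a typical SMB exploit cannot deliver verbatim.
RAW_PAYLOAD = bytes.fromhex("fc31c0648b40308b400c8b401c8b0000") + b"\x0a\x0d" + b"bind-shell-stub"
BADCHARS = {0x00, 0x0a, 0x0d}           # hypothetical bad characters for the exploit
DECODER_TAG = b"\xeb\x08"               # stand-in for the decoder stub bytes


def pick_key(payload: bytes, badchars: set, rng: random.Random) -> int:
    """Pick a one-byte key so that neither the key nor any encoded byte is a badchar.

    A real encoder falls back to a multi-byte key or another encoder when no
    single key works; this toy simply reports the failure.
    """
    usable = [k for k in range(1, 256)
              if k not in badchars and all((b ^ k) not in badchars for b in payload)]
    if not usable:
        raise ValueError("no single-byte XOR key avoids every badchar")
    return rng.choice(usable)


def encode(payload: bytes, badchars: set, rng: random.Random) -> bytes:
    """Decoder prefix + key + XORed payload: the bytes that actually hit the wire."""
    key = pick_key(payload, badchars, rng)
    return DECODER_TAG + bytes([key]) + bytes(b ^ key for b in payload)


def decode(blob: bytes) -> bytes:
    """What the decoder stub does in the target's memory: strip prefix, XOR back."""
    if not blob.startswith(DECODER_TAG):
        raise ValueError("not an encoded blob")
    key = blob[len(DECODER_TAG)]
    return bytes(b ^ key for b in blob[len(DECODER_TAG) + 1:])


def build_capture(on_wire: bytes) -> bytes:
    """Constructed 'packet': a fake SMB-style header, the encoded blob, padding."""
    return b"\xffSMB" + b"\x00" * 8 + on_wire + b"A" * 16


def analyse(seed: int = 1) -> dict:
    """Search one attempt's capture for the raw payload, then recover it by decoding."""
    rng = random.Random(seed)
    on_wire = encode(RAW_PAYLOAD, BADCHARS, rng)
    capture = build_capture(on_wire)
    start = capture.find(DECODER_TAG)              # where the decoder lands in the stream
    recovered = decode(capture[start:start + len(on_wire)])
    return {
        "raw_found_in_capture": RAW_PAYLOAD in capture,     # grep for the shellcode: no hit
        "badchars_on_wire": any(b in BADCHARS for b in on_wire),
        "recovered_equals_raw": recovered == RAW_PAYLOAD,   # debugger-side view matches
        "encoded_offset": start,
    }


def distinct_encodings(attempts: int = 10) -> int:
    """Number of different byte strings produced for the same payload over several runs."""
    return len({encode(RAW_PAYLOAD, BADCHARS, random.Random(s)) for s in range(attempts)})


if __name__ == "__main__":
    print(analyse())
    print("distinct encodings over 10 attempts:", distinct_encodings())
```

The same check against the real tool is to generate the payload twice and compare the output, for example `msfpayload windows/shell_bind_tcp R | msfencode -b '\x00'` run twice; the two blobs differ, and neither contains the bytes of the unencoded payload. Searching a capture for the decoder stub rather than for the payload is what a signature-based IDS would have to do, which is exactly why the encoding step is also used for evasion.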

Rawal, Rajesh wrote:
Hi,
 
I am using Metasploit Framework 3, exploiting Windows and Linux 
applications.
I have captured packets using Ethereal, but I didn't find the payload 
(position) used during the exploitation.
 
For e.g.
 
The exploit used was "windows/smb/ms06_040_netapi" with the 
payload "windows/shell_bind_tcp"; it successfully exploited the remote 
host and got command of the remote host machine. I also took a packet capture 
during this process.
I am not able to find the payload of "windows/shell_bind_tcp" in the packet 
capture.
 
1. Can I know where this payload exists (where it comes in during this 
session) in the packet capture?
2. Do these payloads (shellcodes) differ in every new exploit attempt?
 
Waiting for a positive response.
 
Regards
 
Rajesh Rawal
AMTS
iPolicy Networks
NSEZ Noida | India
Tel. +91-120-2567001, xtn-1246
Cell +91-9899401874

http://www.ipolicynetworks.com/
