Metasploit mailing list archives
Using encoded payload in executable
From: c0r31mp4ct at gmail.com (C0r3 1mp4ct)
Date: Mon, 11 Jun 2007 09:01:08 +0200
You were right! The article says that it is important to have ecx point to the base of the decoder stub. With those 5 extra instructions, esp is popped into ecx. That is right. But the payload still doesn't work: "Access violation when reading 0xFFFFFFFF". The last instruction which causes the error is POP SS after INC ESP.

On 6/8/07, mmiller at hick.org <mmiller at hick.org> wrote:
> On Fri, Jun 08, 2007 at 08:11:53AM +0200, C0r3 1mp4ct wrote:
> > Yes! The software that I am trying to exploit converts the chars to lowercase, just like with the ActiveX component mentioned in the article about this encoder. "The decoder stub is hardcoded to assume that ecx will hold the address." Does it mean that I have to put the address of the encoded payload into ecx before control transfers to it? I mean, it isn't enough to transfer control with a JMP ESP; I need to have ECX store the address too.
>
> There's a trick you can do to set ECX to ESP using pusha/popa. Check out this paper for more details: http://uninformed.org/index.cgi?v=5&a=3&p=12
>
> Let me know if you still have problems getting it to work.
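Added illustration, not part of the thread or of the linked paper: the C model below simulates 32-bit pusha/popa semantics to show why shifting esp between the two instructions loads the saved esp into ecx. popa always reloads ecx from [esp+24], while pusha stored the pre-pusha esp at [esp+12]; lowering esp by 12 bytes in between (three push imm8, which together with pusha and popa makes five instructions) lines those slots up. That exact sequence is my reconstruction from the instruction semantics and the "5 extra instructions" mentioned above, not a quotation of the paper; all register values and stack addresses are constructed, and the stack is a byte array indexed by offset.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the x86-32 general registers and a tiny stack.
 * Stack "addresses" are byte offsets into stack_mem. */
typedef struct {
    uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi;
} regs_t;

#define STACK_BYTES 256
static uint8_t stack_mem[STACK_BYTES];

static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, &stack_mem[a], 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(&stack_mem[a], &v, 4); }

/* push: decrement esp, then store at the new esp. pop: the reverse. */
static void     push(regs_t *r, uint32_t v) { r->esp -= 4; wr32(r->esp, v); }
static uint32_t pop(regs_t *r)              { uint32_t v = rd32(r->esp); r->esp += 4; return v; }

/* pusha (0x60): pushes eax, ecx, edx, ebx, the esp value from before
 * the instruction, ebp, esi, edi, in that order. */
static void pusha(regs_t *r) {
    uint32_t esp_before = r->esp;
    push(r, r->eax); push(r, r->ecx); push(r, r->edx); push(r, r->ebx);
    push(r, esp_before); push(r, r->ebp); push(r, r->esi); push(r, r->edi);
}

/* popa (0x61): pops edi, esi, ebp, discards the saved-esp slot, then
 * pops ebx, edx, ecx, eax. ecx is always loaded from [esp+24]. */
static void popa(regs_t *r) {
    r->edi = pop(r); r->esi = pop(r); r->ebp = pop(r);
    (void)pop(r);
    r->ebx = pop(r); r->edx = pop(r); r->ecx = pop(r); r->eax = pop(r);
}

/* Constructed starting register values; only esp matters for the trick. */
static regs_t initial_regs(uint32_t esp) {
    regs_t r = { 0xAAAAAAAA, 0xCCCCCCCC, 0xDDDDDDDD, 0xBBBBBBBB,
                 esp, 0x55555555, 0x66666666, 0x77777777 };
    return r;
}

/* pusha; popa alone: ecx comes back unchanged, so this is not enough. */
uint32_t ecx_after_pusha_popa(uint32_t esp) {
    regs_t r = initial_regs(esp);
    pusha(&r); popa(&r);
    return r.ecx;
}

/* pusha; push imm8; push imm8; push imm8; popa.
 * The three pushes lower esp by 12, so the slot popa reads into ecx
 * ([esp+24]) is now the slot where pusha stored the original esp. */
regs_t run_pusha_shift_popa(uint32_t esp) {
    regs_t r = initial_regs(esp);
    pusha(&r);
    push(&r, 0x61); push(&r, 0x61); push(&r, 0x61);   /* pushed value is irrelevant */
    popa(&r);
    return r;
}

/* Byte form of that sequence in 32-bit mode: pusha=0x60, push imm8=0x6a ib, popa=0x61.
 * The immediate 0x61 is an arbitrary lowercase-safe filler byte. */
static const uint8_t trick_bytes[] = { 0x60, 0x6a, 0x61, 0x6a, 0x61, 0x6a, 0x61, 0x61 };

/* 1 if every byte is unchanged by tolower(), i.e. the stub survives the
 * lowercasing the original poster describes. */
int survives_lowercase(const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if ((uint8_t)tolower(b[i]) != b[i]) return 0;
    return 1;
}
int trick_survives_lowercase(void) { return survives_lowercase(trick_bytes, sizeof trick_bytes); }

int main(void) {
    uint32_t esp0 = 200;                       /* constructed stack offset */
    regs_t r = run_pusha_shift_popa(esp0);
    printf("pusha;popa only: ecx=%#x (esp was %#x)\n", ecx_after_pusha_popa(esp0), esp0);
    printf("with 3 pushes:   ecx=%#x esp=%#x lowercase-safe=%d\n",
           r.ecx, r.esp, trick_survives_lowercase());
    return 0;
}
```

Two caveats the model makes visible: ecx receives the esp value at the moment pusha executes, so the sequence only yields the stub base if it runs while esp still points there (for example right after the JMP ESP discussed in the thread, before anything else touches the stack); and after popa, esp sits 12 bytes below where it started, which the rest of the decoder has to tolerate.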