Payload Bugs ?

[security at vahle.de (Thomas Werth)]

thanks for the info.
As i'm using strcpy in my test app only \x00 has to be a badchar, right ?

When using encoding i read something on uninformed about edx ( or ecx)
is used as base for decoding and has to be adjusted. Is this still
needed or is encoding enough without taking care about art of decoding ?


J. M. Seitz schrieb:
> Use the NASM shell that ships with Metasploit. 
>
> nasm > sub esp,3500
> 00000000  81ECAC0D0000      sub esp,0xdac
> nasm >
>
> So you would start payload off with "\x81\xec\xac\x0d\x00\x00" but of course
> you will want to encode it as those two NULL bytes will give you grief.
>
> JS
>
>
> > -----Original Message-----
> > From: Thomas Werth [mailto:security at vahle.de] 
> > Sent: Tuesday, August 28, 2007 11:20 PM
> > To: framework at metasploit.com
> > Subject: Re: [framework] Payload Bugs ?
> >
> > ok, but how do i append ?
> > i doubt $payload .= "sub esp,3500" would do it, am i wrong ?
> > How would i exactly append this in perl and how in msf.rb file ?
> >
> > J. M. Seitz schrieb:
> > > I think a simple:
> > >
> > > sub esp,3500
> > >
> > > Would do it, prepend to your shellcode. 
> > >
> > > JS
> > > > -----Original Message-----
> > > > From: Thomas Werth [mailto:security at vahle.de]
> > > > Sent: Tuesday, August 28, 2007 10:50 PM
> > > > To: framework at metasploit.com
> > > > Subject: Re: [framework] Payload Bugs ?
> > > >
> > > > Patrick Webster schrieb:
> > > > > I assume your german return address is correct.
> > > > >
> > > > > Try using a shellcode with a stack adjustment of -3500.
> > > > >
> > > > > Otherwise your payload may be using bad characters which are not 
> > > > > accepted, or the payload code is changed by other
> > > > instructions before
> > > > > you execute, by the target application?
> > > > >
> > > > > -Patrick
> > > > How exactly can i do this ? This sounds really interessting, but i 
> > > > didn't find a "Adjust Stack for dummies guide" ;) Can you gimme a 
> > > > small example ?