Payload Bugs ?

[jerome.athias at free.fr (Jerome Athias)]

This code ensures that the payloads/encoders don't corrupt themselves. 
Also, in some cases, payloads assume that a certain amount of available 
stack space exists; so that adjustment helps to correct that assumption.

PS: thank you skape ;-p

Thomas Werth a ?crit :
> It works!
> I created a msf module set Payload StackAdjustment to -3500 and now
> meterpreter reverse works.
>
> Can someone please explain to me why a stackadjustment solves this problem ?
> Payload is :
> nop x 260 - call esp - shellcode
> now when understanding right new payload is
> nop x 260 - call esp - sub esp,3500 - shellcode
>
> i guess in "staged" payloads ( only inline run former ) stack frame end
> was to near and now we have a bit more space so staged payload won't be
> cut ? Did i understand this right ?
>
> Thomas Werth schrieb:
>   
> > thanks for the info.
> > As i'm using strcpy in my test app only \x00 has to be a badchar, right ?
> >
> > When using encoding i read something on uninformed about edx ( or ecx)
> > is used as base for decoding and has to be adjusted. Is this still
> > needed or is encoding enough without taking care about art of decoding ?
> >
> >
> > J. M. Seitz schrieb:
> >     
> > > Use the NASM shell that ships with Metasploit. 
> > >
> > > nasm > sub esp,3500
> > > 00000000  81ECAC0D0000      sub esp,0xdac
> > > nasm >
> > >
> > > So you would start payload off with "\x81\xec\xac\x0d\x00\x00" but of course
> > > you will want to encode it as those two NULL bytes will give you grief.
> > >
> > > JS
> > >
> > >
> > >       
> > > > -----Original Message-----
> > > > From: Thomas Werth [mailto:security at vahle.de] 
> > > > Sent: Tuesday, August 28, 2007 11:20 PM
> > > > To: framework at metasploit.com
> > > > Subject: Re: [framework] Payload Bugs ?
> > > >
> > > > ok, but how do i append ?
> > > > i doubt $payload .= "sub esp,3500" would do it, am i wrong ?
> > > > How would i exactly append this in perl and how in msf.rb file ?
> > > >
> > > > J. M. Seitz schrieb:
> > > >         
> > > > > I think a simple:
> > > > >
> > > > > sub esp,3500
> > > > >
> > > > > Would do it, prepend to your shellcode. 
> > > > >
> > > > > JS
> > > > >           
> > > > > > -----Original Message-----
> > > > > > From: Thomas Werth [mailto:security at vahle.de]
> > > > > > Sent: Tuesday, August 28, 2007 10:50 PM
> > > > > > To: framework at metasploit.com
> > > > > > Subject: Re: [framework] Payload Bugs ?
> > > > > >
> > > > > > Patrick Webster schrieb:
> > > > > >             
> > > > > > > I assume your german return address is correct.
> > > > > > >
> > > > > > > Try using a shellcode with a stack adjustment of -3500.
> > > > > > >
> > > > > > > Otherwise your payload may be using bad characters which are not 
> > > > > > > accepted, or the payload code is changed by other
> > > > > > >               
> > > > > > instructions before
> > > > > >             
> > > > > > > you execute, by the target application?
> > > > > > >
> > > > > > > -Patrick
> > > > > > >
> > > > > > >               
> > > > > > How exactly can i do this ? This sounds really interessting, but i 
> > > > > > didn't find a "Adjust Stack for dummies guide" ;) Can you gimme a 
> > > > > > small example ?
> > > > > >             
>
>
>
>   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3253 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070829/b2fda217/attachment.bin>