Metasploit mailing list archives
Payload Bugs ?
From: jerome.athias at free.fr (Jerome Athias)
Date: Wed, 29 Aug 2007 15:14:30 +0200
This code ensures that the payloads/encoders don't corrupt themselves. Also, in some cases, payloads assume that a certain amount of available stack space exists; so that adjustment helps to correct that assumption.

PS: thank you skape ;-p

Thomas Werth wrote:
> It works! I created a msf module, set Payload StackAdjustment to -3500 and now meterpreter reverse works.
> Can someone please explain to me why a stack adjustment solves this problem?
> Payload is: nop x 260 - call esp - shellcode
> Now, when understanding right, the new payload is: nop x 260 - call esp - sub esp,3500 - shellcode
> I guess in "staged" payloads (only inline ran formerly) the stack frame end was too near and now we have a bit more space, so the staged payload won't be cut? Did I understand this right?
>
> Thomas Werth wrote:
>> Thanks for the info. As I'm using strcpy in my test app, only \x00 has to be a badchar, right?
>> When using encoding I read something on uninformed about edx (or ecx) being used as base for decoding and having to be adjusted. Is this still needed, or is encoding enough without taking care about the art of decoding?
>>
>> J. M. Seitz wrote:
>>> Use the NASM shell that ships with Metasploit.
>>>
>>> nasm > sub esp,3500
>>> 00000000  81ECAC0D0000      sub esp,0xdac
>>> nasm >
>>>
>>> So you would start the payload off with "\x81\xec\xac\x0d\x00\x00" but of course you will want to encode it as those two NULL bytes will give you grief.
>>>
>>> JS
>>>
>>> -----Original Message-----
>>> From: Thomas Werth [mailto:security at vahle.de]
>>> Sent: Tuesday, August 28, 2007 11:20 PM
>>> To: framework at metasploit.com
>>> Subject: Re: [framework] Payload Bugs ?
>>>
>>> OK, but how do I append? I doubt $payload .= "sub esp,3500" would do it, am I wrong? How would I exactly append this in Perl, and how in the msf.rb file?
>>>
>>> J. M. Seitz wrote:
>>>> I think a simple:
>>>>
>>>> sub esp,3500
>>>>
>>>> would do it, prepend to your shellcode.
>>>>
>>>> JS
>>>>
>>>> -----Original Message-----
>>>> From: Thomas Werth [mailto:security at vahle.de]
>>>> Sent: Tuesday, August 28, 2007 10:50 PM
>>>> To: framework at metasploit.com
>>>> Subject: Re: [framework] Payload Bugs ?
>>>>
>>>> Patrick Webster wrote:
>>>>> I assume your German return address is correct. Try using a shellcode with a stack adjustment of -3500.
>>>>> Otherwise your payload may be using bad characters which are not accepted, or the payload code is changed by other instructions before you execute, by the target application?
>>>>>
>>>>> -Patrick
>>>>
>>>> How exactly can I do this? This sounds really interesting, but I didn't find an "Adjust Stack for dummies guide" ;) Can you gimme a small example?
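A worked model of the two points Jerome makes in his reply (payloads or encoders corrupting themselves, and payloads assuming free stack space under ESP), added here as an example; it is not code from the list thread or from Metasploit. It reproduces the `sub esp,3500` encoding shown in the NASM shell output and flags the NUL bytes Seitz warns about, then models address ranges to show why moving ESP away from the payload keeps the payload's own stack writes off its code. All addresses, sizes and the "above ESP" scratch allowance are constructed; the second scenario (payload sitting below ESP) goes beyond the layout Thomas describes to show the general case.

```python
import struct

# 81 /5 id  =  SUB r/m32, imm32 ; ModRM byte 0xEC selects ESP.
# Reproduces the NASM shell line from the thread: sub esp,0xdac -> 81 EC AC 0D 00 00
def sub_esp(n):
    """Bytes of `sub esp, n` with a 32-bit immediate, as a stack-adjustment prefix."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("immediate must fit in 32 bits")
    return b"\x81\xec" + struct.pack("<I", n)


def bad_char_offsets(code, badchars=b"\x00"):
    """Offsets of bytes the delivery path would not pass through.
    For a strcpy-style copy, NUL is the one byte that must never appear."""
    return [i for i, b in enumerate(code) if b in badchars]


def stack_touch_window(esp, below, above):
    """Address window [lo, hi) the running payload's stack activity touches.
    `below`: bytes consumed under ESP by pushes, calls and callee frames.
    `above`: constructed allowance for scratch writes at or just over ESP."""
    return (esp - below, esp + above)


def overlaps(a, b):
    """Half-open interval overlap test."""
    return a[0] < b[1] and b[0] < a[1]


def payload_clobbered(payload_base, payload_len, esp, below, above, adjust=0):
    """True if the payload's own stack use would land on its code bytes.
    `adjust` is the magnitude of the StackAdjustment (`sub esp, adjust` moves ESP down)."""
    esp_after = esp - adjust
    payload = (payload_base, payload_base + payload_len)
    return overlaps(payload, stack_touch_window(esp_after, below, above))


# Constructed scenarios: addresses and sizes are made up for illustration.
PAYLOAD_BASE = 0x0012FF00
PAYLOAD_LEN = 400


def scenario_call_esp(adjust=0):
    """Layout from the thread: `call esp` lands in the payload, so ESP sits 4 bytes
    below its first byte (the pushed return address). Any scratch write reaching
    above ESP overlaps the payload's first bytes unless ESP is moved down first."""
    esp = PAYLOAD_BASE - 4
    return payload_clobbered(PAYLOAD_BASE, PAYLOAD_LEN, esp, below=2048, above=16, adjust=adjust)


def scenario_payload_below_esp(adjust=0):
    """Generalisation: the payload lies in a buffer below ESP (constructed gap of
    600 bytes past its end). Ordinary pushes then grow straight into the payload;
    a 3500-byte adjustment moves ESP underneath the payload."""
    esp = PAYLOAD_BASE + PAYLOAD_LEN + 600
    return payload_clobbered(PAYLOAD_BASE, PAYLOAD_LEN, esp, below=2048, above=0, adjust=adjust)


if __name__ == "__main__":
    prefix = sub_esp(3500)
    print("sub esp,3500 =", prefix.hex(), "NUL offsets:", bad_char_offsets(prefix))
    for name, fn in (("call esp", scenario_call_esp),
                     ("payload below esp", scenario_payload_below_esp)):
        print(f"{name}: clobbered without adjustment={fn()}, with -3500={fn(3500)}")
```

The model deliberately says nothing about what the stack writes are; it only shows that the adjustment works by distance, which is why a large value such as 3500 is a safe default regardless of which scratch area a given stub uses.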