Metasploit mailing list archives
Re: payloads ending with a RET
From: HD Moore <hdm () metasploit com>
Date: Sun, 13 Jun 2010 22:07:38 -0500
On 6/13/2010 3:33 PM, Nadie wrote:
> PS: I've tried EXITFUNC=seh, thread, and process, but there isn't a similar one to EXITFUNC=ret
By the time the payload stage is running the original stack return address is long gone. There isn't any clean way to get back to it, considering how many twists and turns the staging process takes. You might be able to hack the non-staged payloads to do this or the stagers themselves in the case of an error, but it's not going to work right for something like meterpreter.

A typical staging process for Meterpreter looks like:

1. Allocate some RWX memory with VirtualAlloc
2. Connect back and grab the next stage
3. Transfer into this stage (push/ret or jmp)
4. Execute the Reflective DLL stub
5. Map the DLL into memory and jump into it
6. Run the actual Init() routine
7. Initialize stdapi and possibly priv
8. Wait for commands

One way you can try hacking this is by prepending the payload with code that creates a new thread with the real shellcode and then does a "ret". This would be easy to add into any exploit just by setting the Prepend element in the Payload block to the bytecode.

-HD
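The first three steps of the staging sequence above (an RWX VirtualAlloc, a connect-back that fills that allocation over the network, then a transfer of control into it) are also what a defender looks for in an API-call trace. The following is an added example, not code from HD Moore's message or from the Metasploit project: it matches that sequence against a constructed sandbox-style trace. The Event/Region types, the field names (`base`, `size`, `protect`, `buf`, `start`, `target`) and the synthetic `branch` event standing in for a push/ret or jmp are all assumptions of this example; the PAGE_* constants are the real Win32 values.

```python
from dataclasses import dataclass

# Win32 memory-protection constants (real values); only RWX matters here.
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Event:
    """One recorded API call. Field names are assumptions for this example."""
    pid: int
    api: str
    args: dict


@dataclass
class Region:
    """An RWX allocation (step 1 of the staging list) and what happened to it since."""
    pid: int
    base: int
    size: int
    received: bool = False   # step 2: network bytes were written inside it
    executed: bool = False   # step 3: a thread start or branch target fell inside it

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def find_staging(events):
    """Return [{"pid", "base", "size"}] for every RWX region that was both filled
    from the network and then executed. Regions missing either step are ignored,
    so a JIT-style RWX allocation on its own does not fire."""
    regions = []
    for ev in events:
        own = [r for r in regions if r.pid == ev.pid]
        if ev.api == "VirtualAlloc" and ev.args.get("protect") == PAGE_EXECUTE_READWRITE:
            regions.append(Region(ev.pid, ev.args["base"], ev.args["size"]))
        elif ev.api == "recv":
            for r in own:
                if r.contains(ev.args["buf"]):
                    r.received = True
        elif ev.api in ("CreateThread", "branch"):
            # "branch" is an assumed sandbox record of a push/ret or jmp into the
            # buffer; that transfer is not an API call, so a trace must supply it.
            target = ev.args["start"] if ev.api == "CreateThread" else ev.args["target"]
            for r in own:
                if r.contains(target):
                    r.executed = True
    return [{"pid": r.pid, "base": r.base, "size": r.size}
            for r in regions if r.received and r.executed]


# Constructed trace: three processes, only pid 1337 shows the full sequence.
SAMPLE_TRACE = [
    # pid 4242: ordinary network client, its receive buffer is RW, not RWX
    Event(4242, "VirtualAlloc", {"base": 0x200000, "size": 0x1000, "protect": PAGE_READWRITE}),
    Event(4242, "recv", {"buf": 0x200000, "len": 512}),
    # pid 9001: RWX allocation as a JIT would make, but nothing is received into it
    Event(9001, "VirtualAlloc", {"base": 0x300000, "size": 0x10000, "protect": PAGE_EXECUTE_READWRITE}),
    Event(9001, "CreateThread", {"start": 0x300000}),
    # pid 1337: allocate RWX, connect back, pull the stage into it, jump into it
    Event(1337, "VirtualAlloc", {"base": 0x400000, "size": 0x1000, "protect": PAGE_EXECUTE_READWRITE}),
    Event(1337, "connect", {"peer": "198.51.100.7:4444"}),
    Event(1337, "recv", {"buf": 0x400000, "len": 900}),
    Event(1337, "branch", {"target": 0x400000}),
]

if __name__ == "__main__":
    for hit in find_staging(SAMPLE_TRACE):
        print(f"pid {hit['pid']}: RWX region {hit['base']:#x} ({hit['size']:#x} bytes) "
              "was filled from the network and then executed")
```

Requiring all three steps on the same region is what keeps the rule quiet on legitimate RWX users such as JIT compilers; steps 4 onward (the reflective DLL load) happen inside that region and would need memory-content inspection rather than call tracing.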
Current thread:
- payloads ending with a RET Nadie (Jun 13)
- Re: payloads ending with a RET HD Moore (Jun 13)
- Re: payloads ending with a RET kktmp1 (Jun 13)
- Re: payloads ending with a RET HD Moore (Jun 13)