Re: payloads ending with a RET

[kktmp1 <kktmp1 () gmail com>]

Thanx for the quick answer.

I'm going to try your suggestion creating a new thread with the user
payload, and then doing a ret.

Thx again !!!

2010/6/14 HD Moore <hdm () metasploit com>

> On 6/13/2010 3:33 PM, Nadie wrote:
> > PD: I've tried EXITFUNC=seh, thread, and process, but there isn't a
> > similar to EXITFUNC=ret
>
> By the time the payload stage is running the original stack return
> address is long gone. There isn't any clean way to get back to,
> considering how many twists and turns the staging process takes.
>
> You might be able to hack the non-staged payloads to do this or the
> stagers themselves in the case of an error, but its not going to work
> right for something like meterpreter.
>
> A typical staging process for Meterpreter looks like:
>
> 1. Allocate some RWX memory with VirtualAlloc
> 2. Connect back and grab the next stage
> 3. Transfer into this stage (push/ret or jmp)
> 4. Execute the Reflective DLL stub
> 5. Map the DLL into memory and jump into it
> 6. Run the actual Init() routine
> 7. Initialize stdapi and possibly priv
> 8. Wait for commmands
>
> One way you can try hacking this is by prepending the payload with code
> that creates a new thread with the real shellcode and then does a "ret".
> This would be easy to add into any exploit just by setting the Prepend
> element in the Payload block to the bytecode.
>
> -HD
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework