Metasploit mailing list archives
Re: payloads ending with a RET
From: kktmp1 <kktmp1 () gmail com>
Date: Mon, 14 Jun 2010 06:57:42 +0200
Thanks for the quick answer. I'm going to try your suggestion: creating a new thread with the user payload, and then doing a ret. Thanks again!!!

2010/6/14 HD Moore <hdm () metasploit com>
On 6/13/2010 3:33 PM, Nadie wrote:
PS: I've tried EXITFUNC=seh, thread, and process, but there isn't a similar to EXITFUNC=ret

By the time the payload stage is running, the original stack return address is long gone. There isn't any clean way to get back to it, considering how many twists and turns the staging process takes. You might be able to hack the non-staged payloads to do this, or the stagers themselves in the case of an error, but it's not going to work right for something like meterpreter.

A typical staging process for Meterpreter looks like:

1. Allocate some RWX memory with VirtualAlloc
2. Connect back and grab the next stage
3. Transfer into this stage (push/ret or jmp)
4. Execute the Reflective DLL stub
5. Map the DLL into memory and jump into it
6. Run the actual Init() routine
7. Initialize stdapi and possibly priv
8. Wait for commands

One way you can try hacking this is by prepending the payload with code that creates a new thread with the real shellcode and then does a "ret". This would be easy to add into any exploit just by setting the Prepend element in the Payload block to the bytecode.

-HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework