Metasploit mailing list archives
Re: [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record
From: HD Moore <hdm () metasploit com>
Date: Tue, 27 Dec 2011 11:03:58 -0600
On 12/22/2011 6:14 PM, lukasz skrzeszewski wrote:
Hi, I would like to use this post to say HelloWorld.rb to the community! I would like to suggest a small change to the Rex::Exploitation::Seh#generate_dynamic_seh_record function, just to make the Msf::Exploit::Seh mixin a bit more usable. At the moment, when we are mixing in the Msf::Exploit::Seh module, we have two options for how to create our SEH record:
- the first, default one is generate_static_seh_record, which is the classic "\xeb\x06" short 6-byte jump;
- the second is generate_dynamic_seh_record, which is a random short jump for up to 128 bytes.
What if we have to jump at least 50 bytes??
The SEH mixin is there to assist in evasion when selected; it's not there to provide a way around memory corruption of the payload in the scenario you outlined. The reason this doesn't work: the user could change the datastore option to a value that breaks the exploit (something we try to avoid letting them do). It would make more sense to ignore the mixin entirely and just implement a custom jump to work around the case you specified (this is how like exploits do it today).

-HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
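As an added illustration of the two record types discussed in the thread (not code from Metasploit or from either poster), the Ruby below models a 4-byte "next SEH" record as an x86 short jump (EB rel8), decodes where a record lands, and shows why the dynamic record is capped near 128 bytes: rel8 is a signed byte measured from the end of the 2-byte instruction. The function names, the NOP filler and the simplified record layout are assumptions for this example.

```ruby
# x86 short jump: opcode EB followed by a signed 8-bit displacement that is
# relative to the END of the 2-byte instruction. The farthest forward landing
# is therefore 2 + 127 = 129 bytes from the start of the record.
SHORT_JMP = 0xEB
MAX_REL8  = 127

# Build a 4-byte "next SEH" record: a 2-byte jmp plus 2 filler bytes.
# Returns nil when the requested distance is not encodable as a short jump,
# which is the case where a custom jump (as HD suggests) is needed instead.
def short_jmp_record(distance, filler: "\x90\x90".b)
  rel = distance - 2                       # displacement is from the end of the jmp
  return nil if rel < 0 || rel > MAX_REL8  # outside rel8 range: not encodable
  [SHORT_JMP, rel].pack('C2') + filler
end

# Decode a record and return the landing offset relative to the record start,
# or nil when the first instruction is not a short jump. Useful as a check on
# whatever generator produced the record.
def landing_offset(record)
  op, rel = record.unpack('C2')
  return nil unless op == SHORT_JMP
  rel -= 256 if rel > 127                  # rel8 is signed
  2 + rel
end

# The static record from the thread: "\xeb\x06" lands 8 bytes past the record
# start, i.e. just beyond the 4-byte next-SEH slot and the 4-byte handler slot.
def static_seh_record
  short_jmp_record(8)
end

# A randomized record with a minimum landing distance (the constraint the
# original poster asked for). Picks a random encodable distance in
# [min_distance, 129]; returns nil if the minimum itself is not reachable.
def dynamic_seh_record(min_distance, rng: Random.new)
  lo = [min_distance, 2].max
  return nil if lo > 2 + MAX_REL8
  short_jmp_record(rng.rand(lo..(2 + MAX_REL8)), filler: "\x90\x90".b)
end
```

Running `landing_offset` over a generated record is the practical check: it confirms the jump really clears the overwritten handler and lands no earlier than the minimum you need.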
Current thread:
- [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record lukasz skrzeszewski (Dec 22)
- Re: [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record HD Moore (Dec 27)
- Re: [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record Patrick Webster (Dec 27)
- Re: [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record HD Moore (Dec 27)