Metasploit mailing list archives
Re: windows/exec payload
From: "HD Moore" <hdm () metasploit com>
Date: Tue, 7 Aug 2012 17:58:15 -0500
Interesting - they must be stable enough that the hashes still match anyways (with the NULLs included). Great catch!

-----Original Message-----
From: Robert Larsen [mailto:robert () the-playground dk]
Sent: Tuesday, August 07, 2012 4:18 PM
To: HD Moore
Cc: framework () spool metasploit com
Subject: Re: [framework] windows/exec payload

On 08/07/2012 04:00 PM, HD Moore wrote:
> Typically these match (length vs max length) and even if they don't, the null byte wouldn't affect the hashing. At least, that is my vague understanding of it. You may want to read through the source code under external/source/shellcode/windows/x86/src/

Thanks for your reply.

On my machine "ntdll.dll" has length 0x12 and max length 0x14, "kernel32.dll" has length 0x18 and max length 0x1a. Maybe max length just adds room for the null terminator?

The hashing algorithm does this for each byte in the string (max length bytes):

    ror edi, 13   ; Rotate right our hash value
    add edi, eax  ; Add the next byte of the name

...so the 'ror edi, 13' modifies the hash even for null bytes. However, I have never seen the code fail, so maybe these numbers are in fact stable... but would it not be more safe to use the length?

Robert
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
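The loop Robert quotes, replayed as an added example in Python (not code from the thread, and not Metasploit's own hash.py): it models BaseDllName as a UNICODE_STRING whose MaximumLength is Length + 2, the values reported above, hashes either byte count, and checks the result against the windows/exec constant for kernel32.dll!WinExec, 0x876F8B31, which is assumed from the payload source rather than taken from this thread. The constant only reproduces when the two terminator bytes are included, which is why the shellcode's read of MaximumLength matters to anyone regenerating API-hash lists for detection signatures.

```python
# Added example, not code from the thread or from Metasploit's hash.py:
# replays block_api.asm's per-byte ROR-13 loop over a modelled BaseDllName.

def ror13(value):
    """32-bit rotate right by 13, the `ror edi, 13` step."""
    value &= 0xFFFFFFFF
    return ((value >> 13) | (value << 19)) & 0xFFFFFFFF

def hash_bytes(data, normalise_case=False):
    """One `loop_modname` iteration per byte: optional case fold, ror, add."""
    h = 0
    for b in data:
        # `cmp al, 'a'; jl` is a signed compare, so only 0x61..0x7F get folded;
        # null bytes and bytes >= 0x80 pass through unchanged.
        if normalise_case and 0x61 <= b < 0x80:
            b -= 0x20
        h = (ror13(h) + b) & 0xFFFFFFFF
    return h

def unicode_string(name):
    """Model BaseDllName as (Buffer, Length, MaximumLength).
    Assumption: MaximumLength == Length + 2, room for the UTF-16 terminator,
    as observed in the thread (0x18 / 0x1a for kernel32.dll)."""
    buf = name.encode("utf-16-le") + b"\x00\x00"
    return buf, len(buf) - 2, len(buf)

def module_hash(name, use_max_length=True):
    """Hash MaximumLength bytes (what the shellcode reads) or only Length."""
    buf, length, max_length = unicode_string(name)
    count = max_length if use_max_length else length
    return hash_bytes(buf[:count], normalise_case=True)

def function_hash(name):
    """Export names are ASCII; the loop runs over their terminator too."""
    return hash_bytes(name.encode("ascii") + b"\x00")

def api_hash(module, function, use_max_length=True):
    """Module hash plus function hash, mod 2**32: the constant the payload pushes."""
    return (module_hash(module, use_max_length) + function_hash(function)) & 0xFFFFFFFF

if __name__ == "__main__":
    # The windows/exec constant for kernel32.dll!WinExec is 0x876F8B31
    # (assumed from the payload source, not from the thread); only the
    # MaximumLength variant reproduces it.
    for use_max in (True, False):
        print("MaximumLength" if use_max else "Length", "->",
              hex(api_hash("kernel32.dll", "WinExec", use_max)))
```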