Metasploit mailing list archives

Re: windows/exec payload


From: "HD Moore" <hdm () metasploit com>
Date: Tue, 7 Aug 2012 17:58:15 -0500

Interesting - they must be stable enough that the hashes still match anyway
(with the NULLs included). Great catch!

-----Original Message-----
From: Robert Larsen [mailto:robert () the-playground dk] 
Sent: Tuesday, August 07, 2012 4:18 PM
To: HD Moore
Cc: framework () spool metasploit com
Subject: Re: [framework] windows/exec payload

On 08/07/2012 04:00 PM, HD Moore wrote:
> Typically these match (length vs max length) and even if they don't, the
> null byte wouldn't affect the hashing. At least, that is my vague
> understanding of it. You may want to read through the source code under
> external/source/shellcode/windows/x86/src/

Thanks for your reply.

On my machine "ntdll.dll" has length 0x12 and max length 0x14,
"kernel32.dll" has length 0x18 and max length 0x1a. Maybe max length
just adds room for the null terminator?

The hashing algorithm does this for each byte in the string (max length
bytes):

  ror edi, 13            ; Rotate right our hash value
  add edi, eax           ; Add the next byte of the name

...so the 'ror edi, 13' modifies the hash even for null bytes.

However, I have never seen the code fail, so maybe these numbers are in
fact stable...but would it not be more safe to use the length?

Robert


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
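Worked example (added here by the editor; it is not code from the thread or from
the Metasploit source tree). It runs the two quoted instructions, 'ror edi, 13'
followed by 'add edi, eax', once per byte over a UTF-16LE module name laid out the
way a UNICODE_STRING holds it, first over Length bytes and then over MaximumLength
bytes, and shows why the result differs: a NUL byte adds nothing, but the rotate
still happens, so the two trailing NUL bytes rotate the hash by 26 bits. The
MaximumLength = Length + 2 layout is an assumption chosen to match the 0x12/0x14
and 0x18/0x1a pairs reported above; the hash is stable in practice only because
that relationship is stable, which is what the reply at the top concludes. The
example hashes raw bytes exactly as the two quoted instructions do and adds
nothing else from the shellcode.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Longest name handled, in UTF-16LE bytes including the terminating WCHAR. */
#define NAME_BUF_MAX 64

/* 32-bit rotate right: the 'ror edi, 13' step of the quoted loop. */
uint32_t ror32(uint32_t v, unsigned n)
{
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* The quoted hash loop, run once per byte over 'len' bytes of 'buf':
 *   ror edi, 13 ; add edi, eax
 * A NUL byte adds nothing, but the rotate still happens, so the hash
 * changes with every byte consumed, NULs included. */
uint32_t ror13_hash(const uint8_t *buf, size_t len)
{
    uint32_t h = 0;
    for (size_t i = 0; i < len; i++) {
        h = ror32(h, 13);
        h += buf[i];
    }
    return h;
}

/* Lay out an ASCII module name the way a UNICODE_STRING holds it:
 * UTF-16LE text, Length = byte count of the text, MaximumLength =
 * Length + 2 for the terminating WCHAR. The +2 is an assumption that
 * matches the 0x12/0x14 and 0x18/0x1a pairs reported in the thread.
 * Returns 0 if the caller's buffer is too small. */
int unicode_layout(const char *ascii, uint8_t *out, size_t outsz,
                   size_t *length, size_t *max_length)
{
    size_t n = strlen(ascii);
    if (n * 2 + 2 > outsz)
        return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = (uint8_t)ascii[i];
        out[2 * i + 1] = 0;
    }
    out[2 * n]     = 0;   /* terminating WCHAR */
    out[2 * n + 1] = 0;
    *length     = n * 2;
    *max_length = n * 2 + 2;
    return 1;
}

/* Hash over exactly Length bytes (what Robert proposes). */
uint32_t hash_over_length(const char *name)
{
    uint8_t buf[NAME_BUF_MAX];
    size_t len, max;
    if (!unicode_layout(name, buf, sizeof buf, &len, &max))
        return 0;
    return ror13_hash(buf, len);
}

/* Hash over MaximumLength bytes (what the loop does, per the thread). */
uint32_t hash_over_max_length(const char *name)
{
    uint8_t buf[NAME_BUF_MAX];
    size_t len, max;
    if (!unicode_layout(name, buf, sizeof buf, &len, &max))
        return 0;
    return ror13_hash(buf, max);
}

int main(void)
{
    /* Constructed inputs: the two module names discussed in the thread. */
    const char *names[] = { "ntdll.dll", "kernel32.dll" };
    for (size_t i = 0; i < 2; i++) {
        uint8_t buf[NAME_BUF_MAX];
        size_t len, max;
        unicode_layout(names[i], buf, sizeof buf, &len, &max);
        printf("%-13s Length=0x%02zx MaximumLength=0x%02zx "
               "hash(Length)=0x%08x hash(MaximumLength)=0x%08x\n",
               names[i], len, max,
               hash_over_length(names[i]), hash_over_max_length(names[i]));
    }
    return 0;
}
```

The two hashes never agree for these names, and the second is always the first
rotated right by 26 bits (two NUL bytes, 13 bits each), which is the concrete form
of "the 'ror edi, 13' modifies the hash even for null bytes". Whether a hash
computed over MaximumLength keeps matching across Windows builds therefore rests
on MaximumLength staying Length + 2 for the loader's entries, not on NULs being
harmless to the loop.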
