[framework] Exploit writing payload idea
H D Moore
hdm at metasploit.com
Fri Nov 17 14:36:59 CST 2006
This actually already exists. I use these routines every day for exploit
development. In version 2.7, call Pex::Text::PatternCreate(length) and in
version 3.0 call Rex::Text.pattern_create(length). You can then use
sdk/patternOffset.pl and tools/pattern_offset.rb to determine where in
the buffer your return address goes.
The 0xdefaced demo stack dump for the Airport exploit was a quick way to
show control of a write operation. Unfortunately, this isn't a straight
stack overflow and it's taking some time to develop a reliable exploit
(you corrupt internal kernel heap memory, so there's no telling which
process or driver ends up using the corrupted chunk).
-HD
On Friday 17 November 2006 14:23, mat wrote:
> Anyways, I thought that this would be a cool
> payload generator for metasploit. It seems like it wouldn't be very
> difficult to write. Tell me if this is something people actually use,
> or am I way off in my thinking. Just an epiphany I had, and wanted to
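The pattern_create / pattern_offset routines HD points to above, reimplemented as a small added example (this is not Metasploit's own code; it assumes the default uppercase/lowercase/digit character sets and the little-endian unpacking of a hex value that pattern_offset.rb applies):

```ruby
# Build the non-repeating cyclic pattern "Aa0Aa1Aa2...Aa9Ab0Ab1..." of `length` bytes.
# The digit position cycles fastest, then the lowercase letter, then the uppercase one,
# so any 4-byte window is unique for the first 20280 bytes (assumption: Metasploit's
# default sets; the pattern repeats after that point).
def pattern_create(length, sets = [('A'..'Z').to_a, ('a'..'z').to_a, ('0'..'9').to_a])
  buf = String.new
  idx = [0, 0, 0]
  while buf.length < length
    buf << sets[0][idx[0]] << sets[1][idx[1]] << sets[2][idx[2]]
    # advance the rightmost counter, carrying into the next set when it wraps
    2.downto(0) do |i|
      idx[i] += 1
      break if idx[i] < sets[i].length
      idx[i] = 0
    end
  end
  buf[0, length]
end

# Locate `value` inside a pattern of `length` bytes and return its offset (nil if absent).
# `value` may be the raw bytes seen in the buffer, an Integer, or a hex string such as
# "0x41356141"; the latter two are packed as a 32-bit little-endian word ('V'), which is
# how a register value from an x86 crash dump maps back onto the bytes in memory.
def pattern_offset(value, length)
  needle = case value
           when Integer then [value].pack('V')
           when /\A0x[0-9a-fA-F]{1,8}\z/ then [value.to_i(16)].pack('V')
           else value.to_s
           end
  pattern_create(length).index(needle)
end

if __FILE__ == $PROGRAM_NAME
  # constructed crash value: a register that ended up holding the bytes "Aa5A"
  puts pattern_create(40)
  puts pattern_offset('0x41356141', 40)  # prints 15
end
```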