[framework] Payload Bugs?

Thomas Werth security at vahle.de
Wed Aug 29 07:50:19 CDT 2007


It works!
I created an msf module, set Payload StackAdjustment to -3500, and now
meterpreter reverse works.

Can someone please explain to me why a stack adjustment solves this problem?
The payload is:
nop x 260 - call esp - shellcode
If I understand correctly, the new payload is:
nop x 260 - call esp - sub esp,3500 - shellcode

I guess in "staged" payloads (only inline ones ran before) the stack frame end
was too near, and now we have a bit more space so the staged payload won't be
cut? Did I understand this right?

Thomas Werth schrieb:
> Thanks for the info.
> As I'm using strcpy in my test app, only \x00 has to be a badchar, right?
> 
> When using encoding, I read something on Uninformed about edx (or ecx)
> being used as a base for decoding and having to be adjusted. Is this still
> needed, or is encoding enough without taking care of the kind of decoding?
> 
> 
> J. M. Seitz schrieb:
>> Use the NASM shell that ships with Metasploit. 
>>
>> nasm > sub esp,3500
>> 00000000  81ECAC0D0000      sub esp,0xdac
>> nasm >
>>
>> So you would start payload off with "\x81\xec\xac\x0d\x00\x00" but of course
>> you will want to encode it as those two NULL bytes will give you grief.
>>
>> JS
>>
>>
>>> -----Original Message-----
>>> From: Thomas Werth [mailto:security at vahle.de] 
>>> Sent: Tuesday, August 28, 2007 11:20 PM
>>> To: framework at metasploit.com
>>> Subject: Re: [framework] Payload Bugs ?
>>>
>>> OK, but how do I append it?
>>> I doubt $payload .= "sub esp,3500" would do it, am I wrong?
>>> How exactly would I append this in Perl, and how in the msf.rb file?
>>>
>>> J. M. Seitz schrieb:
>>>> I think a simple:
>>>>
>>>> sub esp,3500
>>>>
>>>> would do it; prepend it to your shellcode.
>>>>
>>>> JS
>>>>> -----Original Message-----
>>>>> From: Thomas Werth [mailto:security at vahle.de]
>>>>> Sent: Tuesday, August 28, 2007 10:50 PM
>>>>> To: framework at metasploit.com
>>>>> Subject: Re: [framework] Payload Bugs ?
>>>>>
>>>>> Patrick Webster schrieb:
>>>>>> I assume your German return address is correct.
>>>>>>
>>>>>> Try using a shellcode with a stack adjustment of -3500.
>>>>>>
>>>>>> Otherwise your payload may be using bad characters which are not
>>>>>> accepted, or the payload code is changed by other instructions before
>>>>>> you execute, by the target application?
>>>>>>
>>>>>> -Patrick
>>>>>>
>>>>> How exactly can I do this? This sounds really interesting, but I
>>>>> didn't find an "Adjust Stack for Dummies" guide ;) Can you gimme a
>>>>> small example?
> 
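As an added example (not code from the thread or from Metasploit), the following Python hand-encodes the x86 `sub esp, imm` instruction the way the NASM shell output above shows it, and scans the result against a bad-character set. It makes visible why `sub esp,3500` carries two NULL bytes: any 32-bit immediate below 0x10000 leaves its two high-order bytes zero. The `check_stack_adjustment` helper and the default bad-character set of `\x00` are assumptions for this illustration.

```python
# Added example, not from the mailing-list thread: encode `sub esp, n`
# for 32-bit x86 and report bytes that collide with a bad-character set.
import struct

def encode_sub_esp(n: int) -> bytes:
    """Encode `sub esp, n` as 32-bit x86 machine code.

    Opcode 0x83 /5 ib: 8-bit sign-extended immediate (0..127 used here).
    Opcode 0x81 /5 id: full 32-bit little-endian immediate.
    ModRM byte 0xEC selects register ESP with the /5 (SUB) extension,
    matching the NASM shell output "81ECAC0D0000" for sub esp,0xdac.
    """
    if not 0 <= n < 2**32:
        raise ValueError("immediate must fit in 32 bits")
    if n <= 0x7F:
        return b"\x83\xec" + struct.pack("<b", n)
    return b"\x81\xec" + struct.pack("<I", n)

def find_badchars(code: bytes, badchars: bytes = b"\x00"):
    """Return (offset, byte) pairs in `code` that appear in `badchars`."""
    return [(i, b) for i, b in enumerate(code) if b in badchars]

def check_stack_adjustment(n: int, badchars: bytes = b"\x00") -> dict:
    """Encode the adjustment and list offending offsets (assumed helper).

    For 3500 (0xdac) the little-endian immediate is AC 0D 00 00, so the
    two trailing bytes are NULLs; a strcpy-delivered payload would be cut
    there, which is why the thread says the prefix must be encoded.
    """
    code = encode_sub_esp(n)
    return {"hex": code.hex(), "bad": find_badchars(code, badchars)}

if __name__ == "__main__":
    print(check_stack_adjustment(3500))
```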