[framework] Payload Bugs ?

Jerome Athias jerome.athias at free.fr
Wed Aug 29 08:14:30 CDT 2007


This code ensures that the payloads/encoders don't corrupt themselves. 
Also, in some cases, payloads assume that a certain amount of available 
stack space exists; so that adjustment helps to correct that assumption.

PS: thank you skape ;-p

Thomas Werth wrote:
> It works!
> I created an msf module, set Payload StackAdjustment to -3500 and now
> meterpreter reverse works.
>
> Can someone please explain to me why a stack adjustment solves this problem?
> Payload is:
> nop x 260 - call esp - shellcode
> now, if I understand correctly, the new payload is
> nop x 260 - call esp - sub esp,3500 - shellcode
>
> I guess in "staged" payloads (only inline ran before) the stack frame end
> was too near, and now we have a bit more space so the staged payload won't be
> cut? Did I understand this right?
>
> Thomas Werth wrote:
>   
>> Thanks for the info.
>> As I'm using strcpy in my test app, only \x00 has to be a badchar, right?
>>
>> When using encoding, I read something on Uninformed about edx (or ecx)
>> being used as the base for decoding and having to be adjusted. Is this still
>> needed, or is encoding enough without taking care of the kind of decoding?
>>
>>
>> J. M. Seitz wrote:
>>     
>>> Use the NASM shell that ships with Metasploit.
>>>
>>> nasm > sub esp,3500
>>> 00000000  81ECAC0D0000      sub esp,0xdac
>>> nasm >
>>>
>>> So you would start your payload off with "\x81\xec\xac\x0d\x00\x00", but of course
>>> you will want to encode it, as those two NULL bytes will give you grief.
>>>
>>> JS
>>>
>>>
>>>       
>>>> -----Original Message-----
>>>> From: Thomas Werth [mailto:security at vahle.de] 
>>>> Sent: Tuesday, August 28, 2007 11:20 PM
>>>> To: framework at metasploit.com
>>>> Subject: Re: [framework] Payload Bugs ?
>>>>
>>>> OK, but how do I append?
>>>> I doubt $payload .= "sub esp,3500" would do it, am I wrong?
>>>> How exactly would I append this in Perl, and how in the msf.rb file?
>>>>
>>>> J. M. Seitz wrote:
>>>>         
>>>>> I think a simple:
>>>>>
>>>>> sub esp,3500
>>>>>
>>>>> would do it; prepend it to your shellcode.
>>>>>
>>>>> JS
>>>>>           
>>>>>> -----Original Message-----
>>>>>> From: Thomas Werth [mailto:security at vahle.de]
>>>>>> Sent: Tuesday, August 28, 2007 10:50 PM
>>>>>> To: framework at metasploit.com
>>>>>> Subject: Re: [framework] Payload Bugs ?
>>>>>>
>>>>>> Patrick Webster wrote:
>>>>>>             
>>>>>>> I assume your German return address is correct.
>>>>>>>
>>>>>>> Try using a shellcode with a stack adjustment of -3500.
>>>>>>>
>>>>>>> Otherwise your payload may be using bad characters which are not
>>>>>>> accepted, or the payload code is changed by other instructions before
>>>>>>> you execute, by the target application?
>>>>>>>
>>>>>>> -Patrick
>>>>>>>
>>>>>>
>>>>>> How exactly can I do this? This sounds really interesting, but I
>>>>>> didn't find an "Adjust Stack for dummies" guide ;) Can you gimme a
>>>>>> small example?
>
>
>
>   
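An added example for this thread, written here and not taken from the list or from Metasploit: a small C routine that builds the sub esp,N prefix J. M. Seitz got out of the NASM shell, also tries the equivalent add esp,-N form and the short imm8 forms, and keeps the first encoding that contains none of the caller's bad characters. The point of the prefix is that a payload sitting on the stack at or just below esp is overwritten by its own pushes and calls (and by the API calls a stager makes); moving esp down first puts that scratch space below the payload bytes. With \x00 as the only bad character (the strcpy case above), sub esp,3500 = 81 EC AC 0D 00 00 is rejected and add esp,0xfffff254 = 81 C4 54 F2 FF FF is used instead, which moves esp by the same -3500 without needing an encoder. The function names, the sign convention for delta (negative moves esp down, as with the StackAdjustment value -3500) and the three-byte stand-in shellcode are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the thread or from Metasploit): build the x86
 * stack-adjustment prefix and prepend it to a payload. delta is the change
 * applied to esp: -3500 means "sub esp,3500". Names are our own. */

/* 1 if any byte of buf[0..len) is in the bad-character list. */
static int has_badchar(const uint8_t *buf, size_t len,
                       const uint8_t *bad, size_t badlen)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < badlen; j++)
            if (buf[i] == bad[j])
                return 1;
    return 0;
}

/* Encode one candidate form of "esp += delta" into out; returns its length,
 * or 0 when the form cannot express delta. Forms, shortest first:
 *   0: sub esp, imm8   -> 83 EC ib   (imm8 = -delta, sign-extended)
 *   1: add esp, imm8   -> 83 C4 ib   (imm8 =  delta)
 *   2: sub esp, imm32  -> 81 EC id   (the form the NASM shell printed)
 *   3: add esp, imm32  -> 81 C4 id   (imm32 = delta, 0xfffff254 for -3500,
 *                                     which is what gets rid of the NULLs) */
static size_t encode_form(int form, int32_t delta, uint8_t out[6])
{
    int32_t imm = (form == 0 || form == 2) ? -delta : delta;
    out[0] = (form < 2) ? 0x83 : 0x81;                /* group-1 opcode, imm8 / imm32 */
    out[1] = (form == 0 || form == 2) ? 0xEC : 0xC4;  /* ModRM: /5 sub esp, /0 add esp */
    if (form < 2) {
        if (imm < -128 || imm > 127)
            return 0;                                 /* does not fit a sign-extended imm8 */
        out[2] = (uint8_t)imm;
        return 3;
    }
    uint32_t u = (uint32_t)imm;                       /* two's complement, little-endian */
    out[2] = (uint8_t)(u & 0xff);
    out[3] = (uint8_t)((u >> 8) & 0xff);
    out[4] = (uint8_t)((u >> 16) & 0xff);
    out[5] = (uint8_t)((u >> 24) & 0xff);
    return 6;
}

/* Pick the shortest encoding of "esp += delta" containing no bad character.
 * Returns the prefix length, 0 when delta == 0 (nothing to emit), or -1
 * when no form is clean and a real encoder would be needed. */
int stack_adjust_encode(int32_t delta, const uint8_t *bad, size_t badlen,
                        uint8_t out[6])
{
    if (delta == 0)
        return 0;
    for (int form = 0; form < 4; form++) {
        size_t n = encode_form(form, delta, out);
        if (n != 0 && !has_badchar(out, n, bad, badlen))
            return (int)n;
    }
    return -1;
}

/* Write prefix + shellcode into out. Returns the total length, or -1 if
 * the prefix cannot be encoded cleanly or out is too small. */
int prepend_stack_adjust(int32_t delta, const uint8_t *bad, size_t badlen,
                         const uint8_t *sc, size_t sclen,
                         uint8_t *out, size_t outcap)
{
    uint8_t prefix[6];
    int n = stack_adjust_encode(delta, bad, badlen, prefix);
    if (n < 0 || (size_t)n + sclen > outcap)
        return -1;
    memcpy(out, prefix, (size_t)n);
    memcpy(out + n, sc, sclen);
    return n + (int)sclen;
}

int main(void)
{
    /* Constructed stand-in for real shellcode: two NOPs and an int3. */
    static const uint8_t stub[] = { 0x90, 0x90, 0xCC };
    static const uint8_t bad[] = { 0x00 };   /* strcpy() target: NUL terminates the copy */
    uint8_t buf[64];
    int n = prepend_stack_adjust(-3500, bad, sizeof bad, stub, sizeof stub,
                                 buf, sizeof buf);
    if (n < 0) {
        fprintf(stderr, "no clean encoding\n");
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("\\x%02x", buf[i]);
    printf("\n");   /* \x81\xc4\x54\xf2\xff\xff\x90\x90\xcc */
    return 0;
}
```

The imm8 forms are tried first because they are shorter (sub esp,100 becomes 83 EC 64); the add-with-negative form is the one that usually rescues a sub with NULLs in its immediate. Some values have no clean six-byte form at all (for example -256, where both 81 EC 00 01 00 00 and 81 C4 00 FF FF FF contain a NULL), and then the routine returns -1 rather than emitting bytes that strcpy would truncate; that is the case where you fall back to encoding the whole thing, as suggested in the thread.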