[framework] Using encoded payload in executable
mmiller at hick.org
Fri Jun 8 01:25:18 CDT 2007
On Fri, Jun 08, 2007 at 08:11:53AM +0200, C0r3 1mp4ct wrote:
> Yes! The software that I am trying to exploit converts the chars to
> lowercase, just like with the ActiveX component mentioned in the
> article about this encoder.
>
> "The decoder stub is hardcoded to assume that ecx will hold the address."
> Does it mean that I have to put the address of the encoded payload
> into ecx before the control transfers to it? I mean it isn't enough to
> transfer control with a JMP ESP, I need to have ECX store the
> address too.
There's a trick you can do to set ECX to ESP using pusha/popa. Check
out this paper for more details:
http://uninformed.org/index.cgi?v=5&a=3&p=12
Let me know if you still have problems getting it to work.
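Added illustration (not code from this thread or from the linked paper): a small model of the 32-bit x86 register file and stack, enough to show why pusha/popa can land the original ESP in ECX. The key facts are architectural: pusha pushes EAX, ECX, EDX, EBX, the pre-pusha ESP, EBP, ESI, EDI in that order, so the saved ESP sits at [esp+12] afterwards, and popa reloads ECX from [esp+24]. The particular sequence below (pusha, three push imm8, popa) is my own way of lining those two slots up; the decoder stub in the paper may use a different sequence. The register layout, memory size and the 0x61 immediate are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the 32-bit x86 registers plus a stack. Constructed for
 * this example only; it is not an emulator and not the paper's decoder. */
enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI, NREGS };

typedef struct {
    uint32_t r[NREGS];
    uint8_t  mem[4096];   /* stack memory; ESP is an offset into it (assumption) */
} cpu_t;

static void wr32(cpu_t *c, uint32_t addr, uint32_t v) { memcpy(&c->mem[addr], &v, 4); }
static uint32_t rd32(cpu_t *c, uint32_t addr) { uint32_t v; memcpy(&v, &c->mem[addr], 4); return v; }

static void push32(cpu_t *c, uint32_t v) { c->r[ESP] -= 4; wr32(c, c->r[ESP], v); }
static uint32_t pop32(cpu_t *c) { uint32_t v = rd32(c, c->r[ESP]); c->r[ESP] += 4; return v; }

/* PUSHA (0x60): pushes EAX, ECX, EDX, EBX, the ESP value before the
 * instruction, EBP, ESI, EDI, in that order. */
static void pusha(cpu_t *c) {
    uint32_t esp0 = c->r[ESP];
    push32(c, c->r[EAX]); push32(c, c->r[ECX]); push32(c, c->r[EDX]); push32(c, c->r[EBX]);
    push32(c, esp0);
    push32(c, c->r[EBP]); push32(c, c->r[ESI]); push32(c, c->r[EDI]);
}

/* POPA (0x61): pops EDI, ESI, EBP, discards the ESP slot, then EBX, EDX, ECX, EAX. */
static void popa(cpu_t *c) {
    c->r[EDI] = pop32(c); c->r[ESI] = pop32(c); c->r[EBP] = pop32(c);
    (void)pop32(c);
    c->r[EBX] = pop32(c); c->r[EDX] = pop32(c); c->r[ECX] = pop32(c); c->r[EAX] = pop32(c);
}

/* Control case: a bare pusha; popa pair just restores every register,
 * so ECX is unchanged. Returns 1 if ECX survived untouched. */
int plain_pusha_popa_keeps_ecx(void) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.r[ESP] = sizeof c.mem;
    c.r[ECX] = 0xdeadbeef;
    pusha(&c);
    popa(&c);
    return c.r[ECX] == 0xdeadbeef;
}

/* One sequence (assumption; the paper's stub may differ) that moves the
 * pre-pusha ESP into ECX:
 *   pusha            ; saved ESP now at [esp+12]
 *   push 0x61 (x3)   ; lower ESP by 12 so that slot becomes [esp+24],
 *                    ; which is where popa reads ECX from
 *   popa
 * Opcodes 60, 6A 61, 61 all lie outside 0x41-0x5A, so they survive a
 * tolower() on the payload, unlike push esp / pop ecx (54 / 59).
 * Returns 1 if ECX ends up equal to the ESP seen before pusha. */
int pusha_popa_sets_ecx_to_esp(void) {
    cpu_t c;
    memset(&c, 0, sizeof c);
    c.r[ESP] = sizeof c.mem;
    c.r[ECX] = 0xdeadbeef;
    uint32_t esp0 = c.r[ESP];
    pusha(&c);
    push32(&c, 0x61); push32(&c, 0x61); push32(&c, 0x61);
    popa(&c);
    return c.r[ECX] == esp0;
}

int main(void) {
    printf("plain pusha/popa keeps ecx: %d\n", plain_pusha_popa_keeps_ecx());
    printf("pusha/push x3/popa sets ecx=esp: %d\n", pusha_popa_sets_ecx_to_esp());
    return 0;
}
```

The ESP that lands in ECX is the one in effect before pusha, i.e. the value JMP ESP delivered control with, which is what a decoder expecting ECX to point at the encoded payload needs; in a real stub the payload must of course sit at that address, and the three pushes also leave ESP 12 bytes lower than it started.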