Home page logo
/

metasploit logo Metasploit mailing list archives

How payloads (shellcodes) used in exploiting
From: rrawal at ipolicynetworks.com (Rawal, Rajesh)
Date: Thu, 29 Mar 2007 15:44:37 +0530

Thanks Jerome,

Means to avoid badchars and for ID/PS evasion reasons, shellcodes being XORed.

-----Original Message-----
From: Jerome Athias [mailto:jerome.athias at free.fr]
Sent: Thursday, March 29, 2007 3:03 PM
To: framework at metasploit.com
Subject: Re: [framework] How payloads (shellcodes) used in exploiting

Hi,

it is due to the fact of the Metasploit Framework uses kind of magic and hexa voodoo!...

After joking, yes the shellcode has to be sent to the target to having it running.
To avoid badchars and for ID/PS evasion reasons, the base code of the shellcode (called payload) will me modified by 
the Framework before to be sent to the target. (ie: XORed) So yes it could be different every time.
A way to retrieve it in your packets is to attach a debugger to the target application/service and see what it 
receives, and then compare this with your capture.

Note that in the version 2 of the MSF, you can view the shellcodes's codes (:p) in 
*\Metasploit\Framework2\home\framework\src\shellcode\

I hope it helps
/JA

Rawal, Rajesh a ?crit :
Hi,

I am using metasploit framework 3, exploiting windows and linux
applications.
I have captured packets using ethereal, but I didn't find the payload
(position) used during the exploittation.

For e.g.

Exploit used was "windows/smb/ms06_040_netapi" and used payload
"windows/shell_bind_tcp" and it successfully exploited remote host and
got command of remote host machine. Also taken packet capture during
this process.
I m not able to find payload of "windows/shell_bind_tcp" in packet
capture.

1. Can I know where this payload exist (where it comes during this
sesion) in packet capture?
2. Does these payloads (shellcodes) differs in every new exploit attemts?

waiting for positive response

Regards

Rajesh Rawal
AMTS
*iPolicy Networks*
**NSEZ Noida | India
Tel. +91-120-2567001,xtn-1246
Cell +91-9899401874

www.ipolicynetworks.com <http://www.ipolicynetworks.com/>







<http://858769.sigclick.mailinfo.com/sigclick/0F040106/0F0E4D04/020245
03/07191971.jpg>

----------------------------------------------------------------------
--

"DISCLAIMER: This message is proprietary to iPolicy Networks Pvt. Ltd.
and is intended solely for the use of the individuals to whom it is
addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose 
other than for what is intended. If you have received this message in error, please notify the originator 
immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, 
copying, altering, or disclosing the contents of this message. iPolicy Networks accepts no responsibility for loss or 
damage arising from the use of the information transmitted by this email including damage from virus."....IPF 5K
 




 <http://858769.sigclick.mailinfo.com/sigclick/0C040E05/07004E06/01044A00/24162192.jpg> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070329/e12f62ba/attachment.htm>
-------------- next part --------------
"DISCLAIMER: This message is proprietary to iPolicy Networks Pvt. Ltd. and is intended solely for the use of the 
individuals to whom it is addressed. It may contain privileged or confidential information and should not be circulated 
or used for any purpose other than for what is intended. If you have received this message in error, please notify the 
originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from 
using, copying, altering, or disclosing the contents of this message. iPolicy Networks accepts no responsibility for 
loss or damage arising from the use of the information transmitted by this email including damage from virus."....IPF 5K


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault