Home page logo
/

metasploit logo Metasploit mailing list archives

payloads ending with a RET
From: Nadie <n0s0yn4die () gmail com>
Date: Sun, 13 Jun 2010 22:33:44 +0200

Hi All,


I'm using the Win32 Kernel Shellcode (by Stephen Fewer) explained here:

http://blog.harmonysecurity.com/2009/11/implementing-win32-kernel-shellcode.html

I want to do all the work (copy the user payload to SharedUserData,
hook systenter MSR, clear the NX bit from the PTE, intercept the
SYSENTER user call, unhook MSR, and execute the user payload) without
break the intercepted process (stealth). If I use the MSF payloads
that normally exits, the intercepted ring3 process die. Is there any
way to create the payloads ending with a ret and a fixed stack?.

For example, I can use windows/exec but I have to manually change the
last part, the fixed call to exit:

push byte 0 // push the desired exit code parameter
push 0x56A2B5F0 // push the hash value for ExitProcess
call ebp // call kernel32.dll!ExitProcess( 0 )

or the:
%include "./src/block/block_exitfunk.asm"

by a:
retn

If I try to use the reverse_https stager, and handler is not up, or
the connection fails I have to manual fix:

126 failure:
127     push 0x56A2B5F0        ; hardcoded to exitprocess for size
128     call ebp

by:

add esp, 0c
retn

(or ret 0c)

And so on... I'm missing something ?, I'm sure there is probably an
easy way to fix the user payloads..
Thx in advance.

PD: I've tried EXITFUNC=seh, thread, and process, but there isn't a
similar to EXITFUNC=ret
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]