Re: payloads ending with a RET
From: HD Moore <hdm () metasploit com>
Date: Sun, 13 Jun 2010 22:07:38 -0500

On 6/13/2010 3:33 PM, Nadie wrote:
> PS: I've tried EXITFUNC=seh, thread, and process, but there isn't a
> similar to EXITFUNC=ret

By the time the payload stage is running the original stack return
address is long gone. There isn't any clean way to get back to it,
considering how many twists and turns the staging process takes.

You might be able to hack the non-staged payloads to do this or the
stagers themselves in the case of an error, but it's not going to work
right for something like meterpreter.

A typical staging process for Meterpreter looks like:
1. Allocate some RWX memory with VirtualAlloc
2. Connect back and grab the next stage
3. Transfer into this stage (push/ret or jmp)
4. Execute the Reflective DLL stub
5. Map the DLL into memory and jump into it
6. Run the actual Init() routine
7. Initialize stdapi and possibly priv
8. Wait for commands

One way you can try hacking this is by prepending the payload with code
that creates a new thread with the real shellcode and then does a "ret".
This would be easy to add into any exploit just by setting the Prepend
element in the Payload block to the bytecode.
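
Seen from the defender's side, steps 1 and 4-5 of the staging process listed above leave a recognizable artifact: committed, private (not file-backed) RWX memory, and in the reflective-DLL case a PE header inside it. The following is an added example, not part of the original post or of Metasploit; the region records are constructed, their field names are assumptions that mirror `MEMORY_BASIC_INFORMATION`, and `head` is assumed to hold the first bytes read from each region.

```python
import struct

# Win32 constants from winnt.h
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_EXECUTE_READWRITE = 0x40


def has_pe_header(data: bytes) -> bool:
    """True if the buffer starts with 'MZ' and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(region: dict) -> str:
    """Rate one region record; anything not committed + private + RWX is ignored."""
    if region["state"] != MEM_COMMIT or region["type"] != MEM_PRIVATE:
        return "ignore"  # MEM_IMAGE regions are what the normal OS loader produces
    if region["protect"] != PAGE_EXECUTE_READWRITE:
        return "ignore"
    return "pe-in-private-rwx" if has_pe_header(region["head"]) else "private-rwx"


def scan(regions):
    """Return (base, verdict) for every region worth an analyst's attention."""
    rated = [(r["base"], classify(r)) for r in regions]
    return [(base, verdict) for base, verdict in rated if verdict != "ignore"]


def fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed header bytes only: 'MZ', e_lfanew at 0x3C, PE signature."""
    buf = bytearray(e_lfanew + 4)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample regions, not captured from a real process.
SAMPLE_REGIONS = [
    {"base": 0x00400000, "state": MEM_COMMIT, "type": MEM_IMAGE, "protect": 0x20, "head": fake_pe()},
    {"base": 0x00A10000, "state": MEM_COMMIT, "type": MEM_PRIVATE, "protect": 0x04, "head": b"\x00" * 64},
    {"base": 0x00B20000, "state": MEM_COMMIT, "type": MEM_PRIVATE, "protect": 0x40, "head": b"\xcc" * 64},
    {"base": 0x00C30000, "state": MEM_COMMIT, "type": MEM_PRIVATE, "protect": 0x40, "head": fake_pe()},
]

if __name__ == "__main__":
    for base, verdict in scan(SAMPLE_REGIONS):
        print(f"{base:#010x} {verdict}")
```

A bare `private-rwx` hit also occurs in processes that JIT-compile code, so treat it as a lead to triage; a PE header in such a region is the stronger signal.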