mailing list archives
Re: payloads ending with a RET
From: kktmp1 <kktmp1 () gmail com>
Date: Mon, 14 Jun 2010 06:57:42 +0200
Thanx for the quick answer.
I'm going to try your suggestion creating a new thread with the user
payload, and then doing a ret.
Thx again !!!
2010/6/14 HD Moore <hdm () metasploit com>
On 6/13/2010 3:33 PM, Nadie wrote:
PD: I've tried EXITFUNC=seh, thread, and process, but there isn't a
similar to EXITFUNC=ret
By the time the payload stage is running the original stack return
address is long gone. There isn't any clean way to get back to,
considering how many twists and turns the staging process takes.
You might be able to hack the non-staged payloads to do this or the
stagers themselves in the case of an error, but its not going to work
right for something like meterpreter.
A typical staging process for Meterpreter looks like:
1. Allocate some RWX memory with VirtualAlloc
2. Connect back and grab the next stage
3. Transfer into this stage (push/ret or jmp)
4. Execute the Reflective DLL stub
5. Map the DLL into memory and jump into it
6. Run the actual Init() routine
7. Initialize stdapi and possibly priv
8. Wait for commmands
One way you can try hacking this is by prepending the payload with code
that creates a new thread with the real shellcode and then does a "ret".
This would be easy to add into any exploit just by setting the Prepend
element in the Payload block to the bytecode.