
Metasploit mailing list archives
MSFEncode bug doesn't encode EXE's or VBA's
From: huperdefigo at gmail.com (Mark Baggett)
Date: Fri, 19 Dec 2008 15:03:24 -0500
It seems there is an error in msfencode. Today it doesn't encode the payload when an output type of EXE or VBA is selected.

Looking at the code, the problem for payloads of type exe and vba is this: first, the variable raw is assigned the encoded payload returned by the encode function.

Line 159

    # Encode it up
    raw = enc.encode(buf, badchars)

Then when it creates its exe it uses buf (the unencoded payload) again rather than raw (the encoded payload).

Line 173

    exe = Rex::Text.to_win32pe(buf, "")

I changed it to raw ...

    exe = Rex::Text.to_win32pe(raw, "")

and it will then encode payloads of type exe. But the encoded payloads do not work. Using ollydbg I can see a memory access violation when the actual xor encoding attempts to write to the code segment where the payload runs. I reverted to the template.exe distributed prior to the Sept 29th update (Change set 5689) and everything works fine now.

The same error is in the code for encoding vba output.

After those three changes I am able to make encoded payloads...

    ./msfpayload windows/shell_bind_tcp R | ./msfencode -t exe -o ~/winbindencoded.exe

and double encoded payloads...

    ./msfpayload windows/shell_bind_tcp R | ./msfencode -e x86/countdown -t raw | ./msfencode -t exe -o ~/winbinddoubleencode.exe

Mark Baggett
http://markremark.blogspot.com