
Metasploit mailing list archives
Re: windows/exec payload
From: "HD Moore" <hdm () metasploit com>
Date: Tue, 7 Aug 2012 09:00:41 -0500
Typically these match (length vs max length) and even if they don't, the null byte wouldn't affect the hashing. At least, that is my vague understanding of it. You may want to read through the source code under external/source/shellcode/windows/x86/src/

-HD

-----Original Message-----
From: framework-bounces () spool metasploit com [mailto:framework-bounces () spool metasploit com] On Behalf Of Robert Larsen
Sent: Tuesday, August 07, 2012 7:18 AM
To: framework () spool metasploit com
Subject: [framework] windows/exec payload

Hi all

In an attempt to learn shellcoding I am reversing the payloads from Metasploit and I found something in 'windows/exec' that strikes me as "odd"...maybe even a bug? You tell me.

I disassembled the code like this:

    ./msfpayload windows/exec CMD=calc R | ndisasm -b 32 -

What I found is this:

    ....
    ; Get address of LDR into EDX
    ; http://www.nirsoft.net/kernel_struct/vista/PEB_LDR_DATA.html
    0000000F  8B520C            mov edx,[edx+0xc]
    ; Get address of InMemoryOrderModuleList list entry into EDX
    ; http://www.nirsoft.net/kernel_struct/vista/LDR_DATA_TABLE_ENTRY.html
    00000012  8B5214            mov edx,[edx+0x14]
    ; Get address of base dll name unicode string into ESI
    ; http://www.nirsoft.net/kernel_struct/vista/UNICODE_STRING.html
    00000015  8B7228            mov esi,[edx+0x28]
    ; Get maximum length of base dll name unicode string into ECX
    00000018  0FB74A26          movzx ecx,word [edx+0x26]
    ....

The code then continues hashing the dll name.

A UNICODE_STRING has a length, a maximum length and a pointer to the buffer containing the string, and the MSDN site (http://msdn.microsoft.com/en-us/library/windows/desktop/aa380518(v=vs.85).aspx) says this about the maximum length:

"Specifies the total size, in bytes, of memory allocated for Buffer. Up to MaximumLength bytes may be written into the buffer without trampling memory."

And this about length:

"Specifies the length, in bytes, of the string pointed to by the Buffer member, not including the terminating NULL character, if any."

Why was maximum length chosen over length? I would assume that the length would be constant across different versions of the dll while the maximum length might differ.
Am I missing something?

Best regards and thanks for a wonderful tool
Robert

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
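The question in this exchange is whether walking MaximumLength bytes of BaseDllName instead of Length bytes changes the hash the stub computes. The script below is an added example written for this archive page; it is not code from the thread or from Metasploit. It emulates the two sides of the scheme: the stub's module-name loop (the page only shows the instructions that load ESI and ECX; the loop body emulated here, one `ror edi,13` and one add per byte with bytes >= 'a' folded to upper case, is taken from the block_api source HD points to, not from this page) and the generator-side constant, which Metasploit's block_api_hash helper builds from the upper-cased module name plus a NUL in UTF-16LE and the function name plus a NUL. The UNICODE_STRING triples are constructed inline, and all function names (`make_unicode_string`, `stub_api_hash`, `generator_hash`, `length_vs_maximum_length`) are this example's own.

```python
MASK = 0xFFFFFFFF


def ror13(value):
    """32-bit rotate right by 13, i.e. the stub's `ror edi, 13`."""
    value &= MASK
    return ((value >> 13) | (value << 19)) & MASK


def ror13_hash(data, fold_case=False):
    """One pass of the stub's hash loop over `data`.

    Every byte costs one rotation and one add, so a NUL byte still changes
    the result (it rotates the accumulator before adding zero).
    `fold_case=True` mirrors the module loop's `cmp al,'a' / jl / sub al,0x20`,
    which is applied to every byte >= 0x61, not only to letters."""
    h = 0
    for b in data:
        if fold_case and b >= 0x61:
            b -= 0x20
        h = (ror13(h) + b) & MASK
    return h


def make_unicode_string(name, slack=0):
    """Constructed UNICODE_STRING (Length, MaximumLength, Buffer) for `name`.

    Length counts the UTF-16LE text only; MaximumLength also covers the
    2-byte terminator. `slack` pads the allocation beyond that so the two
    fields can be made to disagree. This is test input built here, not a
    real loader entry."""
    text = name.encode("utf-16-le")
    length = len(text)
    maximum_length = length + 2 + slack
    buffer = text + b"\x00" * (2 + slack)
    return length, maximum_length, buffer


def stub_module_hash(buffer, count):
    """What the stub holds in EDI after the module loop: `count` bytes of the
    BaseDllName buffer (ECX came from whichever field the stub loaded, in the
    listing MaximumLength at +0x26), with a-z folded to A-Z."""
    return ror13_hash(buffer[:count], fold_case=True)


def stub_api_hash(buffer, count, function):
    """Module hash plus the function-loop hash of `function` + NUL, mod 2^32."""
    fun = function.encode("ascii") + b"\x00"
    return (stub_module_hash(buffer, count) + ror13_hash(fun)) & MASK


def generator_hash(module, function):
    """The constant the payload generator embeds: upper-cased module name plus
    NUL as UTF-16LE, function name plus NUL as ASCII, both ROR13-hashed and
    summed mod 2^32 (the block_api_hash recipe, stated from the Metasploit
    source rather than from this page)."""
    mod = (module.upper() + "\x00").encode("utf-16-le")
    fun = (function + "\x00").encode("ascii")
    return (ror13_hash(mod) + ror13_hash(fun)) & MASK


def length_vs_maximum_length(module="kernel32.dll", function="LoadLibraryA"):
    """Hash one entry three ways and return the values next to the
    generator's constant so the reader can see which walks agree."""
    length, max_len, buf = make_unicode_string(module)
    expected = generator_hash(module, function)
    by_max = stub_api_hash(buf, max_len, function)   # what the listing does
    by_len = stub_api_hash(buf, length, function)    # Length instead
    # Entry whose allocation is larger than text + terminator: the
    # MaximumLength walk now hashes extra NUL bytes and no longer matches.
    _, max_len_padded, buf_padded = make_unicode_string(module, slack=4)
    by_max_padded = stub_api_hash(buf_padded, max_len_padded, function)
    return {
        "expected": expected,
        "maximum_length": by_max,
        "length": by_len,
        "maximum_length_padded": by_max_padded,
    }


if __name__ == "__main__":
    for name, value in length_vs_maximum_length().items():
        print(f"{name:24s} 0x{value:08X}")
```

The first two results cover the layout HD describes as typical, MaximumLength exactly one UTF-16 terminator longer than Length: the MaximumLength walk reproduces the generator's constant because the generator hashes the terminator too, while a Length walk stops two rotations early and produces a different value. The third result is the case Robert asks about, an entry whose allocation is larger than the text plus terminator; there the MaximumLength walk drifts away from the constant, since every extra NUL byte still rotates the accumulator.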
Current thread:
- windows/exec payload Robert Larsen (Aug 07)
- Re: windows/exec payload HD Moore (Aug 07)
- Re: windows/exec payload Robert Larsen (Aug 07)
- Re: windows/exec payload HD Moore (Aug 07)
- Re: windows/exec payload Robert Larsen (Aug 07)
- Re: windows/exec payload HD Moore (Aug 07)