Metasploit mailing list archives

extra code added to exploit and payload


From: hybryd17 at gmail.com (Chris Smith)
Date: Tue, 28 Jul 2009 15:03:28 -0400

I'm trying to understand the code added by Metasploit in addition to the
exploit and payload. For a given exploit and payload, Metasploit seems to
add code above and beyond what can be seen in the exploit and payload
modules, even when there is no encoding.

For example, I modified the exploit msvidctl_mpeg2.rb to operate with no
encoder by commenting out the BadChars line. The exploit and payload still
work, but there is still a long sequence of shellcode preceding the payload
bytes (which come from windows/shell_bind_tcp.rb). Where does this extra
code come from and what does it do? It seems necessary, since when I patch
the nop sled in the heap spray to jump over this extra code and go directly
to the payload, I don't get my command shell.

Thanks,
Chris