Metasploit mailing list archives
Writing an encoder
From: Paul Johnston <paj () pajhome org uk>
Date: Tue, 26 Jul 2011 16:35:30 +0100
Hi,

I have an interesting vulnerability to exploit. I can place a file on the victim's computer (Windows), so for now I am placing a .exe file in their startup directory. I'm using windows/shell_reverse_tcp encoded using msfpayload/msfencode. This gets me a shell when the user reboots, which will do for the purpose of my demo.

However, to place the file it needs to match a particular checksum, which works in 512-byte blocks. If I can modify two bytes in each block, I can "massage" the file to have the correct checksum. So, what I need is an encoder that lets me do this without messing up the .exe file. I was thinking that it could inject something like the following, every 512 bytes:

    push eax
    mov eax, 0x00000000    ; immediate operand is the slack that can be rewritten
    pop eax

That way, I can tamper with the 0x00000000 without messing up the code.

I am going to press on with implementing this. What I wondered is: has anyone tried something similar? Any alternative ideas for achieving this? Any pitfalls to be wary of?

Advice would be much appreciated :-)

Paul
https://mail.metasploit.com/mailman/listinfo/framework
Current thread:
- Writing an encoder Paul Johnston (Jul 26)
- Re: Writing an encoder John Strand (Jul 26)