Metasploit mailing list archives

Writing an encoder
From: Paul Johnston <paj () pajhome org uk>
Date: Tue, 26 Jul 2011 16:35:30 +0100

Hi,

I have an interesting vulnerability to exploit.

I can place a file on the victim's computer (Windows), so for now I am
placing a .exe file in their startup directory. I'm using
windows/shell_reverse_tcp encoded using msfpayload/msfencode. This gets me a
shell when the user reboots, which will do for the purpose of my demo.

However, to place the file it needs to match a particular checksum, which
works in 512-byte blocks. If I can modify two bytes in each block, I can
"massage" the file to have the correct checksum. So, what I need is an
encoder that lets me do this without messing up the .exe file. I was
thinking that it could inject something like the following, every 512 bytes:

push eax
mov eax, 0x00000000   ; the imm32 bytes are the tamperable slot (Intel syntax: destination first)
pop eax

That way, I can tamper with the 0x00000000 without messing up the code. I am
going to press on with implementing this.

What I wondered is: has anyone tried something similar? Any alternative
ideas for achieving this? Any pitfalls to be wary of?

Advice would be much appreciated :-)

Paul
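Added illustration (not code from the post or from Metasploit): it assumes an LRC-style check that the post does not specify, namely that each 512-byte block must sum to 0 mod 256, and shows why such a per-block additive checksum is no integrity control at all: two free bytes inside the register-neutral push/mov imm32/pop slot absorb whatever value the block needs while every other byte of the code stays untouched.

```python
BLOCK = 512

# Assumed checksum for this example (the post does not give the real one):
# each 512-byte block passes when its byte sum is 0 modulo 256.
def block_ok(block: bytes) -> bool:
    return sum(block) % 256 == 0

# x86 encoding of the slot from the post: push eax (50), mov eax, imm32
# (B8 + 4 bytes), pop eax (58). Registers are unchanged; the imm32 is free.
SLOT_HEAD = b"\x50\xB8"
SLOT_TAIL = b"\x58"

def find_slot(block: bytes) -> int:
    """Offset of the imm32 inside the first push/mov/pop slot, or -1."""
    i = block.find(SLOT_HEAD)
    while i != -1:
        if block[i + 6:i + 7] == SLOT_TAIL:
            return i + 2
        i = block.find(SLOT_HEAD, i + 1)
    return -1

def massage(data: bytes) -> bytes:
    """Set two imm32 bytes per block so every block satisfies block_ok."""
    out = bytearray(data)
    for start in range(0, len(out), BLOCK):
        off = find_slot(out[start:start + BLOCK])
        if off == -1:
            raise ValueError(f"block at offset {start} has no free slot")
        imm0 = start + off
        out[imm0], out[imm0 + 1] = 0, 0              # clear the bytes we own
        need = (-sum(out[start:start + BLOCK])) % 256  # value the block lacks
        out[imm0], out[imm0 + 1] = need, 0           # one byte suffices here
    return bytes(out)

def demo() -> tuple[bool, list[int]]:
    """Constructed input: three blocks of NOP filler, one slot per block.
    Returns (all blocks pass, offsets of every byte the massage changed)."""
    slot = SLOT_HEAD + b"\x00" * 4 + SLOT_TAIL
    block = b"\x90" * 100 + slot + b"\x90" * (BLOCK - 100 - len(slot))
    code = block * 3
    forged = massage(code)
    ok = all(block_ok(forged[i:i + BLOCK]) for i in range(0, len(forged), BLOCK))
    changed = [i for i, (a, b) in enumerate(zip(code, forged)) if a != b]
    return ok, changed
```

Only the immediate byte in each block moves; any real integrity check on this file should therefore be a keyed MAC or a signature rather than a sum that free bytes can satisfy.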