Metasploit mailing list archives
windows/exec payload
From: Robert Larsen <robert () the-playground dk>
Date: Tue, 07 Aug 2012 14:17:37 +0200
Hi all

In an attempt to learn shellcoding I am reversing the payloads from Metasploit and I found something in 'windows/exec' that strikes me as "odd"...maybe even a bug? You tell me.

I disassembled the code like this:

    ./msfpayload windows/exec CMD=calc R | ndisasm -b 32 -

What I found is this:

    ....
    ; Get address of LDR into EDX
    ; http://www.nirsoft.net/kernel_struct/vista/PEB_LDR_DATA.html
    0000000F  8B520C      mov edx,[edx+0xc]
    ; Get address of InMemoryOrderModuleList list entry into EDX
    ; http://www.nirsoft.net/kernel_struct/vista/LDR_DATA_TABLE_ENTRY.html
    00000012  8B5214      mov edx,[edx+0x14]
    ; Get address of base dll name unicode string into ESI
    ; http://www.nirsoft.net/kernel_struct/vista/UNICODE_STRING.html
    00000015  8B7228      mov esi,[edx+0x28]
    ; Get maximum length of base dll name unicode string into ECX
    00000018  0FB74A26    movzx ecx,word [edx+0x26]
    ....

The code then continues hashing the dll name.

A UNICODE_STRING has a length, a maximum length and a pointer to the buffer containing the string, and the MSDN site (http://msdn.microsoft.com/en-us/library/windows/desktop/aa380518(v=vs.85).aspx) says this about the maximum length:

"Specifies the total size, in bytes, of memory allocated for Buffer. Up to MaximumLength bytes may be written into the buffer without trampling memory."

And this about length:

"Specifies the length, in bytes, of the string pointed to by the Buffer member, not including the terminating NULL character, if any."

Why was maximum length chosen over length? I would assume that the length would be constant across different versions of the dll while the maximum length might differ. Am I missing something?

Best regards and thanks for a wonderful tool
Robert
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework
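Added example, not part of the post or of Metasploit's own code: an analyst-side reproduction of the module-name hashing that follows the instructions quoted above (the byte-wise uppercase / ROR-13 loop of the public block_api stub, recalled here since the post does not show it), run over a constructed UNICODE_STRING so the effect of loading Length versus MaximumLength into ECX can be seen directly. It assumes the constructed entry has MaximumLength = Length + 2 (room for the UTF-16 NUL terminator).

```python
def ror32(value: int, count: int) -> int:
    """32-bit rotate right, i.e. what `ror edi, 13` does to EDI."""
    value &= 0xFFFFFFFF
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def module_hash(buffer: bytes, byte_count: int) -> int:
    """Hash `byte_count` bytes of a UTF-16LE module name the way the stub's
    loop does: `lodsb`, uppercase via `cmp al,'a' / jl / sub al,0x20`, then
    `ror edi,13 / add edi,eax`, `loop` ECX times.  `byte_count` is whatever
    the movzx loaded into ECX (Length or MaximumLength of BaseDllName)."""
    h = 0
    for b in buffer[:byte_count]:
        # `jl` is a signed compare, so only 0x61..0x7F are uppercased;
        # bytes >= 0x80 read as negative and fall through unchanged.
        if 0x61 <= b <= 0x7F:
            b -= 0x20
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def make_unicode_string(name: str) -> tuple[int, int, bytes]:
    """Constructed BaseDllName fields (not read from a real process):
    Length excludes the terminator, MaximumLength is assumed to be
    Length + 2, Buffer is UTF-16LE followed by a two-byte NUL."""
    body = name.encode("utf-16-le")
    return len(body), len(body) + 2, body + b"\x00\x00"


def compare(name: str) -> dict:
    """Hash the same buffer twice: once over Length bytes, once over
    MaximumLength bytes, as the shown `movzx ecx,word [edx+0x26]` does."""
    length, max_length, buf = make_unicode_string(name)
    return {
        "length": length,
        "max_length": max_length,
        "hash_over_length": module_hash(buf, length),
        "hash_over_max_length": module_hash(buf, max_length),
    }


if __name__ == "__main__":
    for name in ("kernel32.dll", "KERNEL32.DLL"):
        r = compare(name)
        print(f"{name}: Length={r['length']} MaximumLength={r['max_length']} "
              f"hash(Length)={r['hash_over_length']:#010x} "
              f"hash(MaximumLength)={r['hash_over_max_length']:#010x}")
```

Because the two terminator bytes are zero, hashing MaximumLength bytes equals the Length-byte hash rotated right by 13 twice more, so the two choices yield different constants, and a lookup table built for one will not match the other.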