Metasploit mailing list archives

windows/exec payload


From: Robert Larsen <robert () the-playground dk>
Date: Tue, 07 Aug 2012 14:17:37 +0200

Hi all

In an attempt to learn shellcoding I am reversing the payloads from Metasploit and I found something in 'windows/exec' that strikes me as "odd"...maybe even a bug? You tell me.

I disassembled the code like this:
./msfpayload windows/exec CMD=calc R | ndisasm -b 32 -

What I found is this:
....
; Get address of LDR into EDX
; http://www.nirsoft.net/kernel_struct/vista/PEB_LDR_DATA.html
0000000F  8B520C            mov edx,[edx+0xc]

; Get address of InMemoryOrderModuleList list entry into EDX
; http://www.nirsoft.net/kernel_struct/vista/LDR_DATA_TABLE_ENTRY.html
00000012  8B5214            mov edx,[edx+0x14]

; Get address of base dll name unicode string into ESI
; http://www.nirsoft.net/kernel_struct/vista/UNICODE_STRING.html
00000015  8B7228            mov esi,[edx+0x28]

; Get maximum length of base dll name unicode string into ECX
00000018  0FB74A26          movzx ecx,word [edx+0x26] 
....

The code then continues hashing the dll name.

A UNICODE_STRING has a length, a maximum length and a pointer to the buffer containing the string, and the MSDN site (http://msdn.microsoft.com/en-us/library/windows/desktop/aa380518(v=vs.85).aspx) says this about the maximum length:
"Specifies the total size, in bytes, of memory allocated for Buffer. Up to MaximumLength bytes may be written into the buffer without trampling memory."

And this about length:
"Specifies the length, in bytes, of the string pointed to by the Buffer member, not including the terminating NULL character, if any."

Why was maximum length chosen over length?
I would assume that the length would be constant across different versions of the dll while the maximum length might differ.

Am I missing something?

Best regards and thanks for a wonderful tool
Robert
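The structure walk the post describes, as an added example that is not from the original post or from Metasploit: a Python script builds a constructed 32-bit memory image holding a PEB, a PEB_LDR_DATA, an LDR_DATA_TABLE_ENTRY and a UNICODE_STRING at the field offsets cited in the post, replays the four loads from the listing, and then hashes the base DLL name once over Length bytes and once over MaximumLength bytes. The addresses and the DLL name are constructed, and the hash routine (a rotate-right-13 accumulate) is an assumption standing in for the hashing step the post mentions but does not show.

```python
import struct

# Constructed flat 32-bit "memory image" covering 0x1000..0x3fff. All addresses are
# invented for this example; the field offsets are the ones cited in the post.
BASE = 0x1000
MEM = bytearray(0x3000)

PEB_ADDR = 0x1000     # fake PEB (only Ldr at +0x0C is filled in)
LDR_ADDR = 0x1100     # fake PEB_LDR_DATA (only InMemoryOrderModuleList.Flink at +0x14)
ENTRY_ADDR = 0x2000   # fake LDR_DATA_TABLE_ENTRY for the first module in the list
NAME_ADDR = 0x3000    # UTF-16LE buffer for BaseDllName


def write(addr, data):
    MEM[addr - BASE:addr - BASE + len(data)] = data


def read32(addr):
    return struct.unpack_from("<I", MEM, addr - BASE)[0]


def read16(addr):
    return struct.unpack_from("<H", MEM, addr - BASE)[0]


def build_image(name="ntdll.dll"):
    """Populate the image so the listing's loads resolve to a BaseDllName of `name`."""
    buf = name.encode("utf-16-le") + b"\x00\x00"   # Buffer contents, NUL-terminated
    length = len(buf) - 2        # UNICODE_STRING.Length: bytes, excluding the terminator
    maximum = len(buf)           # UNICODE_STRING.MaximumLength: bytes allocated for Buffer
    write(NAME_ADDR, buf)
    # BaseDllName is the UNICODE_STRING at entry offset 0x2C: Length, MaximumLength, Buffer.
    write(ENTRY_ADDR + 0x2C, struct.pack("<HHI", length, maximum, NAME_ADDR))
    # The list links point at the entry's InMemoryOrderLinks member (entry + 0x08), not at
    # the entry itself; that is why the listing reads the name fields at +0x24/+0x26/+0x28.
    write(LDR_ADDR + 0x14, struct.pack("<I", ENTRY_ADDR + 0x08))
    write(PEB_ADDR + 0x0C, struct.pack("<I", LDR_ADDR))
    return PEB_ADDR


def walk_as_listing(peb):
    """Replay the four loads from the disassembly, starting with EDX = PEB."""
    edx = read32(peb + 0x0C)     # mov edx,[edx+0xc]         -> PEB.Ldr
    edx = read32(edx + 0x14)     # mov edx,[edx+0x14]        -> InMemoryOrderModuleList.Flink
    esi = read32(edx + 0x28)     # mov esi,[edx+0x28]        -> BaseDllName.Buffer
    ecx = read16(edx + 0x26)     # movzx ecx,word [edx+0x26] -> BaseDllName.MaximumLength
    length = read16(edx + 0x24)  # BaseDllName.Length, the field the post asks about
    return esi, ecx, length


def ror13_hash(data):
    """Assumed stand-in for the hashing step the post mentions but does not show:
    rotate the 32-bit accumulator right by 13 and add each byte."""
    h = 0
    for b in data:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def name_bytes(field, name="ntdll.dll"):
    """Return the bytes a hash loop would consume when its counter is `field`."""
    buffer, maximum, length = walk_as_listing(build_image(name))
    count = {"MaximumLength": maximum, "Length": length}[field]
    return bytes(MEM[buffer - BASE:buffer - BASE + count])


def hash_by_field(field, name="ntdll.dll"):
    return ror13_hash(name_bytes(field, name))


if __name__ == "__main__":
    buffer, maximum, length = walk_as_listing(build_image())
    print(f"Buffer=0x{buffer:x} MaximumLength={maximum} Length={length}")
    for field in ("Length", "MaximumLength"):
        print(f"{field:14s}: {name_bytes(field)!r} -> 0x{hash_by_field(field):08x}")
```

Switching the counter between the two fields changes the bytes fed to the hash (in this image the MaximumLength run includes the two-byte terminator), so the hash constants compiled into a payload only match for whichever field the loader stub actually reads; that dependency is what makes the choice the post asks about matter.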

