Reversing MSF Modules

MSF Module Key-terms

EXITFUNC: This is the function used to terminate the payload after it has completed, such as
ExitThread() or ExitProcess().

EXITFUNC offers several methods for terminating the payload; these include:

  • SEH: This method should be used when there is a structured exception handler (SEH) that will restart the thread or process automatically when an error occurs.
  • THREAD: This method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread; exiting that thread leaves the application/system working (clean exit).
  • PROCESS: This method should be used with multi/handler, and with any exploit where a master process restarts the exploited process on exit.


datastore['LHOST'].length: This obtains the length of the local host IP address string.
In Python, use len(lhost).

payload.encoded: This generates the encoded shellcode for the selected payload.

[target['Ret']].pack('V'): This packs the return address (usually pointing to a JMP ESP) as a 4-byte little-endian unsigned integer.

[target.ret].pack('V*')[0,3]: This packs the target.ret variable (the return address) the same way and keeps only the first three bytes ([0,3] is a Ruby slice: offset 0, length 3), so the high byte of the address, typically a null character, is stripped.

rand_text_alpha_upper(target['Offset'] - hunter.length): This generates a string of random upper-case characters whose length is the target's Offset value minus the length of the value stored in the hunter variable.
In Python, use buff += "A" * ((the offset value) - len(hunter))

hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions): This builds the egg (the egg tag, e.g. "W00TW00T", placed at the beginning of the payload) and stores the egg hunter stub in the hunter variable.

def check(): The check function determines whether or not the target asset is vulnerable.

Important Notice

When porting MSF exploits to Python, make sure to match the required values specified in the module's variables, such as

  • Space   
  • BadChars 
  • StackAdjustment

Tip.
If the generated shellcode is smaller than the specified Space, pad it with NOPs.
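The Python equivalents of the key terms above, laid out as one buffer builder, as an added example that is not code from the original post or from Metasploit. TARGET, SPACE, BAD_CHARS, HUNTER and SHELLCODE are constructed stand-in values (no real target, egghunter stub or shellcode), and the egg is assumed to start with the tag repeated twice.

```python
import struct

# Constructed stand-ins for the module's datastore/target values (not a real target).
TARGET = {"Ret": 0x00401234, "Offset": 64}   # target['Ret'], target['Offset']
SPACE = 96                                   # the module's 'Space' value
BAD_CHARS = b"\x00\x0a\x0d"                  # the module's 'BadChars' value
EGG_TAG = b"W00T"                            # egg tag; the egg is assumed to start with it twice
HUNTER = b"H" * 32                           # stand-in for the egg hunter stub, not real code
SHELLCODE = b"\xcc" * 10                     # stand-in payload (int3 bytes), not real shellcode


def pack_ret(ret):
    """Python for [target['Ret']].pack('V'): 4-byte little-endian unsigned int."""
    return struct.pack("<I", ret)


def pack_ret_3(ret):
    """Python for [target.ret].pack('V*')[0,3]: the first 3 bytes, high byte dropped."""
    return struct.pack("<I", ret)[:3]


def find_badchars(buf, badchars):
    """Bad characters present in buf, as a sorted list of byte values ([] means clean)."""
    return sorted({b for b in badchars if b in buf})


def pad_shellcode(shellcode, space):
    """The Tip above: pad shellcode smaller than Space with NOPs; refuse oversized shellcode."""
    if len(shellcode) > space:
        raise ValueError("shellcode (%d bytes) exceeds Space (%d)" % (len(shellcode), space))
    return shellcode + b"\x90" * (space - len(shellcode))


def build_buffer(target, hunter, shellcode, space, badchars):
    """filler + hunter + ret + egg, following the module layout described above."""
    if len(hunter) > target["Offset"]:
        raise ValueError("hunter does not fit before the return address")
    bad = find_badchars(hunter + shellcode, badchars)
    if bad:
        raise ValueError("bad characters in hunter/shellcode: %r" % bad)
    filler = b"A" * (target["Offset"] - len(hunter))    # rand_text_alpha_upper(Offset - hunter.length)
    egg = EGG_TAG * 2 + pad_shellcode(shellcode, space)  # the 'egg' returned by generate_egghunter
    return filler + hunter + pack_ret(target["Ret"]) + egg


if __name__ == "__main__":
    buf = build_buffer(TARGET, HUNTER, SHELLCODE, SPACE, BAD_CHARS)
    print(len(buf), find_badchars(pack_ret(TARGET["Ret"]), BAD_CHARS))
```

Running find_badchars over pack_ret(TARGET["Ret"]) reports the null high byte, which is exactly the byte the three-byte pack('V*')[0,3] form leaves out.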













