Reversing MSF Modules
MSF Module Key-terms
EXITFUNC: This is a function which is used to terminate the payload after it has completed, such as
ExitThread() or ProcessEXIT()
ExitThread() or ProcessEXIT()
The EXITFUNC has several methods for terminating the payload these include:
| SEH | This method should be used when there is a structured exception handler (SEH) that will restart the thread or process automatically when an error occurs. |
| THREAD | This method is used in most exploitation scenarios where the exploited process (e.g. IE) runs the shellcode in a sub-thread and exiting this thread results in a working application/system (clean exit) |
| PROCESS | This method should be used with multi/handler. This method should also be used with any exploit where a master process restarts it on exit. |
datastore['LHOST'].length): This parameter refers to obtaining the length of the local host ip address
To perform this parameter in python use len(lhost)
To perform this parameter in python use len(lhost)
payload.encoded: This parameter refers to generating an encoded shellcode
[target['Ret']].pack('V'): This parameter refers to mapping the return address //usually pointing to JMP ESP
[target.ret].pack('V*')[0,3]: This parameter parses the target.ret variable (the return address) and strips three null characters.
rand_text_alpha_upper(target['Offset'] - hunter.length): This parameter is used to generate upper case characters multiplied by the value specified in the targets offset, and then subtracted by the length of the value stored in the hunter variable.
To perform this parameter in python use buff += "A" * ((the offset value) - len(hunter))
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions): This parameter generates an egg (example "W00TW00T") at the begin of a payload and then inserts the egg hunter into hunter var.
Tip.
If the generated shellcode size is smaller then the specified space, add nops
[target.ret].pack('V*')[0,3]: This parameter parses the target.ret variable (the return address) and strips three null characters.
rand_text_alpha_upper(target['Offset'] - hunter.length): This parameter is used to generate upper case characters multiplied by the value specified in the targets offset, and then subtracted by the length of the value stored in the hunter variable.
To perform this parameter in python use buff += "A" * ((the offset value) - len(hunter))
def check(): The Check Function is used to determine whether or not the target asset is vulnerable.
When porting msf exploits to python make sure to match up the required values specified in the variables, such asImportant Notice
- Space
- BadChars
- StackAdjustment
Tip.
If the generated shellcode size is smaller then the specified space, add nops
Comments
Post a Comment