Posted: Wed Sep 02, 2009 10:37 pm Post subject: Windows Metasploit Shellcode - Baffling Problem (to me)
I am fascinated with the use of shellcode to exploit security holes in programs (Windows, especially, because that is my workstation). I have been immersed in the book Gray Hat Hacking: The Ethical Hackers Handbook; it is excellent for beginners to the art such as myself.
However, I have encountered some Windows shellcode problems and have utterly failed in solving them. And so, on to the dilemma.
Windows shellcode is far too advanced for me to write at the moment. To understand some Windows security vulnerabilities I have been using the shellcode generated by Metasploit's payload engine. It was here that the problems began.
I was using a Win32 "Execute an Arbitrary Command" payload to try to start a process (for space, assume "calc.exe") by exploiting the hole. However, the payload failed to function properly. After examining the stack in a debugger during the exploit, I realized the program name "calc.exe" was being overwritten while the shellcode was executing. The program terminated with a "File Not Found" exception--the "name" was now just memory garbage.
After poking around with this problem for a while, I switched out the Arbitrary Command payload for a Bind Shell payload. Unfortunately, this payload also had problems.
I am worried that I am doing something fundamentally wrong, something that someone just has to hit me over the head with. Is there a certain amount of NOP padding I should put before and after the shellcode? Am I perhaps not using the correct payload for my platform? Perhaps I am not exploiting the hole correctly (it was a simple buffer overflow, by the way)?
Ah, a very important piece: when I simply take the shellcode and execute it as an ordinary function in a C program, it works without a hitch.
Any help would be awesome and very appreciated. Thank you!
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum