metasploit-framework May 2011 archive
Main Archive Page > Month Archives  > metasploit-framework archives
metasploit-framework: Re: [framework] WinExec payload?

Re: [framework] WinExec payload?

From: Abuse007 <abuse007_at_nospam>
Date: Wed May 18 2011 - 07:24:56 GMT
To: Jun Koi <junkoi2004@gmail.com>

Hi Jun,

I haven't looked into metasploit's WinExec shellcode but it is probably working out the addresses of the functions in the libraries that it needs. The addresses of breakpoints you are setting and the calculated addresses might not match. The shellcode could be calling a little past the function prologue. Try setting the break points further into the functions.

Also in general some functions are merely wrappers around others, so break on the lowest level function.

Msf may have source code or documentation on the shellcode. Otherwise disassemble it and have a look at how it is working.

I may be missing something myself, but I hope the above helps.

On 18/05/2011, at 3:38 PM, Jun Koi <junkoi2004@gmail.com> wrote:

> hi,
>
> i am using payload WinExec to test one vulnerable application (the exploitation also comes from metasploit)
>
> before launching the exploit, i put 2 breakpoints on WinExec and GetProcAddress function of this application.
> then i run the exploit, and it successes.
>
> however, the problem is none of my breakpoints were triggered. this is a surprise to me, as i supposed that the payload cannot work without using these 2 functions. clearly i missed something there!
>
> could anybody please tell me why this happens?
>
> thanks a lot,
> Jun
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework