Add mmap to linux x86 stager payloads. #10
Nevermind - I see that this is just a prefix for each payload. Looks good with one exception, it needs to xor edx,edx as well (can't guarantee state)
On further review, it looks like the xor ebx,ebx at the top wasn't moved down to before the push ebx. This probably won't be touched by the mmap call, but in the interest of paranoia, can you refactor this with the following changes:
This would look something like: 00000000 31D2 xor edx,edx
Previously these payloads jumped to a stack address, which would fail on
machines with NX enabled.
The original metasploit bug for this is at:
https://dev.metasploit.com/redmine/issues/3038
The source of the added assembly (which switches the stack to an executable mmapped region) is:
xor %ecx,%ecx        # ecx = 0
mov $0x20,%ch        # ecx = 0x2000: length of the mapping, 8 KiB
mov $0x7,%dl         # dl = PROT_READ|PROT_WRITE|PROT_EXEC; the upper bytes of %edx are left as found
push $0x22
pop %esi             # esi = MAP_PRIVATE|MAP_ANONYMOUS
xor %eax,%eax
mov $0xc0,%al        # eax = 192 = __NR_mmap2; addr (%ebx), fd (%edi) and offset (%ebp) are whatever the caller left
int $0x80            # eax = address of the new RWX mapping
xchg %eax,%esp       # move the stack pointer into the mapping
shr %ecx             # ecx = 0x1000
add %ecx,%esp        # point %esp at the middle of the mapping so later pushes stay inside it
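One way to check what this prefix actually hands to mmap2, without running it on a real box, is to decode the bytes with a simulator for just the handful of instructions it uses. The program below is an added example of that check, written for this thread; it is not part of the PR or of Metasploit. It assembles the listing above by hand (standard x86-32 encodings), runs it from a constructed register state where %edx and %ebx hold leftovers from an earlier stage, and captures the mmap2 arguments. The "cleared" variant, which puts xor %edx,%edx (as asked for in review) and xor %ebx,%ebx in front, is my own addition for comparison. STACK_BASE, FAKE_MAP and the initial register values are constructed, not taken from any real target. %edi and %ebp are also left untouched by the prefix, but Linux ignores fd and offset for MAP_ANONYMOUS, so only %edx (prot) and %ebx (addr hint) depend on inherited state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };   /* x86 register numbering */
#define STACK_WORDS 32
#define STACK_BASE  0xbffff000u   /* constructed: %esp before the prefix runs */
#define FAKE_MAP    0xb7f00000u   /* constructed: what the simulated mmap2 returns */
#define SYS_MMAP2   0xc0

typedef struct {
    uint32_t r[8];
    uint32_t stack[STACK_WORDS];                 /* words just below STACK_BASE */
    int saw_mmap2;
    uint32_t addr, len, prot, flags, fd, pgoff;  /* mmap2 args as the kernel would see them */
} cpu_t;

static void cpu_init(cpu_t *c, uint32_t edx0, uint32_t ebx0) {
    memset(c, 0, sizeof *c);
    c->r[EDX] = edx0;            /* constructed: leftovers from the previous stage */
    c->r[EBX] = ebx0;
    c->r[ESP] = STACK_BASE;
}

static int push(cpu_t *c, uint32_t v) {
    if (c->r[ESP] > STACK_BASE || STACK_BASE - c->r[ESP] >= STACK_WORDS * 4u) return -1;
    c->r[ESP] -= 4;
    c->stack[(STACK_BASE - c->r[ESP]) / 4 - 1] = v;
    return 0;
}

static int pop(cpu_t *c, uint32_t *out) {
    if (c->r[ESP] >= STACK_BASE || STACK_BASE - c->r[ESP] > STACK_WORDS * 4u) return -1;
    *out = c->stack[(STACK_BASE - c->r[ESP]) / 4 - 1];
    c->r[ESP] += 4;
    return 0;
}

/* Execute one instruction from the subset the prefix uses; returns bytes consumed or -1. */
static int step(cpu_t *c, const uint8_t *p, size_t left) {
    uint8_t op = p[0];
    if ((op == 0x31 || op == 0x01) && left >= 2 && (p[1] >> 6) == 3) {  /* xor/add r32 -> r/m32 */
        int src = (p[1] >> 3) & 7, dst = p[1] & 7;
        if (op == 0x31) c->r[dst] ^= c->r[src]; else c->r[dst] += c->r[src];
        return 2;
    }
    if (op >= 0xb0 && op <= 0xb7 && left >= 2) {       /* mov imm8 -> al..bl / ah..bh */
        int reg = op & 3, high = op & 4;               /* writes one byte only: the %edx hazard */
        uint32_t mask = high ? 0xff00u : 0xffu;
        c->r[reg] = (c->r[reg] & ~mask) | ((uint32_t)p[1] << (high ? 8 : 0));
        return 2;
    }
    if (op == 0x6a && left >= 2)                       /* push sign-extended imm8 */
        return push(c, (uint32_t)(int32_t)(int8_t)p[1]) ? -1 : 2;
    if (op >= 0x58 && op <= 0x5f)                      /* pop r32 */
        return pop(c, &c->r[op - 0x58]) ? -1 : 1;
    if (op >= 0x91 && op <= 0x97) {                    /* xchg %eax, r32 */
        uint32_t t = c->r[EAX]; c->r[EAX] = c->r[op - 0x90]; c->r[op - 0x90] = t;
        return 1;
    }
    if (op == 0xd1 && left >= 2 && (p[1] >> 6) == 3 && ((p[1] >> 3) & 7) == 5) {
        c->r[p[1] & 7] >>= 1;                          /* shr r/m32, 1 */
        return 2;
    }
    if (op == 0xcd && left >= 2 && p[1] == 0x80) {     /* int $0x80: only mmap2 is modelled */
        if (c->r[EAX] != SYS_MMAP2) return -1;
        c->saw_mmap2 = 1;
        c->addr = c->r[EBX]; c->len = c->r[ECX]; c->prot = c->r[EDX];
        c->flags = c->r[ESI]; c->fd = c->r[EDI]; c->pgoff = c->r[EBP];
        c->r[EAX] = FAKE_MAP;
        return 2;
    }
    return -1;
}

/* Run a prefix from a constructed register state; 0 on success, -1 if an
 * instruction was unsupported or mmap2 was never reached. */
static int trace_prefix(const uint8_t *code, size_t n, uint32_t edx0, uint32_t ebx0, cpu_t *out) {
    size_t pc = 0;
    cpu_init(out, edx0, ebx0);
    while (pc < n) {
        int used = step(out, code + pc, n - pc);
        if (used < 0) return -1;
        pc += (size_t)used;
    }
    return out->saw_mmap2 ? 0 : -1;
}

static const uint8_t PREFIX_PR[] = {             /* the listing above, assembled */
    0x31, 0xc9, 0xb5, 0x20,   /* xor %ecx,%ecx; mov $0x20,%ch   len   = 0x2000 */
    0xb2, 0x07,               /* mov $0x7,%dl                   prot  = 7 in the low byte only */
    0x6a, 0x22, 0x5e,         /* push $0x22; pop %esi           flags = MAP_PRIVATE|MAP_ANONYMOUS */
    0x31, 0xc0, 0xb0, 0xc0,   /* xor %eax,%eax; mov $0xc0,%al   __NR_mmap2 */
    0xcd, 0x80, 0x94,         /* int $0x80; xchg %eax,%esp */
    0xd1, 0xe9, 0x01, 0xcc,   /* shr %ecx; add %ecx,%esp        esp = map + 0x1000 */
};
static const uint8_t PREFIX_CLEARED[] = {        /* my variant: xor %edx,%edx; xor %ebx,%ebx first */
    0x31, 0xd2, 0x31, 0xdb,
    0x31, 0xc9, 0xb5, 0x20, 0xb2, 0x07, 0x6a, 0x22, 0x5e,
    0x31, 0xc0, 0xb0, 0xc0, 0xcd, 0x80, 0x94, 0xd1, 0xe9, 0x01, 0xcc,
};

static void report(const char *name, const uint8_t *code, size_t n) {
    cpu_t c;
    if (trace_prefix(code, n, 0xdeadbeefu, 0x41414141u, &c)) { printf("%s: unsupported\n", name); return; }
    printf("%s: mmap2(addr=%#x, len=%#x, prot=%#x, flags=%#x) -> esp=%#x\n",
           name, c.addr, c.len, c.prot, c.flags, c.r[ESP]);
}

int main(void) {
    report("as posted  ", PREFIX_PR, sizeof PREFIX_PR);
    report("with clears", PREFIX_CLEARED, sizeof PREFIX_CLEARED);
    return 0;
}
```

Running it shows the point of the review comment directly: with stale state in %edx the posted prefix asks for prot=0xdeadbe07, because mov $0x7,%dl only touches the low byte, and passes 0x41414141 as the address hint; with the two xors in front the call is mmap2(0, 0x2000, 7, 0x22, ...) and the pivoted %esp lands at map+0x1000 either way.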