..
sh-3.1# exit
exit
BT book #
As you can see, the original shellcode is encoded and appended to the decoder. The
two NULL placeholder bytes in the decoder are overwritten at run time with the length and
the key, respectively. As expected, each time the program is executed a new set of encoded
shellcode bytes is generated. However, most of the decoder remains the same from run to
run, which leaves a signature-based detector something stable to match on.
There are ways to add entropy to the decoder as well. Several of its pieces can be
written in more than one way. For example, instead of using the add instruction, we could
have used the sub instruction with the negated operand. Likewise, any number of FPU
instructions could stand in for FABS, since fnstenv records the address of whichever
non-control FPU instruction ran last. So, we can break the decoder into smaller
interchangeable parts and randomly piece them together to accomplish the same task,
obtaining some level of change in the decoder bytes as well on each execution.
Automating Shellcode Generation with Metasploit
Now that you have learned "long division," let's show you how to use the "calculator." The
Metasploit package comes with tools that assist in shellcode generation and encoding.
Generating Shellcode with Metasploit
The msfpayload command is supplied with Metasploit and automates the generation of
shellcode.
allen@IBM-4B5E8287D50 ~/framework
$ ./msfpayload
Usage: .