List: metasploit-framework
Subject: Re: [framework] msfencode and Windows 7
From: <brian.milliron () ecrsecurity ! com>
Date: 2012-06-28 1:19:48
Message-ID: 20120627181948.216b20039f1819dfe86f0085c053d11a.69fc36dcc7.wbe () email05 ! secureserver ! net
<html><body><span style="font-family:Verdana; color:#000000; \
font-size:10pt;"><div>Got it. Makes perfect sense now. Thanks for the \
help.</div><div><br></div><div>Brian<br></div> <blockquote id="replyBlockquote" \
webmail="1" style="border-left: 2px solid blue; margin-left: 8px; padding-left: 8px; \
font-size:10pt; color:black; font-family:verdana;"> <div id="wmQuoteWrapper">
-------- Original Message --------<br>
Subject: Re: [framework] msfencode and Windows 7<br>
From: Sherif El-Deeb <<a \
href="mailto:archeldeeb@gmail.com">archeldeeb@gmail.com</a>><br>
Date: Tue, June 26, 2012 9:56 pm<br>
To: <a href="mailto:brian.milliron@ecrsecurity.com">brian.milliron@ecrsecurity.com</a><br>
Cc: <a href="mailto:framework@spool.metasploit.com">framework@spool.metasploit.com</a><br>
<br>
I am assuming you are using "windows/meterpreter/reverse_tcp",<br>
msfencode "-e x64/xor" with a 64bit binary template, right? ... it<br>
won't work because the specified payload<br>
"windows/meterpreter/reverse_tcp" is 32bit encoded by a 64bit encoder<br>
on a 64bit template.<br>
<br>
If you are taking the x64 route, EVERYTHING has to be x64, by that I<br>
mean you should use "windows/x64/meterpreter/reverse_tcp" *NOT*<br>
"windows/meterpreter/reverse_tcp" ... ok?<br>
<br>
And please note that all 32 bit standalone payloads work on 64 bit<br>
systems without a problem, please use the x64 bit payloads only when<br>
you are *exploiting* an application that is 64bit.<br>
<br>
Kindly let me repeat that giving more info will (help us) (help you)<br>
better, so, a good example would have been giving us the commands you<br>
typed, the platform you are targeting, and how exactly "it did not<br>
work".<br>
<br>
Sherif Eldeeb.<br>
<br>
On Wed, Jun 27, 2012 at 7:39 AM, <<a \
href="mailto:brian.milliron@ecrsecurity.com">brian.milliron@ecrsecurity.com</a>> \
wrote:<br> > One thing about this still doesn't make sense though. I tested \
several<br> > different encoders and one was x64/XOR. Shouldn't that have \
worked with the<br> > 64 bit exes?<br>
><br>
> -------- Original Message --------<br>
> Subject: Re: [framework] msfencode and Windows 7<br>
> From: Sherif El-Deeb <<a \
href="mailto:archeldeeb@gmail.com">archeldeeb@gmail.com</a>><br> > Date: Sat, \
June 23, 2012 10:29 pm<br> > To: <a \
href="mailto:brian.milliron@ecrsecurity.com">brian.milliron@ecrsecurity.com</a><br> \
> Cc: <a href="mailto:framework@spool.metasploit.com">framework@spool.metasploit.com</a><br>
><br>
> It wouldn't be Microsoft if it didn't put the "64bit" binaries in a<br>
> directory named "32" and put the "32bit" binaries in a directory<br>
> called "64" :)<br>
><br>
> On Sun, Jun 24, 2012 at 1:51 AM, <<a \
href="mailto:brian.milliron@ecrsecurity.com">brian.milliron@ecrsecurity.com</a>> \
wrote:<br> >> Right. How silly of me to think there would be 64 bit \
binaries in the<br> >> SysWOW64 folder. Microsoft strikes again. \
Thanks, I think that was<br> >> indeed<br>
>> the problem.<br>
>><br>
>> -------- Original Message --------<br>
>> Subject: Re: [framework] msfencode and Windows 7<br>
>> From: Sherif El-Deeb <<a \
href="mailto:archeldeeb@gmail.com">archeldeeb@gmail.com</a>><br> >> Date: \
Sat, June 23, 2012 12:09 pm<br> >> To: <a \
href="mailto:brian.milliron@ecrsecurity.com">brian.milliron@ecrsecurity.com</a><br> \
>> Cc: <a href="mailto:framework@spool.metasploit.com">framework@spool.metasploit.com</a><br>
>><br>
>> You might be using the x64 windows executables as templates for x86<br>
>> payloads... so, instead of taking c:\windows\system32\calc.exe - take<br>
>> - c:\windows\SysWOW64\calc.exe which is the 32bit version of the<br>
>> application.<br>
>><br>
>> And to be able to help better, please give us more info. "...known<br>
>> issues..." is not very descriptive, is it? :)<br>
>><br>
>> Sherif Eldeeb.<br>
>><br>
>> On Sat, Jun 23, 2012 at 9:47 PM, <<a \
href="mailto:brian.milliron@ecrsecurity.com">brian.milliron@ecrsecurity.com</a>> \
wrote:<br> >>> Are there known issues with using Windows 7 executables as a \
template in<br> >>> msfencode? I've searched the archives and didn't \
find anything.<br> >>><br>
>>> Brian<br>
>>><br>
>>> _______________________________________________<br>
>>> <a href="https://mail.metasploit.com/mailman/listinfo/framework">https://mail.metasploit.com/mailman/listinfo/framework</a><br>
>>><br>
</div>
</blockquote></span></body></html>
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
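Added example, not part of the original thread or of Metasploit: a short Python check that reads the PE header to tell whether an executable is 32-bit or 64-bit, which settles the System32/SysWOW64 confusion discussed above without relying on the folder name. The function names and the constructed header bytes are assumptions made for illustration.

```python
import struct

# COFF Machine values and optional-header magics from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64"}
MAGICS = {0x010B: "PE32", 0x020B: "PE32+"}


def pe_arch(data: bytes) -> tuple:
    """Return (machine, optional-header format) from the leading bytes of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)          # offset of "PE\0\0"
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found in the bytes supplied")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)   # COFF Machine field
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)    # optional-header Magic
    return (MACHINES.get(machine, hex(machine)), MAGICS.get(magic, hex(magic)))


def fake_pe(machine: int, magic: int) -> bytes:
    """Constructed sample: only the header bytes pe_arch() reads, not a runnable EXE."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)        # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x0102)
    return dos.ljust(0x80, b"\0") + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    import sys
    # Usage: pass one or more file paths, e.g. the two copies of calc.exe
    # mentioned in the thread, and compare the reported architecture.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            try:
                print(path, *pe_arch(fh.read(4096)))
            except ValueError as err:
                print(path, "error:", err)
```
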