Sub Encoder (optimised)
Disclosed | Created
---|---
N/A | May 30, 2018
Description
Encodes a payload as a series of SUB EAX instructions whose results are
pushed onto the stack, so the decoded payload is rebuilt in memory through
ESP. This is the well-known SUB encoding technique used to hand-encode
payloads for targets with very restricted allowed character sets (for
example printable or alphanumeric bytes only). Unlike the textbook variant,
EAX is only reset to zero (two AND instructions, 10 bytes) when the value
already in EAX cannot be turned into the next chunk with allowed SUB
operands; skipping the reset saves those 10 bytes for every 4-byte chunk
where it is not needed. ADD support has not been included, as the SUB
instruction (opcode 0x2D, '-') is more likely to avoid bad characters anyway.
The decoder needs a base register that gives the start location of the
encoded payload in memory. If not specified, it defaults to ESP. If the
given register does not point exactly at the start of the payload, an
offset value is also required.
Note: because many payloads use the FSTENV technique to find their current
location in memory, the start of the payload can be protected by setting
the 'OverwriteProtect' option to true. This adds 3 bytes to the start of
the decoder that bump ESP by 32 bytes so the stack writes stay clear of the
top of the payload.
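The following is an added worked model of the technique the description refers to; it is not the module's own code. It builds a decoder stub from only AND EAX,imm32 (0x25), SUB EAX,imm32 (0x2D) and PUSH EAX (0x50), with every stub byte drawn from an allowed set, solves each 4-byte chunk the way the manual SUB-encoding calculation does (byte by byte with carry), and shows the EAX-reuse optimisation: the AND pair that clears EAX is only emitted when the value left in EAX by the previous chunk cannot reach the next one. The printable-ASCII restriction, the sample bytes, the NOP padding and the tiny interpreter used to check the result are all constructed for this example; the real module's ESP set-up prologue (base register plus offset) and the OverwriteProtect bump are deliberately left out.

```python
"""Worked model of optimised SUB encoding (added example, not the module's code)."""
from functools import lru_cache

MASK32 = 0xFFFFFFFF
OP_AND, OP_SUB, OP_PUSH = 0x25, 0x2D, 0x50   # AND EAX,imm32 ; SUB EAX,imm32 ; PUSH EAX


def _byte_triples(want, carry_in, order, aset):
    """Yield allowed bytes b1, b2, b3 with (b1 + b2 + b3 + carry_in) % 256 == want,
    plus the carry into the next (more significant) byte."""
    for b1 in order:
        for b2 in order:
            b3 = (want - b1 - b2 - carry_in) % 256
            if b3 in aset:
                yield b1, b2, b3, (b1 + b2 + b3 + carry_in) >> 8


def find_sub_operands(start, target, allowed):
    """Return [v1, v2, v3] made only of allowed bytes with
    start - v1 - v2 - v3 == target (mod 2^32), or None if impossible.
    Solves the difference one byte at a time from the least significant byte."""
    diff = ((start - target) & MASK32).to_bytes(4, 'little')
    order = tuple(sorted(set(allowed)))
    aset = frozenset(order)

    @lru_cache(maxsize=None)
    def solve(i, carry):
        if i == 4:
            return ()                       # carry out of the top byte is lost (mod 2^32)
        for b1, b2, b3, carry_out in _byte_triples(diff[i], carry, order, aset):
            rest = solve(i + 1, carry_out)
            if rest is not None:
                return ((b1, b2, b3),) + rest
        return None

    per_byte = solve(0, 0)
    if per_byte is None:
        return None
    return [int.from_bytes(bytes(t[k] for t in per_byte), 'little') for k in range(3)]


def zero_eax(order):
    """AND EAX,a ; AND EAX,b with a & b == 0 clears EAX whatever it held (10 bytes)."""
    for x in order:
        for y in order:
            if x & y == 0:
                return bytes([OP_AND]) + bytes([x] * 4) + bytes([OP_AND]) + bytes([y] * 4)
    raise ValueError('no AND pair within the allowed set zeroes EAX')


def encode(payload, allowed, reuse_eax=True, pad=0x90):
    """Build the decoder stub. Chunks are emitted last-first so the PUSHes rebuild
    the payload in memory order. With reuse_eax, the value PUSH leaves in EAX is the
    starting point for the next chunk, so the AND pair is only emitted when no
    allowed SUB operands reach the chunk from there (and for the first chunk, where
    EAX is unknown). Trailing NOP padding is an assumption of this example."""
    order = tuple(sorted(set(allowed)))
    for op in (OP_AND, OP_SUB, OP_PUSH):
        if op not in order:
            raise ValueError(f'opcode {op:#x} is not in the allowed set')
    payload = bytes(payload) + bytes([pad]) * (-len(payload) % 4)
    chunks = [payload[i:i + 4] for i in range(0, len(payload), 4)]
    stub, eax = bytearray(), None
    for chunk in reversed(chunks):
        target = int.from_bytes(chunk, 'little')
        ops = find_sub_operands(eax, target, order) if reuse_eax and eax is not None else None
        if ops is None:                     # fall back to the textbook form: clear EAX first
            stub += zero_eax(order)
            ops = find_sub_operands(0, target, order)
            if ops is None:
                raise ValueError(f'chunk {chunk.hex()} cannot be encoded with this character set')
        for v in ops:
            stub += bytes([OP_SUB]) + v.to_bytes(4, 'little')
        stub += bytes([OP_PUSH])
        eax = target                        # PUSH leaves the chunk value in EAX
    return bytes(stub)


def run_decoder(stub, eax=0xDEADBEEF):
    """Tiny interpreter for the three opcodes the stub uses. Returns the pushed dwords
    in memory order (last PUSH at the lowest address), i.e. the decoded payload."""
    pushed, i = [], 0
    while i < len(stub):
        op, imm = stub[i], int.from_bytes(stub[i + 1:i + 5], 'little')
        if op == OP_AND:
            eax &= imm
            i += 5
        elif op == OP_SUB:
            eax = (eax - imm) & MASK32
            i += 5
        elif op == OP_PUSH:
            pushed.append(eax)
            i += 1
        else:
            raise ValueError(f'unexpected opcode {op:#x} at offset {i}')
    return b''.join(v.to_bytes(4, 'little') for v in reversed(pushed))


PRINTABLE = bytes(range(0x21, 0x7F))   # constructed restriction: printable ASCII, no space
SAMPLE = bytes.fromhex('31c050682f2f7368682f62696e89e3')   # constructed 15-byte sample, has high bytes

if __name__ == '__main__':
    optimised = encode(SAMPLE, PRINTABLE)
    textbook = encode(SAMPLE, PRINTABLE, reuse_eax=False)
    print(f'textbook {len(textbook)} bytes, optimised {len(optimised)} bytes')
    print(optimised.decode('ascii'))
```

With the printable-ASCII set every difference is reachable with three SUB operands, so only the first chunk needs the AND pair: a 16-byte payload costs 26 + 3 * 16 = 74 stub bytes instead of 4 * 26 = 104. A narrower set (digits only, say) makes `find_sub_operands` return None for some chunks, which is exactly the case where the encoder has to fall back to clearing EAX, or give up.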
Author
OJ Reeves oj@buffered.io
Platform
All
Architectures
x86
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
