epi052 / osed-scripts Goto Github PK

An instruction when pushing potentially non DWORD-aligned strings to the stack can potentially cause the SP to become a value non-divisible by 4. Aside from the serious performance hit from a misaligned stack, NT Kernel calls rightfully fail to execute in non-apparent ways.

ie running "MoveFileA" after misaligning the stack fails with GetErrorCode ERROR_NOACCESS = 998 (0x3E6)

Which deceptively is unrelated to file permissions/access

Anyone else getting a crash in the shellcode generated by shellcoder.py (crash occurs in WSAStartup)...I am taking a closer look.

ws2_32!WSAStartup+0x86:
75e99d46 668903 mov word ptr [ebx],ax ds:002b:ffb4f2d4=????

My guess is that the undocumented WSAData (https://docs.microsoft.com/en-us/windows/win32/api/winsock/ns-winsock-wsadata) structure have changed. I'll try to compare the msf stagers with this shellcode to figure out whats broken.

The script assumes that its running on Linux, e.g. it downloads https://github.com/0vercl0k/rp/releases/download/v2-beta/rp-lin-x64

Unfortunately, the updated https://github.com/0vercl0k/rp/tree/next branch does not have official macOS binaries. The old master branch is pretty outdated and lacks features.

One solution could be to check the OS platform before download, and if it is macOS, use the macOS build.
I can provide the binary if needed, and can be hosted in this repo.