Joshua-Tan

Looking for WaitForSingleObject call within modern msfvenom generated payload.

---

Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching issues like stack alignment, WaitForSingleObject locating & patching. It has been written when I realised there are many topics on the Offensive-Security OSCE/CTP forums touching problem of finding this particular Windows API. Since RE is one of my stronger FU's I decided to write down my explanation of the subject.

Contents:

Joshua-Tan

set nocompatible
set number
set backspace=2
set autoindent
set smartindent

Joshua-Tan

#include<stdio.h>
#include<stdint.h>
#include<string.h>
#include<unistd.h>
#include<assert.h>
#include<stdlib.h>

#define CHUNK 1024

int j;

Joshua-Tan

Taken from https://web.archive.org/web/20130517134339/http://bulba.sdsu.edu/jeanette/thesis/PennTags.html (since the source document now appears to be offline)

Penn Treebank II Tags

Note: This information comes from "Bracketing Guidelines for Treebank II Style Penn Treebank Project" - part of the documentation that comes with the Penn Treebank.

Contents:

Bracket Labels
Clause Level

Joshua-Tan

HTML File

<html xmlns = "http://www.w3.org/1999/xhtml"><head>
<script type="text/javascript">
	function bin_to_deci(){
		var deciNum=0;
		var binaryForm = document.getElementById("binaryForm");
		for(i=0; i < binaryForm.elements["binNum"].length; i++)
			if(binaryForm.elements["binNum"][i].checked)

Joshua-Tan

Keybase proof

I hereby claim:

• I am joshua-tan on github.
• I am joshtan (https://keybase.io/joshtan) on keybase.
• I have a public key ASDgqVCp9Xf4_TQ_NZGyn2_MKqJw3KZIdgfHwBzb-zcd2go

To claim this, I am signing this object:

Joshua-Tan

group: T6Q6
R = {
	a:number, b:number
	7, 14
	19, 38
	3, 6
	28, 56
}