msfpaylod question

[kerpap]

so I have been reading some tutorials on anti-virus evasion and came across several references to msfpayload's ability to download part or most of the content of the exploit payload from a remote location as this is effective on some anti virus platforms to avoid detection.

the thing is, (unless im missing something) there has never been any reference to how to create your payload to do that.

so with that, can anyone point me in the right direction as to where I can read up on how to do that?

mother google is not being very kind to me on this. perhaps I am not entering the correct search criteria.

thanks!

[no42]

Sounds like your asking about stagers - notice the "staged" keyword in brackets at the end.

windows/shell/bind_ipv6_tcp Listen for a connection over IPv6, Spawn a piped command shell (staged)
windows/shell/bind_nonx_tcp Listen for a connection (No NX), Spawn a piped command shell (staged)
windows/shell/bind_tcp Listen for a connection, Spawn a piped command shell (staged)
windows/shell/find_tag Use an established connection, Spawn a piped command shell (staged)
windows/shell/reverse_http Tunnel communication over HTTP, Spawn a piped command shell (staged)
windows/shell/reverse_ipv6_http Tunnel communication over HTTP and IPv6, Spawn a piped command shell (staged)
windows/shell/reverse_ipv6_tcp Connect back to the attacker over IPv6, Spawn a piped command shell (staged)
windows/shell/reverse_nonx_tcp Connect back to the attacker (No NX), Spawn a piped command shell (staged)
windows/shell/reverse_ord_tcp Connect back to the attacker, Spawn a piped command shell (staged)
windows/shell/reverse_tcp Connect back to the attacker, Spawn a piped command shell (staged)

Basically, the shellcode in the exploit is a simple reverse connect, download & execute; which generally AV's will allow as it appears non-malicious. The shellcode it downloads from your metsploit instance is the malicious part that contains the body of the main exploit. Once this has finished downloading into memory, the shellcode will execute this new code triggering the exploit. As this doesnt touch the disk, some fairly rubbish AV configurations wont flag/discover the exploit code. If however, you use a high end product like McAfee with "Memory On-Access Scanning" capabilities - this exploit will still be detected!

Check out corelancoders website on generating shellcode if you wish to learn more, as a start:

https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

Edited August 29, 2013 by midnitesnake

[kerpap]

Thanks!

much appreciated!

[kerpap]

ok so I think I get it.

what I did was generate the shell code and output to c

if I understand it correctly, the LHOST ip address is where it will look to download the rest of the code.

if not, im not sure how to call out for it.

if, it is calling back to the listening machine (LHOST) where do I put the code to download to complete the exploit? there is no option in the generator to specify

it generates stage 1 and 2 thats it.

am I on target? or way off?

im really not sure how to get this to work in the lab.

[TeCHemically]

I am very interested in this as well. I was looking at scriptjunkie's article "Why Encoding Does not Matter and How Metasploit Generates EXEs" and was wondering how I could implement the c output of my custom shellcode into a custom or pre-existing exe. Any resources and/or advice is greatly appreciated!

[hexophrenic]

Stagers have less to do with AV evasion and more to do with the limitations of the buffer for the exploit. If your exploit only allows a small amount of shellcode, then a stager is useful because the code in the exploit is minimized.