Jump to content

msfpaylod question


kerpap

Recommended Posts

so I have been reading some tutorials on anti-virus evasion and came across several references to msfpayload's ability to download part or most of the content of the exploit payload from a remote location as this is effective on some anti virus platforms to avoid detection.

the thing is, (unless im missing something) there has never been any reference to how to create your payload to do that.

so with that, can anyone point me in the right direction as to where I can read up on how to do that?

mother google is not being very kind to me on this. perhaps I am not entering the correct search criteria.

thanks!

Link to comment
Share on other sites

Sounds like your asking about stagers - notice the "staged" keyword in brackets at the end.

windows/shell/bind_ipv6_tcp Listen for a connection over IPv6, Spawn a piped command shell (staged)
windows/shell/bind_nonx_tcp Listen for a connection (No NX), Spawn a piped command shell (staged)
windows/shell/bind_tcp Listen for a connection, Spawn a piped command shell (staged)
windows/shell/find_tag Use an established connection, Spawn a piped command shell (staged)
windows/shell/reverse_http Tunnel communication over HTTP, Spawn a piped command shell (staged)
windows/shell/reverse_ipv6_http Tunnel communication over HTTP and IPv6, Spawn a piped command shell (staged)
windows/shell/reverse_ipv6_tcp Connect back to the attacker over IPv6, Spawn a piped command shell (staged)
windows/shell/reverse_nonx_tcp Connect back to the attacker (No NX), Spawn a piped command shell (staged)
windows/shell/reverse_ord_tcp Connect back to the attacker, Spawn a piped command shell (staged)
windows/shell/reverse_tcp Connect back to the attacker, Spawn a piped command shell (staged)

Basically, the shellcode in the exploit is a simple reverse connect, download & execute; which generally AV's will allow as it appears non-malicious. The shellcode it downloads from your metsploit instance is the malicious part that contains the body of the main exploit. Once this has finished downloading into memory, the shellcode will execute this new code triggering the exploit. As this doesnt touch the disk, some fairly rubbish AV configurations wont flag/discover the exploit code. If however, you use a high end product like McAfee with "Memory On-Access Scanning" capabilities - this exploit will still be detected!

Check out corelancoders website on generating shellcode if you wish to learn more, as a start:

https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

Edited by midnitesnake
Link to comment
Share on other sites

ok so I think I get it.

what I did was generate the shell code and output to c

if I understand it correctly, the LHOST ip address is where it will look to download the rest of the code.

if not, im not sure how to call out for it.

if, it is calling back to the listening machine (LHOST) where do I put the code to download to complete the exploit? there is no option in the generator to specify

it generates stage 1 and 2 thats it.

am I on target? or way off?

im really not sure how to get this to work in the lab.

Link to comment
Share on other sites

  • 1 month later...

I am very interested in this as well. I was looking at scriptjunkie's article "Why Encoding Does not Matter and How Metasploit Generates EXEs" and was wondering how I could implement the c output of my custom shellcode into a custom or pre-existing exe. Any resources and/or advice is greatly appreciated!

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...