Metasploit mailing list archives
Re: msfencode -k
From: scriptjunkie <scriptjunkie1 () googlemail com>
Date: Tue, 27 Apr 2010 00:38:12 -0400
It's very difficult. The existing method creates a new section provided there is enough room for a new section header (there almost always is), and all the data in the file is defined by sections. It will then append the new section to the end of the file.

Unfortunately, UPX, and, I assume, many other packers, does not create a nicely formatted EXE. The compressed data from the original EXE is appended onto the file, not as part of any defined section, but as end junk. So it is more difficult to add a section to the end without interfering with the existing data there. (I haven't spent too much time trying; maybe somebody from the UPX team can enlighten us.)

It is also not practical to add data at the beginning of an EXE since that would require moving sections and relocating all kinds of data, and I am too lazy to write a disassembler/reassembler.

On the other hand, most of the time there are about 300-400 unused bytes at the end of the .text section, so it is possible to drop code there. This doesn't give enough room for the standard rwx_alloc_exec payload stager and payload, but a simple exec payload will work, especially if the target exe already has an import for CreateThread. Or custom shellcode can be entered. I have implemented this in a C++ program that the -k option was based on. See http://scriptjunkie1.wordpress.com/2010/03/26/exe-injection-plus/

Another idea is to write a new program that would store the original program as a resource or other data, write it out and execute it without changing it, then launch a payload. Or just have a meterpreter script autorun to upload and execute the original program.

On 04/16/10 16:49, NetEvil wrote:
Worked! But I'm wondering if this method could be applied also on an already packed exe..

David
Sent from my mobile device

On 15 Apr 2010, at 15:53, Rob Fuller <mubix () room362 com> wrote:

It works wonderfully with the original exe running with the payload working in another thread, and I think if you pack it after the fact that it will still work, but trying to use a packed binary as a template for msfpayload or msfencode I believe will always fail (in its current incarnation).

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com
Ignore this: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

On Thu, Apr 15, 2010 at 9:32 AM, NetEvil <netevil () hackers it> wrote:

Hi Rob
With a packed exe the encoding stops saying "is it a packed binary?" ..and I have no output generated... Then I've tried with surely not packed bins...all went ok ..but I still cannot see this feature working....with the original exe running + payload in another thread....

Sent from my mobile device

On 15 Apr 2010, at 15:22, Rob Fuller <mubix () room362 com> wrote:

I could be wrong, but I doubt that msfencode and msfpayload deal with packed binaries; try unpacking and repacking them after MSF-symbiosis is achieved.

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com
Ignore this: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

On Thu, Apr 15, 2010 at 3:45 AM, NetEvil <netevil () hackers it> wrote:

Hi guys,
I've tried to msfencode shikata ga nai with the -k option using various templates...but in most cases.. it stops encoding because it finds an incorrect EOF on packed files...or when it goes well on an unpacked exe the resulting bin is not working as the original...I got just the payload running...on my XP SP3 box..
Am I missing something?
Thanks.
David
Sent from my mobile device

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
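scriptjunkie's reply turns on three properties of the template PE that a practitioner can check before handing it to msfencode -k: whether the section table has room for one more 40-byte header, whether the file carries trailing data that no section header describes (the "end junk" a packer leaves), and how much alignment slack sits at the end of .text. The script below is an added example written for this archive page; it is not code from the thread, from msfencode or from scriptjunkie's program, and it does not claim to reproduce how UPX or msfencode actually lay out or test data. The function names (parse_pe, analyse_template, payload_fits_in_text_slack, build_sample_pe) and the in-memory PE32 fixtures are chosen here; the fixtures are well-formed header layouts only, not runnable Windows programs, and the 64 trailing bytes are a constructed stand-in for packer overlay.

```python
import struct

SECTION_HEADER_SIZE = 40      # sizeof(IMAGE_SECTION_HEADER)
FILE_HEADER_SIZE = 20         # sizeof(IMAGE_FILE_HEADER), follows "PE\0\0"
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData,
                              # PointerToRawData, PointerToRelocations,
                              # PointerToLinenumbers, NumberOfRelocations,
                              # NumberOfLinenumbers, Characteristics


def parse_pe(data):
    """Parse just the header fields the checks below need; raise on non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 4 + FILE_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # FileAlignment (+36) and SizeOfHeaders (+60) sit at the same offsets in PE32 and PE32+.
    (file_alignment,) = struct.unpack_from("<I", data, opt + 36)
    (size_of_headers,) = struct.unpack_from("<I", data, opt + 60)
    table_off = opt + opt_size
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, data, table_off + i * SECTION_HEADER_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"),
                         "virtual_size": f[1], "raw_size": f[3], "raw_ptr": f[4]})
    return {"table_off": table_off, "file_alignment": file_alignment,
            "size_of_headers": size_of_headers, "sections": sections}


def analyse_template(data):
    """Answer the three questions the -k discussion turns on, for one PE image."""
    pe = parse_pe(data)
    secs = pe["sections"]
    # 1. Room for one more section header: the table can only grow up to
    #    SizeOfHeaders and must not run into the first section's raw data.
    table_end = pe["table_off"] + len(secs) * SECTION_HEADER_SIZE
    first_raw = min((s["raw_ptr"] for s in secs if s["raw_size"]), default=pe["size_of_headers"])
    header_room = min(first_raw, pe["size_of_headers"]) - table_end
    # 2. Overlay: bytes past the last section's raw data that no header describes.
    #    Packers, installers and Authenticode signatures all put data there, and an
    #    appended section then has to coexist with data the file may depend on.
    last_end = max((s["raw_ptr"] + s["raw_size"] for s in secs), default=pe["size_of_headers"])
    overlay = len(data) - last_end
    # 3. Slack at the end of .text: FileAlignment padding between VirtualSize and
    #    SizeOfRawData that is present in the file but referenced by nothing.
    text = next((s for s in secs if s["name"] == ".text"), None)
    text_slack = max(0, text["raw_size"] - text["virtual_size"]) if text else 0
    return {"header_room": header_room,
            "can_add_section_header": header_room >= SECTION_HEADER_SIZE,
            "overlay": overlay,
            "append_is_clean": overlay == 0,
            "text_slack": text_slack}


def payload_fits_in_text_slack(data, payload_len):
    """True if a payload of payload_len bytes fits in the .text alignment slack."""
    return analyse_template(data)["text_slack"] >= payload_len


def build_sample_pe(sections, file_alignment=0x200, overlay=b""):
    """Constructed PE32 fixture (headers + raw section data) for the checks above.
    Not a runnable Windows program. `sections` is [(name_bytes, virtual_size, raw_bytes)]."""
    e_lfanew, opt_size, size_of_headers = 0x80, 0xE0, 0x400
    raw_ptr, va, headers, body = size_of_headers, 0x1000, [], b""
    for name, vsize, raw in sections:
        raw_size = -(-len(raw) // file_alignment) * file_alignment  # round up to FileAlignment
        headers.append(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va,
                                   raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020))
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-max(vsize, raw_size) // 0x1000) * 0x1000
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", opt, 36, file_alignment)  # FileAlignment
    struct.pack_into("<I", opt, 56, va)              # SizeOfImage
    struct.pack_into("<I", opt, 60, size_of_headers) # SizeOfHeaders
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"".join(headers)
    return hdr.ljust(size_of_headers, b"\0") + body + overlay


# Constructed fixtures: a clean image whose .text has 0x180 (384) bytes of alignment
# slack, and the same image with 64 trailing bytes standing in for packer overlay.
_TEXT = b"\x90" * 0x0E80   # 3712 bytes of stand-in code
_DATA = b"\x00" * 0x200
_LAYOUT = [(b".text", len(_TEXT), _TEXT), (b".data", len(_DATA), _DATA)]
CLEAN = build_sample_pe(_LAYOUT)
PACKED_LIKE = build_sample_pe(_LAYOUT, overlay=b"\xAA" * 64)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("packed-like", PACKED_LIKE)):
        print(label, analyse_template(img))
```

On a real template, `analyse_template(open(path, "rb").read())` reports the same three numbers. A non-zero overlay is the condition scriptjunkie describes for UPX output, and it also occurs on Authenticode-signed and self-extracting executables, so it does not by itself prove packing. The .text slack figure is only the alignment padding; whether 300-400 bytes is enough depends on the payload chosen, which is exactly the exec-versus-staged trade-off in the reply above.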
Current thread:
- msfencode -k NetEvil (Apr 15)
- Re: msfencode -k Rob Fuller (Apr 15)
- <Possible follow-ups>
- Re: msfencode -k NetEvil (Apr 15)
- Re: msfencode -k NetEvil (Apr 15)
- Re: msfencode -k Rob Fuller (Apr 15)
- Re: msfencode -k NetEvil (Apr 16)
- Re: msfencode -k scriptjunkie (Apr 26)
- Re: msfencode -k Rob Fuller (Apr 15)
- Message not available
- Message not available
- Message not available
- Message not available
- Re: msfencode -k NetEvil (Apr 15)