Re: msfencode -k

[scriptjunkie <scriptjunkie1 () googlemail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's very difficult. The existing method creates a new section provided
there is enough room for a new section header (almost always is), and a
all the data in the file is defined by sections. It will then append the
new section to the end of the file. Unfortunately, UPX, and, I assume,
many other packers, does not create a nicely formatted EXE. The
compressed data from the original EXE is appended onto the file, not as
part of any defined section, but as end junk. So it is more difficult to
add a section to the end without interfering with the existing data
there. (I haven't spent too much time trying, maybe somebody from the
UPX team can enlighten us) It is also not practical to add data at the
beginning of an EXE since that would require moving sections, and
relocating all kinds of data, and I am too lazy to write a
disassembler/reassembler.

On the other hand, most of the time there is about 300-400 unused bytes
at the end of the .text section, so it is possible to drop code there.
This doesn't give enough room for the standard rwx_alloc_exec payload
stager and payload, but a simple exec payload will work, especially if
the target exe already has an import for CreateThread. Or custom
shellcode can be entered. I have implemented this in a C++ program that
the -k option was based on. See at
http://scriptjunkie1.wordpress.com/2010/03/26/exe-injection-plus/

Another idea is write a new program that would store the original
program as a resource or other data, and write it out and execute it
without changing it, then launch a payload.

Or just have a meterpreter script autorun to upload and execute the
original program.

On 04/16/10 16:49, NetEvil wrote:
> Worked!
> But I'm wondering if with this method could be applied also on already
> packet exe..
>
> David
>
> Sent from my mobile device
> --------------------------------------
>
> Il giorno 15/apr/2010, alle ore 15.53, Rob Fuller <mubix () room362 cha
> scritto:
>
> > It works wonderfully with the original exe running with the payload
> > working in another thread, and I think if you pack it after the fact
> > that it will still work, but trying to use a packed binary as a
> > template for msfpayload or msfencode I believe will always fail, (in
> > its current incarnation)
> >
> >
> > -- 
> > Rob Fuller | Mubix
> > Room362.com | Hak5.org | TheAcademyPro.com
> > Ignore this:
> > X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> >
> >
> >
> >
> > On Thu, Apr 15, 2010 at 9:32 AM, NetEvil <netevil () hackers it> wrote:
> > > Hi Rob
> > > With a packed exe the encoding stops saying "is it a packet binary?"
> > > ..and i
> > > have no output generated...
> > > Then I've tried with surely not packed bins...all went ok ..but i still
> > > cannot see this feature working....with the original exe running +
> > > payload
> > > in another thread....
> > >
> > >
> > >
> > > Sent from my mobile device
> > > --------------------------------------
> > >
> > > Il giorno 15/apr/2010, alle ore 15.22, Rob Fuller <mubix () room362 com> ha
> > > scritto:
> > >
> > > > I could be wrong, but I doubt that msfencode and msfpayload deal with
> > > > packed binaries, try unpacking and repacking them after MSF-symbiosis
> > > > is achieve.
> > > >
> > > >
> > > > -- 
> > > > Rob Fuller | Mubix
> > > > Room362.com | Hak5.org | TheAcademyPro.com
> > > > Ignore this:
> > > > X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
> > > >
> > > >
> > > >
> > > >
> > > > On Thu, Apr 15, 2010 at 3:45 AM, NetEvil <netevil () hackers it> wrote:
> > > > > Hi guys,
> > > > > I've tried to msfencode shikata ga nai with the -k option using
> > > > > various
> > > > > templates...but in most of cases.. stops encoding cause finds an
> > > > > incorrect
> > > > > eof on packed files...or when goes well on unpacked exe the
> > > > > resulting bin
> > > > > in
> > > > > not working as the original...got running just the payload  ...on
> > > > > my xp
> > > > > sp3
> > > > > box..
> > > > > Am i missing something?
> > > > >
> > > > > Thanks.
> > > > > David
> > > > >
> > > > > Sent from my mobile device
> > > > > --------------------------------------
> > > > > _______________________________________________
> > > > > https://mail.metasploit.com/mailman/listinfo/framework
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJL1movAAoJELImaGL4z6lTXvEQALKSWXTiPSgFY0hgbEZ/Tzbw
RSbN9ulYuKaR2QEfc5OG8MBTGc825mjhJi5Y6Q5Tg+TY49TOv6UfWprNLrmKFgOD
7YL/7DKB5unBUHaFjFSqc51YPiQaGKI0joGABmWmkoNmHUiFMRiCRVZFdqCcX6Kh
VQvKTSgefFTU04UG63fi0a0VRTMm/2StJKCe/MRV4pL6Hq8eeRCTkStuibupommX
GTE/fLFO4t/S3QAx2sUNAD/Aa4l9LGjDp9mWNn6khvvHxJS38Yzx40RVidZumiAj
UxI4WDd1QFzJOWydm6sAj+aEra+hKTPrtSf4llDyps6/2d7IUuOhNgFnVhPNwldO
jcmOiQTmHuWJ6U7ewobmrubkf+muBpRNY9inamFXA7yqeczg65TQK0fXqBZ5GBFZ
oNWqn9zxaoBLgM1Aot5XNvnkk7YZio3dpKtODsZJ1cbHnUZ2G0/N2F2+BTP3UXPC
YCzkn3tQWp9zkEIF7ZZOhdhx62RlxcqsrQgfip7x601bWtGhcacbfaz4+JG05FeC
6aQnyaboeaQR72D6C4yEsXjEov3tHpR4Yj69hlJkljd48nKgoSqjIntQkdlGQDyw
b7th1V2Bl8ZWqNfWCqu+bYTkVQ7NOQi/kIte/PhdJrJnnarUpA5peLgPbQVNOidz
cfNMdYHoPJo2lwQHWn4F
=eo5b
-----END PGP SIGNATURE-----
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework