making your own payload

[andre.ludwig at gmail.com (Andre Ludwig)]

use meterpreter and then push pwdump to the client and then execute it...

The gods that be (skape, HD, spoon, etc)  can correct me, as i am a
bit rusty but i do rem something about meterpreter being able to
utilize encryption (simple encry but none the less it wouldnt be clear
text).

If that is the case you would get at least +1 l33t points for doing
that way,  for a bonus of +10 l33t points you could create a meterpter
module that could be loaded that did the pwdump for you (no need to
push a file to the filesystem that way).  (didnt someone mention that
they already had such a module?)

again feel free to correct me if i am wrong, been a while since i have
toyed around with things (sad huh)...

Dre


On 12/6/05, pagvac <unknown.pentester at gmail.com> wrote:
> I'll probably use the upexec payload since it seems very ideal in this case.
>
> Let me explain my exact scenario:
>
> When pentesting, some of the things we all do are very much the same
> all the time.
>
> For instance, I do the following steps all the time after getting a
> shell with admin privileges on a Windows machine (workstation, server
> or domain controller):
>
> -enable a tftp server on my laptop (I use Solarwinds TFTP server)
> -connect to my tftp server from the compromised target and download
> the pwdump executable and dll file (which is required to run the
> executable)
>
> So what I did is the following. I wrote a simple and crappy program in
> C that drops pwdump2.exe and samdump.dll once it's executed. After
> that it dumps the passwords hashes (by calling the dropped
> pwdump2.exe) and prints them on the screen.
>
> From this point on I can just grab the hashes from the remote shell
> with a simple-and-lame copy and paste.
>
> Anyways, I attached the .c and .exe file in case anyone is interested.
> The reason why I wrote this is because I wanted make the
> root-shell/dump-hashes process a single shot attack.
>
> But now that you guys pointed me out the upexec payload, it seems to
> me very stupid to waste my time setting up a tftp server on my laptop,
> when I can just tell metasploit to transfer and execute my
> "pwdump2.payload.exe" file when exploiting the target.
>
> Thank you very much for your help to both of you.
>
> On 12/6/05, mmiller at hick.org <mmiller at hick.org> wrote:
> > On Tue, Dec 06, 2005 at 04:24:04PM +0000, pagvac wrote:
> > > I have an executable file which I would like to convert into a
> > > payload. That way I could use it with all the exploits that metasploit
> > > supports.
> > >
> > > This executable automates many tasks that I usually do on the target
> > > machines after comprising them when doing penetration testing.
> > >
> > > The problem is that I have no idea on how to remove all the nulls
> > > (0x00) so that the exploit doesn't break.
> > >
> > > I'd like to have some references on documentation/tools that can help
> > > me create this payload and successfully run it with metasploit on
> > > existing exploit modules.
> > >
> > > Question: are all payloads compatible with metasploit? In other words,
> > > can I get a shellcode from an external resource and use it
> > > successfully with metasploit?
> >
> > Converting an executable into shellcode is typically infeasible due to
> > the nature in which most executables are compiled.  One of the
> > constraints also becomes the size of the shellcode produced and the
> > manner in which it is to be transferred to the target.  Is there a
> > reason that you can't use the upexec payloads (upload and execute)?
> >
> > win32_xxx_upexec