Metasploit mailing list archives
making your own payload
From: andre.ludwig at gmail.com (Andre Ludwig)
Date: Tue, 6 Dec 2005 12:26:33 -0500
Use meterpreter and then push pwdump to the client and then execute it... The gods that be (skape, HD, spoon, etc.) can correct me, as I am a bit rusty, but I do remember something about meterpreter being able to utilize encryption (simple encryption, but nonetheless it wouldn't be clear text). If that is the case you would get at least +1 l33t points for doing it that way; for a bonus of +10 l33t points you could create a meterpreter module that could be loaded that did the pwdump for you (no need to push a file to the filesystem that way). (Didn't someone mention that they already had such a module?) Again, feel free to correct me if I am wrong; it's been a while since I have toyed around with things (sad, huh)...

Dre

On 12/6/05, pagvac <unknown.pentester at gmail.com> wrote:

I'll probably use the upexec payload since it seems very ideal in this case. Let me explain my exact scenario:

When pentesting, some of the things we all do are very much the same all the time. For instance, I do the following steps all the time after getting a shell with admin privileges on a Windows machine (workstation, server or domain controller):

- enable a tftp server on my laptop (I use Solarwinds TFTP server)
- connect to my tftp server from the compromised target and download the pwdump executable and dll file (which is required to run the executable)

So what I did is the following. I wrote a simple and crappy program in C that drops pwdump2.exe and samdump.dll once it's executed. After that it dumps the password hashes (by calling the dropped pwdump2.exe) and prints them on the screen. From this point on I can just grab the hashes from the remote shell with a simple-and-lame copy and paste. Anyways, I attached the .c and .exe file in case anyone is interested.

The reason why I wrote this is because I wanted to make the root-shell/dump-hashes process a single shot attack. But now that you guys pointed out the upexec payload to me, it seems to me very stupid to waste my time setting up a tftp server on my laptop, when I can just tell metasploit to transfer and execute my "pwdump2.payload.exe" file when exploiting the target.

Thank you both very much for your help.

On 12/6/05, mmiller at hick.org <mmiller at hick.org> wrote:

On Tue, Dec 06, 2005 at 04:24:04PM +0000, pagvac wrote:

I have an executable file which I would like to convert into a payload. That way I could use it with all the exploits that metasploit supports. This executable automates many tasks that I usually do on the target machines after compromising them when doing penetration testing. The problem is that I have no idea on how to remove all the nulls (0x00) so that the exploit doesn't break.

I'd like to have some references on documentation/tools that can help me create this payload and successfully run it with metasploit on existing exploit modules. Question: are all payloads compatible with metasploit? In other words, can I get a shellcode from an external resource and use it successfully with metasploit?

Converting an executable into shellcode is typically infeasible due to the nature in which most executables are compiled. One of the constraints also becomes the size of the shellcode produced and the manner in which it is to be transferred to the target. Is there a reason that you can't use the upexec payloads (upload and execute)? win32_xxx_upexec