Metasploit mailing list archives

Re: Msfpayload output size significantly bigger in v3.3 vs. v3.2
From: HD Moore <hdm () metasploit com>
Date: Sun, 13 Dec 2009 13:06:15 -0600

On 12/13/2009 6:58 AM, Raul Siles wrote:
Hi there,
I've seen that the standard (reverse or bind) Meterpreter payload size
generated by msfpayload (for Windows .exe files) is an order of
magnitude bigger in MSF v3.3.1 vs. MSF v.3.2.

MSF v3.2:    9.728 bytes
MSF v3.3.1: 87.552 bytes

Without having gone in depth into the source code, is there any option
to reduce the size of the generated payload to a smaller one (like in
the range of v3.2)?

There is now (r7840) by passing -t exe-small to msfencode, which will cause it to use the old method. The old method is flagged by most major antivirus products however and the new method is much more robust going forward.
The reason I'm asking this is due to constraints in the integration
between sqlninja and MSF to upload bigger payloads through the
Windows debug.exe technique (max 64K) using a SQLi vulnerability.

We avoid this in mssql_payload by uploading a small EXE first (h2b) and then using that to decode the bigger exe uploaded as raw hex. You can probably squeeze into a binary under 64k just by picking a smaller template, as Joshua mentioned.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
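The staging pattern HD describes (a shell spawned from the database process, a debug.exe script driven through stdin to write a small helper, then that helper decoding a larger hex blob) leaves a recognizable trail in process-creation telemetry. The following is an added example written for this archive page, not code from the thread or from Metasploit: it runs three simple rules over constructed process-creation events. The record field names (parent_image, image, command_line) and the sample events are assumptions chosen to resemble Sysmon-style data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; field names are assumed, not a real schema."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Rule 1: a command shell whose parent is the SQL Server service process
# (the usual sign of xp_cmdshell being driven through SQL injection).
def shell_from_sqlserver(ev: ProcEvent) -> bool:
    return basename(ev.parent_image) == "sqlservr.exe" and basename(ev.image) in {
        "cmd.exe", "powershell.exe",
    }


# Rule 2: debug.exe fed a script on stdin, the classic way to write a
# binary (up to the 64K limit the thread mentions) without a file transfer.
def debug_scripted(ev: ProcEvent) -> bool:
    return basename(ev.image) == "debug.exe" and "<" in ev.command_line


# Rule 3: cmd.exe appending echoed lines to a file, which is how the
# debug script itself is usually assembled one line per query.
_ECHO_APPEND = re.compile(r"\becho\b.*>>", re.IGNORECASE)


def echo_append_script(ev: ProcEvent) -> bool:
    return basename(ev.image) == "cmd.exe" and _ECHO_APPEND.search(ev.command_line) is not None


RULES = [
    ("shell-from-sqlserver", shell_from_sqlserver),
    ("debug-scripted", debug_scripted),
    ("echo-append-script", echo_append_script),
]


def detect(events):
    """Return (rule_name, event) pairs for every rule that fires on each event."""
    return [(name, ev) for ev in events for name, pred in RULES if pred(ev)]


# Constructed sample events (not captured from any real host).
SAMPLE_EVENTS = [
    ProcEvent(
        r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        r"C:\Windows\System32\cmd.exe",
        r'cmd.exe /c echo n h2b.exe >> h2b.scr',
    ),
    ProcEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\debug.exe",
        r"debug.exe < h2b.scr",
    ),
    ProcEvent(
        r"C:\Windows\System32\cmd.exe",
        r"C:\Temp\h2b.exe",
        r"h2b.exe stage.hex stage.exe",
    ),
    ProcEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\notepad.exe",
        r"notepad.exe notes.txt",
    ),
]


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {basename(ev.parent_image)} -> {ev.command_line}")
```

On the constructed events the first rule fires on the cmd.exe spawned by sqlservr.exe, the third fires on the same event because it appends an echoed line to a script file, and the second fires on the debug.exe run; the helper execution and the notepad event match nothing. In practice the first rule is the high-value one, since a shell under the database service process is rarely legitimate, while the other two confirm the staging method.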