Vulnerability Development mailing list archives
Metasploit Win32 Shellcode Updates
From: H D Moore <sflist () digitaloffense net>
Date: Thu, 8 Apr 2004 03:45:28 -0500
Hello everyone, The shellcode section at metasploit.com has been updated with the complete build environment for the Metasploit Framework Win32 payloads. These payloads are fairly small and can be compiled either all at once, or broken up into separate stages to save space. A CGI application is also available that allows you to generate and encode any of the Framework payloads from the web, this can be handy for quick exploit-dev. The URL for all this stuff is: http://metasploit.com/shellcode.html --- cut from the README --- The 'nasm' executable must be in your path to use the included build tool. The included 'build' script automatically creates a number of file types each time it is used to compile a payload. These file types are: - Native ELF executable - Win32 PE executable - Generated C source code - Raw opcodes in ".bin" format The PE executable templates were developed by Rix and used with permission. To use this script, simply run ./build <name of payload>, where the name does not include the ".asm" suffix. To build win32_stage_api.asm, the command line would be "./build win32_stage_api". The Win32 payloads are somewhat modular, each component includes other components to create the final payload. The dependency tree for the reverse connect shell is: win32_stage_api.asm win32_stage_boot_winsock_conn.asm win32_stage_boot_reverse.asm win32_stage_boot_reverse.asm win32_stage_shell.asm This allows the different components to be maintained invidually, shared among multiple payloads, and converted into multi-stage payloads almost instantly. This release includes the following last-stage payloads: win32_stage_shell.asm Executes cmd.exe with in/out redirected to socket, this is used by the reverse connect and bind stagers. win32_stage_winexec.asm This payload simply executes an arbitrary command line, it can be used to accomplish things such as ftp/download/execute sequences, adding a user accounts, or just signaling that the exploit was successful. win32_stage_inlineegg.asm Writes GetProcAddress/LoadLibaryA address to socket, then reads and execs the rest of the payload from the socket. This allows us to send InlineEgg generated payloads as a last stage. win32_stage_uploadexec.asm Reads a file size from socket, then opens up a hidden/system local file (c:\metasploit.exe) and downloads the executable from the socket into this file. Once the download is complete, it then executes this file with in/out redirected to the socket. This can be extremely useful when combined with a self-extracting/executing rootkit or language intepreter (perl.exe). EOF
Current thread:
- Metasploit Win32 Shellcode Updates H D Moore (Apr 08)