Home page logo
/

metasploit logo Metasploit mailing list archives

Re: msfencode -k
From: scriptjunkie <scriptjunkie1 () googlemail com>
Date: Tue, 27 Apr 2010 00:38:12 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It's very difficult. The existing method creates a new section provided
there is enough room for a new section header (almost always is), and a
all the data in the file is defined by sections. It will then append the
new section to the end of the file. Unfortunately, UPX, and, I assume,
many other packers, does not create a nicely formatted EXE. The
compressed data from the original EXE is appended onto the file, not as
part of any defined section, but as end junk. So it is more difficult to
add a section to the end without interfering with the existing data
there. (I haven't spent too much time trying, maybe somebody from the
UPX team can enlighten us) It is also not practical to add data at the
beginning of an EXE since that would require moving sections, and
relocating all kinds of data, and I am too lazy to write a
disassembler/reassembler.

On the other hand, most of the time there is about 300-400 unused bytes
at the end of the .text section, so it is possible to drop code there.
This doesn't give enough room for the standard rwx_alloc_exec payload
stager and payload, but a simple exec payload will work, especially if
the target exe already has an import for CreateThread. Or custom
shellcode can be entered. I have implemented this in a C++ program that
the -k option was based on. See at
http://scriptjunkie1.wordpress.com/2010/03/26/exe-injection-plus/

Another idea is write a new program that would store the original
program as a resource or other data, and write it out and execute it
without changing it, then launch a payload.

Or just have a meterpreter script autorun to upload and execute the
original program.

On 04/16/10 16:49, NetEvil wrote:
Worked!
But I'm wondering if with this method could be applied also on already
packet exe..

David

Sent from my mobile device
--------------------------------------

Il giorno 15/apr/2010, alle ore 15.53, Rob Fuller <mubix () room362 cha
scritto:

It works wonderfully with the original exe running with the payload
working in another thread, and I think if you pack it after the fact
that it will still work, but trying to use a packed binary as a
template for msfpayload or msfencode I believe will always fail, (in
its current incarnation)


-- 
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com
Ignore this:
X5O!P% () AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*




On Thu, Apr 15, 2010 at 9:32 AM, NetEvil <netevil () hackers it> wrote:
Hi Rob
With a packed exe the encoding stops saying "is it a packet binary?"
..and i
have no output generated...
Then I've tried with surely not packed bins...all went ok ..but i still
cannot see this feature working....with the original exe running +
payload
in another thread....



Sent from my mobile device
--------------------------------------

Il giorno 15/apr/2010, alle ore 15.22, Rob Fuller <mubix () room362 com> ha
scritto:

I could be wrong, but I doubt that msfencode and msfpayload deal with
packed binaries, try unpacking and repacking them after MSF-symbiosis
is achieve.


-- 
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com
Ignore this:
X5O!P% () AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*




On Thu, Apr 15, 2010 at 3:45 AM, NetEvil <netevil () hackers it> wrote:

Hi guys,
I've tried to msfencode shikata ga nai with the -k option using
various
templates...but in most of cases.. stops encoding cause finds an
incorrect
eof on packed files...or when goes well on unpacked exe the
resulting bin
in
not working as the original...got running just the payload  ...on
my xp
sp3
box..
Am i missing something?

Thanks.
David

Sent from my mobile device
--------------------------------------
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework





_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJL1movAAoJELImaGL4z6lTXvEQALKSWXTiPSgFY0hgbEZ/Tzbw
RSbN9ulYuKaR2QEfc5OG8MBTGc825mjhJi5Y6Q5Tg+TY49TOv6UfWprNLrmKFgOD
7YL/7DKB5unBUHaFjFSqc51YPiQaGKI0joGABmWmkoNmHUiFMRiCRVZFdqCcX6Kh
VQvKTSgefFTU04UG63fi0a0VRTMm/2StJKCe/MRV4pL6Hq8eeRCTkStuibupommX
GTE/fLFO4t/S3QAx2sUNAD/Aa4l9LGjDp9mWNn6khvvHxJS38Yzx40RVidZumiAj
UxI4WDd1QFzJOWydm6sAj+aEra+hKTPrtSf4llDyps6/2d7IUuOhNgFnVhPNwldO
jcmOiQTmHuWJ6U7ewobmrubkf+muBpRNY9inamFXA7yqeczg65TQK0fXqBZ5GBFZ
oNWqn9zxaoBLgM1Aot5XNvnkk7YZio3dpKtODsZJ1cbHnUZ2G0/N2F2+BTP3UXPC
YCzkn3tQWp9zkEIF7ZZOhdhx62RlxcqsrQgfip7x601bWtGhcacbfaz4+JG05FeC
6aQnyaboeaQR72D6C4yEsXjEov3tHpR4Yj69hlJkljd48nKgoSqjIntQkdlGQDyw
b7th1V2Bl8ZWqNfWCqu+bYTkVQ7NOQi/kIte/PhdJrJnnarUpA5peLgPbQVNOidz
cfNMdYHoPJo2lwQHWn4F
=eo5b
-----END PGP SIGNATURE-----
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault