Metasploit mailing list archives

Previous By Date Next
Previous By Thread Next

metaphish win32pe corrupt binary

From: reydecopas at gmail.com (reydecopas at gmail.com)
Date: Mon, 17 Aug 2009 11:24:20 -0400
svn  At revision 6954.

Metaphish works but win32exe generated is corrupted.

 modules/exploits/windows/browser/meta-phish.rb:
         @msf_payload = Msf::Util::EXE.to_win32pe(framework,payload.encoded)


*******************************************************
Basic options:
  Name             Current Setting                          Required
Description
  ----             ---------------                          --------
-----------
  COMPANY_NAME     MetaPhish LLC.                           yes
Company Name
  COMPANY_WEBSITE  http://carnal0wnage.attackresearch.com/  yes
Company Website
  OUTPUTPATH       /tmp/                                    yes
Working directory location.
  SRVHOST          0.0.0.0                                  yes       The
local host to listen on.
  SRVPORT          8080                                     yes       The
local port to listen on.
  SSL              false                                    no        Use
SSL
  URIPATH                                                   no        The
URI to use for this exploit (default is random)

Payload information:
  Space: 8192

Description:
  This module deploys a payload via a signed Java applet.

msf exploit(meta-phish) > exploit
[*] Exploit running as background job.
msf exploit(meta-phish) >
[*] File hCqQQpHf.java created.
[*] File hCqQQpHf.class created.
[*] Store Password = ksHodVRZ
[*] Key Password = OkZjzZtE
[*] Building Keystore....
[*] Keystore metaphish_keystore Built!!
[*] Creating Signed jar file....
[*] Jar hCqQQpHf.jar created.

Warning:
The signer certificate will expire within six months.
[*] Signed Jar shCqQQpHf.jar created.
[*] Added URL: http://0.0.0.0:8080/uJrrejYW.exe
[*] Added URL: http://0.0.0.0:8080/hCqQQpHf.class
[*] Added URL: http://0.0.0.0:8080/shCqQQpHf.jar
[*] Using URL: http://0.0.0.0:8080/4OmVmn2iWaL1IR
[*]  Local IP: http://192.168.1.200:8080/4OmVmn2iWaL1IR
[*] Server started.
[*] Sending Applet.
[*] Sending signed jar: shCqQQpHf.jar
[*] Sending signed jar: shCqQQpHf.jar
[*] Sending EXE: /uJrrejYW.exe
*******************************************

binary /uJrrejYW.exe is CORRUPTED

PE import section  is corrupted. binary  attached in rar with password
corrupted
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090817/f5ad4a6b/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3#uJrrejYW.rar
Type: application/octet-stream
Size: 9396 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090817/f5ad4a6b/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 4#Part.003
Type: application/octet-stream
Size: 105 bytes
Desc: not available
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090817/f5ad4a6b/attachment-0001.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: GWAVADAT.TXT
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20090817/f5ad4a6b/attachment.ksh>
Previous By Date Next
Previous By Thread Next

Current thread: