54 lines
2.2 KiB
Plaintext
Executable File
54 lines
2.2 KiB
Plaintext
Executable File
This directory contains the win32 payload development environment used
|
|
for creating the payloads in version 2.2 of the Metasploit Framework.
|
|
|
|
The 'nasm' executable must be in your path to use the included build tool.
|
|
|
|
The included 'build' script automatically creates a number of file types
|
|
each time it used to compile a payload. These file types are:
|
|
|
|
- Native ELF executable
|
|
- Win32 PE executable
|
|
- Generated C source code
|
|
- Raw opcodes in ".bin" format
|
|
|
|
The PE executable templates were developed by 'rix' and used with permission.
|
|
|
|
To use this script, simply run ./build <name of payload>, where the name
|
|
does not include the ".asm" suffix. To build win32_stage_api.asm, the
|
|
command line would be "./build win32_stage_api".
|
|
|
|
The Win32 payloads are somewhat modular, each component includes other
|
|
components to create the final payload. The dependency tree for the
|
|
reverse connect shell is:
|
|
|
|
win32_stage_api.asm
|
|
win32_stage_boot_winsock_conn.asm
|
|
win32_stage_boot_reverse.asm
|
|
win32_stage_shell.asm
|
|
|
|
|
|
This allows the different components to be maintained invidually, shared
|
|
among multiple payloads, and converted into multi-stage payloads almost
|
|
instantly. This release includes the following last-stage payloads:
|
|
|
|
win32_stage_shell.asm
|
|
Executes cmd.exe with in/out redirected to socket, this is used by
|
|
the reverse connect and bind stagers.
|
|
|
|
win32_stage_winexec.asm
|
|
This payload simply executes an arbitrary command line, it can be used to
|
|
accomplish things such as ftp/download/execute sequences, adding a user
|
|
accounts, or just signaling that the exploit was successful.
|
|
|
|
win32_stage_inlineegg.asm
|
|
Writes GetProcAddress/LoadLibaryA address to socket, then reads and execs
|
|
the rest of the payload from the socket. This allows us to send InlineEgg
|
|
generated payloads as a last stage.
|
|
|
|
win32_stage_uploadexec.asm
|
|
Reads a file size from socket, then opens up a hidden/system local file
|
|
(c:\metasploit.exe) and downloads the executable from the socket into this
|
|
file. Once the download is complete, it then executes this file with in/out
|
|
redirected to the socket. This can be extremely useful when combined with
|
|
a self-extracting/executing rootkit or language intepreter (perl.exe).
|