Msfvenom Windows Download_exec


Bok Mull

May 10, 2024, 6:21:43 PM5/10/24
to parritinly

I was trying a bunch of ways to download and run programs then I was like ok there's a metasploit payload that does it. But it doesn't seem to want to work. I generated it with msfvenom a couple of different ways.


The best way to deliver the executable via Metasploit is to load up your exploit, and then set the PAYLOAD to windows/download_exec, and upload the executable to a web server. Sample configuration:

msfvenom windows download_exec


Download https://t.co/b7LiLEily6



Now we need to send our payload to the target machine. Simply paste the powershell_attacks.txt command in any command prompt window or where you have the ability to call the powershell executable and it will give a shell back to you. This attack also supports windows/download_exec for a payload method instead of just Meterpreter payloads.

Starting the multi/handler requires a few simple commands. First is "use multi/handler". Next, set your payload to one that is compatible with the custom payload you created. If your payload contains meterpreter then you will "set payload windows/meterpreter/reverse_tcp". If it is a command prompt then you would type "set payload windows/shell/reverse_tcp". Since my Python backdoor sends a command prompt, the correct payload here is "windows/shell/reverse_tcp". This "single" payload doesn't use a stager and expects a connection from a shell. Do not confuse this with "windows/shell_reverse_tcp", since "windows/shell_reverse_tcp" is expecting a connection from a stager, not a shell. Setting LHOST to 0.0.0.0 will cause Metasploit to listen on all the network addresses on your host. This is a good shortcut for single payloads, but it is not a good idea to use this for staged payloads. Some stagers, for example /*/reverse_http, will require that you have an actual routed address so that the stager knows where to download the next stage. Finally, set your LPORT to the port your custom payload is hardcoded to connect to. In this example, my payload is set to send a command prompt to port 80. Finally, you'll need to start the multi-handler, but our work in Metasploit is still not finished. You'll also need to start your multi-handler as a background task. To do this, the "-j" option to the exploit command will start the multi-handler as a "job" that runs in the background.

With your handler in the background waiting to receive a connection, you're ready to exploit the target. Just about any exploit could be used, but remembering my Penetration Tester's Pledge, I'll use PSEXEC. First, I use "windows/smb/psexec" and set it up with the correct username and password for the target. Then I set my payload by typing "set PAYLOAD download/exec". The options are pretty simple. You set the URL to point to the custom payload on the web server that you set up in step 1. You can change the name of the file that will be saved to the target if you like.

Creating NASM (Netwide Assembler) files for different types of shellcode using msfvenom involves generating the shellcode in a raw format and then formatting it into NASM syntax. Below are five examples of different shellcode types generated using msfvenom, each formatted as a NASM file.

Given that most antivirus vendors probably have signatures for Metasploit executable templates we decided to instead create our own executable to execute Metasploit shellcode. Once again, msfvenom was used, but in this instance only to generate shellcode and not the full executable:

A function called get_shellcode() was created to remotely retrieve the msfvenom shellcode used in the previous examples from another machine. The function used various methods from the winhttp library to retrieve the shellcode over HTTP. Also, as the shellcode is retrieved from the remote location as ASCII, an additional step was needed to cast the instructions to raw binary format ready for execution.

The first two examples in this post contained shellcode within the binary itself, whereas the final binaries would dynamically download and store shellcode within memory. In both scenarios it would be possible to detect the shellcode, as default msfvenom payloads (like windows/meterpreter/reverse_tcp) have common hex instructions regardless of the IP/port used. The C++ code for our file is below:

To get msfgui on Windows, first install the Metasploit Framework. Last I checked when this page was updated, it was at this link: -latest-windows-installer.exe Then download the Windows msfgui installer here to get started. If you don't have Java installed, install that from java.com. You can also see an installation video on Windows 10 here.

Venom is a payload generating framework that uses msfvenom to create shellcodes for different operating systems and environments. Msfvenom is a Metasploit utility that combines payload generation and encoding techniques. Venom can generate payloads (shellcodes) in different formats, such as Python, Ruby, C, DLL, MSI (Microsoft Installer), HTA (HTML Application), and PSH. The shellcodes are transformed into executable files with the help of compilers like Pyinstaller, mingw32, and the GNU cross compiler (gcc).

In my previous posts I talked about creating payloads with msfvenom. There, we delivered the payload to the victim machine by hand using methods such as Flash, mail, etc. That delivery step we performed is actually the exploitation part of the job. We do the exploitation part by delivering, and then the moment the other side runs it, the exploitation part is over and the payload takes over.

Besides payloads like meterpreter and shell, there are also payloads such as adduser and download_exec; so what are these? The situation is this: payloads like meterpreter contain many functions within them. For example, they include the function of adding a user, and they also include the function of pulling files from the victim machine. But let's say we don't want to use such a large payload; we are only going to add a user to the target system. In that case the adduser payload can be used, because it has no function other than adding a user. And it does not need a stager payload. It goes, adds the user, and finishes its job.
