Correct, the actual execution of the original binary is somewhat destroyed
in trade though it's nearly undetectable at this point in time. So
technically you could use this with my IExpress 'hack'
http://www.room362.com/blog/2009/3/2/metasploit-hearts-microsoft.html - but
you're going to have to manually change the Icon and the file size will
change.

The reason why your exe | to encode isn't working is because when you do
msfpayload in raw format it is just the shellcode instruction set that is
getting sent to msfencode, whereas your cat or echo is including all the PE
headers and sections of a compiled binary, which "at this time" msfencode
does not know how to handle. As you stated, this is in 'binder' territory.

Now back to the original topic, shoving shellcode into binaries is a tricky
process, well, if you want it to go unnoticed, because you have to do a
couple things:

1. Find a 'code cave' (a location in the binary that is full of null bytes and
(here is the tricky part) isn't used by the binary for extraction,
compression or decompression at any time during execution).
2. Reroute execution to your shell code, safely and in a manner that doesn't
hang the process until you close your shell.
3. Correct the registers so that after your shell code executes, the
trojan'd binary doesn't fall over and die because it couldn't find the
things it needed in memory.

To do this all successfully and *arbitrarily* you need to get
pretty intimate with the entire life of a process.

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com


On Tue, Dec 1, 2009 at 5:17 PM, Adrian Crenshaw <[email protected]> wrote:

> Ok, I just read Rob's post here:
>
> http://www.room362.com/blog/2009/11/3/metasploit-blends-in-new-msfpayloadencode.html
>
> and checked my exes. Since both are the same size, I'm guessing it's not
> working as a binder but as a "cloaker" of sorts.
>
> Adrian
>
>
> On Tue, Dec 1, 2009 at 5:12 PM, Adrian Crenshaw <[email protected]> wrote:
>
>> Ok, I did this:
>>
>> $ msfpayload windows/adduser user=test pass=test exitfunc=seh R |
>> msfencode -t exe -x notepad.exe -o MYNEWFILE.exe
>>
>> The exe made has the same icon and metadata as the original. The payload
>> runs since the "test" account is created, but notepad never comes up, so it
>> does not make much of a binder. Any ideas?
>>
>> Adrian
>>
>
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
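Rob's point about raw shellcode versus a compiled binary (only the latter carries a DOS stub, PE signature, COFF/optional headers and a section table) and his three-step description of how a trojan'd binary reroutes its entry point into a code cave both come down to reading the PE headers. The following is an added example, not code from Rob, Adrian or the Metasploit project: a minimal PE32 header parser that tells a raw blob apart from a PE image and then reports which section the entry point lands in, together with the triage flags an analyst looks at when checking whether a binary's entry point has been redirected (entry point in a non-code or writable section, in a section other than the first code section, or outside every section). The `build_sample_pe` helper constructs a two-section PE in memory purely so the example runs offline; the section layout, RVAs and the three-byte stub in `.text` are constructed sample values, not taken from any real program.

```python
import struct

# IMAGE_SCN_* section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Parse DOS stub, PE signature, COFF header, optional header and section table.

    Returns None when the blob is not a PE image (e.g. raw shellcode from msfpayload R).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections = []
    off = opt + opt_size                                  # IMAGE_SECTION_HEADER[], 40 bytes each
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        (chars,) = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
        off += 40
    return {"magic": magic, "entry_rva": entry_rva, "sections": sections}


def triage(data):
    """Classify a blob as raw shellcode or PE and flag suspicious entry-point placement."""
    pe = parse_pe(data)
    if pe is None:
        return {"kind": "raw", "entry_section": None, "flags": []}
    flags = []
    entry = None
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"]):
            entry = s
            break
    if entry is None:
        flags.append("entry point outside every section")
    else:
        if not entry["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            flags.append("entry point in non-code section")
        if entry["chars"] & IMAGE_SCN_MEM_WRITE:
            flags.append("entry point in writable section")
        first_code = next((s for s in pe["sections"] if s["chars"] & IMAGE_SCN_CNT_CODE), None)
        if first_code is not None and entry is not first_code:
            flags.append("entry point not in first code section")
    return {"kind": "pe", "entry_section": entry["name"] if entry else None, "flags": flags}


def build_sample_pe(entry_rva):
    """Constructed sample: a minimal two-section PE32 image, not a real program."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)   # i386, 2 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase

    def sec(name, va, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, chars)

    headers = dos + b"PE\0\0" + coff + bytes(opt)
    headers += sec(b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers += sec(b".data", 0x2000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    headers = headers.ljust(0x200, b"\0")
    text = b"\x31\xc0\xc3".ljust(0x200, b"\0")   # xor eax,eax ; ret, then null padding
    data = b"\0" * 0x200
    return headers + text + data


if __name__ == "__main__":
    print(triage(b"\x90\x90\xc3"))                # raw bytes: no PE headers at all
    print(triage(build_sample_pe(0x1000)))        # entry in .text, no flags
    print(triage(build_sample_pe(0x2000)))        # entry redirected into writable .data
```

The flags are heuristics, not verdicts: packers and some linkers legitimately place the entry point outside `.text`, so a hit means "look closer", and the stronger check for a binary that should be unmodified remains comparing its hash against a known-good copy, which is also why the file-size and icon changes Rob mentions matter.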