Thanks. I was a little confused since on the show it seemed that Dave was saying it acted like a binder.
I've used iexpress before: http://www.irongeek.com/i.php?page=videos/binders-iexpress-trojans
The nice thing about it as a binder is that, since it's made by Microsoft, AV won't bother it. I'd still love to use msfencode with an arbitrary exe however.

Adrian

On Tue, Dec 1, 2009 at 9:05 PM, Rob Fuller <[email protected]> wrote:

> Correct, the actual execution of the original binary is somewhat destroyed
> in trade, though it's nearly undetectable at this point in time. So
> technically you could use this with my IExpress 'hack'
> http://www.room362.com/blog/2009/3/2/metasploit-hearts-microsoft.html -
> but you're going to have to manually change the icon, and the file size will
> change.
>
> The reason why your exe | to encode isn't working is because when you do
> msfpayload in raw format it is just the shellcode instruction set that is
> getting sent to msfencode, whereas your cat or echo is including all the PE
> headers and sections of a compiled binary, which "at this time" msfencode
> does not know how to handle. As you stated, this is in 'binder' territory.
>
> Now back to the original topic: shoving shellcode into binaries is a tricky
> process, well, if you want it to go unnoticed, because you have to do a
> couple of things:
>
> 1. Find a 'code cave' (a location in the binary that is full of null bytes and
> (here is the tricky part) isn't used by the binary for extraction,
> compression or decompression at any time during execution).
> 2. Reroute execution to your shellcode, safely and in a manner that doesn't
> hang the process until you close your shell.
> 3. Correct the registers so that after your shellcode executes, the
> trojan'd binary doesn't fall over and die because it couldn't find the
> things it needed in memory.
>
> To do this all successfully and *arbitrarily* you need to get
> pretty intimate with the entire life of a process.
>
> --
> Rob Fuller | Mubix
> Room362.com | Hak5.org | TheAcademyPro.com
>
>
> On Tue, Dec 1, 2009 at 5:17 PM, Adrian Crenshaw <[email protected]> wrote:
>
>> Ok, I just read Rob's post here:
>>
>> http://www.room362.com/blog/2009/11/3/metasploit-blends-in-new-msfpayloadencode.html
>>
>> and checked my exes. Since both are the same size, I'm guessing it's not
>> working as a binder but as a "cloaker" of sorts.
>>
>> Adrian
>>
>>
>> On Tue, Dec 1, 2009 at 5:12 PM, Adrian Crenshaw <[email protected]> wrote:
>>
>>> Ok, I did this:
>>>
>>> $ msfpayload windows/adduser user=test pass=test exitfunc=seh R |
>>> msfencode -t exe -x notepad.exe -o MYNEWFILE.exe
>>>
>>> The exe made has the same icon and metadata as the original. The payload
>>> runs since the "test" account is created, but notepad never comes up, so it
>>> does not make much of a binder. Any ideas?
>>>
>>> Adrian
>>>
>>
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
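The entry-point rerouting Rob describes (step 2, into a null-filled code cave from step 1) leaves a static trace a defender can check for: the PE's AddressOfEntryPoint ends up outside the section's real data, in the file-alignment padding, or in a section other than the first executable one. The following is an added example, not code from this thread, from Metasploit or from any project named here; it parses only the PE32 headers with the standard library, and the two inputs are constructed header-only images (no code, no payload) built by the hypothetical build_pe helper.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

def parse_pe(pe: bytes):
    """Return (entry_rva, [(name, vaddr, vsize, rawsize, chars)]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20                                           # optional header follows COFF header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]     # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40                         # 40-byte IMAGE_SECTION_HEADER entries
        name = pe[off:off + 8].rstrip(b"\0").decode()
        vsize, vaddr, rawsize, *_, chars = struct.unpack_from("<IIIIIIHHI", pe, off + 8)
        sections.append((name, vaddr, vsize, rawsize, chars))
    return entry_rva, sections

def entry_point_findings(pe: bytes):
    """Heuristics for an entry point that has been rerouted into a code cave."""
    entry_rva, sections = parse_pe(pe)
    home = next((s for s in sections if s[1] <= entry_rva < s[1] + max(s[2], s[3])), None)
    if home is None:
        return ["entry point maps to no section"]
    name, vaddr, vsize, rawsize, chars = home
    first_exec = next((s[0] for s in sections if s[4] & IMAGE_SCN_MEM_EXECUTE), None)
    findings = []
    if name != first_exec:
        findings.append(f"entry point in {name}, not in first executable section {first_exec}")
    if entry_rva >= vaddr + vsize:   # past the real data: null-padded slack, the classic cave
        findings.append(f"entry point in alignment padding of {name}")
    return findings

def build_pe(entry_rva, sections):
    """Construct a minimal PE32 header for testing (constructed input, carries no code)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                       # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, rs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, rs, ch in sections)
    return dos + coff + opt + table

TEXT, DATA = 0x60000020, 0xC0000040                                        # CODE|X|R, DATA|R|W
CLEAN = build_pe(0x1100, [(".text", 0x1000, 0x800, 0x1000, TEXT), (".data", 0x2000, 0x200, 0x200, DATA)])
# Same layout, but the entry point now sits in the null-filled tail of .text (RVA 0x1800..0x2000).
CAVED = build_pe(0x1900, [(".text", 0x1000, 0x800, 0x1000, TEXT), (".data", 0x2000, 0x200, 0x200, DATA)])
```

Run against a real file with entry_point_findings(open(path, "rb").read()); a packed or self-extracting binary can legitimately trip the first heuristic, which is why Rob's warning about caves used during extraction or decompression cuts both ways.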
