Michael Schierl
cb06262002
Those stagers will encrypt the initial stage with a 128-bit RC4 key and the stage length with a XOR key. Both keys are embedded in the stager. This should provide good evasion capabilities in addition to some protection against MITM reversing (if the stager is sent a different route, like in an executable on an USB key). Note that, from a cryptanalyst's standpoint, it is a bad idea to reuse the same stager (or stagers with the same RC4 and XOR keys) more than once since an identical key will result in an identical keystream and make correlation attacks easy. But I doubt that matters in practice. Also note that since communication after the initial statging is not encrypted, these stagers should be used in combination with additional encryption support in the payloads (like Meterpreter).
This directory contains the win32 payload development environment used
for creating the payloads in version 3 of the Metasploit Framework.
The 'nasm' executable must be in your path to use the included build.sh tool.
The included 'build' script automatically creates a number of file types
each time it used to compile a payload. These file types are:
- Native ELF executable
- Win32 PE executable
- Generated C source code
- Raw opcodes in ".bin" format
The PE executable templates were developed by 'rix' and used with permission.
To use this script, simply run ./build.sh <name of payload>, where the name
does not include the ".asm" suffix. To build win32_stage_api.asm, the
command line would be "./build.sh win32_stage_api".