April 27, 2012
1. Grepping msfvenom, msfpayload
This is for searching through the payloads (or other modules) Metasploit knows about. One thing that does not work is:
./msfvenom -l payloads |grep php
because the listing is written to STDERR, so the pipe to grep never sees it. To search through Metasploit modules from the command line, redirect STDERR into STDOUT before the pipe:
./msfvenom -l payloads 2>&1 |grep php
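The pitfall above, as an added example that is not part of the original post. `list_stub` is a constructed stand-in for `msfvenom -l payloads` that writes a few made-up listing lines to STDERR, so the two search functions can be compared offline without Metasploit installed; with the real tool you would call `search_merged php ./msfvenom -l payloads`.

```shell
#!/bin/sh
# Added example (not from the original post). 'list_stub' is a constructed
# stand-in for 'msfvenom -l payloads': it writes its listing to stderr,
# which is the behaviour that makes the naive pipe to grep come up empty.

list_stub() {
    # Constructed sample listing, sent to stderr like msfvenom's.
    printf '%s\n' \
        'php/meterpreter/reverse_tcp  Run a meterpreter server in PHP' \
        'php/bind_php                 Listen for a connection and spawn a PHP shell' \
        'windows/shell_reverse_tcp    Connect back to attacker and spawn a shell' >&2
}

# search_stdout_only PATTERN CMD [ARGS...]
# Naive search: only CMD's stdout reaches grep, so anything CMD prints on
# stderr goes straight to the terminal and is never matched.
search_stdout_only() {
    pattern=$1; shift
    "$@" | grep -i -- "$pattern"
}

# search_merged PATTERN CMD [ARGS...]
# Working search: 2>&1 merges CMD's stderr into stdout before the pipe, so
# grep sees the whole listing. Harmless if a tool prints to stdout anyway.
search_merged() {
    pattern=$1; shift
    "$@" 2>&1 | grep -i -- "$pattern"
}

# Usage against the stub (real tool: search_merged php ./msfvenom -l payloads):
#   search_stdout_only php list_stub   # prints nothing useful to the pipe
#   search_merged php list_stub        # prints the two php payload lines
```

Note that `2>&1` must come before the `|`; writing `| grep php 2>&1` only redirects grep's own STDERR and changes nothing about what grep reads.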
2. Using ‘reload’, ‘jobs’, and ‘resource’ for module testing
When I was first modifying Metasploit code, I restarted msfconsole after every change, which takes quite a while and is a pain if you have only made a one-line change. The 'reload' command reloads just the module you are currently working on, which is obviously much nicer.
Another couple of commands that are handy for testing are 'jobs' and 'resource'. 'jobs' enumerates the modules running in the background (and kills them, if you tell it to). 'resource' runs a file of console commands exactly as if you had typed them into the console. I used 'resource' for unit testing, and when I demo some more complicated attacks that require actual code (coming soon), I'll put that in a resource file.
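A concrete resource file that exercises the commands just described, as an added example that is not from the original post. It assumes `msfconsole` is on PATH; the module, payload, LHOST and LPORT values are placeholders chosen for illustration, and the `-j` flag (run the exploit as a background job) and `jobs -K` (kill all jobs) are standard msfconsole options.

```shell
#!/bin/sh
# Added example (not from the original post): build a resource file whose
# lines run exactly as if typed into msfconsole, then run it non-interactively.
# Module, payload, LHOST and LPORT below are placeholders for illustration.

# write_test_rc FILE
# Writes a resource script that starts a handler as a background job, lists
# the jobs, reloads the current module from disk, kills every job and exits.
write_test_rc() {
    cat > "$1" <<'EOF'
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 127.0.0.1
set LPORT 4444
exploit -j
jobs
reload
jobs -K
exit
EOF
}

# run_test_rc FILE
# Generates the script and feeds it to msfconsole (-q suppresses the banner,
# -r executes the resource file). Assumes msfconsole is on PATH.
run_test_rc() {
    write_test_rc "$1"
    msfconsole -q -r "$1"
}

# Usage: run_test_rc /tmp/handler-test.rc
```

The same file can also be run from inside an already open console with `resource /tmp/handler-test.rc`, which is the quicker loop when you are editing a module and just want to reload and re-run it.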
3. Nop sled Generation
I recently ran into an exploit where the target binary looked for repeating byte sequences (e.g. '\x90\x90…'), so I needed a custom NOP sled. I also wanted to preserve the values of some registers. I was (coincidentally) pointed at Metasploit's Opty2. The usage is:
> use nop/x86/opty2
msf nop(opty2) > generate -h
Usage: generate [options] length
Generates a NOP sled of a given length.
-b The list of characters to avoid: '\x00\xff'
-h Help banner.
-s The comma separated list of registers to save.
-t The output type: ruby, perl, c, or raw.
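Once you have a sled, it is worth checking that it actually satisfies the two constraints that motivated it: no bytes from the bad-character list, and no run of one byte long enough to trip the target's repeat detection. The checker below is an added example and not part of the original post or of Metasploit; it assumes the raw sled bytes are already in a file, and the sample sleds in the usage and test are constructed with `printf` rather than generated by Opty2.

```shell
#!/bin/sh
# Added example, not from the original post: check a raw NOP sled against
# (a) a list of forbidden bytes and (b) a maximum run length of any single
# byte. Assumes the sled bytes are already in a file; sample inputs below
# are constructed with printf, not produced by Opty2.

# check_sled FILE "hh hh ..." [MAX_RUN]
#   FILE     raw sled bytes
#   $2       space-separated lowercase hex bytes to forbid (e.g. "00 ff")
#   MAX_RUN  longest permitted run of one byte (default 1, i.e. no repeats)
# Prints each violation with its byte offset; exits 0 only if the sled is clean.
check_sled() {
    file=$1
    bad=$2
    max_run=${3:-1}
    # od emits one lowercase hex byte per field; reshape to one byte per line.
    od -An -tx1 -v "$file" | tr -s ' \n' '\n' | sed '/^$/d' |
    awk -v bad="$bad" -v max="$max_run" '
        BEGIN {
            n = split(bad, list, " ")
            for (i = 1; i <= n; i++) badset[list[i]] = 1
            ok = 1; run = 0; prev = ""
        }
        {
            off = NR - 1                     # one byte per line, so NR-1 is the offset
            if ($1 in badset) {
                printf "forbidden byte %s at offset %d\n", $1, off; ok = 0
            }
            if ($1 == prev) run++; else { run = 1; prev = $1 }
            if (run == max + 1) {            # report a run once, when it first exceeds max
                printf "byte %s repeated more than %d times ending at offset %d\n", $1, max, off; ok = 0
            }
        }
        END { exit ok ? 0 : 1 }
    '
}

# Usage with a constructed sled (a real one would come from generate -t raw):
#   printf '\220\101\220\102' > sled.bin && check_sled sled.bin "00 ff" 1
```

Pass the same bad-character list you gave to `generate -b`, lowercased and space-separated, and set MAX_RUN to one less than the shortest repeat the target rejects; a non-zero exit means the sled needs regenerating.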