Sunday, December 25, 2011

[Quick notes] Metasploit payload types

To start with, a vulnerability is a weakness in the target system which creates a security risk - that it can be exploited.


An exploit is a way, a piece of code that can trigger & take advantage of a vulnerability.
A payload is the actual component in the attack which 'do' things for an attacker.

Therefore, a payload must have at least 2 components in it:

1. Communications capability - set up communication channel for the attacker
2. Functionality - defines what all actions an attacker can perform

Metasploit provides 2 types of payloads:

1. Single / Stand-alone / Self-contained
2. Staged [Stager + Stage]

Here,

Stager = communication module
And
Stage = functionality

A full payload = Stager + Stage

Self-contained payloads have both Stager & Stage already bundled together. These payloads include all functionality to load itself into the memory, set up communication channel for the attacker, and lastly provide attacker with the environment & command capability to interact with the compromised system.

A few examples of single / self-contained payloads are:
exec -> runs a command
adduser -> creates a new local user and add it to local administrator group
shell_bind_tcp / shell_reverse_tcp -> sets up a standard TCP bind / reverse listener
In contrast to self-contained payloads, Staged payloads function in a slightly different manner.

A Staged payload constitutes of a Stager and a Stage. These 2 components are NOT bundled together. An attacker can specify a stager and a stage independently.

When a vulnerability is exploited successfully, the Stager component goes first as payload. The stager is responsible for uploading the Stage next, and to set up communications channel for the stage so that attacker can interact with it.

Let's look for Stagers and Stages in the Metasploit directories..

Java Stagers

ls /opt/msfo/msf3/modules/payloads/stagers/java/
bind_tcp.rb reverse_http.rb reverse_tcp.rb
ls -R /opt/msfo/msf3/modules/payloads/stagers/linux/

/opt/msfo/msf3/modules/payloads/stagers/linux/:
x64 x86
/opt/msfo/msf3/modules/payloads/stagers/linux/x64:

bind_tcp.rb reverse_tcp.rb
/opt/msfo/msf3/modules/payloads/stagers/linux/x86:

bind_ipv6_tcp.rb bind_tcp.rb find_tag.rb reverse_ipv6_tcp.rb reverse_tcp.rb
ls -R /opt/msfo/msf3/modules/payloads/stagers/windows/

/opt/msfo/msf3/modules/payloads/stagers/windows/:
bind_ipv6_tcp.rb reverse_http.rb reverse_ord_tcp.rb x64
bind_nonx_tcp.rb reverse_https.rb reverse_tcp_allports.rb
bind_tcp.rb reverse_ipv6_tcp.rb reverse_tcp_dns.rb
findtag_ord.rb reverse_nonx_tcp.rb reverse_tcp.rb
/opt/msfo/msf3/modules/payloads/stagers/windows/x64:

bind_tcp.rb reverse_tcp.rb

-> Notice that all these are setting up a communications channel.

Now looking for Stages:


ls /opt/msfo/msf3/modules/payloads/stages/

bsd bsdi java linux netware osx php windows
Java Stages

ls /opt/msfo/msf3/modules/payloads/stages/java/
meterpreter.rb shell.rb
OSX Stages

ls -R /opt/msfo/msf3/modules/payloads/stages/osx/
/opt/msfo/msf3/modules/payloads/stages/osx/:
armle ppc x86
/opt/msfo/msf3/modules/payloads/stages/osx/armle:

execute.rb shell.rb
/opt/msfo/msf3/modules/payloads/stages/osx/ppc:

shell.rb
/opt/msfo/msf3/modules/payloads/stages/osx/x86:

bundleinject.rb isight.rb vforkshell.rb
Windows Stages

ls -R /opt/msfo/msf3/modules/payloads/stages/windows/
/opt/msfo/msf3/modules/payloads/stages/windows/:

dllinject.rb patchupdllinject.rb shell.rb vncinject.rb
meterpreter.rb patchupmeterpreter.rb upexec.rb x64
/opt/msfo/msf3/modules/payloads/stages/windows/x64:

meterpreter.rb shell.rb vncinject.rb

-> All these modules provide functionality & interactive environments.

No comments:

Post a Comment

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.