Payloads

Types by Usage

  • There are three main types of payload modules in Metasploit: Singles, Stagers, and Stages.

  • Whether a payload is staged is indicated by a ‘/’ separating the stage from the stager in the payload name.

    • windows/shell_bind_tcp is a single payload with no stage.

    • windows/shell/bind_tcp consists of a stager (bind_tcp) and a stage (shell).

Singles

  • Singles are payloads that are self-contained and completely standalone.

  • They are inline (non-staged) and more stable than staged payloads.

Stagers

  • Stagers set up a network connection between the attacker and victim and are designed to be small and reliable.

  • It is difficult to do both (small and reliable) well at the same time, so the result is multiple similar stagers.

  • Metasploit will use the best one when it can and fall back to a less-preferred one when necessary.

  • Windows NX vs. NO-NX Stagers

    • Non-NX stagers have reliability issues on NX-capable CPUs when DEP is enabled.

    • NX stagers are bigger (they call VirtualAlloc).

    • The default is now the NX-compatible stager, which is also Windows 7 compatible.

Stages

  • Stages are payload components that are downloaded by stager modules.

  • The various payload stages provide advanced features with no size limits.

Types by Function

Meterpreter

  • Short form of Meta-Interpreter.

  • The Meterpreter resides completely in the memory of the remote host and leaves no traces on the hard drive.

  • Scripts and plugins can be loaded and unloaded dynamically as required.

PassiveX

  • PassiveX helps circumvent restrictive outbound firewalls by using an ActiveX control to create a hidden instance of Internet Explorer.

  • Using that ActiveX control, it communicates with the attacker via HTTP requests and responses.

NoNX

  • The NX (No eXecute) bit is a feature built into some CPUs to prevent code from executing in certain areas of memory. In Windows, NX is implemented as Data Execution Prevention (DEP).

  • The Metasploit NoNX payloads are designed to circumvent DEP.

Ord

  • Ordinal payloads are Windows stager-based payloads.

  • Advantages

    • They work on every flavour and language of Windows without requiring an explicitly defined return address.

    • They are also extremely tiny.

  • Disadvantages

    • They rely on ws2_32.dll already being loaded in the target process before exploitation.

    • They are a bit less stable than the other stagers.

IPv6

  • The Metasploit IPv6 payloads, as the name indicates, are built to function over IPv6 networks.

Reflective DLL Injection

  • Reflective DLL Injection is a technique whereby a stage payload is injected directly into the memory of a compromised host process, never touching the host hard drive.

  • The VNC and Meterpreter payloads both make use of reflective DLL injection.

Generating Payloads

  • When you use a payload module, Metasploit adds the generate, pry, and reload commands to the console.

Unwanted Bytes (-b)

  • To exclude unwanted bytes (bad characters), e.g. the null byte (\x00), issue the generate command with the -b switch followed by the bytes that must not appear in the generated payload.

  • Note that the shellcode’s total byte size and the selected encoder change as a result.

  • By default, Metasploit selects the best encoder for the job when the -b switch is used to exclude the restricted bytes.

  • If too many restricted bytes are given, no encoder may be able to do the job.

Encoders (-e)

  • To choose a specific encoder, use the -e switch followed by the encoder’s name.

  • Be careful when using an encoder other than the default, as it tends to produce a larger payload.

Saving to a File (-f)

  • To save our generated payload to a file instead of displaying it on the screen, use the -f switch.

Iterations (-i)

  • To evade anti-virus and make payloads less prone to detection, use the -i switch to specify how many encoding passes to perform before producing the final payload.

  • The more iterations, the larger the payload will be.

Options (-o)

  • Issue the show options command to see which options we can change for this payload.

  • To change the default values, use the -o switch followed by the options to set. The syntax is VARIABLE=VALUE, with a comma between each option.

Output Formats (-t)

  • When generating payloads, the default output format given is ‘ruby’.

  • To specify a different output format, use the -t switch followed by the format name.

NOP Sled (-s)

  • Adding a NOP (No Operation or Next Operation) sled is done with the -s switch followed by the number of NOPs. The sled is added at the beginning of the payload.

  • The larger the sled, the larger the shellcode will be. Adding 10 NOPs adds 10 bytes to the total size.
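The following Python script is an added example, not part of the original notes and not Metasploit code. It shows what the -b, -t and -s switches above operate on: it parses a \xHH-escaped dump as the default ruby output format prints it, checks the bytes against a -b style restricted-byte list (a successful generate -b run leaves that check empty), re-emits the bytes in a few -t style output formats, and prepends a NOP sled to show the size growth the -s switch causes. The sample dump and the restricted-byte list are constructed here (arbitrary bytes, not real shellcode); the variable name and line width used when rendering the formats are this example's choices.

```python
from __future__ import annotations
import re

# Matches one \xHH escape as printed by the ruby, python and c output formats.
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Constructed sample dump in the default (ruby) output style. The bytes are
# arbitrary and deliberately contain \x00, \x0a and \x0d; this is not shellcode.
SAMPLE_DUMP = (
    "buf = \n"
    '"\\x41\\x42\\x00\\x43\\x44\\x0a\\x45" +\n'
    '"\\x46\\x0d\\x47\\x48"\n'
)


def parse_escaped(dump: str) -> bytes:
    """Recover raw bytes from a \\xHH-escaped dump (ruby, python or C style).
    Variable names, quotes, '+' and newlines are ignored, so console output
    can be pasted in unchanged."""
    return bytes(int(h, 16) for h in _ESCAPE.findall(dump))


def parse_bad_chars(spec: str) -> bytes:
    """Parse a -b style restricted-byte list such as '\\x00\\x0a\\x0d'."""
    return parse_escaped(spec)


def find_bad_bytes(payload: bytes, bad: bytes) -> list[tuple[int, int]]:
    """Return (offset, value) for every payload byte in the restricted list.
    An empty list is what a successful `generate -b` run guarantees."""
    banned = set(bad)
    return [(i, b) for i, b in enumerate(payload) if b in banned]


def to_format(payload: bytes, fmt: str, width: int = 16) -> str:
    """Render bytes in a few -t style formats (ruby, python, c, hex).
    Line width and the name 'buf' are this example's choices."""
    chunks = ["".join(f"\\x{b:02x}" for b in payload[i:i + width])
              for i in range(0, len(payload), width)]
    if fmt == "ruby":
        return "buf = \n" + " +\n".join(f'"{c}"' for c in chunks) + "\n"
    if fmt == "python":
        return 'buf =  b""\n' + "".join(f'buf += b"{c}"\n' for c in chunks)
    if fmt == "c":
        return "unsigned char buf[] = \n" + "\n".join(f'"{c}"' for c in chunks) + ";\n"
    if fmt == "hex":
        return payload.hex()
    raise ValueError(f"unsupported format: {fmt}")


def with_nop_sled(payload: bytes, count: int, nop: bytes = b"\x90") -> bytes:
    """Prepend `count` NOPs (-s); the total size grows by exactly `count` bytes."""
    return nop * count + payload


def demo() -> dict:
    """Run the checks on the constructed sample and return the findings."""
    payload = parse_escaped(SAMPLE_DUMP)
    bad = parse_bad_chars("\\x00\\x0a\\x0d")
    return {
        "size": len(payload),
        "bad": find_bad_bytes(payload, bad),
        "sled_size": len(with_nop_sled(payload, 10)),
    }


if __name__ == "__main__":
    result = demo()
    print(f"payload size: {result['size']} bytes")
    for offset, value in result["bad"]:
        print(f"  restricted byte 0x{value:02x} at offset {offset}")
    print(f"with a 10-byte NOP sled: {result['sled_size']} bytes")
    print(to_format(parse_escaped(SAMPLE_DUMP), "c"))
```

On the sample above the check reports the three restricted bytes at offsets 2, 5 and 8; a blob that came out of generate -b with the same list would report none, and the C rendering shows the same bytes in the form the -t switch would print.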
