I am analyzing a Metasploit exploit here and I am trying to figure out where the `payload` in `payload.encoded` comes from on line 358. I am a newbie to exploit development, but basic programming rules say that `payload` should be initialized before calling any function on it. I don't see `payload` being initialized to any value. There is a `Payload` on line 56, but its first letter is capital, so that's something different (Ruby is case-sensitive). That means `payload` is probably inherited from some class. But if it's inherited from some class, why encode it? Why not fill a new value in it? Especially, I am looking for the value that is being taken by `payload` for encoding. It would be a great help if anyone would help me understand that. Thanks a ton!

- The actual payload is generated and encoded by a lower level, i.e., by [`Msf::Exploit::Remote`](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit.rb) and [`Msf::EncodedPayload`](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/encoded_payload.rb). With `payload.encoded` you just get the result of that process. – Gumbo Feb 16 '14 at 11:59
- Thanks, but is there any value in that code which is being taken by `payload.encoded` for encoding? – TheRookierLearner Feb 16 '14 at 12:53
2 Answers
So, it's Ruby, and the exploit class derives from `Msf::Exploit::Remote`, and that comes from `msf/core`. Navigate a bit through the code into `lib/msf/core.rb`, and see that it requires from `core/payload`. Open that file:
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/payload.rb
Line 179, a function `payload` is defined, and you can see that it pulls the payload from `return module_info['Payload'] ? module_info['Payload']['Payload'] : nil`.
Back to the original exploit, we see that that is initialized with a `module_info` function and this value:
```ruby
'Payload' =>
  {
    'Space' => 4096,
    # NOTE: \xff are avoided here so we can control the number of them being sent.
    'BadChars' => "\x09\x0a\x0b\x0c\x0d\x20\xff",
    'DisableNops' => 'True',
  },
```
Some more poking around gives us this in `lib/msf/base/simple/payload.rb`:
```ruby
payload._import_extra_options(opts)
framework = payload.framework
# Generate the payload
e = EncodedPayload.create(payload,
```
and we find `EncodedPayload` in `lib/msf/core/encoded_payload.rb`, and see that it calls the `generate` method, which is what sets the `encoded` method. Poke around a little more in that file, and we find the `encode` method for generating that. The encoders are pulled from lists of "compatible encoders", which are evidently pulled from the platform (see https://github.com/rapid7/metasploit-framework/blob/f0fd2f05983083d84d635d8689237151663902e5/lib/msf/core/payload.rb#L413).
Long story short, the payload comes from `BadChars` above, and it's encoded with an encoder that is platform-dependent.

- I am sorry about "unaccepting" the answer, but I came across some web pages ([here](https://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit) and [here](http://redstack.net/blog/writing-exploits-for-metasploit-30.html)) which say that `BadChars` is the list of characters the payload should *not* contain. So, I am still not sure about what `payload` contains. – TheRookierLearner Feb 16 '14 at 23:11
- Ho ho, good catch. Poke around some more in encoded_payload.rb; I evidently didn't peer into it hard enough. My guess is that the payload is either generated on the fly, or stuck into a fixture file somewhere. – A. Wilson Feb 17 '14 at 23:22
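Added example (not Metasploit's code, and not from either answer): a small Ruby stand-in showing two things the thread turns on, that a method like `payload_info` can be inherited from a mixin rather than initialized in the exploit class, and that the `'Payload'` block in `module_info` holds constraints (`Space`, `BadChars`) which a candidate encoded buffer is checked against, not the payload bytes themselves. The names `PayloadInfoMixin`, `ExampleExploit`, `bad_char_offsets` and `check_against_constraints` are invented for the example, and `MODULE_INFO` is constructed to mirror the exploit's `'Payload'` block.

```ruby
# Constructed module_info, reusing the 'Payload' block the exploit declares.
MODULE_INFO = {
  'Name'    => 'example (constructed)',
  'Payload' => {
    'Space'       => 4096,
    'BadChars'    => "\x09\x0a\x0b\x0c\x0d\x20\xff".b,
    'DisableNops' => 'True',
  },
}

# Mixin standing in for the inherited helper the asker could not find:
# the method is callable on the exploit even though the class never defines it.
module PayloadInfoMixin
  def payload_info
    module_info['Payload'] ? module_info['Payload'] : nil
  end
end

class ExampleExploit
  include PayloadInfoMixin
  def module_info
    MODULE_INFO
  end
end

# Offsets of every byte in +buf+ that appears in +bad_chars+;
# an empty array means the buffer satisfies the BadChars constraint.
def bad_char_offsets(buf, bad_chars)
  bad = bad_chars.b.bytes
  buf.b.bytes.each_with_index.select { |byte, _| bad.include?(byte) }.map(&:last)
end

# Check a candidate buffer against the declared Space and BadChars constraints.
# Returns :ok, or a hash describing the first check that failed.
def check_against_constraints(exploit, buf)
  info = exploit.payload_info
  return { error: :no_payload_info } unless info
  return { error: :too_large, size: buf.bytesize, space: info['Space'] } if buf.bytesize > info['Space']
  offsets = bad_char_offsets(buf, info['BadChars'])
  return { error: :bad_chars, offsets: offsets } unless offsets.empty?
  :ok
end

if __FILE__ == $0
  ex = ExampleExploit.new
  p check_against_constraints(ex, "\x41\x42\x43".b)      # :ok
  p check_against_constraints(ex, "\x41\x20\x42\xff".b)  # bad chars at offsets 1 and 3
end
```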
I did not look around the code in as much detail as A. Wilson did. But when I run an exploit in Metasploit without selecting any payload (available payloads can be seen with the `show payloads` command), it shows before exploiting that the payload being selected is the reverse handler (which I guess is the default payload). Looking in the folders of Metasploit showed me that the code for this handler can be found in `/opt/metasplot/apps/pro/msf3/lib/msf/core/handler`.
