Metasploit Utilities

Having covered Metasploit’s three main interfaces, it’s time to cover a few utilities. Metasploit’s utilities are direct interfaces to particular features of the Framework that can be useful in specific situations, especially in exploit development. We will cover some of the more approachable utilities here and introduce additional ones throughout the book.

MSFpayload

The msfpayload component of Metasploit allows you to generate shellcode, executables, and much more for use in exploits outside of the Framework.

Shellcode can be generated in many formats including C, Ruby, JavaScript, and even Visual Basic for Applications. Each output format will be useful in various situations. For example, if you are working with a Python-based proof of concept, C-style output might be best; if you are working on a browser exploit, a JavaScript output format might be best. After you have your desired output, you can easily insert the payload directly into an HTML file to trigger the exploit.

To see which options the utility takes, enter msfpayload -h at the command line, as shown here:

root@bt:/# msfpayload -h

As with msfcli, if you find yourself stuck on the required options for a payload module, append the letter O on the command line for a list of required and optional variables, like so:

root@bt:/# msfpayload windows/shell_reverse_tcp O

We will dive much deeper into msfpayload as we explore exploit development in later chapters.

MSFencode

The shellcode generated by msfpayload is fully functional, but it contains several null characters that, when interpreted by many programs, signify the end of a string, and this will cause the code to terminate before completion. In other words, those \x00s and \xffs can break your payload!

In addition, shellcode traversing a network in cleartext is likely to be picked up by intrusion detection systems (IDSs) and antivirus software. To address this problem, Metasploit’s developers offer msfencode, which helps you to avoid bad characters and evade antivirus and IDSs by encoding the original payload in a way that does not include “bad” characters. Enter msfencode -h to see a list of msfencode options.

Metasploit contains a number of different encoders for specific situations. Some will be useful when you can use only alphanumeric characters as part of a payload, as is the case with many file format exploits or other applications that accept only printable characters as input, while others are great general purpose encoders that do well in every situation.

When in doubt, though, you really can’t go wrong with the x86/shikata_ga_nai encoder, the only encoder with the rank of Excellent, a measure of the reliability and stability of a module. In the context of an encoder, an Excellent ranking implies that it is one of the most versatile encoders and can accommodate a greater degree of fine-tuning than other encoders. To see the list of encoders available, append -l to msfencode as shown next. The encoders are listed in order of reliability.

root@bt:˜# msfencode -l

Nasm Shell

The nasm_shell.rb utility can be handy when you’re trying to make sense of assembly code, especially if, during exploit development, you need to identify the opcodes (the assembly instructions) for a given assembly command.

For example, here we run the tool and request the opcodes for the jmp esp command, which nasm_shell tells us is FFE4.

root@bt:/opt/framework3/msf3/tools# ./nasm_shell.rb

nasm > jmp esp
00000000  FFE4              jmp esp
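Tying the three utilities together, here is an added example (not from the book or from the Framework) that shows why msfencode's bad-character handling matters: it scans a constructed byte sequence (the FFE4 jmp esp opcode from the nasm_shell output above, padded with filler that deliberately contains \x00 and \xff) for forbidden bytes, shows what a C string routine would keep, and prints the bytes in msfpayload-style C and JavaScript output. The function names and the default bad-character set are assumptions made for this example.

```python
# Added example: illustrate the "bad character" problem msfencode exists to solve.
# Constructed sample bytes, not real shellcode: the FFE4 (jmp esp) opcode shown by
# nasm_shell, padded with filler that deliberately includes \x00 and \xff.
SAMPLE = b"\xff\xe4" + b"\x90" * 4 + b"\x00\x41\x42\xff\x43"

# Bytes an encoder is typically told to avoid (msfencode -b '\x00\xff'); assumed default here.
DEFAULT_BAD = b"\x00\xff"


def find_bad_chars(payload: bytes, bad: bytes = DEFAULT_BAD) -> list[tuple[int, int]]:
    """Return (offset, byte) pairs for every occurrence of a forbidden byte."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def c_string_view(payload: bytes) -> bytes:
    """Simulate what a C string routine (strcpy, strlen) sees: everything up to the
    first NUL. Bytes after it are silently dropped, which is why \\x00 breaks a payload."""
    return payload.split(b"\x00", 1)[0]


def format_c(payload: bytes, name: str = "buf", width: int = 8) -> str:
    """Render bytes in the C array style msfpayload's C output uses."""
    rows = []
    for i in range(0, len(payload), width):
        chunk = payload[i:i + width]
        rows.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    return f"unsigned char {name}[] = \n" + "\n".join(rows) + ";"


def format_js(payload: bytes) -> str:
    """Render bytes as an escaped JavaScript string, as for a browser-side proof of concept."""
    return '"' + "".join(f"\\x{b:02x}" for b in payload) + '"'


if __name__ == "__main__":
    for off, b in find_bad_chars(SAMPLE):
        print(f"bad char 0x{b:02x} at offset {off}")
    print("bytes a C string routine keeps:", c_string_view(SAMPLE).hex())
    print(format_c(SAMPLE))
    print(format_js(SAMPLE))
```

Running it reports the \xff at offset 0 and 9 and the \x00 at offset 6, and shows that a C string copy would keep only the first six bytes, which is exactly the situation that sends you to msfencode.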