Exploit Payloads

Metasploit helps deliver our exploit payloads against a target system. When creating an Exploit Payload, we have several things to consider, from the operating system architecture, to anti-virus, IDS, IPS, etc. In evading detection of our exploits, we will want to encode our payloads to remove any bad characters and add some randomness to the final output using NOPs.

Metasploit comes with a number of payload encoders and NOP generators to help aid us in this area.

Select a payload encoder:

• Must not touch certain registers
• Must be under the max size
• Must avoid BadChars
• Encoders are ranked

Select a nop generator:

• Tries the most random one first
• NOPs are also ranked

• The defined Payload Space is 900 bytes
• The Payload is 300 bytes long
• The Encoder stub adds another 40 bytes to the payload
• The NOPs will then fill in the remaining 560 bytes bringing the final payload.encoded size to 900 bytes
• The NOP padding can be avoided by adding ‘DisableNops’ => true to the exploit

As is the case for most things in the Framework, payloads can be tweaked by exploits.

• ‘StackAdjustment’ prefixes “sub esp” code
• ‘MinNops’, ‘MaxNops’, ‘DisableNops’
• ‘Prefix’ places data before the payload
• ‘PrefixEncoder’ places it before the stub

These options can also go into the Targets block, allowing for different BadChars for targets and allows Targets to hit different OS architectures.