Introduction to msfvenom

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

I believe many people can't find the msfpayload they were used to after upgrading to the latest msf (which is one reason it's good to collect shellcode), and I can't find it either. Actually, you can still `use` the payload you want inside msfconsole and generate it from there. But some people prefer to produce their shellcode directly in the terminal. Also, I can't find msfencode anymore. Msfencode is the shellcode encoder. To be precise, if you write your own shellcode without an encoder, the chance of it being caught by AV is small, and even msf-generated shellcode very likely won't be caught (maybe I just had no AV running), so I never thought the encoder would be needed.

I often think about problems theoretically without actually trying them out, so I didn't realize until later that the encoder matters, because the shellcode msf generates is often unusable as-is! It needs encoder processing, which covers packing, filtering out bad characters, iterated encoding, and even controlling the payload size. Of course, the encoder has other functions too.

First, the relationship between payload and encoder, since some people will be confused. The payload module in msf is used to build shellcode, that is, the machine code that actually does the damage. For people without an assembly background it is almost impossible to write practical shellcode. In the past I felt helpless about that, shut out of the security gate. Fortunately there was msfpayload, which satisfied a mischievous heart. Of course, I have kept learning! I'm sure a lot of people don't even know how shellcode works on the stack, yet they can already use shellcode to do damage. I hope not: I don't like this readily available and dangerous technology in the hands of someone who can't control it. For example, the Flash 0day from the Hacking Team leak not long ago could be used by simply dropping in msf-generated shellcode, without knowing much about the vulnerability or how the shellcode works.

I digress. The encoder is designed for the payload: antivirus detects shellcode by its signature, so we need the encoder to pack the payload. The theory here is the same as for AV evasion of executables, but AV now has sandboxing, so it can also detect from behaviour at the memory stage, which is why some shellcode may still be caught even after encoding. Of course, I'm bragging here, because I haven't tried it. We'll see when it comes to that.

In general, msfvenom combines the functions of payload and encoder. The shellcode generated by these two modules has to be loaded into the exploit to be used, just like a warhead is fitted onto × ×. Let's talk about how to use it.

A rough translation of the options goes something like this (I found it on the Internet):

Options:

-p, --payload specifies the payload to use. For a custom payload, specify '-' or stdin

-l, --list [module_type] lists all available modules of the given type. Module types: payloads, encoders, nops, all

-n, --nopsled prepends a NOP sled of the given length to the payload

-f, --format specifies the output format (use --help-formats to get the list of output formats msf supports)

-e, --encoder [encoder] specifies the encoder to use

-a, --arch specifies the target architecture of the payload

--platform specifies the target platform of the payload

-s, --space sets the maximum size of the payload

-b, --bad-chars sets the set of characters to avoid, for example: '\x00\xff'

-i, --iterations specifies how many times to encode the payload

-c, --add-code specifies an additional win32 shellcode file to include

-x, --template specifies a custom executable file to use as the template

-k, --keep preserves the behaviour of the template program; the injected payload runs as a new process

--payload-options lists the standard options of the payload

-o, --out saves the payload to a file

-v, --var-name specifies a custom variable name for output formats that use one

--smallest generates the smallest possible payload

-h, --help shows the help

--help-formats lists the output formats msf supports

Let me first list the payloads related to Linux.

Ok, pick any payload under Linux. The simplest shellcode generation needs at least two options: -p and -f.

Here I specified the payload module shown in the screenshot above. You can see some warnings, because no CPU architecture and no encoder were specified. Whether this shellcode actually works, please verify yourself; I'll explain it for convenience, and at the end of the article I'll give a simple loader for running shellcode. Other articles on evil0x.com have more loaders you can look up. Some people wonder how I know the options in the red box. Sorry, I don't know either: I just `use` the module in msfconsole and look at `show options`. In fact, I encourage reading the source code; Ruby is a very simple language.

Let's look at a shellcode generation case under Windows, which I think is what you really want. I chose a relatively simple and classic exec shellcode that runs a command. Here I again open the calculator.

Notice my red box, where the required options and their default values are shown.

EXITFUNC specifies whether to exit the thread, exit the process, or something else once the payload finishes. If you are doing injection, you must specify thread, otherwise the whole host process exits after your shellcode runs. The -o option is easy to understand: it writes the output to a file. After all, for an exe nobody can read the terminal output. Double-clicking it under Windows opens the calculator, but it was killed by my AV; restoring it from quarantine you can verify this.

So how do you build shellcode that evades AV? Of course you need an encoder. I used an XOR encoder with -i set to 8 iterations, and the result is that it still failed against the AV champion, 360. Maybe my encoder isn't good enough, maybe it is the AV's memory scanning that stops this simple shellcode. ╮(╯▽╰)╭. How to get past it: the principle is to use encoders that have never been seen before. If the AV supports memory scanning, the only remedy is to change the shellcode itself. I can't get past it with this old shellcode. So collecting good shellcode is important, but I don't have any. You're welcome to share some with me.

The -b option filters "bad characters". Different vulnerabilities need different bad characters filtered. Explaining this part properly requires a good understanding of assembly, and right now I can't explain it well, but the most commonly filtered one is 0x00, because a string is truncated wherever it is encountered.

This command is not necessarily valid; I am just explaining the usage. When I want to know which bad characters can't be used, I usually read the exploit description written by the expert, or debug with OD (OllyDbg) when my shellcode doesn't run, see what caused it, and then adjust the options.

-x should be a commonly used option; it is used to inject into a program. Isn't it better to parasitize your shellcode inside another program, so the target opens that program and executes the shellcode?

The generated file cannot run under Win7, but it runs under XP, which indicates that some functions of the current free version of msf don't work on Win7. I'll look in OD later to see why it can't run directly, but this is how the option is used. You can also add -e to encode it.

Let me show you the result under XP. Of course, I did not inject successfully on Win7, but I can use OD to see why (it just takes a lot of time). I don't know whether injection on Win7 works in the paid version.

The -k option runs your payload as a new process. But currently this option only supports older Windows systems such as Windows XP.

-s sets the length of the payload, which depends on the exploit. Do not set it if there is no size requirement.
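The -b and -s options above describe what the exploit can tolerate, and the only way to know whether a generated payload respects them is to check the bytes. As an added example (not code from the article), here is a small Python checker that takes a payload dump in the shape of msfvenom's `-f c` output, recovers the raw bytes, compares the length against a `-s` style limit, and lists every offset where a `-b` bad character occurs. The sample dump is constructed filler, not a real payload; all function names are my own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of `msfvenom -f c` output; the bytes are
# filler chosen for this demo, not a real payload.
SAMPLE_C_OUTPUT = r'''
unsigned char buf[] =
"\x90\x90\x41\x42\x00\x43\x0a\x44"
"\xff\x45\x46\x0d\x47\x48\x49\x4a";
'''

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_hex_escapes(text: str) -> bytes:
    """Recover raw bytes from a C/Python/Perl-style dump made of \\xHH escapes."""
    return bytes(int(h, 16) for h in _ESCAPE.findall(text))


def parse_bad_chars(spec: str) -> Set[int]:
    """Parse a msfvenom-style -b argument such as '\\x00\\xff' into byte values."""
    return set(parse_hex_escapes(spec))


def find_bad_chars(blob: bytes, bad: Set[int]) -> Dict[int, List[int]]:
    """Map each bad byte value present in blob to the offsets where it occurs."""
    hits: Dict[int, List[int]] = {}
    for offset, value in enumerate(blob):
        if value in bad:
            hits.setdefault(value, []).append(offset)
    return hits


def check_payload(dump: str, bad_spec: str, max_space: Optional[int] = None) -> dict:
    """Report length, fit against a -s limit, and -b bad-character hits for a dump."""
    blob = parse_hex_escapes(dump)
    return {
        "length": len(blob),
        "fits": max_space is None or len(blob) <= max_space,
        "bad_chars": find_bad_chars(blob, parse_bad_chars(bad_spec)),
    }


if __name__ == "__main__":
    report = check_payload(SAMPLE_C_OUTPUT, r"\x00\x0a\x0d\xff", max_space=16)
    print(f"length={report['length']} fits={report['fits']}")
    for value, offsets in sorted(report["bad_chars"].items()):
        print(f"bad byte 0x{value:02x} at offsets {offsets}")
```

If the report lists any offsets, the encoder run did not do its job and the -b or -e settings need another look before the payload goes into the exploit.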

The MSF graphical tool is the web tool. I don't know whether the new version still has it, because I've never used the paid version. There is also a GUI tool, Armitage; Cobalt Strike is the paid version of Armitage. Armitage is a graphical msf tool, but its functionality is not complete, and individuals won't buy the paid version, so we can only use the command line.

What I want to say here is that automatically generated shellcode very often does not work; we usually need to modify some bytes by hand. Finally, please work hard at collecting shellcode and send it to me.

Here is a simple shellcode loader, that is, something you can run shellcode in. You can find one on the Internet; evil0x.com has written several articles, so check them out if you are interested.
