PaulDotCom mailing list archives

Manually embedding shellcode into executables


From: jd.mubix at gmail.com (Rob Fuller)
Date: Tue, 1 Dec 2009 21:05:50 -0500

Correct, the actual execution of the original binary is somewhat destroyed
in trade, though it's nearly undetectable at this point in time. So
technically you could use this with my IExpress 'hack'
http://www.room362.com/blog/2009/3/2/metasploit-hearts-microsoft.html - but
you're going to have to manually change the icon, and the file size will
change.

The reason why your exe | to encode isn't working is because when you do
msfpayload in raw format it is just the shellcode instruction set that is
getting sent to msfencode, whereas your cat or echo is including all the PE
headers and sections of a compiled binary, which "at this time" msfencode
does not know how to handle. As you stated, this is in 'binder' territory.

Now back to the original topic, shoving shellcode into binaries is a tricky
process, well, if you want it to go unnoticed, because you have to do a
couple things:

1. Find a 'code cave' (a location in the binary that is full of null bytes and
(here is the tricky part) isn't used by the binary for extraction,
compression or decompression at any time during execution).
2. Reroute execution to your shellcode, safely and in a manner that doesn't
hang the process until you close your shell.
3. Correct the registers so that after your shellcode executes, the
trojan'd binary doesn't fall over and die because it couldn't find the
things it needed in memory.

To do this all successfully and *arbitrarily* you need to get
pretty intimate with the entire life of a process.

--
Rob Fuller | Mubix
Room362.com | Hak5.org | TheAcademyPro.com


On Tue, Dec 1, 2009 at 5:17 PM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

Ok, I just read Rob's post here:

http://www.room362.com/blog/2009/11/3/metasploit-blends-in-new-msfpayloadencode.html

and checked my exes. Since both are the same size, I'm guessing it's not
working as a binder but as a "cloaker" of sorts.

Adrian


On Tue, Dec 1, 2009 at 5:12 PM, Adrian Crenshaw <irongeek at irongeek.com> wrote:

Ok, I did this:

$ msfpayload windows/adduser user=test pass=test exitfunc=seh R |
msfencode -t exe -x notepad.exe -o MYNEWFILE.exe

The exe made has the same icon and metadata as the original. The payload
runs since the "test" account is created, but notepad never comes up, so it
does not make much of a binder. Any ideas?

Adrian



_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


