Posted on

Shellcode Injection into Windows Binaries

Hello aspiring Ethical Hackers. In this article, we will see how to perform Shellcode Injection into Windows executables. In hacking, Shellcode is a code usually written in machine language instructions that starts a command shell from which a hacker can control the compromised machine. Shellcode is normally used as a payload.

Windows binaries are those binaries that are already present by default on a Windows system. Just imagine you are pen testing a Windows machine and you want to gain access to it without bringing any third party Malware to the target system. How about using the files already present on the target system to execute your payload. This is also known as file less malware.

Windows by default has some binaries for its own genuine functions. However these can be utilized by malicious actors to execute their own payload which is not benign. Examples of these binaries are regsrvr32.exe, notepad.exe, calc.exe and rundll32.exe etc. Rundll32.exe is a binary used in Windows to link library for other Windows applications. Of course, readers know about Notepad and Calculator.

In this article, we will see how to inject shellcode into these Windows executables. For this, we will be using a tool named CactusTorch. CactusTorch is a shellcode launcher tool that can be used to launch 32 bit shellcode which can then be injected into any Windows binaries.

Let’s see how this tool works. CactusTorch can be cloned from GitHub as shown below from here.

Cactustorch 1

Once the repository is cloned successfully, we need to create shellcode. Cactus torch is compatible with Metasploit and Cobalt strike. So let’s use msfvenom to create 32 bit shellcode.

Cactustorch 2

The shellcode is successfully created and is stored in payload.bin file.

Cactustorch 2a

Next, encode this payload using base64 encoding as shown below.

shellcode injection

This shellcode can be hosted in different formats as shown below. These formats are already provided by Cactustorch.

Cactustorch 4

Let’s see the example of hta file. Open the cactustorch.hta file using any text editor.

Cactustorch 7

We can specify the binary you want to inject this shellcode into. For example, here we want to inject shellcode into rundll32.exe. Copy the base64 encoded shellcode at “Dim code”. Save the file. Start a Metasploit listener as shown below.

Cactustorch 8

Next, all we have to do is make the user on target system execute the cactus torch.hta file. This can be done using social engineering. Now once someone clicks on it, we should get a successful meterpreter session as shown below.

Cactustorch 9

Similarly, this shellcode can be hosted in JavaScript and also VB script and VBA files. That’s how shellcode injection can be performed in Windows binaries.

Posted on

Shellcode Injection with Metasploit

Shellcode Injection Module is a Metasploit module which as its name suggests, injects shellcode into the target Windows system on which we already have access. In our previous article, we have learnt what is shellcode and how it is created. Shellcode is a bit assembly code or machine language and it plays a very important role in cyber security. Typically shellcode is used in offensive penetration testing.

Let’ s see how this module works. Get a meterpreter session on a Windows system. Background the current session and load the post windows shellcode inject module as shown below.

Shellcodeinject2

We will use Donut tool to create a shellcode of the mimikatz program. Mimikatz is a tool used to experiment with Windows security. Its known to extract plaintext passwords and kerberos tickets from memory. It can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

Shellcodeinject6

Set the SESSION ID and other options given below.

Shellcodeinject7

Set the interactive option to TRUE . We need to do this so that we are not taken directly to the mimikatz shell. We also need to set the correct target architecture.

Shellcodeinject9

After all the options are set, we need to just execute the module as shown below.

shellcode injection with Metasploit
Shellcodeinject10

That’s all about the Metasploit Shellcode Injection Module.

If you liked this article you can Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.

Posted on 1 Comment

Donut shellcode generator

Donut shellcode generator is a tool that generates shellcode from VBScript, JScript, EXE, DLL files and DOTNET assemblies. Although there are many tools that can do this, Donut does this with position independent code that enables in-memory execution of the compiled assemblies. This compiled shellcode assembly can either be staged from a HTTP server or embedded directly in the file itself. After the compiled shellcode is loaded and executed in memory, the original reference is erased immediately to avoid memory scanners.

The features supported by the Donut generator are

  1. Compression of the generated files with aPLib and LZNT1, Xpress, Xpress Huffman.
  2. Using entropy for generation of strings 128-bit symmetric encryption of files.
  3. Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
  4. Patching command line for EXE files.
  5. Patching exit-related API to avoid termination of host process.
  6. Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal.
  7. What exactly is shellcode? Shellcode is a bit assembly code or machine language. Shellcode plays a very important role in cyber security. Typically shellcode is used in offensive penetration testing. In this article, let us learn about this awesome tool. This tool can be installed in Kali Linux by cloning it from Github as shown below. This will create a new directory named “Donut”
donut1

Navigating into the Donut shellcode generator directory, let’s create the shellcode of mimikatz.exe as shown.

How to use donut shellcode generator

Mimikatz.exe is a simple tool that is used to play with windows security. If you take this executable of Mimikatz into a Windows system, any antivirus or Windows Defender will detect this as malware. Just try it on your machine first before turning it into shellcode. It is found in Kali Linux. Here we copied it into the Donut folder.
When we run above command, shellcode is created as a file named “loader.bin” in the same directory of Donut.

Donut4

By default, Donut creates shellcode for x86 (32bit) and amd64 (64bit). To create only a x86 shellcode, the command is as shown below.

Donut3

The “-b” option is used to set the shellcode’s behavior when faced with AMSI/WLDP. Anti Malware Scan Interface and Windows Lock Down Policy are security features. These both features help in defending against malware.

Donut5

By default, Donut sets the shellcode to bypass AMSI/WLDP. By setting the “-b” option to “2” as shown in the above image, it can be set to ABORT once it encounters AMSI/WLDP. Setting “1 ” will do nothing.
Entropy in general terms means the degree of randomness. It is used in malware to make detection of its code harder by Anti malware. This is called obfuscation. The more the entropy the least chances of detection of malware. Donut by default sets random names and al- so encrypts the shellcode to obfuscate the code from anti malware. It can be changed using the “-e” option. Setting it to “2” just sets random names to the payload and setting it to “1” does nothing.

Donut6

Not just binaries, we can create different output formats with Donut although by default it creates a binary payload. The “-f” option is used to set different output formats. For example, set -ting “-f” option to “2” gives a base64 format. 3 creates C, 4 creates Ruby, 5 creates Python, 6 creates Powershell, 7 creates C# and 8 creates Hexadecimal shellcodes respectively.

Donut7
Donut8
Donut9

The “-z” option is used to setting packing and compressing engines. Donut doesn’t use any compression by default. However it supports four compression engines. 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Only the aPlib compressor works in Linux. Rest of them work in windows. Compression reduces the size of the payload whereas packing is used to avoid detection by anti malware.

Donut11

We have seen that by default, Donut saves the payloads it creates in the same directory. The location as to where the payload is saved can be changed with the “-o” option.

Donut12

That’s all about the Donut shellcode generator, readers. We will learn more about this tool and how it is used in real world ethical hacking.

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.