Manually embedding shellcode into executables

[irongeek at irongeek.com (Adrian Crenshaw)]

Thanks. I was a little confused since on the show it seemed that Dave was
saying it acted like a binder.

I''ve used iexpress before:
http://www.irongeek.com/i.php?page=videos/binders-iexpress-trojans

nice thing about it as a binder, since it's made by Microsoft, AV won't
bother it.

I'd still love to use msfencode with an arbitrary exe however.

Adrian


On Tue, Dec 1, 2009 at 9:05 PM, Rob Fuller <jd.mubix at gmail.com> wrote:

> Correct, the actual execution of the original binary is somewhat destroyed
> in trade though it's nearly undetectable at this point in time. So
> technically you could use this with my IExpress 'hack'
> http://www.room362.com/blog/2009/3/2/metasploit-hearts-microsoft.html -
> but your going to have to manually change the Icon and the file size will
> change.
>
> The reason why your exe | to encode isn't working is because when you do
> msfpayload in raw format it is just the shellcode instruction set that is
> getting sent to msfencode, where as you cat or echo is including all the PE
> headers and sections of a compiled binary, which "at this time" msfencode
> does not know how to handle. As you stated, this in 'binder' territory.
>
> Now back to the original topic, shoving shellcode into binaries is a tricky
> process, well, if you want it to go unnoticed, because you have to do a
> couple things:
>
> 1: Find a 'code cave' (a location in the binary that full of null bytes and
> (here is the tricky part) isn't used by the binary for extraction,
> compression or decompression at any time during execution.
> 2. Reroute execution to your shell code, safely and in a manor that doesn't
> hang the process until you close your shell.
> 3. Correct the registers so that after your shell code executes, the
> trojan'd binary doesn't fall over and die because it couldn't find the
> things it needed in memory.
>
> to do this all successfully and *arbitrarily* you need to get
> pretty intimate with the entire life of a process.
>
> --
> Rob Fuller | Mubix
> Room362.com | Hak5.org | TheAcademyPro.com
>
>
> On Tue, Dec 1, 2009 at 5:17 PM, Adrian Crenshaw <irongeek at irongeek.com>wrote:
>
> > Ok, I just read Rob post here:
> >
> > http://www.room362.com/blog/2009/11/3/metasploit-blends-in-new-msfpayloadencode.html
> >
> > and checked my exes. Since both are the same size, I'm guessing it's not
> > working as a binder but as a "cloaker" of sorts.
> >
> > Adrian
> >
> >
> > On Tue, Dec 1, 2009 at 5:12 PM, Adrian Crenshaw <irongeek at irongeek.com>wrote:
> >
> > > Ok, I did this:
> > >
> > > $ msfpayload windows/adduser user=test pass=test exitfunc=seh R |
> > > msfencode -t exe -x notepad.exe -o MYNEWFILE.exe
> > >
> > > The exe made has the same icon an metadata as the original. The payload
> > > runs since the "test" account is created, but notepad never comes up, so it
> > > doen not make much of a binder. Any ideas?
> > >
> > > Adrian
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091202/190ad6c1/attachment.htm