Thursday, February 18, 2016

Post-Exploitation Shellcode

Recently I was experimenting with Office Macro shellcode. And it kept getting flagged/caught by EMET!

Increasingly I find myself needing Post-Exploit shellcode fragments...
I realized that if I am executing shellcode Post-Exploit, there really is no reason to scan memory for kernel32.dll, LoadLibrary, GetProcAddress, etc...

I already HAVE access to the API in Office Macros and PowerShell.

I know, I'm slow... Should have dawned on me earlier...

Realize that I am trying to execute stub shellcode to preserve existing infrastructure, Metasploit or CobaltStrike for example.

There is a lot that could be done Post-Exploit.

So, Post-Exploit shellcode execution has a different set of requirements/capabilities.


So early this morning I wrote a quick proof of concept found here:

We can let the Macro or PowerShell provide the handles for the necessary calls, in a more natural way that is more difficult for EMET to pick up.

Again, this is a really rough draft in an area I continue to experiment with. But I suspect there is a lot more to this.

Probably has application to the way we call Invoke-Shellcode.ps1, etc...

These are all Post-Exploit calls.

Time to crank out some more asm.
That's all for now.


Cheers,
Casey @subt0x10
