🐚Quick and Dirty: gather shellcode from a previously generated executable
Step 1: Generate the Payload Executable (example with MSFVenom)
Start by creating a Windows executable payload using msfvenom.
Command
msfvenom -p windows/x64/messagebox TEXT="shellcode run" -f exe -o payload.exe-p: Specifies the payload, in this case, a simple Windows alert box (flagged as a meterpreter, wtf).TEXT: the message displayed by the alert box-f exe: Specifies the output format as.exe.-o payload.exe: Output file name.
Once completed, you’ll have a file named payload.exe.
Step 2: Disassemble the Executable with objdump
objdumpAfter generating the executable (payload.exe), we'll use objdump to analyze the sections of the binary. This will help us determine where the payload resides in the executable.
objdump -x payload.exeThis command will print detailed information about the PE (Portable Executable) file format, including section headers. The output will look something like this:
Sections :
Idx Name Taille VMA LMA Off fich Algn
0 .text 0000104e 0000000140001000 0000000140001000 00000400 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .rdata 00000084 0000000140003000 0000000140003000 00001600 2**4
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .vvpq 00000278 0000000140004000 0000000140004000 00001800 2**2
CONTENTS, ALLOC, LOAD, CODE
⚠️ MSFVenom specification ⚠️
In a basic PE, the executable part should be stored in the .text section. In the case of MSFVenom, the tool generate a non standard section containing the payload (.vvpq in our example), we will use this custom section in this tutorial, but keep in mind that the usual section should be .text.
Key Information from objdump Output:
.vvpq section file offset:
0x1800(This is where the executable part starts in the file)..vvpq section size:
0x278(This is the size of the executable part in bytes).
Step 3: Extract the Hex Data Using xxd
xxdNow that we have the correct file offset and size for the .vvpq section, we can extract the raw shellcode using the xxd command.
Use the following command to extract the shellcode in hexadecimal format:
xxd -s 0x1800 -l 0x278 -p payload.exe > shellcode.hexCommand Breakdown:
-s 0x1800: Start reading from the file offset0x1800, where the.vvpqsection begins.-l 0x278: Read0x278bytes (632 bytes), which is the size of the.vvpqsection.-p: Output raw hexadecimal bytes without addresses.payload.exe: The input executable.> shellcode.hex: Write the extracted shellcode to a file calledshellcode.hex.
Step 4: Reformat for code embedding 📝
C/C++
xxd natively support conversion into a format suitable for embedding, such as a C-style array.
Here’s an example of how to convert the hex data into a C array:
xxd -i shellcode.hex > shellcode.cThis will create a C file (shellcode.c) that contains the shellcode in a format suitable for use in a C program.
Golang
Instead of using C-style \x formatting, Go uses a []byte slice to represent binary data. The hex dump can be reformatted into a Go-compatible byte slice like this:
Command for Go Formatting:
cat shellcode.hex | sed 's/\(..\)/0x\1,/g' | tr -d '\n' | sed 's/,$//'sed 's/\(..\)/0x\1,/g': This converts each pair of hex characters into a0xXX,format, which is the correct syntax for a byte slice in Go.tr -d '\n': Removes newlines, ensuring the output is one continuous line.sed 's/,$//': Removes the trailing comma from the last byte to ensure proper syntax for Go.
🎉 Summary
You now have your shellcode extracted from an msfvenom executable, ready to use! Keep in mind that this method is the "quick and dirty" way for getting shellcodes.
Obviously, the above tutorial is reproductible with any input executable, i used msfvenom for simplicity purposes (dont forget to adapt the procedure, while msfvenom don't use the .text section like other PE).
Last updated