Teaching Old Shellcode New Tricks
REcon Brussels 2017
@midnite_runr
C’est Moi
• US Marine (out in 2001)
• Wrote BDF/BDFProxy
• Co-Authored Ebowla
• Found OnionDuke
• Work @ Okta
• Twitter: @midnite_runr
Why This Talk
• It’s fun
• It’s time to update publicly available shellcode
Part 1
Stephen Fewer’s Hash API
• SFHA, a.k.a. Hash API or the Metasploit payload hash (block_api)
• Introduced: 8/2009
• Uses a 4-byte hash to identify a DLL!WinAPI pair: walks the loaded modules from the PEB and hashes each export name in the EAT until one matches
• JMPs to the resolved WinAPI; the API’s ret lands back in the payload
• Some code borrowed from M. Miller’s (skape) 2003 Understanding Windows Shellcode paper
http://blog.harmonysecurity.com/2009/08/calling-api-functions.html
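To make the 4-byte hash concrete, here is the ROR13 hash as Metasploit’s block_api computes it, written as an added example (not code from the talk). The algorithm follows hash.py in Metasploit’s x86 shellcode source; the function names, the reverse lookup and the candidate list are this example’s own, and the candidate list is a constructed sample, not a full export table.

```python
"""ROR13 API hashing as Stephen Fewer's hash API / Metasploit block_api does it.

Added example, not code from the talk. Follows hash.py in Metasploit's
external/source/shellcode/windows/x86/src: module name upper-cased and hashed
as UTF-16LE including its terminating null, function name hashed as ASCII
including its null, the two dword sums added mod 2**32.
"""


def ror32(value, bits=13):
    """Rotate a 32-bit value right (`ror edi, 13` in the stub)."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def hash_bytes(data):
    """Rotate-then-add over every byte, exactly like the stub's name loops."""
    h = 0
    for b in data:
        h = (ror32(h) + b) & 0xFFFFFFFF
    return h


def api_hash(module, function):
    """SFHA hash of module!function, e.g. api_hash('kernel32.dll', 'WinExec')."""
    # block_api hashes BaseDllName.MaximumLength bytes, so the UTF-16 null is included
    module_hash = hash_bytes((module.upper() + '\0').encode('utf-16-le'))
    function_hash = hash_bytes((function + '\0').encode('ascii'))
    return (module_hash + function_hash) & 0xFFFFFFFF


def resolve_hash(target, candidates):
    """Reverse a hash by trying (module, function) pairs; None if nothing matches.
    A signature writer or analyst does this with full export lists; the
    candidate list below is a constructed sample."""
    for module, function in candidates:
        if api_hash(module, function) == target:
            return f'{module}!{function}'
    return None


SAMPLE_CANDIDATES = [  # constructed sample, not an exhaustive list
    ('kernel32.dll', 'LoadLibraryA'),
    ('kernel32.dll', 'WinExec'),
    ('kernel32.dll', 'GetVersion'),
    ('kernel32.dll', 'ExitThread'),
    ('ntdll.dll', 'RtlExitUserThread'),
]

if __name__ == '__main__':
    for module, function in SAMPLE_CANDIDATES:
        print(f'0x{api_hash(module, function):08X} = {module}!{function}')
```

The values this prints for WinExec, GetVersion and ExitThread are the ones that appear in the offset-table slides later in the deck, which is the whole point: the hash is a deterministic function of the name, so anyone with the algorithm can precompute every interesting DLL!API and match on the constant.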
Typical SFHA Based Payload
[—SFHA—][the actual payload logic]
[some winAPI]
Control flow (the numbered arrows on the slides): 1. execution starts in the SFHA stub and drops into the payload logic; 2. the payload pushes an API hash and calls the stub; 3. the stub resolves the hash in the EAT and JMPs to the WinAPI; 4. the WinAPI returns into the payload; 5. continue from 2 until done.
Defeating SFHA
• EMET (EAF/EAF+ and Caller checks)
• Piotr Bania, Phrack 63:15 // HAVOC, PoC||GTFO 12:7
• CFG/RFG
EMET Caller / EAF(+)
• EAF(+)
  • Introduced: 2010 (EAF) / 2014 (EAF+)
  • Protects the export tables of KERNEL32/NTDLL from being read; EAF+ adds KERNELBASE
• Caller
  • Introduced: 2013
  • Blocks ret/jmp into a WinAPI (anti-ROP) for critical functions
EMET is EOL
• Supported through July 31, 2018
• Still works**
** Depends on threat model
Tor Browser Exploit vs EMET
Bypassing EMET EAF(+)
• 2010: Berend-Jan Wever (Skypher blog) - ret-2-libc via ntdll
• 1/2012: Piotr Bania - erase the EAF hardware breakpoints via NtContinue
• 9/2014: Offensive Security - EAF+ bypass via EMET function reuse, calling ZwSetContextThread directly
http://web.archive.org/web/20101125174240/http://skypher.com/index.php/2010/11/17/bypassing-eaf/
http://piotrbania.com/all/articles/anti_emet_eaf.txt
https://www.offensive-security.com/vulndev/disarming-emet-v5-0/
Bypassing EMET Caller
• 2/2014 - Jared DeMott - demoed a payload that directly used LoadLibraryA (LLA)
https://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf
IAT Based Payloads in BDF
• May 30, 2014
• Added IAT based payloads/shellcode to BDF
• Call APIs directly through the host binary’s IAT thunks instead of resolving them in the EAT
• This bypassed the EMET Caller/EAF(+) checks
Position Independent IAT Shellcode
• Dec 2014
• Prior art: 12/2003 - skape (M. Miller), Understanding Windows Shellcode
• Prior art: 2005 - Piotr Bania, IAT parser, Phrack 63:15
http://www.hick.org/code/skape/papers/win32-shellcode.pdf
http://phrack.org/issues/63/15.html
Emailed the EMET Team
¯\_(ツ)_/¯
IAT Based Stub
• LoadLibraryA(LLA)/GetProcAddress(GPA) in Main Module
https://gist.github.com/secretsquirrel/2ad8fba6b904c2c952b8
GetProcAddress Only Stub
When only GetProcAddress is in the IAT, use it to fetch LoadLibraryA:
LoadLibraryA.Handle = GetProcAddress(Kernel32.addr, ‘LoadLibraryA’)
  push eax        ; LLA address is in EAX, save it on the stack
  mov ebx, esp    ; EBX now points at the saved pointer to LLA
  …
  call [ebx]      ; call LoadLibraryA through that pointer
IAT Based Stub(s)
• LoadLibraryA(LLA)/GetProcAddress(GPA) in main module
• LLA/GPA in a loaded module (dll)
• GPA to LLA in main module
• GPA to LLA in loaded module
System Binaries/DLLs with LLAGPA (both LLA and GPA) or GPA in the IAT
OS        LLAGPA    GPA
XP SP3     1300    5426
Vista       645   26855
Win7        675   48383
Win8        324   31158
Win10       225   50522
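The stub variants above, and the counts in this table, assume you can tell for a given EXE or DLL whether kernel32!LoadLibraryA and GetProcAddress are reachable through its IAT. As an added example, not code from the talk or from BDF/FIDO, here is a minimal PE32 import-table walker in Python that makes that decision. The PE it parses is constructed inline (a throwaway image with one .idata section, not a real binary), and the names build_sample_pe, find_iat_thunks and choose_stub are this example’s own.

```python
"""Locate kernel32!LoadLibraryA / GetProcAddress IAT slots in a PE32 file.

Added example, not code from the talk or from BDF/FIDO. build_sample_pe()
constructs a throwaway PE32 (sample input, not a real binary) so the parser
runs offline; find_iat_thunks() walks the import directory; choose_stub()
applies the talk's classification: LLA+GPA present, GPA only, or no fit.
"""
import itertools
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
SECTION_RVA, SECTION_FILE_OFFSET = 0x1000, 0x200   # the single sample section


def build_sample_pe(imports):
    """Constructed PE32 whose one section holds only an import table.
    `imports` maps DLL name -> list of functions imported by name."""
    n_desc = len(imports) + 1                      # descriptors plus null terminator
    body = bytearray(20 * n_desc)                  # descriptor array, patched at the end

    def append(data):                              # append to the section, return RVA
        rva = SECTION_RVA + len(body)
        body.extend(data)
        return rva

    descs = []
    for dll, funcs in imports.items():
        names = []
        for func in funcs:                         # IMAGE_IMPORT_BY_NAME: hint + name
            body.extend(b'\0' * (len(body) % 2))
            names.append(append(struct.pack('<H', 0) + func.encode() + b'\0'))
        dll_rva = append(dll.encode() + b'\0')
        body.extend(b'\0' * (-len(body) % 4))
        thunks = b''.join(struct.pack('<I', r) for r in names) + b'\0' * 4
        int_rva = append(thunks)                   # OriginalFirstThunk (name table)
        iat_rva = append(thunks)                   # FirstThunk: the loader overwrites these
        descs.append(struct.pack('<IIIII', int_rva, 0, 0, dll_rva, iat_rva))
    body[:20 * len(descs)] = b''.join(descs)

    raw_size = (len(body) + 0x1FF) & ~0x1FF
    opt = struct.pack('<HBBIIIIII', 0x10B, 0, 0, 0, len(body), 0,
                      SECTION_RVA, SECTION_RVA, SECTION_RVA)
    opt += struct.pack('<IIIHHHHHHIIIIHHIIIIII', 0x400000, 0x1000, 0x200,
                       0, 0, 0, 0, 4, 0, 0, SECTION_RVA + raw_size,
                       SECTION_FILE_OFFSET, 0, 3, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (SECTION_RVA, 20 * n_desc)
    opt += b''.join(struct.pack('<II', *d) for d in dirs)
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect_hdr = struct.pack('<8sIIIIIIHHI', b'.idata', len(body), SECTION_RVA,
                           raw_size, SECTION_FILE_OFFSET, 0, 0, 0, 0, 0xC0000040)
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)          # e_lfanew = 0x40
    headers = dos + b'PE\0\0' + file_hdr + opt + sect_hdr
    headers += b'\0' * (SECTION_FILE_OFFSET - len(headers))
    return headers + bytes(body) + b'\0' * (raw_size - len(body))


def _rva_to_offset(sections, rva):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f'RVA {rva:#x} is not backed by any section')


def _cstr(data, off):
    return data[off:data.index(b'\0', off)].decode('ascii')


def find_iat_thunks(pe):
    """Return {(dll_lowercase, function): rva_of_its_IAT_slot} for name imports."""
    e_lfanew = struct.unpack_from('<I', pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    n_sections = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from('<H', pe, opt)[0] != 0x10B:
        raise ValueError('PE32 only: PE32+ has 8-byte thunks and its directory at opt+0x70')
    imp_rva = struct.unpack_from('<I', pe, opt + 0x60 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    # section header fields at +8: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    sections = [(va, vs, ptr, rs) for vs, va, rs, ptr in
                (struct.unpack_from('<IIII', pe, opt + opt_size + 40 * i + 8)
                 for i in range(n_sections))]
    found = {}
    if not imp_rva:
        return found
    desc = _rva_to_offset(sections, imp_rva)
    while True:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from('<IIIII', pe, desc)
        if not name_rva and not iat_rva:           # all-zero descriptor ends the list
            break
        dll = _cstr(pe, _rva_to_offset(sections, name_rva)).lower()
        names = _rva_to_offset(sections, int_rva or iat_rva)   # some linkers zero the INT
        for idx in itertools.count():
            thunk = struct.unpack_from('<I', pe, names + 4 * idx)[0]
            if not thunk:
                break
            if not thunk & 0x80000000:             # ordinal imports carry no name
                func = _cstr(pe, _rva_to_offset(sections, thunk) + 2)   # skip the hint
                found[(dll, func)] = iat_rva + 4 * idx
        desc += 20
    return found


def choose_stub(thunks):
    """LLAGPA when both are in the IAT, GPA when LoadLibraryA must be fetched
    with GetProcAddress (the GPA-only stub above), None when neither fits."""
    gpa = thunks.get(('kernel32.dll', 'GetProcAddress'))
    lla = thunks.get(('kernel32.dll', 'LoadLibraryA'))
    if gpa and lla:
        return 'LLAGPA', {'LoadLibraryA': lla, 'GetProcAddress': gpa}
    if gpa:
        return 'GPA', {'GetProcAddress': gpa}
    return None, {}
```

The RVAs it returns are what a position-independent stub adds to the image base it finds at run time; the loader has already written the real function addresses into those slots, which is why reading them never touches the export tables EAF watches. PE32+ differs (8-byte thunks, ordinal flag in bit 63, import directory at opt+0x70), so the parser refuses such files rather than misreading them.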
FireEye Flash Malware w/EMET Bypass Jun 06, 2016
https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html
POC: https://github.com/ShellcodeSmuggler/IAT_POC
https://www.okta.com/blog/2016/07/the-emet-serendipity-emets-ineffectiveness-against-non-exploitation-uses/
What now?
• More payloads
• Many Metasploit payloads are based on the Hash API stub
• Much work
• Some ideas
Part II
Two Ideas
• Remove SFHA and replace it with X
• Build something to rewrite the payload logic for use with an IAT parsing stub
REWRITE ALL THE THINGS
MSF Windows x86 payloads follow a pattern (e.g. block_recv.asm)
https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_recv.asm
Workflow
• Take Input via stdin or from file
• Disassemble
• Capture blocks of instructions
• Capture API calls
• Capture control flow between two locations
• Protect LLA/GPA registers from being clobbered
LOE (level of effort)
• Five days straight at about 12-15 hour days
• When I solved one problem, 2-3 more appeared
• There is a point where a manual rewrite would have been easier - I crossed it
• 🔥BURN IT DOWN🔥
Next idea
[—SFHA—]
[the actual payload logic][—SFHA—]          the SFHA stub moved to the end…
[the actual payload logic]                   …then dropped entirely…
[the actual payload logic][IAT Stub]         …replaced by an IAT stub…
[the actual payload logic][IAT Stub][offset table]   …plus an offset table the stub uses to map hashes to names
![Page 56: Teaching Old Shellcode New Tricks - RECON.CX · PDF fileTeaching Old Shellcode New Tricks REcon Brussels 2017 @midnite_runr. C’est Moi ... • It’s time to update publicly available](https://reader031.vdocuments.us/reader031/viewer/2022020314/5a72f6b77f8b9a93538e5195/html5/thumbnails/56.jpg)
Some requirements
• Work from read/execute memory (no writes into the payload itself)
• Try to keep it small
• Support any Metasploit shellcode that uses SFHA
![Page 57: Teaching Old Shellcode New Tricks - RECON.CX · PDF fileTeaching Old Shellcode New Tricks REcon Brussels 2017 @midnite_runr. C’est Moi ... • It’s time to update publicly available](https://reader031.vdocuments.us/reader031/viewer/2022020314/5a72f6b77f8b9a93538e5195/html5/thumbnails/57.jpg)
Workflow
• Take input via stdin or from file
• Disassemble
• Capture blocks of instructions
• Capture API calls
• Build a lookup/offset table
• Find an appropriate IAT for the EXE
• OUTPUT
![Page 58: Teaching Old Shellcode New Tricks - RECON.CX · PDF fileTeaching Old Shellcode New Tricks REcon Brussels 2017 @midnite_runr. C’est Moi ... • It’s time to update publicly available](https://reader031.vdocuments.us/reader031/viewer/2022020314/5a72f6b77f8b9a93538e5195/html5/thumbnails/58.jpg)
Offset Table Approach
[876f8b31][XX][XX][0a2a1de0][XX][XX][9dbd95a6][XX][XX]
  hash     DLL  API
b'RtlExitUserThread\x00ExitThread\x00kernel32\x00WinExec\x00GetVersion\x00ntdll\x00'
Each entry keeps the payload’s original 4-byte SFHA hash and adds two offsets ([XX]) into the null-separated string blob: one for the DLL name, one for the API name. The stub looks the hash up, then hands those strings to LoadLibraryA/GetProcAddress.
The new workflow
[IAT Stub][Lookup table][the actual payload logic]
[some winAPI]
Control flow (the numbered arrows on the slides): 1. execution starts in the IAT stub, which finds LLA/GPA through the host’s IAT and drops into the payload logic; 2. the payload pushes its unchanged hash and calls the stub; 3. the stub finds the hash in the lookup table and reads the DLL/API strings; 4. LoadLibraryA/GetProcAddress resolve the API; 5. JMP to the WinAPI; 6. the WinAPI returns into the payload, continue from 2 until done.
LOE
• The initial POC took < 12 hours
• Adding the workflow and stubs:12 hours
• Finalizing the tool: ಠ_ಠ
• But I’m happy 🤓
About those API Hashes
![Page 80: Teaching Old Shellcode New Tricks - RECON.CX · PDF fileTeaching Old Shellcode New Tricks REcon Brussels 2017 @midnite_runr. C’est Moi ... • It’s time to update publicly available](https://reader031.vdocuments.us/reader031/viewer/2022020314/5a72f6b77f8b9a93538e5195/html5/thumbnails/80.jpg)
About those API Hashes
• They are now meaningless
![Page 81: Teaching Old Shellcode New Tricks - RECON.CX · PDF fileTeaching Old Shellcode New Tricks REcon Brussels 2017 @midnite_runr. C’est Moi ... • It’s time to update publicly available](https://reader031.vdocuments.us/reader031/viewer/2022020314/5a72f6b77f8b9a93538e5195/html5/thumbnails/81.jpg)
About those API Hashes
• They are now meaningless
• AVs depend on them for signatures
![Page 82: Teaching Old Shellcode New Tricks - RECON.CX · PDF fileTeaching Old Shellcode New Tricks REcon Brussels 2017 @midnite_runr. C’est Moi ... • It’s time to update publicly available](https://reader031.vdocuments.us/reader031/viewer/2022020314/5a72f6b77f8b9a93538e5195/html5/thumbnails/82.jpg)
About those API Hashes
• They are now meaningless
• AVs depend on them for signatures
• What happens if we mangle them?
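As an added example (not code from the talk or from FIDO), here is the constant-matching that such AV signatures boil down to, assuming the public ROR-13 algorithm from Metasploit's block_api: it computes the SFHA hash for a small watchlist of module!function pairs and scans a constructed byte blob for those 4-byte constants. A hash that has been altered by even one bit produces no hit, which is why a detection that keys only on these constants is brittle.

```python
import struct

def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` (x86 ROR semantics)."""
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF

def sfha_hash(module: str, function: str) -> int:
    """Stephen Fewer's hash as used by block_api: ror13 over the upper-cased
    UTF-16LE module name (including its 2-byte terminator) plus ror13 over the
    ASCII function name (including its NUL), summed mod 2^32."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, 13) + b) & 0xFFFFFFFF
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = (ror32(h_fn, 13) + b) & 0xFFFFFFFF
    return (h_mod + h_fn) & 0xFFFFFFFF

# Watchlist of APIs that public shellcode resolves via the hash API.
WATCHLIST = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "VirtualAlloc"),
    ("ws2_32.dll", "WSAStartup"),
]

def find_api_hashes(blob: bytes, watchlist=WATCHLIST) -> list:
    """Return (offset, module, function) for every watchlist hash that occurs
    as a little-endian DWORD in blob; the scan is byte-aligned, since the
    constant is usually an immediate operand (e.g. after a PUSH opcode)."""
    table = {struct.pack("<I", sfha_hash(m, f)): (m, f) for m, f in watchlist}
    hits = []
    for off in range(len(blob) - 3):
        key = blob[off:off + 4]
        if key in table:
            hits.append((off,) + table[key])
    return hits

# Constructed sample, not real shellcode: NOP filler with two PUSH-imm32 style
# hash constants embedded (LoadLibraryA at offset 6, VirtualAlloc at offset 14).
SAMPLE = (b"\x90" * 5 + b"\x68" + struct.pack("<I", 0x0726774C)
          + b"\x90" * 3 + b"\x68"
          + struct.pack("<I", sfha_hash("kernel32.dll", "VirtualAlloc")))

if __name__ == "__main__":
    for off, mod, fn in find_api_hashes(SAMPLE):
        print(f"offset {off}: {mod}!{fn} (0x{sfha_hash(mod, fn):08X})")
```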
Introducing FIDO
Issues with some DLLs
System Binaries/DLLs with LLAGPA or GPA in IAT
(LLAGPA = both LoadLibraryA and GetProcAddress imported; GPA = GetProcAddress imported)

| OS | LLAGPA | GPA |
|---|---|---|
| XPSP3 | 1300 | 5426 |
| VISTA | 645 | 26855 |
| WIN7 | 675 | 48383 |
| WIN8 | 324 | 31158 |
| WIN10 | 225 | 50522 |
API-MS-WIN-CORE*
• These files are the exposed implementation of the Windows API
• Existed since Win7
• GPA is implemented via API-MS-WIN-CORE-LIBRARYLOADER-*.DLL
• Normally used in system DLLs
• Can be called by userland applications via IAT parsing
Because it is in…
Kernel32.dll
SAY AGAIN?
• We just need GPA in any DLL Import Table to access the entire Windows API
• Since Win7, GPA has been in the Kernel32.dll Import Table
• We’ve had a stable EMET EAF(+)/Caller bypass opportunity since Win7 (works on Win7 through Win10)
One more thing
• GetProcAddress is not the only one
• LoadLibraryExA is in API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0.dll
  LoadLibraryA('moo.dll') == LoadLibraryExA('moo.dll', 0)
• This is completely reliable for Win7
• Maybe Windows 8
• Not on Win10: must use ExternGPA with API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0.dll
Tor Exploit w/My Stub vs EAF+/Caller
DEMO: https://youtu.be/oqHT6Ienudg
Issues
• Multi-staged payloads should not use SFHA - will be flagged by EMET
• Meterpreter DLL flagged by EMET EAF because of Reflective DLL loader
• Updating MSF will take some work
• Need to do winx64
Questions?
• CFG/RGF Implications? ¯\_(ツ)_/¯
• Get the code: https://github.com/secretsquirrel/fido
• Thanks: @SubTee, @FreedomCoder, @Wired33, @__blue__