August 08, 2011, 2:51 PM — by Spencer McIntyre, SecureState -- A while ago, many security-focused sites and mailing lists were abuzz with the release of a new tool called ShellCodeExec, which boasts the ability to execute alphanumeric shellcode (as commonly generated with the Metasploit Framework). I was particularly interested in how this new tool worked, and the author, Bernardo Damele, was kind enough to release it under an open source license, allowing me to review the source. The source is all written in C and supports both Linux and Windows. I have never had the need to execute shellcode to bypass antivirus on Linux, so I focused on the Windows portion.
The method this tool uses is a simple one: it allocates a region of its own address space with a call to VirtualAlloc, requesting read, write, and execute permissions. VirtualAlloc is a Windows-specific call that reserves and commits a region of memory with the specified page protection. The read and write permissions are required because alphanumeric shellcode decodes itself in place as it executes, so the pages it lives on must be writable as well as executable. ShellCodeExec then copies the user-supplied shellcode string into the buffer returned by VirtualAlloc. Finally, ShellCodeExec executes the shellcode via an assembly stub that takes a pointer to the shellcode as its only parameter and calls it. One of the very nice features of this tool is that the stub used to execute the shellcode is wrapped in a Structured Exception Handler (SEH) block, allowing the program to recover gracefully even if the shellcode raises an exception.
One feature that I believe would greatly complement ShellCodeExec is the ability to inject the shellcode into a process of the user's choosing, identified by its process ID. This can be particularly useful on a host that only permits certain processes to initiate outbound connections. With this goal in mind, I set out to implement these techniques in my own general-purpose injection utility, which I have dubbed Syringe.
To inject the shellcode into a remote process, I chose to modify the popular DLL injection technique that relies on CreateRemoteThread. That technique starts a new thread in the target process with a pointer to “LoadLibraryA” as the thread's start routine and, as its single argument, a pointer to a character array holding the path of the DLL to load. To execute the shellcode provided by the user, I followed the same concept but instead wrote an assembly stub into the address space of the remote process and made that stub the thread's start routine. The stub takes a single argument, just like LoadLibraryA, but instead of naming a DLL to load, the argument points to the shellcode to execute, in the same way ShellCodeExec does.
To implement this technique, Syringe follows these steps: