Metasploit Shellcode Grows Up: Encrypted and Authenticated C Shells

by Shelby Pace

Rapid7, 2019

https://github.com/rapid7/metasploit-framework/pull/12530

This blog post describes the addition of encrypted and authenticated shells to the Metasploit Framework.

| Notes |
|---|
| Metasploit |
| encryption |
| payload |
| ChaCha20 |
| traffic analysis |
| random authentication key |
| authentication |
| pingback payload |
| MinGW |
| C |
| TCP |
| obfuscation |
| stageless payload |
| staged payload |
| Windows |
| x86 |
| x64 |
| command shell |
| assembly language |
| stub |
| concatenation |
| Metasm |
| Matt Graeber |
| Nick Harbour |
| position-independent shellcode |
| GetProcAddress() |
| WinAPI |
| WinAPI function resolution |
| DLL |
| kernel32.dll |
| Winsock |
| LoadLibrary() |
| GetProcAddressWithHash() |
| Process Environment Block |
| Export Address Table |
| -nostdlib |
| main function |
| strings |
| .text section |
| .rdata section |
| PE file |
| shellcode |
| -O2 compiler optimization flag |
| declaring strings as byte arrays |
| ExecutePayload() |
| -ffunction-sections |
| objdump |
| StripSymbols |
| AlignRSP() |
| linker script |
| lib/metasploit/framework/mingw.rb |
| compiler |
| linker |
| RWX memory region |
| flagged by AV |
| Windows, Linux, macOS, Debian, Ubuntu, Kali Linux |
| homebrew |
| mingw-x64 package |
| nonce |
| UUID |
| random key |
| Metasploit database |
| msfvenom |
| Windows Defender |
| AV evasion |