We've released an update to Core Impact Pro that adds a small (but interesting) new feature to one of our most popular modules. Users now have the ability to generate agent payloads that can be customized for specific targets by third-party frameworks. Core Impact Pro's “Package and Register Agent” is our executable payload generator module. It's truly the Swiss Army Knife of exploitation -- it can be used in trojan-like attacks, in OS command injections against in-house developed web applications, for setting up an agent for pivoting, and in a number of other scenarios.
Within the "Package and Register Agent" module, you previously chose between two options: “executable” and “library.” We've added a third option: "raw." When you select "raw," the output is a file containing shellcode. This shellcode can then be used to deploy an Impact agent according to the parameters selected in the third-party module, such as which connection method to use, which architecture and operating system the shellcode should be created for, injection options, whether a multistage attack should be used, etc. This new feature was developed based on requests from our users, who wanted the advanced capabilities that come with deploying an agent but needed to apply their own processing to the payloads.
Even though we try to provide as much functionality as possible, the truth is that there will always be another feature we could have added. For example, we could write encoder after encoder, generating VBS, Java, PHP, etc., but there's always going to be a language we've left out. That's just one scenario in which you might want raw shellcode capable of deploying an agent.
A Practical Example

As I mentioned, having access to the shellcode enables interaction with third-party tools, including msfencode from Metasploit Framework and Veil-Evasion from Veil Framework. Let's look at an example of how we would go about this process, first using Veil Framework. Our first step is to generate an agent using the new "raw" option in the “Package and Register Agent” module. When we click “OK,” the task starts, and we can check the module log to follow its progress. We can now use Veil-Evasion to encode the payload. Consider which payload from Veil to choose: although all the “*/shellcode_inject/*” payloads should work, we've found a few bugs and limitations in some of them, so we suggest trying any generated payload against a laboratory target first. After selecting the payload, we can adjust the payload generation options in Veil. The next step is to issue the "generate" command and select the option for providing our own shellcode from a file. Finally, we have a payload.exe ready for use. Copying the resulting file back to Windows then allows you to deploy an agent on a target system. You can also use the Python file directly to deploy the agent on a target where a Python interpreter is available.
Metasploit Framework

As seasoned Metasploit users know, doing something similar with "msfencode" is just a matter of running a command and specifying the file containing the shellcode as input. For example:
./msfencode -i raw_agent -t exe -x template_x86_windows.exe -o agent.exe -e x86/shikata_ga_nai -c
will generate a PE executable, encoded using shikata_ga_nai.
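For the defensive side of the msfencode step above, here is an added example (not Core Security's or Metasploit's code) of a heuristic scanner for the GetPC idiom that x86/shikata_ga_nai decoder stubs rely on: an fnstenv [esp-0xc] instruction (bytes d9 74 24 f4) followed within a few bytes by a pop into a general-purpose register. The sample buffers are constructed for the example, and the pattern is a heuristic for triage, not a complete signature for every encoder.

```python
import re
from typing import List

# Heuristic, not a full signature: the x86/shikata_ga_nai decoder stub locates
# itself with an FPU instruction followed by `fnstenv [esp-0xc]` (d9 74 24 f4)
# and a `pop r32` (opcodes 58..5f) that reads the saved FPU instruction pointer
# off the stack. Ordinary compiled code almost never uses this exact idiom,
# so a hit is worth a closer look during triage of a suspicious binary.
GETPC_FNSTENV = re.compile(rb"\xd9\x74\x24\xf4.{0,4}?[\x58-\x5f]", re.DOTALL)


def find_getpc_stubs(data: bytes) -> List[int]:
    """Return the byte offsets at which the fnstenv/pop GetPC idiom appears."""
    return [m.start() for m in GETPC_FNSTENV.finditer(data)]


def scan_file(path: str) -> List[int]:
    """Scan a file on disk (for example a PE produced by msfencode) for the idiom."""
    with open(path, "rb") as fh:
        return find_getpc_stubs(fh.read())


# Constructed samples (not real payloads): NOP padding, the idiom, then filler.
SAMPLE_HIT = b"\x90" * 16 + b"\xd9\x74\x24\xf4\x5b" + b"\x00" * 16
# fnstenv alone, with no pop within reach, must not trigger the heuristic.
SAMPLE_MISS = b"\x90" * 16 + b"\xd9\x74\x24\xf4" + b"\xcc" * 8

if __name__ == "__main__":
    for name, buf in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS)):
        print(name, find_getpc_stubs(buf))
```

A single hit is a lead, not a verdict: confirm by disassembling at the reported offset and checking for the rest of the decoder loop before acting on it.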