Function custom_shellcode

github.com/trustedsec/unicorn · unicorn.py:384–429

# this is used for custom shellcode generation
def custom_shellcode():
    print("""
[*******************************************************************************************************]

 -----Custom Shellcode Generation Method----

This method will allow you to insert your own shellcode into the Unicorn attack. The PowerShell code
will allocate memory inside powershell.exe (through VirtualAlloc) and inject the shellcode into it.

Note that in order for this to work, the txt file that you point Unicorn to must be in the
following format or it will not work:

0x00,0x00,0x00 and so on.

Also note that there are size restrictions. The total length of the PowerShell command cannot exceed
8191 characters. This is the maximum command-line length in Windows cmd.exe.

Usage:

python unicorn.py shellcode_formatted_properly.txt shellcode

Next, simply copy the PowerShell command to wherever you have remote command execution.

NOTE: THE FILE MUST BE PROPERLY FORMATTED IN A 0x00,0x00,0x00 TYPE FORMAT WITH NOTHING OTHER THAN
YOUR SHELLCODE IN THE TXT FILE.

There are some caveats with this attack. If your payload is large it will not fit in cmd.exe: from a
command-line argument perspective, if you copy and paste you will hit the 8191 character limit
(hardcoded into cmd.exe). If you are launching directly from cmd.exe this is an issue; if you are
launching directly from PowerShell or other normal applications it is a non-problem.

For example, WScript.Shell and PowerShell use a UNICODE_STRING, whose USHORT byte length gives a
65535 / 2 = 32767 character limit:

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING;

So for this attack, if you are launching directly from PowerShell or VBScript (WScript.Shell), there are
no issues.


[*******************************************************************************************************]
    """)
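The file format and the two command-line limits described in the help text above, as an added example that is not part of trustedsec/unicorn's own code: a parser for the `0x00,0x00,...` text format that rejects anything other than comma-separated bytes (Unicorn's own loader is not reproduced here), the inverse formatter for turning a raw shellcode blob into that format, and a length check against the 8191-character cmd.exe limit and the 32767-character UNICODE_STRING limit. The function names, the constants and the sample bytes are constructed for illustration.

```python
# Added example, not trustedsec/unicorn code. Helper names and sample data are
# assumptions made for illustration.
import re

CMD_EXE_MAX = 8191          # cmd.exe command-line limit (characters), per the help text
UNICODE_STRING_MAX = 32767  # USHORT Length is a byte count; 65535 / 2 UTF-16 units

# one token of the required format: 0x followed by one or two hex digits
_BYTE_RE = re.compile(r"^0x[0-9a-fA-F]{1,2}$")


def parse_shellcode_text(text: str) -> bytes:
    """Parse shellcode written in Unicorn's required '0x00,0x00,...' format.

    Line breaks and spaces around tokens are tolerated (it is a text file),
    and a single trailing comma is accepted. Anything else that is not a
    comma-separated 0x.. byte raises ValueError, which enforces the
    "nothing other than your shellcode in the txt file" rule.
    """
    tokens = [t.strip() for t in text.replace("\r", "").replace("\n", "").split(",")]
    if tokens and tokens[-1] == "":       # hand-edited files often end with a comma
        tokens.pop()
    if not tokens:
        raise ValueError("empty shellcode file")
    out = bytearray()
    for i, tok in enumerate(tokens):
        if not _BYTE_RE.match(tok):
            raise ValueError(f"token {i} ({tok!r}) is not a 0x.. byte")
        out.append(int(tok, 16))
    return bytes(out)


def format_shellcode_text(code: bytes) -> str:
    """Inverse of parse_shellcode_text: emit the '0x00,0x00' form from raw bytes."""
    return ",".join(f"0x{b:02x}" for b in code)


def check_command_length(command: str) -> dict:
    """Report whether a one-liner fits the launchers the help text names.

    Length is measured in UTF-16 code units, which is what a Windows
    command line and a UNICODE_STRING actually count.
    """
    n = len(command.encode("utf-16-le")) // 2
    return {
        "length": n,
        "fits_cmd_exe": n <= CMD_EXE_MAX,
        "fits_unicode_string": n <= UNICODE_STRING_MAX,
    }


if __name__ == "__main__":
    # constructed sample: three harmless bytes in the documented format
    sample = "0x90, 0x90,\n0xcc,"
    code = parse_shellcode_text(sample)
    print(f"parsed {len(code)} bytes: {code.hex()}")
    print("round trip:", format_shellcode_text(code))
    # constructed oversized one-liner: too long for cmd.exe, fine for PowerShell
    print(check_command_length("A" * 9000))
```

Run the parser over the txt file before handing it to Unicorn; a `\x90`-style or `0x90 0x90` (space-separated) file is rejected with the offending token index, which is the failure mode the "MUST BE PROPERLY FORMATTED" note warns about. The length check is meant for the finished PowerShell command Unicorn emits, not for the shellcode text itself.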

Callers (2): format_payload (function), unicorn.py (file)
Calls: none
Test coverage: none detected