January 12

Webinar takeaway – Shellcode Execution with Python


Teaser for this webcast, which made me attend:

Imagine you are pen testing a company and gain access to a Windows application server. You discover the server has application allow listing deployed, and strong EDR/XDR defensive solutions. To your excitement, you find there is a Python interpreter installed. It would be really great if you could use that Python interpreter to execute your favorite C2 framework shellcode and use all of your normal hacking toolsets to continue your work. With a little bit of coding work, you can! In this Black Hills Information Security (BHIS) webcast, you will learn exactly how to achieve your goal of shellcode execution with Python.

My key takeaways

  • Having a Python interpreter installed on a Windows application server is an additional security risk: it lets an attacker build a C2 channel without using any exe (which EDR might detect)
    • Disable the Microsoft Store to reduce living-off-the-land (LOTL) opportunities
  • The built-in Python 3 ctypes library provides C-compatible data types and allows calling functions exported by DLLs
  • ntdll.dll, which is largely undocumented, might help overcome the barrier between user mode and kernel mode
  • It is easy to crash the interpreter when calling C functions in a DLL if incompatible Python types are passed as arguments
    • Using ctypes.wintypes helps avoid this
  • Remote process injection is often detected by EDR/XDR; creating a thread within the Python process itself is preferred.
    • Basic steps to follow:
      • Allocate some memory
      • Copy the shellcode to the allocated memory
      • Create the thread with the starting address of the allocated memory
      • Wait on the thread
  • You can reduce the risk of getting busted by adding English words or NULLs to your script
  • Memory scanners look for virtual memory not backed by a disk image.
    • Use the heap in the same process
    • Make the new thread's base address "look" legit.
  • Evaluate whether the Python 3 process is 64-bit or 32-bit: print(sys.maxsize == 2 ** 63 - 1) or platform.architecture() (module import required)
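The memory-scanner heuristic from the takeaways above, written out as an added Python example (not code from the webcast or from BHIS): it classifies MEMORY_BASIC_INFORMATION-style records, using the real Windows MEM_*/PAGE_* constant values, and flags committed executable memory that no loaded image backs. The sample regions, addresses and paths are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Windows constants as reported in MEMORY_BASIC_INFORMATION by VirtualQueryEx
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000      # VirtualAlloc'd memory and heaps: nothing on disk backs it
MEM_MAPPED = 0x40000       # section backed by a data file or the pagefile
MEM_IMAGE = 0x1000000      # section backed by a loaded PE image (exe/dll)
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

@dataclass
class Region:
    base: int
    size: int
    state: int         # MEM_COMMIT / MEM_RESERVE / MEM_FREE
    protect: int       # PAGE_* value, possibly with PAGE_GUARD etc. ORed in
    kind: int          # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    backing: str = ""  # path of the backing file, empty for private memory

def flag_region(r: Region) -> List[str]:
    # Return the reasons a scanner would flag this region (empty list = clean)
    reasons: List[str] = []
    if r.state != MEM_COMMIT or not (r.protect & EXEC_MASK):
        return reasons  # only committed, executable pages can run code
    if r.kind != MEM_IMAGE:
        reasons.append("executable memory not backed by a loaded image")
    if r.protect & PAGE_EXECUTE_READWRITE:
        reasons.append("writable and executable at the same time (RWX)")
    return reasons

def scan(regions: List[Region]) -> List[Tuple[int, List[str]]]:
    # (base address, reasons) for every region the heuristic flags
    return [(r.base, reasons) for r in regions if (reasons := flag_region(r))]

# Constructed sample of a python.exe address space (addresses and paths are made up)
SAMPLE = [
    Region(0x7FF600001000, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\Python3\python.exe"),
    Region(0x7FFA00001000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\Windows\System32\ntdll.dll"),
    Region(0x000002100000, 0x1000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),           # ordinary heap data
    Region(0x000002300000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),   # RWX private page
    Region(0x000002400000, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_MAPPED, r"C:\Temp\data.bin"),
]

if __name__ == "__main__":
    for base, reasons in scan(SAMPLE):
        print(f"{base:#018x}: {'; '.join(reasons)}")
```

On a live Windows host the same records come from walking a process with VirtualQueryEx; the image-backed .text pages of python.exe and ntdll.dll pass, while the private RWX page and the executable file mapping are what a scanner reports.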

Tags

C2, python, shellcode
