Veil-Ordnance

•

6 likes•4,293 views

Veil-Ordnance is a new tool recently added into the Veil-Framework. It's designed to quickly generate shellcode for exploits or use inside backdoor executables.

Technology

Shellcode Generation
Shellcode is commonly the medium for payloads
within exploits
Typically, it’s generated using one of two methods
msfvenom
msfpayload | mefencode
Unless custom written, most people rely on MSF

Veil-Evasion
We “outsource” our shellcode generation capabilities
Reliance on outside tools can cause problems
If msfvenom output changes, our parsing breaks
This has happened twice
Speed - MSF slow to start (even with simplified
framework)

What we need
We need a tool that generates shellcode
Output doesn’t change
Allows us to easily control what we want to parse
Still provide some bad character avoidance
capabilities
Speed is always nice too

Command Line Options
-p = Stager Type
rev_tcp…
- -ip = IP (or domain)
to connect to
- -port = Port to
connect to or listen
on
-e = encoder name
xor
-b = bad characters
- -print-stats = size,
name, etc.
- -list-payloads
- -list-encoders

Veil-Ordnance Info
Six different payloads
Tried to base off of my experience as most common (rev_tcp,
bind_tcp, rev_https, rev_http, rev_tcp_dns, rev_tcp_all_ports)
All payloads have been ported from the Metasploit Framework -
i.e. I did not write the shellcode!
Jon Yates (@redbeardsec) really helped with diving in to learn how
these are generated
1 Encoder
Single Byte Xor Encoder - Developed by Justin Warner (@sixdub)

I Need Help!
Encoders! Please, send me any/all python
POCs!
Slowly working through msf encoders
Feedback, bugs, etc.!

Thanks! Questions?
Get in touch!
@ChrisTruncer or @veilframework
https://www.veil-framework.com
https://www.christophertruncer.com
https://github.com/Veil-Framework
#Veil on Freenode
Chris at veil-framework dot com

What's hot

The State of the Veil Framework

VeilFramework

Pentester++

CTruncer

Bringing Down the House - How One Python Script Ruled Over AntiVirus

CTruncer

An EyeWitness View into your Network

CTruncer

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

midnite_runr

The Art of AV Evasion - Or Lack Thereof

CTruncer

Hacking - Breaking Into It

CTruncer

Egress-Assess and Owning Data Exfiltration

CTruncer

CheckPlease - Payload-Agnostic Implant Security

Brandon Arvanaghi

What Goes In Must Come Out: Egress-Assess and Data Exfiltration

CTruncer

CheckPlease: Payload-Agnostic Targeted Malware

Brandon Arvanaghi

Passive Intelligence Gathering and Analytics - It's All Just Metadata!

CTruncer

Finding Needles in Haystacks

snyff

Why Rust? - Matthias Endler - Codemotion Amsterdam 2016

Codemotion

Rust Programming Language

Jaeju Kim

ECMAScript 6, in short ES6, has been boiling in a copper pot for many years by now and step-by-step, browser vendors come forward to taste the first sips of this mystery soup. So, ES6 is no longer a theoretic language but already crawled across the doorstep and now lurks under your bed, ready for the nasty, waiting for the right moment to bite. Now, what is this whole ES6 thing? How did it develop and who made it? And why is it now implemented in your favorite browser? And what does it mean for web-security and beyond? This talk will answer these questions and showcase the new language from an attacker's perspective. You will see the new code constructs possible to be executed with ES6, new attack vectors and learn what you can do to tame that beast. Kafkaesque terminology such as expression interpolation, proper tail calls, computed properties, spread parameters, modules and tagged template strings will no longer be surprising you after attending this talk.

ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...

Mario Heiderich

S2 e (selective symbolic execution) -shivkrishna a

Cysinfo Cyber Security Community

Deep drive into rust programming language

Vigneshwer Dhinakaran

This presentation will sum up how to do tunnelling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunnelling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunnelling on your network or to bypass misconfigured filters.

XFLTReat: a new dimension in tunnelling

Shakacon

Exploitation and State Machines

Michael Scovetta

What's hot (20)

The State of the Veil Framework

Pentester++

Bringing Down the House - How One Python Script Ruled Over AntiVirus

An EyeWitness View into your Network

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

The Art of AV Evasion - Or Lack Thereof

Hacking - Breaking Into It

Egress-Assess and Owning Data Exfiltration

CheckPlease - Payload-Agnostic Implant Security

What Goes In Must Come Out: Egress-Assess and Data Exfiltration

CheckPlease: Payload-Agnostic Targeted Malware

Passive Intelligence Gathering and Analytics - It's All Just Metadata!

Finding Needles in Haystacks

Why Rust? - Matthias Endler - Codemotion Amsterdam 2016

Rust Programming Language

ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...

S2 e (selective symbolic execution) -shivkrishna a

Deep drive into rust programming language

XFLTReat: a new dimension in tunnelling

Exploitation and State Machines

Similar to Veil-Ordnance

Perl Usage In Security and Penetration testing

Vlatko Kosturjak

Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis

Chong-Kuan Chen

Metasploit: Pwnage and Ponies

Trowalts

The Attached slide was presented at Null Open Security/OWAP/G4H combined community event, the document shared here is a representation of Independent study on usage of Metasploit on purpose built vulnerable machine Metasploitable3. With New attack vectors such as Elastic Search API and Jenkins servers -21/01/2017 Contains 1. Introduction to Metasploit (why metasploit?) 2. Demo Setup and talked on how to- Using Metasploitable3 3. Networking with VirtualBox for personal lab 4. Auxiliary Modules (Scanners and Servers ) - Demo of snmp_enum 5. Exploit Module (searching exploits) 6. Payload types 7. Exploit Demo 1 - /exploit/multi/elasticsearch/script_mvel_rce 8. Exploit Demo 2 - /exploit/multi/http/jenkins_script_console

Metasploit For Beginners

Ramnath Shenoy

RAT - Repurposing Adversarial Tradecraft

⭕Alexander Rymdeko-Harvey

SD, a P2P bug tracking system

Jesse Vincent

stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!

NETWAYS

Driver Debugging Basics

Bala Subra

6. processes and threads

Marian Marinov

Pitfalls and limits of dynamic malware analysis

Tamas K Lengyel

Simplest-Ownage-Human-Observed… - Routers

Logicaltrust pl

Filip palian mateuszkocielski. simplest ownage human observed… routers

Yury Chemerkin

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

NoSuchCon

DEFCON 23 - Mike Sconzo - i am packer and so can you

Felipe Prado

Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw

Redspin, Inc.

Over the past year, Tripwire Security Researchers Tyler Reguly and Andrew Swoboda have invested numerous hours into understanding the Microsoft Remote Desktop Protocol, specifically the pre-authentication portions of RDP. The Microsoft Open Protocol Specifications were heavily utilized for this projected and, while both researchers had used the specifications before, neither had fully realized their usefulness to security researchers. This session will be a discussion of The Microsoft Open Protocol Specification with RDP as the example. The culmination of the session will be the release of a new RDP Fuzzer and a discussion around the vulnerabilities it has already discovered. Attendees can expect to walk away with a strong understanding of the Microsoft Open Protocol Specifications and how they can leverage them to build protocol implementations and fuzzers, as well as investigate inherent flaws and discover new vulnerabilities. Attendees will have a better understanding of the pre-authentication RDP connection sequence and exactly what data is exchanged and what an attacker can deduce from this communication. Finally, attendees will gain insight into new RDP vulnerabilities.

Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...

EC-Council

Hacking with Reverse Engineering and Defense against it

Prakashchand Suthar

The Hacking Games - Operation System Vulnerabilities Meetup 29112022

lior mazor

HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave

Hackito Ergo Sum

ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...

distortdistort

Similar to Veil-Ordnance (20)

Perl Usage In Security and Penetration testing

Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis

Metasploit: Pwnage and Ponies

Metasploit For Beginners

RAT - Repurposing Adversarial Tradecraft

SD, a P2P bug tracking system

stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!

Driver Debugging Basics

6. processes and threads

Pitfalls and limits of dynamic malware analysis

Simplest-Ownage-Human-Observed… - Routers

Filip palian mateuszkocielski. simplest ownage human observed… routers

NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core

DEFCON 23 - Mike Sconzo - i am packer and so can you

Beginner's Guide to the nmap Scripting Engine - Redspin Engineer, David Shaw

Hacker Halted 2014 - RDP Fuzzing And Why the Microsoft Open Protocol Specific...

Hacking with Reverse Engineering and Defense against it

The Hacking Games - Operation System Vulnerabilities Meetup 29112022

HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave

ROPInjector-Slides - Using-Return-Oriented-Programming-For-Polymorphism-And-A...

Recently uploaded

Explore the core of Salesforce success in 'Salesforce Adoption – Metrics, Methods, and Motivation.' We will discuss essential metrics, effective methods to drive adoption, and the driving force behind user engagement and explore strategies for onboarding, training, and continuous support that empower users to navigate the platform seamlessly. By leveraging these tools, you can effectively measure adoption against your company’s goals and create an environment where users not only adopt Salesforce but actively contribute to its ongoing success.

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom

CzechDreamin

How to differentiate Sales Cloud and CPQ on first glance might be tricky if you do not know where to look and what to look at. You will know :-) Managing the sales process within Salesforce is a common use case that can be managed with standart Sales Cloud. If you want to do entire quoting process you will find out Salesforce CPQ solution exists. What is then the difference if both can handle selling products? You will see comparison of 10 different features, which Sales Cloud and Salesforce CPQ handle differently. Simple question you will always remember if you should consider using Salesforce CPQ will be a cherry on top.

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

CzechDreamin

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Product School

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

Bits & Pixels using AI for Good.........

Alison B. Lowndes

Intrigued by why some of the world's largest companies (Netflix, Google, Cisco, Twitter, Uber etc) are using gRPC? In this demo based talk we delve into the world of gRPC in .Net, what it does and why we should use it. We compare the interface with both Rest and graphQL. We will show you how to implement grpc server-side in .net and in the web. Finally, I will show you how the tooling helps you deliver powerful interfaces and interact with them quickly and simply.

Demystifying gRPC in .Net by John Staveley

John Staveley

Join us as we dive into the latest updates to the UiPath Orchestrator API, including new limits and features for 2024. Discover how these changes can enhance your automation projects and streamline your workflows. 📚 Overview of UiPath Orchestrator API 🔧 Recent changes to API limits 🛠️ How to adapt to new limits 📋 Best practices for using the Orchestrator API efficiently ❓ Q&A session

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

DianaGray10

Ever caught yourself nodding along when someone mentions "delivering value" in Agile, but secretly wondering what the heck they actually mean? You're not alone! Join us for an eye-opening session where we'll strip away the buzzwords and dive into the heart of Agile—value delivery. But what is "value"? Is it a mythical unicorn in the world of software development, or is there more to this overused term? This isn't going to be a sit-and-get lecture. We're talking about a face-to-face, interactive meetup where YOU play a crucial role. Come along to: Define It: What does "value" really mean? We’ll build a definition that’s not just words, but a compass for your Agile journey. Contextualise It: Discover what value means specifically to you, your team, your company, and your industry. Because one size does not fit all. Deliver It: Share strategies and gather new ones for uncovering and delivering true value—no more shooting in the dark!

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

David Michel

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Product School

Speed Wins: From Kafka to APIs in Minutes

confluent

IoT Analytics Company Presentation May 2024

IoTAnalytics

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.

"Impact of front-end architecture on development cost", Viktor Turskyi

Fwdays

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

You’ve heard good data matters in Machine Learning, but does it matter for Generative AI applications? Corporate data often differs significantly from the general Internet data used to train most foundation models. Join me for a demo on building an open source RAG (Retrieval Augmented Generation) stack using Milvus vector database for Retrieval, LangChain, Llama 3 with Ollama, Ragas RAG Eval, and optional Zilliz cloud, OpenAI.

Introduction to Open Source RAG and RAG Evaluation

Zilliz

Recently uploaded (20)

Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom

10 Differences between Sales Cloud and CPQ, Blanka Doktorová

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Bits & Pixels using AI for Good.........

Demystifying gRPC in .Net by John Staveley

Exploring UiPath Orchestrator API: updates and limits in 2024 🚀

Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx

How world-class product teams are winning in the AI era by CEO and Founder, P...

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Designing Great Products: The Power of Design and Leadership by Chief Designe...

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Speed Wins: From Kafka to APIs in Minutes

IoT Analytics Company Presentation May 2024

When stars align: studies in data quality, knowledge graphs, and machine lear...

"Impact of front-end architecture on development cost", Viktor Turskyi

Connector Corner: Automate dynamic content and events by pushing a button

Introduction to Open Source RAG and RAG Evaluation

Veil-Ordnance

1. Veil-Ordnance @ChrisTruncer

2. Shellcode Generation Shellcode is commonly the medium for payloads within exploits Typically, it’s generated using one of two methods msfvenom msfpayload | mefencode Unless custom written, most people rely on MSF

3. Veil-Evasion We “outsource” our shellcode generation capabilities Reliance on outside tools can cause problems If msfvenom output changes, our parsing breaks This has happened twice Speed - MSF slow to start (even with simplified framework)

4. What we need We need a tool that generates shellcode Output doesn’t change Allows us to easily control what we want to parse Still provide some bad character avoidance capabilities Speed is always nice too

5. Veil-Ordnance

6. Command Line Driven

7. Command Line Options -p = Stager Type rev_tcp… - -ip = IP (or domain) to connect to - -port = Port to connect to or listen on -e = encoder name xor -b = bad characters - -print-stats = size, name, etc. - -list-payloads - -list-encoders

8. Verbose Output

9. Veil-Ordnance Info Six different payloads Tried to base off of my experience as most common (rev_tcp, bind_tcp, rev_https, rev_http, rev_tcp_dns, rev_tcp_all_ports) All payloads have been ported from the Metasploit Framework - i.e. I did not write the shellcode! Jon Yates (@redbeardsec) really helped with diving in to learn how these are generated 1 Encoder Single Byte Xor Encoder - Developed by Justin Warner (@sixdub)

10. Demo Time

11. I Need Help! Encoders! Please, send me any/all python POCs! Slowly working through msf encoders Feedback, bugs, etc.!

12. Thanks! Questions? Get in touch! @ChrisTruncer or @veilframework https://www.veil-framework.com https://www.christophertruncer.com https://github.com/Veil-Framework #Veil on Freenode Chris at veil-framework dot com

Veil-Ordnance

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Veil-Ordnance

Similar to Veil-Ordnance (20)

Recently uploaded

Recently uploaded (20)

Veil-Ordnance