Shellter Pro v2.1
[+] Fixed a read-out-of-bounds bug.
The function that inspects the certificate table when the target PE appears to be digitally signed did not properly validate some of the data it extracted.
The issue could be triggered by supplying a PE whose certificate table (Security data directory) address and/or size held invalid values.
Versions affected: Shellter Pro v1.2, 1.3, 2.0
Reported by: Kyprianos Vasilopoulos (@kavasilo)
Shellter Pro v2.0
[+] Dynamic Payload Injection In DLLs.
Shellter Pro now also supports injecting your payload(s) into legitimate DLLs. This feature is compatible with all other Shellter Pro features. It not only gives an extra boost to AV evasion, but also allows the user to bypass application whitelisting restrictions in specific scenarios. Furthermore, it can be used in Red Team engagements to demonstrate persistence by infecting a DLL of a legitimate application, something that can go unnoticed for a very long time in real attacks.
Shellter Pro v1.3
[+] Fixed an issue in the IAT handler availability check.
If the only combination supported by the target executable was LoadLibraryW/GetProcAddress, the generic LoadLibrary/GetProcAddress combination would show as unavailable because of a mistake in the IAT pointer combination check.
Shellter Pro v1.2
[+] Multi-Payload chaining feature is now always supported.
Up until this update, chaining multiple payloads was only supported if the executable also supported the Stealth Mode feature: the user could chain payloads without enabling Stealth Mode, but Stealth Mode still had to be compatible with the executable. From this update onwards, chaining multiple payloads can always be used, even if the executable does not support Stealth Mode.
[+] Enhanced certificate table size check.
Added checks that verify the certificate table size information is consistent. If those checks fail, no attempt is made to remove the digital signature data; the rest of the operations are unaffected.
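The consistency checks behind this entry and the read-out-of-bounds fix in v2.1 both come down to validating the Security data directory before touching the bytes it points at. The following is an added example, not Shellter Pro's code: it locates the certificate table in a PE, checks the directory offset and size against the file length, and then walks the WIN_CERTIFICATE entries, checking each dwLength against the table bounds before reading further. The PE image and the certificate blob are constructed in the script (no real signature), and the field offsets used are the documented PE32/PE32+ optional header layouts.

```python
import struct

# Index of the certificate table (Security directory) in the data directory array.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
CERT_BLOB_OFFSET = 0x200          # where build_pe() places the constructed blob


def security_directory(data):
    """Return (file_offset, size) of the certificate table, or None if absent.

    The Security entry is the one data directory that stores a raw file offset
    rather than an RVA, so it is checked directly against the file length.
    """
    n = len(data)
    if n < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew > n - 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or PE signature")
    opt_off = e_lfanew + 24
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    if opt_size < 2 or opt_off + opt_size > n:
        raise ValueError("optional header out of bounds")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                           # PE32
        ndirs_off, dd_off = opt_off + 92, opt_off + 96
    elif magic == 0x20B:                         # PE32+
        ndirs_off, dd_off = opt_off + 108, opt_off + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    if ndirs_off + 4 > opt_off + opt_size:
        raise ValueError("optional header too short")
    if struct.unpack_from("<I", data, ndirs_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt_off + opt_size:
        raise ValueError("data directory entry out of bounds")
    off, size = struct.unpack_from("<II", data, entry)
    return None if off == 0 and size == 0 else (off, size)


def validate_certificate_table(data):
    """Return [(offset, dwLength, wRevision, wCertificateType), ...] for every
    WIN_CERTIFICATE in the table, or raise ValueError on inconsistent values.
    Every bound is checked before the corresponding read."""
    dd = security_directory(data)
    if dd is None:
        return []
    off, size = dd
    n = len(data)
    # Check the two halves separately: in 32-bit arithmetic off + size can wrap
    # (0xFFFFFFF0 + 0x20 == 0x10), which a single "off + size <= n" test misses.
    if off == 0 or off > n or size < 8 or size > n - off:
        raise ValueError("certificate table [%#x, +%#x) not within %#x-byte file" % (off, size, n))
    entries, pos, end = [], off, off + size
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated WIN_CERTIFICATE header at %#x" % pos)
        length, rev, ctype = struct.unpack_from("<IHH", data, pos)
        if length < 8 or length > end - pos:
            raise ValueError("WIN_CERTIFICATE at %#x: dwLength %#x exceeds table" % (pos, length))
        entries.append((pos, length, rev, ctype))
        pos += (length + 7) & ~7                 # entries are 8-byte aligned
    return entries


def win_certificate(pkcs7):
    """Wrap a (constructed) PKCS#7 blob in a WIN_CERTIFICATE header, 8-byte padded."""
    length = 8 + len(pkcs7)
    hdr = struct.pack("<IHH", length, WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA)
    return (hdr + pkcs7).ljust((length + 7) & ~7, b"\0")


def build_pe(cert_off, cert_size, cert_blob=b""):
    """Constructed minimal PE32 image with an arbitrary Security directory entry."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 96 + 16 * 8                                     # 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    hdr = dos + b"PE\0\0" + coff + bytes(opt)
    return hdr.ljust(CERT_BLOB_OFFSET, b"\0") + cert_blob


def check(data):
    """('ok', entries) or ('reject', reason), so callers never hit the raw exception."""
    try:
        return ("ok", validate_certificate_table(data))
    except ValueError as e:
        return ("reject", str(e))


if __name__ == "__main__":
    blob = win_certificate(b"\x30\x82" + b"\xaa" * 20)          # 30 bytes, padded to 32
    bad_len = b"\x00\x10\x00\x00\x00\x02\x02\x00".ljust(32, b"\0")   # dwLength 0x1000 in a 32-byte table
    cases = {
        "signed, consistent":  build_pe(CERT_BLOB_OFFSET, len(blob), blob),
        "unsigned":            build_pe(0, 0),
        "size past EOF":       build_pe(CERT_BLOB_OFFSET, 0x10000, blob),
        "offset wraps in u32": build_pe(0xFFFFFFF0, 0x20, blob),
        "dwLength > table":    build_pe(CERT_BLOB_OFFSET, 32, bad_len),
    }
    for name, pe in cases.items():
        print("%-21s %s" % (name, check(pe)))
```

Only the first case yields entries; the other malformed directories are rejected before any read past the file end, which is the class of input the v2.1 fix concerns. Signature removal (truncating the file at the directory offset and zeroing the directory entry) would only run on the "ok" path.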
[+] Optimized payload execution delay when Stealth Mode is not enabled.
When Stealth Mode is not enabled there is always an additional delay before the payload executes. This delay depends on CPU performance, so it can reach several seconds when the infected executable is tested inside a virtual machine.
[+] A few obfuscation optimizations based on which Shellter Pro features the user has enabled.
Shellter Pro v1.1
[+] Optimized the tracer so that, in Auto Mode, it no longer waits for an extra debug event in some cases after the tracing time has elapsed.
This issue could be noticed when the target application loaded very quickly and then stopped generating debug events before the tracing time had elapsed.
The tracer would then keep waiting for one last debug event in order to leave the tracing stage. When that happened, automation (driving Shellter Pro from a script) broke, because Shellter Pro would simply sit waiting for a debug event.
The user had to interact with the target application manually to force a debug event and let the remaining injection stages proceed.
The tracer's behaviour has changed: once the tracing time in Auto Mode has elapsed, Shellter Pro handles this situation automatically and proceeds.
[+] Optimized the injected code that handles multiple payloads chained while Stealth mode is not enabled by the user.
The handler is now aware of any payloads that are still running and waits for all of them to finish before killing the host process. Note that the handler is only aware of its own thread and of the threads it assigns to the execution of the payloads.
None of this applies when Stealth Mode is enabled: in that case the handler immediately restores the original execution flow instead of waiting for the payload threads, so that the application runs as normal.
A scenario you would not normally see, and that could make this fail, is two payloads that each start a new thread which then kills its parent thread. If both did that, the handler would proceed and kill the process, since the two threads it is aware of would have terminated. This is not the default behaviour and is only mentioned here to raise awareness of a possible limitation.
Finally, don't forget to use “ExitFunc Thread” (EXITFUNC=thread) if you generate payloads directly from Metasploit and use them with Stealth Mode and/or multi-payload injection. If you don't, the first payload to exit will kill the process and you will lose the rest. The same setting applies to the multi/handler exploit in Metasploit. If you use the payload stagers listed in Shellter Pro, Shellter handles this for the payload itself; however, you still need to set “ExitFunc Thread” in the multi/handler exploit.
[+] Optimizations in command line parser for supported features checking.
From this version onwards, the command line parser checks whether the first argument is “-f”, which sets the target executable.
Example: “-f target.exe”
This way the supported-features check runs only once, and any other argument that depends on one of those features can immediately verify whether it can be used.
[+] The supported-features check is now also performed in Manual mode, and in Auto Mode when used without command line arguments, as soon as the user specifies the target executable.
[+] Changes in the interactive console when using Shellter without command line.
Shellter uses the supported-features check and, if the Stealth Mode and/or Multi-Payload chaining features are supported, asks the user to enable none, one or both of them before tracing starts, or before the user submits an EFD file. This makes handling Multi-Payload chaining with Stealth Mode disabled more reliable.
[+] Fixed an issue in the function that checks for which Shellter Pro features are supported by the chosen executable target.
The check for the GetModuleHandle/GetProcAddress combination in the import table was skipped, while the rest of the IAT handler combinations were checked properly.
If that was the only combination available in the chosen executable, Shellter Pro features that the target would otherwise support were disabled.
[+] The executable target is now validated before creating a backup of the file.
Shellter Pro will not back up the target executable unless its file format validates. PE validation itself is not new in Shellter; until this update, however, Shellter made the backup first and validated the PE file format afterwards, which was unnecessary when validation failed since Shellter would not proceed anyway.
Shellter Pro v1.0