BOF2shellcode — a tutorial converting a stand-alone BOF loader into shellcode

TL;DR — At FalconForce we love purple teaming, meaning that we engage in both red teaming and blue teaming. For red teaming we often need to run offensive tools on a target machine without dropping the tool on disk. One way to do that is to convert an existing executable into shellcode using donut and execute that shellcode in memory. Another is to use Cobalt Strike BOFs, but those are designed to be run from a Cobalt Strike beacon. In this blog we walk through another method we are experimenting with: converting BOFs into shellcode. We do this by converting an existing BOF loader (COFFLoader, written in C) to shellcode, and then use the same approach to write our own loader that turns a Cobalt Strike BOF into a self-contained shellcode blob. If you are only interested in the PoC tool, it is available in this GitHub repository. Note that this is just a PoC and probably not suited for use in a real red teaming engagement, but it should give you a good head start if you want to use this technique.

This blog post is written in a tutorial format so you can follow along, hopefully picking up a few new tricks related to C-to-shellcode conversion along the way.
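The core trick behind C-to-shellcode conversion is to write C that compiles to bytes which run correctly no matter where they are copied: no calls into other functions, no references to global data or string literals, so nothing needs relocating. The following is an added example (not code from the blog or from the BOF2shellcode repository) that shows that principle end to end: a position-independent function is treated as the "BOF", its raw bytes are copied out of the running binary into fresh memory, the page is flipped from RW to RX, and the copy is called. It uses POSIX mmap/mprotect; the blog's Windows loader would use VirtualAlloc/VirtualProtect for the same steps. The function names, the end-marker technique and the fixed 512-byte fallback length are this example's own choices, not the project's.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* The "BOF": written so its compiled bytes are position-independent.  It
 * touches only its arguments and locals, makes no calls and references no
 * global data or string literals, so nothing has to be relocated.
 * FNV-1a is just a stand-in workload; any such function would do. */
__attribute__((noinline))
static uint32_t pic_fnv1a(const unsigned char *buf, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= buf[i];
        h *= 16777619u;
    }
    return h;
}

/* End marker.  Compilers usually emit functions in source order, so the
 * address difference gives the blob length; it is not guaranteed, hence
 * the fallback in pic_blob_len(). */
__attribute__((noinline))
static void pic_end(void) { __asm__ volatile(""); }

/* Length of the bytes to extract.  If the marker was reordered before the
 * function (or placed implausibly far away), fall back to a generous fixed
 * size: over-copying the following function's bytes is harmless because
 * execution leaves at pic_fnv1a's own 'ret' instruction.  A real tool reads
 * the size from the object file's .text section instead. */
static size_t pic_blob_len(void)
{
    uintptr_t start = (uintptr_t)pic_fnv1a, end = (uintptr_t)pic_end;
    if (end > start && end - start <= 4096)
        return (size_t)(end - start);
    return 512; /* assumption: comfortably larger than the function */
}

/* Minimal loader: copy the blob into fresh memory, make it RX (never
 * writable and executable at the same time), call it, tear it down.
 * Returns 0 if the memory could not be set up. */
static uint32_t run_as_shellcode(const unsigned char *buf, size_t len)
{
    size_t blob_len = pic_blob_len();
    void *mem = mmap(NULL, blob_len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return 0;
    memcpy(mem, (const void *)(uintptr_t)pic_fnv1a, blob_len);
    if (mprotect(mem, blob_len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, blob_len);
        return 0;
    }
    /* Required on architectures with split I/D caches (e.g. AArch64). */
    __builtin___clear_cache((char *)mem, (char *)mem + blob_len);

    uint32_t (*fn)(const unsigned char *, size_t) =
        (uint32_t (*)(const unsigned char *, size_t))(uintptr_t)mem;
    uint32_t result = fn(buf, len);
    munmap(mem, blob_len);
    return result;
}

int main(void)
{
    const unsigned char msg[] = "hello"; /* constructed sample input */
    uint32_t direct = pic_fnv1a(msg, 5);
    uint32_t copied = run_as_shellcode(msg, 5);
    printf("blob length : %zu bytes\n", pic_blob_len());
    printf("direct call : 0x%08x\n", direct);
    printf("shellcode   : 0x%08x (%s)\n", copied,
           direct == copied ? "match" : "MISMATCH");
    return direct == copied ? 0 : 1;
}
```

Breaking any of the rules in `pic_fnv1a` (calling `strlen`, indexing a static lookup table, using a string literal) produces bytes that still work in place but crash or misbehave once copied, because they contain addresses or PC-relative references into the original image; that is exactly what a BOF loader has to resolve by hand, and why the blog's conversion of COFFLoader has to avoid such references in its own code.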

The source code for each step is available in a public GitHub repository; each section references a specific commit showing the code at that specific point in time.

Cross-posted from medium.com; read the full article here:

https://medium.com/falconforce/bof2shellcode-a-tutorial-converting-a-stand-alone-bof-loader-into-shellcode-6369aa518548