Veil-Ordnance – Fast Stager Shellcode Generation

Generating shellcode is a task that nearly all pen testers have to do at some point, unless they write their own shellcode.  The typical way of generating shellcode consists of using msfvenom, or the combination of msfpayload and msfencode.  Both of these methods can easily generate shellcode for the payload of your choice, and you can invoke shellcode encoders, if necessary, to avoid bad characters.

Since its release, Veil-Evasion has always relied on msfvenom for generating the shellcode within Veil-Evasion payloads.  Leveraging another tool’s capabilities has allowed us to rely on the Metasploit Framework to handle the shellcode generation without requiring too much effort on our end.  However, this has also caused some issues.  On two separate instances, updates to msfvenom’s output has caused Veil-Evasion to “break” by creating invalid/non-working payloads.  This is because Veil-Evasion is parsing the msfvenom output.  In the event that the msfvenom output changes, then our ability to parse it typically breaks, and requires a patch on our end.  Will Schroeder (@harmj0y), Mike Wright (@themightyshiv), and myself (@ChrisTruncer) identified this issue fairly early on when developing Veil-Evasion, and we basically took the approach that we hoped there wouldn’t be changes to the output, or we would deal with it.  Well, we were obviously wrong.  After the first break in compatibility, we discussed the need for having our own shellcode generator independent of the Metasploit Framework.  Even through we agreed it was needed, our other commitments kept our attention.  That was, until we ran into the issue a second time.  At this point, we felt it was something we actually needed to look into.

Jon Yates (@redbeardsec) made a significant contribution by diving into the Metasploit source code to understand how the base MSF shellcode is generated.  He helped catch me up to speed with everything he had learned, and really was a huge asset in writing Veil-Ordnance.  Armed with what I needed to know thanks to Jon, I started writing a small POC that would generate shellcode for a few different payloads.  I selected a few of the more “popular” payloads to support for the initial release, and added them into Ordnance.  However, the tool would require at least one encoder for use, and Justin Warner (@sixdub) graciously created a single byte xor encoder, and said I was free to add it in to Ordnace.  With six different payloads, a single encoder, and a good amount of QA time, I’m happy to push out the initial release of Veil-Ordnance.

Github Link:

CLI Options

NOTE: One MAJOR point to note here, is that Ordnance is a pure port of Metasploit’s stagers within the Metasploit Framework.  We did not write these stagers, they were ported from Ruby into Python, and added to Ordnance.  The Metasploit Framework developers are the guys who deserve full credit for creating these payloads.

Ordnance has multiple features that I find helpful:

  • Instant generation of the stager shellcode
    • reverse_tcp
    • bind_tcp
    • reverse_http
    • reverse_https
    • reverse_tcp_dns
    • reverse_tcp_all_ports
  • An encoder is available for removal of most bad characters
  • The default Ordnance output will always remain the same
    • By default, only the shellcode is returned to the console
    • With extra flags, the user can obtain the shellcode “metadata” (size, xor key, etc.)

Ordnance is used by passing parameters to it via the command line.  Ordnance’s command line parameters are:

  • -p – payload type (rev_tcp, bind_tcp, rev_http, rev_https, rev_tcp_dns, rev_tcp_all_ports)
  • –ip – IP address (or domain) to connect to for reverse payloads
  • –port – Port number to connect to, or listen on
  • -e – Encoder to use when encoding shellcode
  • -b – Bad character(s) to avoid within the shellcode (\x00\x0a)
  • –print-stats – Prints the extra “metadata” about the generated shellcode
  • –list-payloads – lists all currently available payloads
  • –list-encoders – lists all currently available encoders

To use Ordnance to generate reverse tcp stager shellcode, you could use the following command:

./ -p rev_tcp --ip --port 8675


This will output reverse tcp stager shellcode which can be copied and pasted for use.  If you wanted to use Ordnance to generate reverse https stager shellcode, avoid the use of “\x00” and “\x0a”, and see the length of the generated shellcode, you could use the following command:

./ -p rev_https --ip --port 443 -e xor -b \x00\x0a --print-stats

https stats

Assuming the encoder does not run into any character encoding issues, Ordnance would output the stats about the shellcode generated, and then the shellcode itself.

I would love to call upon to community to help add one or two more encoders into Ordnance.  The more encoders, the better to try to help ensure all bad characters could be avoided if necessary.

If anyone has any questions about how to use Veil-Ordnance, please feel free to get in touch with us on twitter (@veilframework), hop on IRC in #veil, or hit us up on Github!  If anyone finds any bugs, please let us know!  Opening an issue on Github lets us easily track problems!  Thanks, and we hope that this can help!

5 thoughts on “Veil-Ordnance – Fast Stager Shellcode Generation

  1. We are all aware that in an auditing scenario, fishing still remains a wide open door, and sometimes just the only one.
    Do you have any plans to weaponize veil’s powershell payload embeded on macros?
    Do you have any suggestions on how do it properly for now ?
    Thanks and congrats.

    1. Hi, I don’t think this necessarily relates to Veil-Ordnance, so, it likely wouldn’t be included in that. There are posts on the internet about people including powershell attacks in macros, I’d check those out.

Leave a Reply