Will presented on using Pyinstaller and introducing Pwnstaller, a tool he created to dynamically generate unique Python payload executables. Pyinstaller packages Python scripts into standalone executables but its loader binaries could be detected by antivirus. Pwnstaller obfuscates and recompiles the Pyinstaller loader source each time to avoid static signatures. It has been integrated into Veil-Evasion so Python payloads benefit from dynamically generated unique loaders that are harder for antivirus to detect.
2. $ whoami
Security researcher and penetration tester/red teamer for Veris Group’s Adaptive Threat Division
Co-founder of the Veil-Framework #avlol
www.veil-framework.com
Shmoocon ‘14: AV Evasion with the Veil Framework
co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView
BSides ATX ‘14: Wielding a Cortana
Defcon ‘14 (accepted): Post-Exploitation 2.0
3. tl;dr
Why we use Pyinstaller
DEP, Pyinstaller, and a weird Veil-Evasion bug
How Pyinstaller works
Pwnstaller v1.0
Questions
4. Caveat
This is a proof of concept based off of an idea
Going to detail the problem that prompted thinking about this, and walk through the thought process that led to the PoC solution
There is probably a better way to do this, but it seemed like an interesting concept and I wanted to get the idea out there
5. Pyinstaller 101
Pyinstaller is “a program that converts (packages) Python programs into stand-alone executables”
http://www.pyinstaller.org/
Packages Python scripts into OSX, Linux, or Windows self-extracting executables
Lets developers distribute projects without relying on an existing Python installation
6. Pyinstaller Repurposed
Pentesters realized a few years ago that we could use it to package malicious scripts
advantageous, as legitimate projects use Pyinstaller
www.pyinstaller.org/wiki/ProjectsUsingPyInstaller
Dave Kennedy’s “PyInjector” was released in 2012 based on Debasish Mandal’s original post:
https://www.trustedsec.com/august-2012/new-tool-pyinjector-released-python-shellcode-injection/
http://www.debasish.in/2012_04_01_archive.html
7. Pyinstaller in Veil-Evasion
Veil-Evasion sets up Pyinstaller under Wine so Python payloads can be compiled natively to Windows .exe’s
Generation is transparent to the user
Allows for the dynamic generation of Windows Python payloads, all on Kali!
We always want to preserve a single attack platform
8. Veil Payloads and DEP
Void pointer casting for shellcode injection may fail, as the memory location used is not explicitly marked executable (X)
(*(void(*)()) shellcode)();
Most systems tend to default to an opt-in DEP enforcement policy
if the executable you're running opts in, void pointer casting will fail with a memory access violation
9. A Weird Veil Bug
Python void pointer payloads worked as .py files, but failed as Pyinstaller executables
The python.exe interpreter used by Pyinstaller is not DEP enabled, but the resulting Pyinstaller payloads do in fact opt in to this protection
see http://www.veil-evasion.com/dep-pyinstaller/
10. How Pyinstaller Works
Pyinstaller uses the CArchive data structure to package up the main python .dll, any necessary libraries, and your target script
Basically like a compressed ZIP container
This CArchive is attached to the end of a “launcher” executable
We use the runw.exe version so we can hide the window, making execution transparent to the user
12. How Pyinstaller Works
On execution, the launcher executable:
Decompresses the CArchive to a temporary location
Loads the python15.dll using LoadLibraryExA
Maps all the entry points in the python .dll for necessary methods
Sets up env stuff and starts the Python process
Imports all specified necessary modules
Runs the extracted script using PyRun_SimpleString
13. How Pyinstaller Works: English
When the Pyinstaller produced executable is run, a
minimal Python environment is extracted from a
compressed attachment
Components necessary for the environment are
registered and set up
The script attached is run
Lets you run Python scripts without Python being
installed on a target machine!
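Because the CArchive is appended after the launcher and located through a "cookie" at the tail of the file, a triage script can recognise a Pyinstaller-packaged executable without running it. Added example, not from the deck or the Pyinstaller project: it searches the file tail for the cookie magic, parses the fields common to the cookie layouts, and builds a constructed sample; the legacy 24-byte cookie layout used for the sample is an assumption.

```python
import struct

# Magic that opens the CArchive "cookie" which the Pyinstaller launcher
# reads from the tail of its own executable to find the attached archive.
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Big-endian fields following the magic: archive length, TOC offset,
# TOC length, Python version (e.g. 27 for 2.7, 310 for 3.10).
COOKIE_FIELDS = "!iiii"
COOKIE_LEN = len(PYINST_MAGIC) + struct.calcsize(COOKIE_FIELDS)  # 24 bytes


def find_pyinstaller_cookie(exe: bytes, tail: int = 4096):
    """Return the parsed cookie, or None if no CArchive is attached.

    Only the last `tail` bytes are searched, since the archive (and its
    cookie) is appended after the launcher rather than embedded in it.
    """
    start = max(0, len(exe) - tail)
    pos = exe.rfind(PYINST_MAGIC, start)
    if pos < 0 or pos + COOKIE_LEN > len(exe):
        return None
    archive_len, toc_pos, toc_len, pyvers = struct.unpack_from(
        COOKIE_FIELDS, exe, pos + len(PYINST_MAGIC))
    # Reject false positives: the archive must fit in the file and the
    # TOC must lie inside the archive.
    if not (0 < archive_len <= len(exe)) or toc_pos < 0 or toc_pos + toc_len > archive_len:
        return None
    major, minor = divmod(pyvers, 100 if pyvers >= 100 else 10)
    return {"archive_len": archive_len, "toc_pos": toc_pos,
            "toc_len": toc_len, "python_version": f"{major}.{minor}"}


def make_sample(pyvers: int = 27) -> bytes:
    """Constructed stand-in for a packaged .exe: filler launcher bytes, a
    fake archive body and TOC, then a legacy 24-byte cookie (assumed layout)."""
    launcher = b"MZ" + b"\x90" * 200        # not a loadable PE, just filler
    body = b"\x00" * 500                     # stands in for compressed entries
    toc = b"\x00" * 40
    archive_len = len(body) + len(toc) + COOKIE_LEN
    cookie = PYINST_MAGIC + struct.pack(
        COOKIE_FIELDS, archive_len, len(body), len(toc), pyvers)
    return launcher + body + toc + cookie
```

On a real file, read it in binary mode and pass the bytes to find_pyinstaller_cookie; a None result means no attached CArchive was found in the tail.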
14. Solving The Veil Bug
So the DEP opt-in policy is determined by the launcher
.exe, not the Python interpreter
Our next step was to generate a Pyinstaller launcher that
didn’t opt-in to DEP
Luckily Pyinstaller is open source
https://www.veil-framework.com/dep-pyinstaller/
15. Solving The Veil Bug
Pyinstaller holds precompiled copies of 32-bit and 64-bit
loaders for Linux, OSX and Windows in
pyinstaller/support/loader/*
The sources for the loaders are included in
pyinstaller/source/*
runw.exe is the loader we want to regenerate
used for “windowed” executables
16. Turning Off DEP
The loaders are built with the WAF build system
./pyinstaller/source/wscript
add conf.env.append_value('LINKFLAGS', '/NXCOMPAT:NO') right after the other flags on lines 209 and 211
This will instruct the Visual Studio linker to turn off DEP
compatibility
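The opt-in the deck traces to the launcher is just the NXCOMPAT bit in the PE optional header's DllCharacteristics field, which /NXCOMPAT:NO clears, so the result can be verified on any runw.exe by reading that header. Added example, not from the deck or the Pwnstaller/Pyinstaller code: a Python check for the flag, with a constructed header-only PE32 image for testing.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_NX_COMPAT: the image declares DEP compatibility
NX_COMPAT = 0x0100


def dep_opt_in(pe: bytes) -> bool:
    """Return True if the PE image opts in to DEP via the NXCOMPAT flag.

    Raises ValueError for anything that is not a PE image.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing DOS header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_opt,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    if size_of_opt < 72 or opt + 72 > len(pe):
        raise ValueError("optional header too short for DllCharacteristics")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers
    (dll_chars,) = struct.unpack_from("<H", pe, opt + 70)
    return bool(dll_chars & NX_COMPAT)


def make_minimal_pe(dll_characteristics: int) -> bytes:
    """Constructed, header-only PE32 image (not loadable) for testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(224)                             # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)            # Magic: PE32
    struct.pack_into("<H", opt, 70, dll_characteristics)
    # COFF header: i386, no sections, optional header size, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Read a real launcher in binary mode and pass the bytes to dep_opt_in; False means the binary does not opt in and will run under the system's default opt-in DEP policy without DEP.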
17. Problem?
Sweet, we have a shiny new launcher.exe
But our project is focused on evading AV
Including a static, custom-compiled launcher executable
is a GREAT way to say “Hey vendors, check out this
Veil-Evasion payload! Signatures lolz”
18. Solution
Besides running Pyinstaller itself natively on Kali, we
can dynamically recompile the Pyinstaller launcher
using mingw!
This makes it trivial to make some small changes and
get a different SHA1 signature each time
Why don’t we make it *a little* harder to flag on?
19. Obfuscation: Phase 1
There are only a handful of source files needed to
recompile runw.exe
utils.c - some helper methods (246 lines)
launch.c - “where the magic happens” (1617 lines)
main.c - invokes launch.c (165 lines)
./zlib/* - extract of zlib v1.2.3
Let’s start with some basic obfuscation
20. Obfuscation: Phase 1
The initial goal: make ssdeep as useless as possible
against “families” of our generated launcher
Any unnecessary code was stripped out (i.e. code for
OSX and Linux binaries)
Thought process: randomize/shuffle wherever we can
A selection of random library imports thrown in
22. Obfuscation: Phase 2
Let’s go just a bit further and have some fun with
anything doing basic dynamic analysis
How about interspersing lots of nested processing
methods throughout the code
similar to our c/meterpreter/* payloads
This mucks up the call tree of the program without
altering the actual execution
23. Finishing Touches
The Pyinstaller icon is kind of recognizable
How about some randomized .ico’s instead?
24. Putting It All Together
The end result, every time the generator runs:
obfuscated code for all* source files associated with the
Pyinstaller launcher is generated
a randomized icon is chosen for the final packaged result
mingw32 is used to compile everything into a new
runw.exe, all on Kali
the new runw.exe is copied into the correct resource
location to be used by Pyinstaller
*except some known zlib libraries
25. ssdeep comparison
ssdeep is a ‘fuzzy hashing’ static malware comparison tool,
allowing for the comparison of malware families
Generated a run of 1000 runw.exe loaders
(1000 choose 2) = 499500 possible comparison combinations
367,073 pairings (74%) scored 30/100 or better
228,961 pairings (46%) scored 50/100 or better
34,420 pairings (7%) scored 70/100 or better
0 pairings scored at 90/100 or better
What this means: none of the loader pairings scored as a
closely ‘similar’ malware family
27. In Plain English
Each generated Pyinstaller loader is reasonably unique
from a basic static malware analysis perspective
Competent reversers will be able to figure out what’s
going on in very little time
But hopefully this is relatively resistant against static
signatures
I’m sure there are better obfuscation methods, so go
implement them!
28. Pwnstaller v1.0
http://www.harmj0y.net/blog/python/pwnstaller-1-0/
The code is up on github:
https://github.com/HarmJ0y/Pwnstaller
And it’s been integrated into Veil-Evasion
In the development branch now, hitting the master branch
on the 5/15/2014 V-Day
All Python payloads can now utilize a dynamically
generated Pwnstaller loader by choosing “2 - Pwnstaller”
from the Python compilation menu
30. Recap
Pyinstaller is some cool stuff
Pwnstaller will hopefully extend the lifetime of Veil-Evasion
Python payloads by making static signatures
reasonably difficult to write
“This is script-kiddie garbage that will harm users of
Pyinstaller when AVs flag it without benefiting
anyone who matters. Hope you get booed off at
Bsides.” – The Internet
31. Shameless Sidebar
Want to research cool stuff like this?
Want to work with 9 x OSCPs and 4 x OSCEs?
Want to do some sweet red teaming?
Hit me up to join the Adaptive Threat Division
32. Questions?
Contact me:
@harmj0y
will@harmj0y.net
Read more:
http://www.harmj0y.net/blog/python/pwnstaller-1-0/
Get Pwnstaller:
https://github.com/HarmJ0y/Pwnstaller
Now in Veil-Evasion!