David Vassallo's Blog

If at first you don't succeed; call it version 1.0

Antivirus evasion : Ghost Writing update

I recently read an excellent article on PenTestGeek about “Ghost Writing”:

https://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/

The article is extremely easy to follow, with some adjustments to running metasm under kali:

  • The site_ruby folder is located under: /usr/local/lib/site_ruby/
  • You dont need to copy the metasm files however, you can simply run gem install metasm
  • The disassembler script is located under: /usr/share/metasploit-framework/lib/metasm/samples/disassemble.rb

In the article, we see how the author uses ghost writing to change the signature of the shellcode file he generated by inserting instructions that do not change the actual execution of the program. Some other techniques I found effective are:

  • Find an xor eax, eax statement, and perform any operations you wish on EAX, such as mov eax, 22 or add eax, 22 and so on. The XOR statement means the register is going to be zeroed out, so these statements will have no effect.
  • Use of commands like add eax, 0 and sub eax, 0… not much explanation needed there…
  • Use of inc eax and dec eax, making sure the eax register is not used in intervening code (inc = increment and dec = decrement)
  • Use of jmp and labels to move the position of code within the file

Where I diverged from the PenTestGeek article is in the re-encoding stage. The author used the peencode.rb script (from the same sample directory the disassemble.rb script is found). This means the ghost written shellcode is compiled as a standalone executable. That’s fine, but we have some excellent frameworks like “The Backdoor Factory” which can inject shellcode into code caves within existing EXE files… meaning a better chance of the victim running an innocent or familiar looking exe that actually does something.

So how do we generate the raw binary shellcode from our ghost written assembly file? It turns out to be quite simple… Instead of using peencode.rb, we use exeencode.rb, whose default output is raw binary. We’d end up with something like so:

ruby /usr/share/metasploit-framework/lib/metasm/samples/exeencode.rb -o raw.o ./ghost_written.asm 

And our raw shellcode is now in raw.o. This in turn allows us to use backdoor factory to inject our improved, ghost written shellcode, into an existing, familiar exe, say Putty….

backdoor.py -f /tmp/putty.exe -s user_supplied_shellcode -U /tmp/raw.o

Assuming you have putty.exe and raw.o in your tmp folder, backdoor factory will do it’s magic, inserting shellcode into code caves and all that goodness, and you end up with an improved, ghost written shellcode, backdoored, putty.exe

 

PS you really should see the presentation from SecretSquirrel on The Backdoor Factory, and his blog posts on using the factory along with mitmproxy to backdoor EXEs passing over the wire – he is awesome…

Hackathon notes and links

I recently had the opportunity to participate in (my team won as it turned out… Special thanks to Ian Attard and Godwin Caruana) the Malta Information Technology Agency (MITA) Hackathon, organized by TrustedSec. I learnt a lot, thanks to David Kennedy and my team mates. I also did quite a lot of research beforehand and there is a treasure trove of information on the web that i’d like to make a note of for future reference. Maybe others will find the information here of use. Full credit goes to the respective authors of the articles:

Interesting Articles and Links:

Notes:

  • Startup nessus: /etc/init.d/nessusd start, link: http://localhost:8834
  • List SMB shares on a target from linux command line: smbclient -L 1.2.3.4
  • Connect to SMB share “Users” with guest account: smbclient \\\\192.168.12.54\\Users -U guest -N
  • Web application scanners I didn’t know of: w3af , arachni
  • Searchsploit is your friend :) http://www.securitygeeks.net/2013/01/how-to-search-for-exploits-using.html. On kali just type “searchsploit [search terms]
  • Since it’s your friend, you should update it :) here’s my script to do just that:

  • To add a new exploit that has been written for metasploit but not currently included in the framework (in Kali):
    • Create a directly called “exploits” under ~/.msf4/modules (note the name must be exploits, else metasploit won’t pick up your scripts)
    • Create a new directory of your choice under ~/.msf4/modules/exploits for example:

      mkdir ~/.msf4/modules/exploits/hackathon

    • Find the exploit you need, maybe using serchsploit, and copy into your newly created folder for example:
      Selection_015
    • Startup msfconsole and search for your exploit (I normally search for the folder name – hackathon – since I pretty much know what I placed in there)
      Selection_016
    • Run the exploit :)
Follow

Get every new post delivered to your Inbox.

Join 162 other followers