Whitelist: February 2018

Metasploit Loader (III): loader64.exe (x64_64 bits)

ANTIVIRUS EVASION /Metasploit Loader (III): loader64.exe (x64_64 bits)

- Layout for this exercise:

- This exercise is based in the previous one:

http://www.whitelist1.com/2018/02/metasploit-loader-i-loaderexe-x8632-bits_27.html

1 - Adapting the source code to the x64_64 bits architecture

- The goal of this exercise is to adapt previous example of Windows 10 x86_32 bits to the x64_64 bits architecture.

- Let's create a new file main64.c where changes will be implemented.

- The technical explanation of why and how to modifiy the source code for the new architecture is here:

https://github.com/rsmudge/metasploit-loader
https://dev.metasploit.com/pipermail/framework/2012-September/008664.html

- For the x86_32 bits architecture:

- For the x64_64 bits architecture:

- To sum it up, the x64_64 bits architecture uses 10 Bytes for the RDI register: a \x48 hexadecimal must be prepended, keeping the bytes of the x86_32 bits case (BF 78 56 34 12), and ending up with \x00s.

- Editing main64.c to reflect these changes:

- The first change is to amplify the buffer up to 10 Bytes. The old code:

- The new code:

- The second change is to prepend with 0x48. The old code:

- The new code:

- Also, updating the buffer expansion from 5 to 10, as before. Old code:

- New code:

- Finally, the whole altered section looks like this:

- Cross-compiling with mingw32 (version for x64_64 bits):

- A new executable loader64.exe is created:

2 - Running the payload at the victim side

- Setting a simple web server at Kali:

- Downloading the executable loader64.exe to Windows 10:

- Setting up a Metasploit handler session at Kali machine:

- However, when running loader64.exe at Windows 10 the file stops working:

- Also, a Meterpreter session is created but it dies after a few instants:

- Why does this handler session fail?

- The reason is that the payload was established for the x86_32 bits architecture, what is not correct because in this exercise we are dealing with x64_64 bits:

- So, the payload must be replaced with the version for x64_64 bits (let's notice the /x64):

- Repeating the whole process now the attack is successful. Establishing a Metasploit handler session on Kali:

- Running loader64.exe from the victim Windows 10 x64_64 bits:

- Finally the meterpreter session is successfully generated:

4 - Checking the Anti Virus evasion rate

- Checking loader64.exe against Virus Total a rate of 95.5% of evasion success is achieved:

- Checking loader64.exe against No Distribute, a rate of 100% of evasion success is achieved:

Metasploit Loader (II): loader-modified.exe (x86_32 bits)

ANTIVIRUS EVASION /Metasploit Loader (II): loader-modified.exe (x86_32 bits)

- Layout for this exercise:

- This exercise is based in the previous one:

http://www.whitelist1.com/2018/02/metasploit-loader-i-loaderexe-x8632-bits_27.html

1 - Modifying the source code

- The objective of this exercise is to get an executable easier to use than the previous loader.exe, so that it is not necessary to go through the command line with the arguments of the IP and port of the attacker, embedding both parameters in the payload code.

- To achieve this goal we need to modify the source code main.c:

- Opening main.c:

- First this section of the code must be removed, because the executable is not going to take arguments any more from the user through the command line:

- Now, this section must be altererd, because the socket will be established with constant parameters, and not passed as arguments to the function:

- Kali's IP and port 9999 are introduced, replacing the older connection parameters:

- To finalize, the source code must be compiled again (using mingw32 with version for x86_32 bits architecture), outputting a new executable called loader-modified.exe:

2 - Checking the functionality of loader-modifed.exe

- Setting a simple web server on Kali:

- Connecting from the victim Windows 10 (x86_32 bits) and downloading loader-modified.exe:

- Setting up a Metasploit handler session on Kali Linux, waiting to the victim Windows 10 to run the executable:

- Running the executable on Windows 10 (x86_32 bits) :

- The attack is successful:

3 - Checking the Anti Virus evasion rate

- Checking loader-modified.exe against Virus Total, a rate of 68.2% of evasion success is achieved:

- Checking loader-modified.exe against No Distribute, a rate of 71.8% of evasion success is achieved:

- So comparing to the previous exercise the rate detection is slightly smaller, but on the brigth side the payload is a lot easier to be used.

Metasploit Loader (I): loader.exe (x86_32 bits)

ANTIVIRUS EVASION /Metasploit Loader (I): loader.exe (x86_32 bits)

- Layout for this exercise:

1 - Installing loader.exe

- Metasploit Loader is a client compatible with Metasploit's staging protocol.

- Metasploit Loader implements the functionality of the first stage of the Materpreter payload. Then receives the DLL and finally it passes the control.

- The project can be cloned from here:

https://github.com/rsmudge/metasploit-loader