Reverse shell over ICMP (with a disassebler digression and a final mistery)

malware

#1

Good morning,
this is my first tutorial and I hope it will serve to the purpose. This is a practical one because I think that if it’s really nice to read about all that Calc and Notepad spawning around - of course these articles have a really great educational value, it’s not my intention to belittle the content neither all the writers - otherwise I think it’s not so useful in “everyday job”. Please apologize me if saying that I have offended someone, again it’s not my intention but I think that generally about Infosec there is a lack of real example even if the POC is fundamental to understand the matter. Anyway let’s get our hands dirty.
Last week a client of mine during a PT wanted to test the efficiency of his AV (Kaspersky AV 8.0 for Window Server EE SP2), just running a evil exe on his application server (Windows Server 2012 64bit). I thought oh that’s really great, so this time no SE stuff, no need to fool the secretary to inject my evil exe :slight_smile: . Great, an easy job finally. We have already developed a C# bind shell that was very useful on a previous job, I could give it a try. This time no luck: the local windows firewall (I did not expect that) blocked the TCP port. No panic, I already knew about this great ICMP reverse shell developer by Nico Leidecke. On GitHub there is an exe already packed. I know that is not really the “hacker way”, but I lost this way long time ago :stuck_out_tongue: so I decided to try it as it is. Checking the exe with pscan I got 3 detections on 35. For Kaspersky and Avira (my personal AV) it was clean. Anyway when I executed the exe on my Win box Avira immediately detected the process and moved the exe in quarantine. Kaspersky did the same of course. So I downloaded the C source code to apply some code obfuscation (this was actually my original idea to write a tutorial about this topic) and to recompile it using Visual Studio 2015.
I have done some basic modification to fit my need, essentially I removed the argument passed to main and I hard coded the attacker IP, then I changed some call and added some instructions to avoid compiling error on VS. Then I compiled and I executed it on my machine. Avira remains quiet. I tried on a lab machine with Kaspersky installed and it wasn’t detected. Submitting the file to pscan I got 0 detections (checked right now again):


So I guess that the Visual C++ compiler did a great job to obfuscate the executable :smiley: I tried to compare the assembly code of the original exe with the one generated with VS attaching the process in Immunity Debugger but telling the truth I was not able to understand the flow, especially searching for the Intermodular calls give only repeated CALL ntdll.RtlAllocateMemorayBlockLookside. So I think that the exe has been compressed in some way. If someone can help me about that it will be very appreciated. Indeed here you can read the disassembled section of the CreateProcess for the cmd command of exe generated with Visual C++

if (!CreateProcess(NULL, cmd, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, (LPSTARTUPINFO)&si, pi)) {
00372494 mov esi,esp
00372496 mov eax,dword ptr [pi]
00372499 push eax
0037249A lea ecx,[si]
0037249D push ecx
0037249E push 0
003724A0 push 0
003724A2 push 8000000h
003724A7 push 1
003724A9 push 0
003724AB push 0
003724AD lea edx,[cmd]
003724B3 push edx
003724B4 push 0
003724B6 call dword ptr [[email protected] (037B024h)]
003724BC cmp esi,esp
003724BE call __RTC_CheckEsp (0371136h)
003724C3 test eax,eax
003724C5 jne spawn_shell+1AEh (03724CEh)
return STATUS_PROCESS_NOT_CREATED;

Just for fun you can see how the stack is loaded with the call arguments in reverse, e.g. eax point to pi, 8000000h is the CREATE_NO_WINDOW value. This is a common call sequence for the cmd process so it should be easily detected by AV in my opinion, so in the end I did not know how it can work :smiley:
Here you can find the source code of the project, the C slave modified (you can read in the file comment how to set the VS project properly) and the Python master (I only made the usage message clearer). As usual please don’t spread the code around since at the moment it’s FUD
Thanks for reading. All the comments, especially those negative, are welcome :smile:


#2

What exactly is this a tutorial for? You don’t explain how to obfuscate the reverse shell and you express your sentiment for not wanting to learn.


#3

#4

Uh my God dear friend, I didn’t expect the censorship in a place like that. Unbelievable, anyway I’m not in the right place I see. Then if you read carefully the post the only one between us that has used the word “learn” are you, so I guess that this is your own opinion about the idea that I don’t want to learn, of course I will accept it but sorry I don’t agree. In the same way I can say that you miss the sense of humor and my friend this is really a shame. To answer to your question the tutorial was how to make an existing payload that is not FUD FUD. Maybe you need a step-by-step guide. I don’t know where you read that this was a post about obfuscation, I wrote exactly the contrary, anyway if you had had the will to follow the link, to download both the source, to compile them, analazing with a debbugger you could get the answer by your own. Who doesn’t want to learn?
I wish you a good day


#5

(Security Architect & Founder) #6

Hello! It’s nice to see you posted an article. Would you mind adding, er, paragraphs? Also headings would be nice.

Navigating this article visually is a nightmare!


#7

That’s not censorship. I’m simply stating my opinions of your piece.


#8

So I unlisted @zinzloun’s write-up but he decided to complain about it in public with a 2nd post instead of asking privately as to why that happened.

  1. According to your write-up, you are working for a company. Meaning, you are supposed to be mature enough to accept criticism either by your clients, me, @Nymx or whoever else. Not only did you not accept any criticism, but you weren’t even bothered to PM me or the rest of the admins as to why that might happened. You decided to go public. Pretty childish. There were occasions where we repeatedly unlisted a person’s post. We gave him feedback in private, and he improved. He didn’t bitch about it in public. Behave according to your age please.

  2. You mentioned that you used to be a part of different communities/forums in the past. Your write-up clearly shows what kind of places they were.

  3. You said “Generally if you write something stupid or unfitting you are exposed to the “public shame”.” From my point of view, your write-up showed 0 effort, 0 documentation/format and close to 0 explanation. You are not in a pentesting forum. You could at least explain in a bit of detail what you do, how you do it and why you do it so that the rest can make sense out of it. I felt like you were rushing for work and decided to make a write-up while running.

  4. You don’t have to write about your recent 0-day exploit. Any sort of post is appreciated. Just justify and explain a bit of what you are doing. There are plenty of great write-ups around 0x00sec so feel free to take a look.

  5. If you are planning to make a write-up of this style in the future, at least add an intro section stating “don’t waste your time reading it, you will understand nothing and frankly I don’t care”.


(Security Architect & Founder) #9

Completely support @_py on this.

@zinzloun, you have 3 days to accept the constructive criticism or suffer the fate of unlisting.

0x00sec is a quality forum, with quality content. Writers should strive to adhere to that. If people cannot accept constructive criticism, then they simply do not belong.

0x00sec might not be for everybody. If you do not feel comfortable, then feel free to depart. Departures are rare, but occasionally one feels he does not fit, and then users either choose to leave, or return when they have reached a point when they can maturely accept comments of criticism.

- pry0cc


#10

Well the main problem here is just that it isn’t a tutorial IMO (Because of the layout mainly).

Some paragraphs would be nice indeed.

Anyway I think what you were telling is interest, but you must know this is not ‘censorship’ in the sense that we censor your content, but rather the layout you used for the article.

Don’t take it the hard way, the problem is how you present it, not what you’re presenting.


#11

Sorry if I bore the community with this useless conversation, this will be my last for sure. I will answer you @_py point by point:
1 I don’t really understand this double channel, private and public. I have not read anything about that in your policies. My post did not offend anyone, you decided to unlist without provide any motivation. How can I know, being a noob here, that you will provide an explanation, and why I should ask to the admins what happened if I did not know that I have to ask? If you leave the post listed and you write your motivation you will help me and the community to understand what is wrong in my post. So in the end why I can not bitch in public if I do not go against your policy? If I’m a child you talk like a priest. :wink:
2 Here you are offending me and you don’t deserve an appropriate answer. I only quote your policy "remember to criticize ideas, not people"
3 This is a disapproval that you could have written in the original post instead to unlist the tutorial, don’t you think so?
4 Actually my friend I have never found any 0-day exploit and I do not search for them at all, I have already read quite a lot of your tutorial and actually I thought honestly that mine would have been appropriate. Again I apologize for the bad layout, as I said I’m not used to write step by step well formatted tutorial (I save my best for the VA reports ;)) I thought that the matter could be interested for someone
5 Again you are expressing an opinion about me and not about the content of my post, maybe you are so skilled that those stuff tires you but maybe there are other that can appreciate it. I clearly write that I did not code the master neither the client, I said that I have the idea to obfuscate the code but it was not necessary, so for you this is a shame? Because the compiler solved my problem? Have you ever heard about that idea to keep it simple? I faced a problem and I solved in this way, but maybe for you is not so a so noble way. You are right, I had to write In this post I solve a problem as a skiddie.
In the end, to answer @pry0cc as well, I do not know if I mature and skilled enough for this community, feel free to act according to your idea and policy but in my poor opinion you are talking like the Spanish Inquisition :slight_smile:
Again nothing personal my friends: panta rei.
I wish you a good evening


#12

Don’t you understand that it’s a bit weird to go public with this? If you don’t like the feedback someone gives you in a PM you pm him back, now you are just creating stupid drama.
Besides py was only commenting on your behaviour, if you take that personally, then that is by choice.


#13

@zinzloun: I don’t know if you actually read my reply but 4 of my points had to do with your write-up and not “offending” your attitude/personality as you mentioned. You said that we didn’t give you an explanation as to why we unlisted it. How could we? Right after I unlisted it, you made a public post complaining about it. I didn’t have time to breathe, let alone PM you.

Nobody is a master here and nobody will ever be. The masters are long gone and dead. There is no perfect tutorial. There is always a chance to improve ourselves. I appreciate your effort, but when you are posting on a community forum like 0x00sec, the least you should expect is constructive criticism. We are helping each other, not hating.

If you still believe your post was perfect, then please keep that style and see for yourself the kind of feedback you’ll be getting.

Since you referred to a greek quote and I’m greek, here’s one for you:

I can’t teach anybody anything. I can only make them think. ~Socrates


#14

I’m not really able to understand this dichotomy about public and private, for sure it’s my fault. Anyway my friend wonderful land yours, cradle of civilization, I was there in november to run the marathon, again nothing personal but I will not change my opinion, simply we do not get along very well. Thanks for the quote, one of my favourite! Indeed I’m italian and as you can guess @IoTh1nkN0t I love drama.


(Burning away in an Explosion) #15

Had the same phase. Got over this stuff. Maybe not totally, but today it’s better. You can to it too. (Meme “Just do it”)

(With phase I mean that I loved to discusse about nonsense.)

(Could include(“sarcasm.php”) :stuck_out_tongue_winking_eye:)


#16

(system) #17

(oaktree) #18