Virtual-reality project - grand-theft-socket payload

I have a windows backdoor pet project - virtual-reality.
I recently added a new payload - grand-theft-socket.

Situation: you have a server you need to backdoor. Server runs a public service listening on some port. For the sake of argument lets pretend it is a webserver. All outgoing traffic is disallowed.

Grand-theft-socket:

  1. You inject gts.dll (payload) into webserver process (injection is not covered by VR project)
    • Injected DLL hooks WSAAccept()
  2. You send a knock by executing vr.py tcp_knock webserver_ip port.
  3. You execute meterpreter/bind_tcp with RHOST=webserver_ip and LPORT=port.
  4. You enjoy your meterpreter session.

All of this happens while not interrupting normal service operations. Webserver continues to serve webpages and what not.

How it is done:

  • tcp_knock sends a small packet requesting next connection to be treated as backdoor connection. This connection is terminated and INVALID_SOCKET is returned to the host process. (knock is not designed to be secure. It is designed to be improbable by chance)
  • When a connection from ip address that sent a knock is created:
    1. New “stager” process is created [1]
    2. Accepted socket is duplicated into stager process.
    3. INVALID_SOCKET is returned to host process.
    4. Stager reads 4 bytes payload length. [2]
    5. Stager reads payload of previously specified length.
    6. Stager executes payload.

In a sense we steal a socket from legit service and use it for incoming backdoor connection.


You may find some other interesting things in this project.

  • icmp backdoor which executes meterpreter stager sent as ping packet data
  • https backdoor which harvests steganographically encoded commands from images posted on imgur.com
7 Likes

Super cool, starred the project and looking forward to testing it out.

1 Like

Dude, this is insanely cool!

Awesome share!

Well damn, I might actually use this soon…

What VR headset are you using to run your software program: Grand-theft-socket? Or have you not gotten to the implementation phase yet???

-Archangel